Big Challenges in Data Modeling: Ethics & Data Modeling April 24th

ethics image via Shutterstock

ethics image via Shutterstock

I’m pleased to say that I’ve been invited to join a panel Thursday April 24th at 2pm EDT (11am EDT). This panel is titled “Ethics & Data Modeling“, which is a pretty timely topic given things like the Target breach, HeartBleed, etc.  There will be 5 people on the panel including myself.  The other members will be Karen Lopez, Len Silverston, Tamera Clark and Kerry Tyler.  This will be an interesting panel as Karen, Tamera, Kerry and I will all be located at the same place (should be interesting for Len).

The panel has an open Q&A time where you can ask the panel questions during the discussion.  There are some topics that we’ll be starting with (and probably deviating from pretty quickly).

  • What is the nature of ethics?
  • How do ethics differ from morality? Legality?
  • Can ethics be taught?
  • Where does ego come into play here?
  • What about Codes of Ethics and Codes of Conduct?
  • Is there one right answer? Is there an always wrong answer?
  • What’s the difference between a whistleblower and a tattletale?
  • What tools do we have in making ethical decisions?
  • How should we deal with unethical co-workers? Management? Customers?
  • What does it all mean, anyway?
Register now and bring your ethical questions and comments, and we’ll see you there.
(this post was originally posted via TechTarget)

Securing SQL Server 2nd Edition is the Microsoft Deal of the Day

I’ve just learned that Securing SQL Server 2nd Edition is the Microsoft Deal of the Day on O’Reilly’s website. This means that O’Reilly is selling the book for 1/2 off today (Feb 11th, 2014) so you can pick the book up for just $24.98! That’s a deal and by far the best sale that I’ve seen. I don’t know what timezone this deal is based on, but I’d buy now rather than later.

Denny

Just Because It Isn’t a Password Doesn’t Mean It Shouldn’t Be Encrypted

Target has done a number on us as customers by having not just customer information but Personally Identifiable Information specifically.

As part of Target's ongoing forensic investigation, it has been determined that certain guest information - separate from the payment card data previously disclosed - was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.

If Target has encrypted all the PII which sat within their database then this data breach wouldn’t have that big a deal because the data which was stolen would have been encrypted and useless to the thieves.  However based on the fact that Target had to announce the breach we are left to assume that the data wasn’t encrypted.

Because someone (probably a developer or project manager) made the decision to store all this PII in plain text instead of taking the time and CPU power to encrypt this information we the customers of Target have to pay the price.  And there is nothing that we can do about this as customers other than not shop there any more, which in reality this isn’t always an option.

As IT workers we need to push our employers and clients to ensure that they are properly encrypting all PII data possible so that the customers and general public aren’t put through this sort of thing.  Pushing to make this happen won’t make us popular with managers, or co-workers as it does add more work to the workflows and more work in general, but this is something which we must start doing.  And I’m not talking about encrypting data when at rest, but actually encrypting the data in the tables so that when an attacker exports the data from the tables using a basic select statement they get useless information, otherwise the entire data encryption process was pointless.

Someone within organizations needs to step up and start bringing this up in meetings.  If you don’t do it, no one will and this sort of massive data theft will happen again.  Just because you don’t work in a large retailer doesn’t mean that you shouldn’t be bringing this up in your company.  EVERY company needs to be thinking about this because you never know how much information the systems will be holding or how these systems will be used in the future, so it’s best to plan for the best now.

Denny

Preventing Problems Like The Target Card Breach Are Easy

Unless you live under a rock you heard about the Target credit card breach that happened between November 27th and December 15th 2013. What really pisses me off about this sort of thing is that it never should have been possible for this to happen.

Our current concept of credit cards and hotargetw they work was designed decades ago when data encryption was basically non-existent outside of government work. Because of this all the data that is needed to steal every penny in your checking account is carried around in plain text in your wallet in the form of your debit card (which if you are in the US probably also functions as a credit card as well). I’ll say it again everything is stored in plain text so that anyone with a magnetic strip reader can simply read the information from the card and use it. This information includes your credit card number, bank information, expiration date, and any other information about you and your account that the bank has decided to put onto the card.

The banking industry has come up with all sorts of security safeguards that they put in place to try and ensure that your credit card information is safe, except encrypt the data on the card so that a thief can’t read it. The rest of the world has evolved their banking and credit card systems, but not the US because we don’t like change. And most importantly the banks like being able to charge merchants extra swipe fees for different kinds of transactions.

 

What we should be using here in the US is a system called chip and pin. The credit card looks exactly like it does today, but instead of swiping your credit card like we do today, instead you insert the card into the reader. The reader prompts you for your pin number, much like when you use your card as a debit card. If the pin that you enter matches the pin which is stored in the chip, then the data is decrypted and the machine charges your card directly, then it simply tells the cash register that the charge was accepted or declined. The credit card information never goes to the stores cash register so the problem that Target had simply wouldn’t have happened. The credit card information is sent to the bank via either a phone line or via the network, but the data is encrypted before it leaves the credit card machine so there is no risk of it being intercepted between the credit card machine and the bank.

One of the big reasons that banks don’t want this to happen is that every transactions now becomes a pin transaction. Banks charge fees for pin card transactions, as do some stores. If every transaction is a pin based transaction the banks (and the stores) will have to stop charging these fees which means that they will loose profit (which is all these fees are, pure profit). So instead of loosing out of some profit the banks instead put our time, and sanity at risk as now about 40,000,000 people will either need to watch their bank accounts daily to ensure that there’s no fraud on their account, or cancel their card (like I did) and not have a debit or credit card for 2-7 days (depending on how long it takes your bank to send you a new card). And don’t forget that this is all happening over Christmas and New Years holidays so having working credit cards is kind of important.

It should be obvious by now that the banks aren’t going to give us a more secure banking system to use. The government needs to step in and mandate that the banks and credit card companies move us to a more secure system and that system should be the same system that the rest of the world is using. The chip and pin system which the rest of the world uses is a well used system that everyone has gotten used to using. Staying with the existing system just isn’t a realistic plan. This breach is going to cost target a small fortune in fines, fees, consulting dollars, etc. as they try and deal with it. Wouldn’t it be nice if it simply wasn’t possible.

Many stores are actually getting ready for these new cards already. You may have seen the new card readers which have a swipe on the side and a slot in the bottom to insert your card. These consoles are the ones that we should be using, just with the swipe option disabled.

There will be some pushback I’m sure because this means change. Yes you will need to remember your pin number. But you probably already have one for your debit cards, and it’s really not that hard for you to remember that pin number. People will need to get used to inserting the card instead of swiping it. You’ll get used to it. The biggest change will be when you go out to eat as the server will now bring the credit card machine to do instead of disappearing with your card as you’ll need to enter your pin on the portable keypad. I admit it takes a little getting used to, but it isn’t that big of a deal. I promise.

The only way this is going to happen is if the federal government requires it. And I really hope that they don’t mandate something different from the rest of the world because that would be the only mistake that’s a bigger one than keeping what we have today.

Denny

Health Data Breaches – Insider Data Trading?

This was reposted from http://blog.infoadvisors.com/index.php/2013/01/09/health-data-breaches-insider-data-trading/ written by Karen Lopez. They get all the credit for this, not me.

image

It seems like the majority of health data breaches I read about are via insiders with access to patient information systems stealing and selling their data.

Federal authorities say Sergei Kusyakov, who was involved with Metro Chiropractic and Wellness Center and City Lights Medical Center, illegally obtained private information about patients through Dale Munroe II and his wife, Katrina Munroe, who worked at Florida Hospital’s Celebration campus.

Authorities said Dale Munroe accessed more than 763,000 records for patients treated at various Florida

Additional reading can be found at the original author’s post.

NTLM 100% Broken Using Hashes Derived From Captures

This was reposted from http://rss.slashdot.org/~r/Slashdot/slashdot/~3/-x3fWaDw3LA/story01.htm written by Soulskill. They get all the credit for this, not me.

New submitter uCallHimDrJ0NES writes “Security researcher Mark Gamache has used Moxie Marlinspike’s Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It’s been going on for a long time, probably, but this is the first time a ‘white hat’ has researched and exposed the how-to details for us all to enjoy. ‘You might think that with all the papers and presentations, no one would be using NTLM…or, God forbid, LM. NTLMv2 has been around for quite some time. Surely, everyone is using it. Right? Wrong! According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses!’ Microsoft has posted a little guidance for those who need to turn off NTLM. Have fun explaining your new security project to your management, server admins!”

Additional reading can be found at the original author’s post.

Ruby On Rails SQL Injection Flaw Has Serious Real-Life Consequences

This was reposted from http://rss.slashdot.org/~r/Slashdot/slashdot/~3/4jJjYcqA-4M/story01.htm written by Unknown Lamer. They get all the credit for this, not me.

vikingpower writes “As a previous Slashdot story already reported, Ruby on Rails was recently reported to suffer from a major SQL injection flaw. This has prompted the Dutch government to take the one and only national site for citizens’ digital identification offline (link in Dutch, Google translation to English). Here is the English-language placeholder page for the now-offline site. This means that 16 million Dutch citizens cannot authenticate themselves anymore with government instances, and that those same government instances can not communicate anything to those same citizens anymore.” Fixes were released, so it looks like it’s on their sysadmin team now.

Additional reading can be found at the original author’s post.

An Audible Data Privacy Breach

This was reposted from Clean Up BlogThisSecurity feed and make it a snipit http://blog.infoadvisors.com/index.php/2013/01/02/an-audible-data-privacy-breach/ written by Karen Lopez. They get all the credit for this, not me.

 

image

RI labor dept. warns of possible privacy breach.

I think about data encryption, physical access controls to servers and such on a regular basis. But there are all kinds of formats via which data gets stored or communicated.  The Rhode Island Department of Labor recently had a data breach involving their call center.  Customers were able to hear conversations on other calls.  The department estimates fewer than 700 pe

Additional reading can be found at the original author’s post.

Are Your Protecting Your DB Backups?

This was reposted from Clean Up BlogThisSecurity feed and make it a snipit http://www.sqlservercentral.com/blogs/brian_kelley/2012/11/27/are-your-protecting-your-db-backups/ written by (author unknown). They get all the credit for this, not me.

tapes by twicepix, on FlickrFolks have cited the recent InformationWeek article on how South Carolina’s Department of Revenue was hacked because the SC state government basically said, “It’s the IRS’ fault for not telling us we should encrypt social security numbers.” I’m not going to touch that. It stands on its own for its foolishness. However, I did key in on how the hack happened and how the data was obtained. I found this bit to be particularly interesting:

“But with more work, by Sept. 12, 2012, the attacker had successfully located and begun copying 23 database backup files, containing 74.7 GB of data, to another directory. Soon, the attacker compressed the data into 15 zip files, transferred them to another server, sent the data to an external system — outside the state’s control — and deleted the zip files to help hide the data breach, according to Mandiant’s report.”

In other words, the attacker, once inside the trusted network, located the database backup files, zipped them up, and then copied them offsite. That’s how the data was lost. The database backups were attacked.

 

Additional reading can be found at the original author’s post.

Jail Looms For Man Who Revealed AT&T Leaked iPad User E-Mails

This was reposted from Clean Up BlogThisSecurity feed and make it a snipit http://rss.slashdot.org/~r/Slashdot/slashdot/~3/5ifWhOwuT7U/story01.htm written by Soulskill. They get all the credit for this, not me.

concealment sends this quote from MIT’s Technology Review: “AT&T screwed up in 2010, serving up the e-mail addresses of over 110,000 of its iPad 3G customers online for anyone to find. But Andrew Auernheimer, an online activist who pointed out AT&T’s blunder to Gawker Media, which went on to publicize the breach of private information, is the one in federal court this week. Groups like the Electronic Frontier Foundation worry that should that charge succeed it will become easy to criminalize many online activities, including work by well-intentioned activists looking for leaks of private information or other online security holes. [Auernheimer's] case hasn’t received much attention so far, but should he be found guilty this week it will likely become well known, fast.”

Share on Google+

Read more of this story at Slashdot.

Additional reading can be found at the original author’s post.