Securing SQL Server

Just Because It Isn’t a Password Doesn’t Mean It Shouldn’t Be Encrypted

Target has done a number on us as customers by having not just customer information but Personally Identifiable Information specifically.

As part of Target's ongoing forensic investigation, it has been determined that certain guest information - separate from the payment card data previously disclosed - was taken from Target. This theft is not a new breach, but was uncovered as part of the ongoing investigation. At this time, the investigation has determined that the stolen information includes names, mailing addresses, phone numbers or email addresses for up to 70 million individuals.

If Target has encrypted all the PII which sat within their database then this data breach wouldn’t have that big a deal because the data which was stolen would have been encrypted and useless to the thieves.  However based on the fact that Target had to announce the breach we are left to assume that the data wasn’t encrypted.

Because someone (probably a developer or project manager) made the decision to store all this PII in plain text instead of taking the time and CPU power to encrypt this information we the customers of Target have to pay the price.  And there is nothing that we can do about this as customers other than not shop there any more, which in reality this isn’t always an option.

As IT workers we need to push our employers and clients to ensure that they are properly encrypting all PII data possible so that the customers and general public aren’t put through this sort of thing.  Pushing to make this happen won’t make us popular with managers, or co-workers as it does add more work to the workflows and more work in general, but this is something which we must start doing.  And I’m not talking about encrypting data when at rest, but actually encrypting the data in the tables so that when an attacker exports the data from the tables using a basic select statement they get useless information, otherwise the entire data encryption process was pointless.

Someone within organizations needs to step up and start bringing this up in meetings.  If you don’t do it, no one will and this sort of massive data theft will happen again.  Just because you don’t work in a large retailer doesn’t mean that you shouldn’t be bringing this up in your company.  EVERY company needs to be thinking about this because you never know how much information the systems will be holding or how these systems will be used in the future, so it’s best to plan for the best now.

Denny

Securing SQL Server

Preventing Problems Like The Target Card Breach Are Easy

Unless you live under a rock you heard about the Target credit card breach that happened between November 27th and December 15th 2013. What really pisses me off about this sort of thing is that it never should have been possible for this to happen.

Our current concept of credit cards and hotargetw they work was designed decades ago when data encryption was basically non-existent outside of government work. Because of this all the data that is needed to steal every penny in your checking account is carried around in plain text in your wallet in the form of your debit card (which if you are in the US probably also functions as a credit card as well). I’ll say it again everything is stored in plain text so that anyone with a magnetic strip reader can simply read the information from the card and use it. This information includes your credit card number, bank information, expiration date, and any other information about you and your account that the bank has decided to put onto the card.

The banking industry has come up with all sorts of security safeguards that they put in place to try and ensure that your credit card information is safe, except encrypt the data on the card so that a thief can’t read it. The rest of the world has evolved their banking and credit card systems, but not the US because we don’t like change. And most importantly the banks like being able to charge merchants extra swipe fees for different kinds of transactions.

 

What we should be using here in the US is a system called chip and pin. The credit card looks exactly like it does today, but instead of swiping your credit card like we do today, instead you insert the card into the reader. The reader prompts you for your pin number, much like when you use your card as a debit card. If the pin that you enter matches the pin which is stored in the chip, then the data is decrypted and the machine charges your card directly, then it simply tells the cash register that the charge was accepted or declined. The credit card information never goes to the stores cash register so the problem that Target had simply wouldn’t have happened. The credit card information is sent to the bank via either a phone line or via the network, but the data is encrypted before it leaves the credit card machine so there is no risk of it being intercepted between the credit card machine and the bank.

One of the big reasons that banks don’t want this to happen is that every transactions now becomes a pin transaction. Banks charge fees for pin card transactions, as do some stores. If every transaction is a pin based transaction the banks (and the stores) will have to stop charging these fees which means that they will loose profit (which is all these fees are, pure profit). So instead of loosing out of some profit the banks instead put our time, and sanity at risk as now about 40,000,000 people will either need to watch their bank accounts daily to ensure that there’s no fraud on their account, or cancel their card (like I did) and not have a debit or credit card for 2-7 days (depending on how long it takes your bank to send you a new card). And don’t forget that this is all happening over Christmas and New Years holidays so having working credit cards is kind of important.

It should be obvious by now that the banks aren’t going to give us a more secure banking system to use. The government needs to step in and mandate that the banks and credit card companies move us to a more secure system and that system should be the same system that the rest of the world is using. The chip and pin system which the rest of the world uses is a well used system that everyone has gotten used to using. Staying with the existing system just isn’t a realistic plan. This breach is going to cost target a small fortune in fines, fees, consulting dollars, etc. as they try and deal with it. Wouldn’t it be nice if it simply wasn’t possible.

Many stores are actually getting ready for these new cards already. You may have seen the new card readers which have a swipe on the side and a slot in the bottom to insert your card. These consoles are the ones that we should be using, just with the swipe option disabled.

There will be some pushback I’m sure because this means change. Yes you will need to remember your pin number. But you probably already have one for your debit cards, and it’s really not that hard for you to remember that pin number. People will need to get used to inserting the card instead of swiping it. You’ll get used to it. The biggest change will be when you go out to eat as the server will now bring the credit card machine to do instead of disappearing with your card as you’ll need to enter your pin on the portable keypad. I admit it takes a little getting used to, but it isn’t that big of a deal. I promise.

The only way this is going to happen is if the federal government requires it. And I really hope that they don’t mandate something different from the rest of the world because that would be the only mistake that’s a bigger one than keeping what we have today.

Denny