Application Security //

Database Security

11/29/2012
04:26 AM
50%
50%

10 Top Government Data Breaches Of 2012

SQL injection, post-phishing privilege escalation, and poorly secured back-up information all played their part in exposing sensitive government data stores this year

With federal and local government agencies suffering the brunt of Anonymous protests, targeted phishing attacks leading to privilege escalation, and highly effective SQL injection attacks granting wide-scale access to information, citizen privacy definitely took a hit in 2012.

1. South Carolina
More than 3.3 million unencrypted bank account numbers and 3.8 million tax returns were stolen in a wide-ranging attack against the South Carolina Department of Revenue. Itt all started through a state employee falling for a phishing attack that enabled hackers to leverage that employee's access rights to gain access to the government entity's systems and databases.

Lessons Learned: Database protection layers, such as database activity monitoring, not to mention other network detection measures could have gone a long way toward minimizing the damage caused by the type of phishing attack that all organizations, public and private, face today.

[Find out where your privacy risk posture stands. See Free Risk Indexing Tool Offers Start For Assessments.]

2. California Department of Social Services
Sensitive payroll information about approximately 700,000 individuals was lost in the mail en route between IT contractors with Hewlett Packard and the California Department of Social Services. Information, such as caregiver and care recipient names, wages, and Social Security numbers, was exposed when package sent by U.S. Postal Service with microfiche containing the information was damaged with much of the data missing.

Lessons Learned: Databases are often most vulnerable when the information within them are put into more archaic forms like paper and microfiche. This breach proves that physical security and common sense still play a big role in data privacy protection.

3. Utah Department of Health
The health information and PII of more than 780,000 Utah citizens were put at risk when Eastern European hackers broke into a server maintained by the Utah Department of Technology Services this spring by taking advantage of poor authentication configuration following database migration to a new server.

Lessons Learned: Poor authentication controls, uneven patch management, and dicey configuration management add a inordinate amount of risk to the database protection equation.

4. California Department of Child Support Services
Californians suffered not one, but two huge breach events stemming from old-school data storage and questionable shipping of unobfuscated files. The California Department of Child Support Services lost more than 800,000 sensitive health and financial records when a FedEx shipment sent by the state's contractors with IBM and Iron Mountain containing backup tapes with the data in question fell off the proverbial truck.

Lessons Learned: Just because a database is on a backup tape or drive does not make the information contained within any less valuable or vulnerable. Protection of backup information needs to be accounted for within data protection policies.

5. United States Bureau of Justice Statistics
Anonymous embarrassed the United States Bureau of Justice Statistics (BJS) when it leaked 1.7 GB of sensitive data belonging to the bureau on The Pirate Bay this spring. Files included internal emails and a database dump with information from the BJS website.

Lessons Learned: While information stolen was generally publicly available anyhow, the database dump offers yet another example of how insecure Web applications put entire back-end databases at risk.

6. City of Springfield
Though government officials report that the number of citizens stung by a recent hack of the website run by the City of Springfield was only about 2,100, the perpetrators from Anonymous said they actually were able steal from municipal databases that included more than 1,000 vehicle descriptions from online police reports and records from more than 280,000 summons filed in city digital data stores. The grey hat hackers claimed to have more than they leaked to the public, reporting that they removed sensitive information as a public service to citizens.

Lessons Learned: Speculation on this one is that it was carried out through SQL injection. Even smaller municipalities are going to find themselves targets of SQLi attacks if they leave the Web app barn door open.

7. United States Navy & DHS
Hackers from a group calling itself Digital Corruption busted into Department of Homeland Security and U.S. Navy websites using Blind SQL injection attacks. They stole database information that included usernames, passwords, email IDs, and security questions and answers for all users on the Navy's Smart Web Move website and Homeland Security's Transportation Worker Identification Credential website.

Lessons Learned: As long as organizations fail to validate input in their Web applications, hackers will continue to run roughshod with these kinds of attacks.

8. Wisconsin Department of Revenue
South Carolina's tax authorities weren't the only government tax offices to suffer an embarrassing breach in 2012. In July, the Wisconsin Department of Revenue reported that it exposed sensitive seller information about more than 110,000 people and businesses who sold property in 2011 by allowing an unknown embedded file in a Microsoft Access file with public-facing sales data to go live with that information in a report that was available to real estate professionals from April through July.

Lessons Learned: Sometimes our databases' worst enemies aren't hackers, but, instead, unknowledgeable employees who put sensitive information in the most inopportune of places.

9. NASA
Although the 10,000 employees affected by the latest security lapse at NASA is fairly small compared to other big-number government privacy breaches this year, the circumstances offer glaring evidence of how government agencies still lag in employee awareness and training. Personally identifiable information was left on an unencrypted agency laptop, which was subsequently stolen from an employee's car on Halloween.

Lessons Learned: When large caches of information are transferred from the database, who knows where they'll end up. The NASA breach shows once again how easy it is for unencrypted information on laptops to "walk away" from authorized users.

10. New Hampshire Department of Corrections
In a case of the foxes running the hen house, the New Hampshire Department of Corrections found that inmates at a state correctional facility were able to access the main offender management database system. How so? That system was linked to a server that inmates working in the prison industries shops used. Access to the system would allow inmates to change items like parole dates and sentencing information, as well as view personally identifiable information on prison staff members.

Lessons Learned: This case offers a stark example of why uber sensitive databases require special segmentation measures to keep them safe from side-channel attacks.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MROBINSON000
50%
50%
MROBINSON000,
User Rank: Apprentice
12/7/2012 | 12:23:00 PM
re: 10 Top Government Data Breaches Of 2012
Really great and resourceful
article! I personally enjoyed it really much, maybe because it perfectly proves
our vital need for a Cyber Security Bill that has measurable accountability
controls and/or we suffer an attack that takes out our power grid or another
piece of critical infrastructure. I know there's a lot of fear mongering out
there which is unfortunate as it then becomes difficult for people to separate
the wheat from the chafe. I've been in the IT Security space for enough time to
understand how fragile our corporate and government infrastructure is. Actually,
hereGs an interesting article on this matter: http://blog.securityinnovation....
Hope you find it useful!-
13 Russians Indicted for Massive Operation to Sway US Election
Kelly Sheridan, Associate Editor, Dark Reading,  2/16/2018
From DevOps to DevSecOps: Structuring Communication for Better Security
Robert Hawk, Privacy & Security Lead at xMatters,  2/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.