Application Security // Database Security
8/12/2011
04:36 PM
Connect Directly
RSS
E-Mail
50%
50%

Can Data Breaches Kill?

When data is sensitive enough, its exposure has the potential to be fatal

Data breaches have long threatened the identities of individuals whose data was stolen by pilfering cybercriminals. But, in some cases, the breach of sensitive data can put far more than just the credit histories of victims at risk. In the right set of circumstances, a data breach can put people's lives at risk.

As far as the security community knows, there has been no documented case where breached private details have proved fatal. But the recent exposure of sensitive information held by more than 70 different U.S. law enforcement agencies by Anonymous provides a perfect example of the type of information that could put a breach victim's life at risk.

The group nabbed and made public the personal information of hundreds of law enforcement officers via BitTorrent, as well as the names and information of police informants for many of the departments hit in the attack.

"It's certainly some pretty heavy-duty data that they got access to this time, very different from the typical user names and passwords that they publish," says Josh Shaul, CTO of database security firm Application Security. "We don't know exactly what happened, but we know their MO. When it's Anonymous and Lulzsec, it's almost always simple injection to get to the inside and extract some data. A lot of those files were not stored in databases, but they very likely used SQL injection to get to a database and then used database vulnerabilities to get to the sensitive files that they then extracted in the end. I think they got to really sensitive data because that data was completely accessible."

As Shaul and several security experts acknowledged, information like the data dumped on BitTorrent by Anonymous could put people's lives in danger. Police informants depend on their anonymity to provide confidential information to law enforcement officers, and they count on the agencies they work with to keep a tight lid on their personal details and connections to law enforcement.

"Just knowing the name of a person within a secret organization or relationship can be life-threatening for them," says Mel Shakir, CTO of NitroSecurity. "As organizations start looking at these incidents, they'll start to understand the implications of even employee information being stolen."

This latest Anonymous raid of public safety agencies was reportedly a retributive attack against the entire field of law enforcement for the arrest of "Topiary," the Lulzsec spokesman picked up by Scotland Yard in late July. But this isn't the first time Anonymous has put law enforcement lives at risk -- in June it released information about law enforcement officers from the Arizona Department of Public Safety.

"The rest of the country doesn't realize how dangerous it is here in Arizona," says Adrian Lane, security analyst for Securosis. "It's a border area, and we have groups of 'coyotes' that bring illegals over the border; it's a professional enterprise run by Mexican mafia. The border agents fear for their lives because those coyotes will come after them and will kill them. These are also the officers who are going to raid the houses of drug dealers. That's a potentially life-threatening issue."

Even law enforcement agencies themselves have been culpable of exposing people whose police involvement could put them at risk.

Last year an informant for the Sheriff's Office of Mesa County, Colorado, saw theirs name popping up on a Google search. The search engine's crawler had found an unsecure FTP site on a server owned by the county that contained names, contact information, and Social Security numbers of drug informants to the agency. Somehow an IT staffer mistakenly put that data onto the FTP site from a very sensitive database file.

Incidents like this and the Anonymous attacks show that public safety organizations need to spend as much attention to cybersecurity as they do to physical security; at this point, too much information is accessible over networks to ignore the risk.

"People going after information that is going to be life-threatening for others has some major legal ramifications and is going to hurt people's lives," Shakir says. "Organizations have to take more precautions, the same way that they put up secure buildings with cameras and guards. We are in the cyberworld and, with most of our lives being online, we have to make that investment. We cannot be lax anymore."

Sadly, though, this message just doesn't seem to be getting through to even those organizations that hold people's lives in their hands.

"This is the prevalent state of affairs across almost the entire universe right now in information security," Shaul says. "I think if something really bad happened I wouldn't be surprised to see this go political and see Congress try to put some sort of legislation in place that makes it look like they're doing something."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.