Attacks/Breaches
7/2/2010
09:48 AM

Six Messy Database Breaches So Far In 2010

From a National Guardsman's external hard drive faux pas to a financial services firm's slack practice of password-sharing, this year has already had its share of shocking database exposures

Whether through insecure Web applications, poor password management, or a lack of database policies and monitoring, the average database today is exposed through a host of threat vectors that many organizations are not even aware of, let alone addressing. Already in 2010, the number of database breaches resulting from such mistakes is mounting.

Most of the disturbing database breaches so far this year could have been avoided. The affected organizations learned the hard way, through public embarrassment and expensive incident response. But the missteps that led to them provide a cautionary tale for other organizations.

"Security needs to be addressed by appropriate policies and systems, but perhaps more importantly a cultural commitment and buy-in by employees to achieving security," Daniel Mayo and Graham Titterington, principal analysts for Ovum, wrote recently about database security.

Garnering that cultural commitment starts with awareness. Here are six of the more eye-popping database-related breaches so far this year -- and some lessons learned from each:

1. Arkansas Army National Guard

Breach Details: An Arkansas soldier caused the Arkansas Army National Guard a lot of embarrassment earlier this year when he brought home an external hard drive containing a copy of the Guard's entire personnel database with the personal information of more than 32,000 current and former Guardsmen. For about two months the Guard couldn't track the hard drive down and had to notify personnel of the loss as a result of the potential breach. The drive was eventually recovered and the information destroyed, but the entire event left the organization with egg on its face.

Lessons Learned: Strike one was that the data was completely unencrypted. Strikes two and three were that the soldier was able to copy the entire database in the first place and then carry it off-site.

Database security experts repeatedly warn organizations to take measures to prevent wholesale copying of database files, whether by well-meaning but negligent insiders or by malicious insiders out to steal data. Database activity monitoring tools can detect, and in some configurations block, such activity; the giveaway is usually a full-table read or a server-side export by an account that has no business doing one.
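The kind of rule a database activity monitor applies is easy to sketch. The following is an added example, not the code of any monitoring product or of the Guard's own systems: it runs a few constructed audit lines (the "<timestamp> <user> <host> rows=<n> <statement>" format, the table name, the row threshold and the allowed backup account are all assumptions made for the illustration) through three checks, a bulk read of a sensitive table, an unfiltered full-table read, and a server-side export of results, and reports who tripped them.

```python
"""Flag wholesale copying in a database audit trail (added example, not a
product's own rule set). Audit-line format, table names, threshold and the
allowed-account list are all assumptions made for this illustration."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample audit lines: "<ts> <db user> <client host> rows=<n> <statement>"
SAMPLE_AUDIT = """\
2010-03-02T08:01:12Z dba01 10.1.2.5 rows=1 SELECT name FROM personnel WHERE id=4412
2010-03-02T08:02:40Z app_svc 10.1.2.9 rows=25 SELECT * FROM personnel WHERE unit='B-Co' LIMIT 25
2010-03-02T19:44:03Z sgt_smith 10.1.7.30 rows=32610 SELECT * FROM personnel
2010-03-02T19:45:10Z sgt_smith 10.1.7.30 rows=0 SELECT * FROM personnel INTO OUTFILE '/tmp/personnel.csv'
2010-03-02T19:46:01Z sgt_smith 10.1.7.30 rows=32610 SELECT ssn, name, dob FROM personnel
2010-03-03T02:00:00Z backup_svc 10.1.2.2 rows=32610 SELECT * FROM personnel
"""

SENSITIVE_TABLES = {"personnel"}          # tables holding personal data (assumed)
BULK_ROW_THRESHOLD = 10_000               # rows returned by one statement (assumed)
ALLOWED_BULK_ACCOUNTS = {"backup_svc"}    # the nightly backup job may read whole tables

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>\S+) rows=(?P<rows>\d+) (?P<stmt>.+)$")
FROM_RE = re.compile(r"\bFROM\s+`?(?P<table>\w+)`?", re.I)
# Server-side export of a result set (MySQL INTO OUTFILE/DUMPFILE, PostgreSQL COPY ... TO)
EXPORT_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b|\bCOPY\b.*\bTO\b", re.I)
FILTER_RE = re.compile(r"\bWHERE\b|\bLIMIT\b", re.I)


@dataclass
class Alert:
    ts: str
    user: str
    reason: str
    stmt: str


def parse_line(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["rows"] = int(ev["rows"])
    return ev


def classify(ev):
    """Return the reasons (possibly none) an event looks like wholesale copying."""
    reasons = []
    stmt = ev["stmt"]
    m = FROM_RE.search(stmt)
    table = m.group("table").lower() if m else None
    if EXPORT_RE.search(stmt):
        reasons.append("server-side export of query results")
    if table in SENSITIVE_TABLES and ev["user"] not in ALLOWED_BULK_ACCOUNTS:
        if ev["rows"] >= BULK_ROW_THRESHOLD:
            reasons.append(f"bulk read of {ev['rows']} rows from {table}")
        if not FILTER_RE.search(stmt):
            reasons.append(f"unfiltered full-table read of {table}")
    return reasons


def scan(audit_text):
    """Run every line through the rules; return the alerts in log order."""
    alerts = []
    for line in audit_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for reason in classify(ev):
            alerts.append(Alert(ev["ts"], ev["user"], reason, ev["stmt"]))
    return alerts


def alerts_per_user(alerts):
    """Counter of alerts by database user, the view an analyst triages first."""
    return Counter(a.user for a in alerts)


if __name__ == "__main__":
    for a in scan(SAMPLE_AUDIT):
        print(f"{a.ts} {a.user}: {a.reason} [{a.stmt}]")
    print(alerts_per_user(scan(SAMPLE_AUDIT)))
```

On the sample, the DBA's keyed lookup and the application's paged query pass, the backup account's full read is allowed by the allowlist, and every alert lands on the one account that read the whole personnel table twice and wrote it to a file on the server. The allowlist is the part that needs care in practice: an account that is permitted bulk reads is exactly the one an insider will try to use.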

2. University of Louisville

Breach Details: A staff doctor who set up a Web application that tapped into a University of Louisville database of dialysis patients put hundreds of patient records at risk by failing to use password protection to prevent unauthorized access to the application. The records were openly available online for close to a year-and-a-half until someone outside of the organization sent an e-mail cluing the university in on the privacy breach.

Lessons Learned: Web applications are the Achilles' heel of database security, and organizations have to work hard to bring DBAs, developers, and business stakeholders together to develop Web app security policies, particularly around access management issues that can cause breaches such as this.

3. WellPoint

Breach Details: A business logic flaw in a Web application tied to a database of individual insurance customers of health giant WellPoint allowed unauthorized users to potentially access any of 470,000 customer records. The vulnerability was discovered by a WellPoint customer who found that a simple URL manipulation gave her access to other customers' personal data. It turned out that an outsourced vendor tasked with updating the application had introduced the flaw the previous fall.

Lessons Learned: Insecure Web app code is frequently the submerged iceberg waiting to sink an organization's database security. Before rolling out new or updated applications to live environments, organizations should run application testing that not only scans for common code vulnerabilities, but also probes for business logic flaws such as this one. An automated scanner cannot know that customer A must never see customer B's record; that check has to be written by someone who knows the application's rules, and it belongs in the acceptance tests for every vendor-delivered update.
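The University of Louisville and WellPoint cases are the two halves of one access-control problem: a record endpoint that requires no login at all, and one that authenticates the user but then serves whatever record identifier is in the URL. The following added example, which is not the code of either application, shows both failures in a single small WSGI handler, the hardened version that checks the session and then ties the lookup to the session's user, and the two checks a reviewer should run against any such endpoint. The customer records, session table, cookie name and URL layout are constructed for the illustration.

```python
"""Authentication plus per-record authorization for a database-backed Web
app, with the checks a reviewer would run against it (added example, not the
code of either application described above). The WSGI handlers, sample
customers and session table are constructed for this illustration."""
import re
from wsgiref.util import setup_testing_defaults

# Constructed sample data: the "database" of customer records and active sessions
CUSTOMERS = {
    "1001": {"owner": "alice", "name": "Alice Andersson", "policy": "IND-55123"},
    "1002": {"owner": "bob", "name": "Bob Brennan", "policy": "IND-55124"},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # session token -> user

RECORD_PATH = re.compile(r"^/customers/(?P<id>\d+)$")
TEXT = [("Content-Type", "text/plain")]


def current_user(environ):
    """Map the 'session' cookie to a logged-in user, or None."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None


def vulnerable_app(environ, start_response):
    """Serves whatever record id appears in the URL: no login, no ownership check.
    Anyone on the Internet can read it, and a user who is logged in can walk
    the id space one URL edit at a time."""
    m = RECORD_PATH.match(environ.get("PATH_INFO", ""))
    rec = CUSTOMERS.get(m.group("id")) if m else None
    if rec is None:
        start_response("404 Not Found", TEXT)
        return [b"no such record"]
    start_response("200 OK", TEXT)
    return [f"{rec['name']} {rec['policy']}".encode()]


def hardened_app(environ, start_response):
    """Requires a valid session, then ties the lookup to the session's user."""
    user = current_user(environ)
    if user is None:
        start_response("401 Unauthorized", TEXT)
        return [b"login required"]
    m = RECORD_PATH.match(environ.get("PATH_INFO", ""))
    rec = CUSTOMERS.get(m.group("id")) if m else None
    # One answer for "does not exist" and "not yours", so ids cannot be enumerated.
    if rec is None or rec["owner"] != user:
        start_response("404 Not Found", TEXT)
        return [b"no such record"]
    start_response("200 OK", TEXT)
    return [f"{rec['name']} {rec['policy']}".encode()]


def request(app, path, cookie=None):
    """Drive a WSGI app in-process without a network; returns (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    if cookie:
        environ["HTTP_COOKIE"] = cookie
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


def leaks_other_customer(app):
    """The business-logic test a scanner will not write for you: log in as one
    customer and ask for another customer's id. True means the app leaks."""
    status, body = request(app, "/customers/1002", cookie="session=sess-alice")
    return status.startswith("200") and "Bob" in body


def allows_anonymous(app):
    """True if a record can be read with no session at all."""
    status, _ = request(app, "/customers/1001")
    return status.startswith("200")


if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("hardened", hardened_app)):
        print(f"{name}: anonymous read={allows_anonymous(app)} "
              f"cross-customer read={leaks_other_customer(app)}")
```

The two checks at the bottom are the ones worth keeping in a regression suite: they take a minute to write, they fail loudly when a vendor's update drops the ownership comparison, and no code scanner will produce them, because nothing in the code says which customer is allowed to see record 1002.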

Page 1 of 2