Attacks/Breaches
7/2/2010
09:48 AM
Connect Directly
RSS
E-Mail
50%
50%

Six Messy Database Breaches So Far In 2010

From a National Guardsman's external hard drive faux pas to a financial services firm's slack practice of password-sharing, this year has already had its share of shocking database exposures

Whether it be insecure Web applications, poor password management, or a lack of database policies and monitoring, the average database today is at risk of exposure through a host of different threat vectors that many organizations are not even aware of -- let alone are addressing. Already in 2010, the number of database breaches as a result of such mistakes is mounting.

The list of disturbing database breaches so far this year mostly could have been avoided. The affected organizations had to learn the hard way, through public embarrassment and expensive incident response procedures. But the missteps that led to them provide a cautionary tale for other organizations.

"Security needs to be addressed by appropriate policies and systems, but perhaps more importantly a cultural commitment and buy-in by employees to achieving security," Daniel Mayo and Graham Titterington, principal analysts for Ovum, wrote recently about database security.

Garnering that cultural commitment starts with awareness. Here are six of the more eye-popping database-related breaches so far this year -- and some lessons learned from each:

1. Arkansas Army National Guard

Breach Details: An Arkansas soldier caused the Arkansas Army National Guard a lot of embarrassment earlier this year when he brought home an external hard drive containing a copy of the Guard's entire personnel database with the personal information of more than 32,000 current and former Guardsmen. For about two months the Guard couldn't track the hard drive down and had to notify personnel of the loss as a result of the potential breach. The drive was eventually recovered and the information destroyed, but the entire event left the organization with egg on its face.

Lessons Learned: Strike one in this case was that the data was completely unencrypted. But strike two and three was the fact that the soldier in question was able to copy the database in the first place and take it off-site.

Database security experts repeatedly warn organizations to take measures to prevent wholesale copying of database files, whether by innocent but negligent insiders or by malicious insiders looking to steal data. Database activity monitoring tools can help monitor for and prevent such activities.

2. University of Louisville

Breach Details: A staff doctor who set up a Web application that tapped into a University of Louisville database of dialysis patients put hundreds of patient records at risk by failing to use password protection to prevent unauthorized access to the application. The records were openly available online for close to a year-and-a-half until someone outside of the organization sent an e-mail cluing the university in on the privacy breach.

Lessons Learned: Web applications are the Achilles' heel of database security, and organizations have to work hard to bring DBAs, developers, and business stakeholders together to develop Web app security policies, particularly around access management issues that can cause breaches such as this.

3. WellPoint

Breach Details: A business logic flaw in a Web application that was tied to a database of individual insurance customers of health giant WellPoint allowed unauthorized users to potentially access any of 470,000 customer records. The vulnerability was discovered by a WellPoint customer who found that a simple URL manipulation could give her access to other customers' personal data. Turns out an outsourced vendor tasked with updating the application introduced the flaw last fall.

Lessons Learned: Insecure Web app code is frequently the submerged iceberg just waiting to sink an organization's database security. Before rolling out new or updated applications to live environments, organizations should run application testing that not only scans for common code vulnerabilities, but also business logic flaws such as this one.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.