Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Database Security

8/12/2011
04:36 PM
50%
50%

Can Data Breaches Kill?

When data is sensitive enough, its exposure has the potential to be fatal

Data breaches have long threatened the identities of individuals whose data was stolen by pilfering cybercriminals. But, in some cases, the breach of sensitive data can put far more than just the credit histories of victims at risk. In the right set of circumstances, a data breach can put people's lives at risk.

As far as the security community knows, there has been no documented case where breached private details have proved fatal. But the recent exposure of sensitive information held by more than 70 different U.S. law enforcement agencies by Anonymous provides a perfect example of the type of information that could put a breach victim's life at risk.

The group nabbed and made public the personal information of hundreds of law enforcement officers via BitTorrent, as well as the names and information of police informants for many of the departments hit in the attack.

"It's certainly some pretty heavy-duty data that they got access to this time, very different from the typical user names and passwords that they publish," says Josh Shaul, CTO of database security firm Application Security. "We don't know exactly what happened, but we know their MO. When it's Anonymous and Lulzsec, it's almost always simple injection to get to the inside and extract some data. A lot of those files were not stored in databases, but they very likely used SQL injection to get to a database and then used database vulnerabilities to get to the sensitive files that they then extracted in the end. I think they got to really sensitive data because that data was completely accessible."

As Shaul and several security experts acknowledged, information like the data dumped on BitTorrent by Anonymous could put people's lives in danger. Police informants depend on their anonymity to provide confidential information to law enforcement officers, and they count on the agencies they work with to keep a tight lid on their personal details and connections to law enforcement.

"Just knowing the name of a person within a secret organization or relationship can be life-threatening for them," says Mel Shakir, CTO of NitroSecurity. "As organizations start looking at these incidents, they'll start to understand the implications of even employee information being stolen."

This latest Anonymous raid of public safety agencies was reportedly a retributive attack against the entire field of law enforcement for the arrest of "Topiary," the Lulzsec spokesman picked up by Scotland Yard in late July. But this isn't the first time Anonymous has put law enforcement lives at risk -- in June it released information about law enforcement officers from the Arizona Department of Public Safety.

"The rest of the country doesn't realize how dangerous it is here in Arizona," says Adrian Lane, security analyst for Securosis. "It's a border area, and we have groups of 'coyotes' that bring illegals over the border; it's a professional enterprise run by Mexican mafia. The border agents fear for their lives because those coyotes will come after them and will kill them. These are also the officers who are going to raid the houses of drug dealers. That's a potentially life-threatening issue."

Even law enforcement agencies themselves have been culpable of exposing people whose police involvement could put them at risk.

Last year an informant for the Sheriff's Office of Mesa County, Colorado, saw theirs name popping up on a Google search. The search engine's crawler had found an unsecure FTP site on a server owned by the county that contained names, contact information, and Social Security numbers of drug informants to the agency. Somehow an IT staffer mistakenly put that data onto the FTP site from a very sensitive database file.

Incidents like this and the Anonymous attacks show that public safety organizations need to spend as much attention to cybersecurity as they do to physical security; at this point, too much information is accessible over networks to ignore the risk.

"People going after information that is going to be life-threatening for others has some major legal ramifications and is going to hurt people's lives," Shakir says. "Organizations have to take more precautions, the same way that they put up secure buildings with cameras and guards. We are in the cyberworld and, with most of our lives being online, we have to make that investment. We cannot be lax anymore."

Sadly, though, this message just doesn't seem to be getting through to even those organizations that hold people's lives in their hands.

"This is the prevalent state of affairs across almost the entire universe right now in information security," Shaul says. "I think if something really bad happened I wouldn't be surprised to see this go political and see Congress try to put some sort of legislation in place that makes it look like they're doing something."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26246
PUBLISHED: 2020-12-03
Pimcore is an open source digital experience platform. In Pimcore before version 6.8.5 it is possible to modify & create website settings without having the appropriate permissions.
CVE-2020-29279
PUBLISHED: 2020-12-02
PHP remote file inclusion in the assign_resume_tpl method in Application/Common/Controller/BaseController.class.php in 74CMS before 6.0.48 allows remote code execution.
CVE-2020-29280
PUBLISHED: 2020-12-02
The Victor CMS v1.0 application is vulnerable to SQL injection via the 'search' parameter on the search.php page.
CVE-2020-29282
PUBLISHED: 2020-12-02
SQL injection vulnerability in BloodX 1.0 allows attackers to bypass authentication.
CVE-2020-29283
PUBLISHED: 2020-12-02
An SQL injection vulnerability was discovered in Online Doctor Appointment Booking System PHP and Mysql via the q parameter to getuser.php.