Ubiquity and pervasiveness of SQL DBs

In my second essay looking at increase breaches of personal information through malware and some questionable security practices, I will now take a look at the harbinger of the modern Doomsday Book, the pervasiveness of SQL databases.

There is much about data loss and compromise in the news today, almost on a weekly basis it seems. There was a recent data breach with Orange France in May, who lost the personal information of approximately 1.3 million customers. When questioned, Orange France was unable to confirm whether the data they held was encrypted; this is very serious. It is not like asking someone how long would it take to fly a rocket to the moon, making a best guess. Data either is or is not encrypted when stored within ubiquitous database systems. Orange should have encrypted this data. Not being able to provide an adequate answer, demonstrates to customers that their personal information is not safe with this company. Being able to trust in the security of computing systems is paramount in this information age. It is crucial that companies and governments provide evidence that proves our data is kept safe, unfortunately all too often the contrary is occurring.

Rik Ferguson vice president of security research at Trend Micro recently told the Guardian:

“effective security is no longer about designing architecture with the aim of keeping the attacker out permanently, that’s a pipe dream. If they want to get in, they will get in.”

Is this a lack of imagination in protecting personal data or a consequence of how data is stored in the early 21st Century? If we take Mr Ferguson’s advice, then we should stop using computer systems for all personal information. However there are ways of designing computing architecture to reduce the surface area of an attack.

Many online services are far from safe and some are known for not using encryption on personal information stored; remember the Sony hack of 2011. Worse still, many companies not only use web services with associated SQL servers containing personal information connected to the Internet, but also whole networks. This enables their employees to email, process data and surf the web, while also having access to your personal data. As a consequence, crackers and other malfeasants can also gain access.

There are many ways to ensure personal data is kept secure, and having publicly accessible or facing networks with personal sensitive data is not one of them. I can recall making databases in Informix SQL back in the early to mid 1990s. When designing table and data structures, it was good practice to separate out personal records into various different tables. Written SQL queries would anonymised personal records and SQL databases were not held on publicly accessible networks. The resulting anonymised data would be copied to floppy-disk and a website would be hand coded including the anonymised data, for use only on a local LAN network.

Computer systems are far more sophisticated today and databases have so much more processing and analysis capability on aggregated information. Here lies one of the 21st Century’s major issues with personal data security. The ease of access and power to transform information, is not too dissimilar in what followed the Norman invasion of Anglo-Saxon Britain with the introduction of the Doomsday Book.

While the power of SQL databases have increased many fold since the mid 1990s, creating safe data structures and implementing good data practices should not diminish or worse still, be ignored completely. Personal sensitive data should have no form of public access, without exception. While such services like on-line banking make our lives easier, it also makes it easier for such information to be accessed, stolen and exploited by criminals and unscrupulous (malfeasant) elements within government and the security services, as exemplified in recent UK court cases and Edward Snowdon’s files through the Guardian.

Also poorly coded ‘bug ridden’ software enables potential attacks on organisations and individuals who use said software. For example, with the Heartbleed flaw enabling potential exploitation of login accounts and other personal data transmitted via openSSL (with a particular release version), or the recently discovered software bugs within energy company’s power and sub stations that are being Internet connected.

Do we need to take drastic measures such as reverting to a stone-age culture to protect our personal information, or less dramatically revert to paper based systems for personal information? Based on recent high profile data security breaches of the past 7 years, as many governments and businesses seem to take a lax approach towards securing personal information, one might justify reverting to paper based securely located and transported personal information.

Ultimately what we should be looking to achieve is having secure private ‘unplugged’ LAN networks with no personal data being stored on publicly accessible servers. It is possible to setup systems that should protect personal data, while still having the benefit of service access where limited ‘locked away’ personal data is used for transactions, such as with commerce.

Many businesses will now ask for personal information they do not need, such as date of birth (Sony, Google, et. al.) etc. The justification for this highly confidential and personal information is for legal compliance. However seldom is this information really needed, instead age confirmation methods can be used. Also a company can have a legal disclaimer with terms for using their service stating a minimum age requirement. And if a customer of a service joins providing false information on age, for example a 15 year old joins where the age is restricted to 18 years, then liability resides not with the business but with the customer or their legal guardian; web filters can be put in place to restrict and prevent access.

Using complicated data protection systems does not guarantee 100% security. However the surface area for attack by malware should be drastically reduced, save for bugs like Heartbleed. If personal data security is to be taken seriously, more robust security measures are required, otherwise organisations risk loosing customers and WWW commerce growth will be in jeopardy, caused through a loss of confidence, followed by a new dot-com bust.

It maybe convenient to order an item online, to use eBay to purchase a pair of shoes, and PayPal to pay for them, or to access banking information at the touch of an app. However if your name, postal address, date of birth, credit card information, banking information, telephone numbers, and any other personal information you have supplied to use that service is stolen or ‘lost’, you are compromised. It is then easy to create a clone of your identity for fraudulent purposes and you will have to pick up the pieces and deal with the fallout that follows, not the company or government service who “lost” your data.

In my third essay in this series on malware’s far reaching consequences to personal information, I will take a look at alternative approaches with personal and business computing.