Tag Archives: SQL

Ubiquity and pervasiveness of SQL DBs

In my second essay looking at the increase in breaches of personal information through malware and questionable security practices, I will now take a look at the harbinger of the modern Domesday Book: the pervasiveness of SQL databases.

There is much about data loss and compromise in the news today, almost on a weekly basis it seems. In May there was a data breach at Orange France, which lost the personal information of approximately 1.3 million customers. When questioned, Orange France was unable to confirm whether the data it held was encrypted; this is very serious. It is not a question that calls for a best guess, like asking how long a rocket would take to reach the moon. Data stored in a database either is or is not encrypted, and the people running the system know which. Orange should have encrypted this data, and should have been able to say so; encryption at rest only counts for something if the keys are kept away from the database server an attacker has reached, so "is it encrypted?" is a question a company must be able to answer precisely. Not being able to provide an adequate answer demonstrates to customers that their personal information is not safe with this company. Being able to trust in the security of computing systems is paramount in this information age. It is crucial that companies and governments provide evidence that our data is kept safe; unfortunately, all too often the contrary is occurring.

Rik Ferguson vice president of security research at Trend Micro recently told the Guardian:

“effective security is no longer about designing architecture with the aim of keeping the attacker out permanently, that’s a pipe dream. If they want to get in, they will get in.”

Is this a lack of imagination in protecting personal data, or a consequence of how data is stored in the early 21st century? Taken literally, Mr Ferguson's advice would mean that no computer system should hold personal information at all. There are, however, ways of designing computing architecture to reduce the attack surface, and to limit what an intruder can reach once inside.

Many online services are far from safe, and some are known for not encrypting the personal information they store; remember the Sony hack of 2011. Worse still, many companies connect to the Internet not only the web services and their associated SQL servers holding personal information, but whole internal networks. This lets their employees email, process data and surf the web from machines that also have access to your personal data. As a consequence, attackers who compromise any of those machines can gain access too.



Filed under InfoTech

Personal data, bugs and security breaches

This is the first in a series of three essays looking at malware's far-reaching consequences for personal information and the questionable security practices some organisations implement.

Protecting one's personal data is becoming more difficult as security breaches at companies and governments advance at pace. There have been several recent high-profile data losses over a two-week period: eBay, the shoe retailer Office, the music service Spotify and the gaming platform Steam. What might once have been a trickle of data breaches has turned into a torrent.

With this increased threat from malware exploiting bugs in software, and some organisations implementing poor security practices, a basic understanding of how one can protect personal data from the next hack like eBay's is necessary. There are many news articles on ways to protect personal data following the attack on eBay's systems and the breach of a database containing approximately 233 million customer records.

eBay said the breach, which was detected two weeks ago, had not given the hackers access to customers’ financial information. But it did affect a database holding encrypted passwords as well as customer names, email addresses, physical addresses, phone numbers and dates of birth which were not encrypted. The site has 233 million customers worldwide, including more than 14 million active in Britain.
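The Orange and eBay cases above share one question: for each column in the customer database, is the stored value protected or not? Below is an added example, not code from the original post, that mirrors the eBay description: passwords are stored as salted PBKDF2 hashes (Python's standard library, chosen here as an assumption; the post does not say what eBay used), while name, address and date of birth are stored in plain text. It then performs the check a practitioner would do on a recovered database file: scan the raw bytes for known plaintext. The customer records, table layout and iteration count are constructed for this example.

```python
"""Added example (not from the original post).

Stores constructed customer records in a SQLite file the way the eBay
breach was described (hashed passwords, plaintext PII), then audits the
raw file on disk for each value.  A field that can be found verbatim in
the file was not encrypted, whatever the vendor's press release says.
"""
import hashlib
import hmac
import os
import sqlite3
import tempfile

PBKDF2_ROUNDS = 200_000  # assumption: iteration count picked for this example

# Constructed sample data; not real customers.
SAMPLE_CUSTOMERS = [
    {"email": "alice@example.com", "name": "Alice Example",
     "address": "1 Sample Street, Exampleton", "dob": "1980-01-01",
     "password": "Tr0ub4dor&3"},
    {"email": "bob@example.net", "name": "Bob Specimen",
     "address": "2 Mock Lane, Testville", "dob": "1975-06-30",
     "password": "Correct-Horse-Battery"},
]

PII_FIELDS = ("name", "address", "dob", "password")


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; only the hash ever reaches the database."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def build_customer_db(path: str, customers) -> None:
    """Write the records as the breached service is described as having done:
    password hashed, everything else as-is."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, name TEXT, "
                 "address TEXT, dob TEXT, password TEXT)")
    for c in customers:
        conn.execute("INSERT INTO customers VALUES (?, ?, ?, ?, ?)",
                     (c["email"], c["name"], c["address"], c["dob"],
                      hash_password(c["password"])))
    conn.commit()
    conn.close()


def leaked_in_file(path: str, value: str) -> bool:
    """The practitioner's check: is this value readable in the raw file?"""
    with open(path, "rb") as f:
        return value.encode() in f.read()


def audit(path: str, customers) -> dict:
    """Per field, True if any customer's value sits in the file in the clear."""
    report = {field: False for field in PII_FIELDS}
    for c in customers:
        for field in PII_FIELDS:
            if leaked_in_file(path, c[field]):
                report[field] = True
    return report


def run_demo() -> dict:
    """Build the database in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "customers.db")
        build_customer_db(path, SAMPLE_CUSTOMERS)
        return audit(path, SAMPLE_CUSTOMERS)


if __name__ == "__main__":
    for field, exposed in run_demo().items():
        print("%-9s %s" % (field, "EXPOSED in raw file" if exposed else "not found"))
```

The report comes back with name, address and dob exposed and password not, which is exactly the eBay situation: the hashing protects one column and nothing protects the rest. Fixing the exposed columns means encrypting them (in the application, or with the database's own at-rest encryption) with keys held somewhere the database host cannot read on its own; that part needs a cipher library and is not shown here.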

After the hack of Sony's unencrypted personal user records, in July 2011 I wrote a brief security guide on protecting your login identity. While this article requires some updating, much of its guidance remains valid and relevant, given the increasing use of SQL databases and the huge dossiers on individuals that companies and governments are amassing while their computer systems are being breached.

Before the first dot-com bubble burst (roughly 1997-2000), companies with an online presence would generally request only an email address and a password to use their service. Fast forward ten years, and online services for gaming, shopping, booking hotels, email, government services and more ask for all sorts of personally identifying information. If this trend of intrusion into personal data by companies and governments continues, it will not be long before ID photos are requested, along with personal data such as one's eye colour. With personal information stored on private networks that often have public access, and worse, on public-facing servers too, the scope and scale of malicious attacks will increase.


Filed under InfoTech