Database misuse: who watches the watchers?

We do

  • alert
  • submit to reddit

Website security in corporate America

Misuse of database information by insiders happens everyday, and there's little we can do about it.

Sed quis custodiet ipsos custodies?

Two groups of people will understand the meaning of this phrase. Those classically trained with a few years of Latin at some point during their education will be one group - and then there's the paranoid. I'd venture a guess that there's quite a few paranoid security professionals reading this, since it's a trait that pays great dividends in our line of work. But if you're a paranoid linguist who's stumbled across this column, then Google made a mistake - keep searching.

Last month, I discussed privacy breaches within several major companies. We learned over the span of a few days that hundreds of thousands of consumer identities were potentially compromised when some large companies "lost" the data to both criminals and logistics. The stories were hot topics for major news outlets and bloggers, due to the companies involved and the massive number of compromised records. We're still seeing ripples from these incidents with new references and follow-up articles. Maybe all it will take is some bad press to convince these large companies that privacy is now paramount, on par with price and service - but one can only wish.

What's bothering me now? It's the security and privacy stories that don't make major headlines, and recently I stumbled across two that stuck with me. The first only came my way when the Drudge Report picked it up. A woman in Florida wrote some rather unflattering remarks about a local sheriff in the newspaper. She was then caught off guard after receiving a letter at home from the sheriff himself, using her full name. Inquiries from reporters revealed the fact that the sheriff and his staff had used Florida's driving records system to access personal information about the lady after seeing the letter in the newspaper.

The other story, one seemingly more relevant to our line of work, involved a student changing her grades. I know what you're thinking, "That's the most clichéd hack this side of Wargames, I bet he's going to launch into a diatribe on authentication measures." Wrong! What I found most intriguing about the story was that the girl used private information about two professors which she obtained from a database at her job with a local insurance company. Using that data, she reset their school passwords, logged in illegally and changed her grades. Is this what gets passed off as a hack these days?

What do these stories have in common? One strikes me as a gross violation of power and public trust. Even though the information the sheriff needed may be available via Google, accessing state records in order to address a critical letter is just wrong. The other is a seemingly silly "hack" where someone didn't think the plan fully through. In both cases, we have an insider using privileged access to gain personal and confidential information on "customers".

In the security world, we are constantly worried about the people getting in from the outside. The thought of hackers poking around and stealing information keeps all of us up at night. It's why we read books and articles, buy new products, and install the latest and greatest software. And every security pro worth their salt remembers to address the insider threat. But I think too often we only consider the "big" risks. The salesman duplicating a client contact list before resigning, the engineer copying a crucial algorithm before switching jobs, the customer service rep writing down credit card numbers. Or the whopper - one disgruntled IT worker sabotaging the network!

But what about the little risks? A sheriff looking up a woman's home address using a private system. A student learning her professor's SSN and DOB from the insurance company database. A tech at an ISP browsing a coworker's email. A teller browsing her neighbors' bank accounts. A sys-admin leaking a celebrity's phone cam pics. These little violations are endless in nature and add up to big issues over time.

Compounding the problem is how difficult the monitoring insider activity can be. It's all about someone roaming just a tiny bit outside the normal bounds of their job activity and access, for personal interest or gain. While the arguments can be made that the student shouldn't have access to that type of information in the database, it was realistically part of her job. And what's strange about a sheriff running a name for license plates? A competent DBA would certainly notice someone doing massive, broad database queries, but what about a few stray ones here and there? And virtually every type of entity maintains client records. My customers include accountants, lawyers, schools, retail shops, local government and health organizations, every one of which has the potential for such abuse. Very few, aside from those affected by HIPAA, even consider such threats worth addressing.

So what can we do? Every situation is different, which means there's no easy, all-encompassing answer. One of the more clever security ideas I've seen in a while comes from Lance Spitzer of Honeynet fame - the Honeytoken. Basically they're bogus entities (such as database records, files, spreadsheet entries) that trigger an alarm when accessed. This is a great idea for catching someone doing some rather broad snooping, but it still wouldn't have worked for the scenarios described above. Obviously we can increase access control and audit trails, but reviewing such data for abuse is a daunting, if not impossible task. In an ideal world, restricted information would be encrypted and available only on a need-to-know basis, but I've yet to come across an "ideal" system combining proper authentication, access and audit controls.

I fear that the security business is rapidly becoming just that - a business where mitigating threats is based on ROI, which means that defending against such attacks just isn't feasible for most organizations. And while the occasional privacy violation seems trivial, perhaps even silly to some readers, these abuses really do add up over time. What about the thousands of tiny violations that go unreported or unnoticed? As we've learned from the larger companies failures, they can be costly in terms of lawsuits and publicity when discovered.

Which brings us back to Sed quis custodiet ipsos custodies. "But who is watching the watchers?" The quote used to be a mantra for conspiracy theorists fearing a 1984 style world of government monitoring. But the watchers have turned out to be our own employees, bosses, co-workers and clients. The same people who go to work every day with growing access to internal reports, database queries, privileged communications and more. Every entity has an obligation to protect the private information they hold - either for customers or public citizens. And that means from threats big and small, external and internal.

Sed quis custodiet ipsos custodies? Tu et ego.

But who is watching the watchers? You and I.

Copyright © 2005, SecurityFocus logo

Matthew Tanase is president of Qaddisin, a services company providing nationwide security consulting.

Related stories

Privacy from the trenches
George Bush fears email privacy breach
It's official: ChoicePoint, LexisNexis rooted many times

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
prev story


Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.