It appears that US-based payroll services provider PayChoice has experienced the second phase of a very coordinated data attack. Last month, the company experienced a breach in which customer user names and passwords were stolen, and it appears that this information was used to trick customers into downloading malware. The download allowed criminals to add fraudulent employees and associated payrolls to the accounts of PayChoice customers. The details of the second phase of the attack are still emerging, but what happened at PayChoice shows the need to have added protection around sensitive data, even from people who are seemingly authorized to use it.
Once criminals have access to an account via an authentication method, they can manipulate the data as though they were a trusted user. Many times, the activity is not caught until well after the breach or theft has occurred because the system is operating under the assumption that it is getting orders from an authorized user. What PayChoice points to is the need to have a granular view of what is going on with data at all points and for all transactions.
With the proper controls in place, PayChoice would have been alerted to suspicious activity – in this case, apparently adding false employees to payroll accounts – and had the ability to block it.
Friday, 16 October 2009
Wednesday, 3 June 2009
Unhackable? Unsinkable! -- bold government claims
I am saddened to hear that the current crisis in the UK parliament over members' expenses has resulted in the demise of the Home Secretary. I enjoyed being interviewed last year on national radio to comment on her claims that the UK government's proposed ID card system would be "unhackable". A bold claim indeed, and I said as much at the time.
Anyone involved in IT security will recognize that there are no absolutes as strong as "unhackable" and that there are threats from more than outsiders. (Her claim was that as the ID card database would not be connected to the outside world it would be safe.)
When they pushed her off the docks in Belfast harbour they said that the Titanic was unsinkable. It is a shame the Home Secretary has found herself in need of a lifeboat.
Labels: Database attacks, government, security, Titanic
Friday, 6 March 2009
Data Capture Protection
There has been a great deal of publicity in the UK today about the authorities finally establishing the existence of a database holding information about itinerant workers in the UK building industry. This information was syndicated to potential employers for vetting of “trouble makers”. This is not a database attack. The data held about the individuals breaks data protection regulations – this sort of human resources information is highly regulated.
This is not the first time that sensitive information is assembled by a trusted third party so that other organizations can utilize it. Consider the credit industry – individual banks are unwilling to share information about their customers to competitors, but they are willing to share to a trusted third party who can combine others’ information and then provide a central credit reference check.
As I wrote above, despite the media attention, this is not a database attack. This incident was not caused by inappropriate use, release or leakage of data, but simply by the inappropriate data being collected in the first place.
Now if only we could find a Data Capture Protection system that was compliant with all possible data protection laws …
Wednesday, 17 December 2008
Hack chain, held together by database attacks, linked at each end
As the western world enters their festive season the spirit of good will and peace to all men has most computer users lowering their guard. The rush to search the internet for gifts to buy and the process of ordering online has given those not winding down for Christmas (i.e. the attackers) a bumper harvest.
Following on from my previous post we see Microsoft issuing advice on how to mitigate newly exploited vulnerabilities in their web-browser that forms one link in a chain of vulnerabilities. What is really neat is that each end of the chain of this exploit requires an attack on a database. Initially, malware is force-fed into web-sites using a SQL Injection attack to poison an external database serving the web-site. Visitors of these sites accidentally load malware into their browser as served by the site. The malware then exploits the browser to masquerade as the computer user on the user’s own corporate network. Now the attacker is pretending to be an authorized user on the corporate network. The next part of the attack uses internal credentials to connect to an internal corporate database and then exploits vulnerabilities on the database to gain complete control of it. This includes stealing data and controlling the network further.
Organisations' internal databases are not well protected, and they typically expect their perimeter firewall to keep the outsiders out. Given the chain of events that allows an external attacker to get access to internal databases whilst appearing to be an insider, the perimeter firewall is totally ineffective. A database firewall is called for here. The best form of defence is to not trust any database access – regardless of who issues it and from where. This requires building active control policies for database usage and enforcing them. At Secerno, the DataWall™ product-line achieves just this by utilising the SynoptiQ™ Engine.
Break the chain of successful attacks! Proactively control and protect all your databases – from those on the inside – and those on the outside! It is no longer possible to safely discriminate who is who.
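To make the "active control policy" idea concrete, here is an added illustration (my own sketch, not Secerno's DataWall or SynoptiQ code) of the principle behind both this post and the PayChoice post above: every statement reaching the database is reduced to a structural fingerprint with literals stripped, and only shapes previously learned for that application account are trusted. The account names, table names and log lines are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed database-firewall style policy check (illustration only).
# A statement is reduced to a structural fingerprint: string and numeric
# literals become '?', whitespace and case are normalised. Each source
# (application account) is only trusted to issue fingerprints observed
# during a learning phase; anything else is reported for blocking.

LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")

def fingerprint(sql):
    """Strip literals and normalise spacing/case so only the statement shape remains."""
    stripped = LITERAL.sub("?", sql)
    return re.sub(r"\s+", " ", stripped).strip().rstrip(";").strip().upper()

@dataclass
class Policy:
    # source account -> set of permitted statement fingerprints
    allowed: dict = field(default_factory=dict)

    def learn(self, source, sql):
        self.allowed.setdefault(source, set()).add(fingerprint(sql))

    def check(self, source, sql):
        fp = fingerprint(sql)
        verdict = "allow" if fp in self.allowed.get(source, set()) else "block"
        return verdict, fp

def enforce(policy, log_lines):
    """Run the policy over 'source|sql' log lines; return (verdict, source, fingerprint)."""
    results = []
    for line in log_lines:
        source, sql = line.split("|", 1)
        verdict, fp = policy.check(source.strip(), sql.strip())
        results.append((verdict, source.strip(), fp))
    return results

# Constructed learning set: what each account was seen doing legitimately.
LEARNED = [
    ("webapp", "SELECT name, role FROM employees WHERE id = 42"),
    ("hr_batch", "INSERT INTO payroll (employee, amount) VALUES ('Ann', 3100)"),
]

# Constructed traffic: a normal lookup, the same lookup with its WHERE clause
# altered by injection, the web account adding a payroll record (the PayChoice
# pattern: a "trusted" session doing something it never legitimately does), and
# the batch account doing the insert it is actually permitted to do.
SAMPLE_LOG = [
    "webapp|SELECT name, role FROM employees WHERE id = 9",
    "webapp|SELECT name, role FROM employees WHERE id = 9 OR 1 = 1",
    "webapp|INSERT INTO payroll (employee, amount) VALUES ('ghost', 5000)",
    "hr_batch|INSERT INTO payroll (employee, amount) VALUES ('Bob', 2900)",
]

def run_sample():
    policy = Policy()
    for source, sql in LEARNED:
        policy.learn(source, sql)
    return enforce(policy, SAMPLE_LOG)

if __name__ == "__main__":
    for verdict, source, fp in run_sample():
        print(f"{verdict:5s} {source:9s} {fp}")
```

The point of the fingerprint is that a statement's literals may vary freely while its shape, and the account issuing it, must not: a perimeter firewall sees none of this, a database-side policy sees all of it.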