<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Fight Club &#187; Data Loss</title>
	<atom:link href="http://www.securityfightclub.com/category/security/data-loss-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securityfightclub.com</link>
	<description>Brought to you by Awareness Technologies</description>
	<lastBuildDate>Sat, 05 Jun 2010 04:08:44 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>T-Mobile UK Employees have been seeing your information</title>
		<link>http://www.securityfightclub.com/t-mobile-uk-employees-have-been-seeing-your-information/</link>
		<comments>http://www.securityfightclub.com/t-mobile-uk-employees-have-been-seeing-your-information/#comments</comments>
		<pubDate>Wed, 25 Nov 2009 19:00:05 +0000</pubDate>
		<dc:creator>mrdenny</dc:creator>
				<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[Internal Threats]]></category>
		<category><![CDATA[T-Mobile]]></category>

		<guid isPermaLink="false">http://www.securityfightclub.com/?p=174</guid>
		<description><![CDATA[OK, so the title is a little more scary than needed, but it did the job, and got you to look at the article.
Employees at T-Mobile UK have been found to have been selling customer information to data brokers who work on behalf of other cellular phone companies in the UK. Obviously T-Mobile wasn&#8217;t aware that [...]]]></description>
			<content:encoded><![CDATA[<p>OK, so the title is a little more scary than needed, but it did the job, and got you to look at the article.</p>
<p>Employees at T-Mobile UK have been found to have been <a href="http://news.bbc.co.uk/2/hi/uk_news/8364421.stm" target="_blank">selling customer information</a> to data brokers who work on behalf of other cellular phone companies in the UK.<span id="more-174"></span> Obviously T-Mobile wasn&#8217;t aware that this was happening. However, they needed to put more protections in place to ensure that this didn&#8217;t happen. Hopefully other companies will learn from this data breach and ensure that their employees aren&#8217;t selling off customer data.  I can&#8217;t stress enough that this wasn&#8217;t an external break-in.  This was employees selling customer data which they got from the customer management system.</p>
<p>I also hope that the prosecution of people responsible for this data theft and sale makes the next person think twice about doing this.  As the case moves forward I&#8217;ll be sure to post updates here.</p>
<p>Denny</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/t-mobile-uk-employees-have-been-seeing-your-information/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Security by obscurity is not security at all</title>
		<link>http://www.securityfightclub.com/security-by-obscurity-is-not-security-at-all/</link>
		<comments>http://www.securityfightclub.com/security-by-obscurity-is-not-security-at-all/#comments</comments>
		<pubDate>Tue, 27 Oct 2009 21:00:40 +0000</pubDate>
		<dc:creator>mrdenny</dc:creator>
				<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Data Theft]]></category>
		<category><![CDATA[Employee Theft]]></category>

		<guid isPermaLink="false">http://www.securityfightclub.com/?p=39</guid>
<description><![CDATA[Probably about the worst security plan you can ever use is security by obscurity. In case you aren&#8217;t familiar with the term, security by obscurity is when you rely on people not knowing they have access to something to keep them from accessing it.
This is fairly common on file servers and internal applications such as CRM software.  [...]]]></description>
<content:encoded><![CDATA[<p>Probably about the worst security plan you can ever use is security by obscurity.<span id="more-39"></span> In case you aren&#8217;t familiar with the term, security by obscurity is when you rely on people not knowing they have access to something to keep them from accessing it.</p>
<p>This is fairly common on file servers and internal applications such as CRM software.  All too often the domain groups Everyone or Authenticated Users will be used to grant access to network resources that only a subset of users need access to.  Often this is done because &#8220;eventually more people will need access to the network resource, so we&#8217;ll just open it to everyone now&#8221;.  But even if others need access to the network resource later, this isn&#8217;t a very good reason for granting everyone access to the resource.</p>
<p>The group that requested the resource may assume that the resource is not open to everyone (how would they know otherwise?) and put data in that folder or application which others within the company shouldn&#8217;t have access to.  Now all of a sudden you&#8217;ve got a security breach just waiting to happen.  The employees that aren&#8217;t supposed to have access find out that they have access to it, start looking around, and there&#8217;s all this data that they shouldn&#8217;t be able to see.  It could be company financials, it could be HR data, it could be the executives&#8217; vacation photos, or the crown jewel of data: your customers&#8217; personally identifiable information.</p>
<p>Assume that it&#8217;s customer data that hasn&#8217;t been masked for one reason or another, and a less than scrupulous employee comes across the data.  Being the less than scrupulous employee that they are, they take the data and find a buyer for it, and now all of a sudden your customers all have identity theft issues.  All because someone didn&#8217;t set the rights to some network resource correctly.  Talk about something that should have been easy to avoid but is going to cause a lot of pain.</p>
<p>Considering that anywhere from <a href="http://redtape.msnbc.com/2007/10/study-id-thieve.html" target="_blank">34%</a> to <a href="http://www.continuitycentral.com/news04572.html" target="_blank">70%</a> of data theft is by employees (depending on what report you read)<a href="http://consumerist.com/313952/36-of-identity-thieves-are-women" target="_blank"> </a>, security by obscurity just seems like it isn&#8217;t the way to go.</p>
<p>Denny</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/security-by-obscurity-is-not-security-at-all/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Looks like phishers are now using the phone again</title>
		<link>http://www.securityfightclub.com/looks-like-phishers-are-now-using-the-phone-again/</link>
		<comments>http://www.securityfightclub.com/looks-like-phishers-are-now-using-the-phone-again/#comments</comments>
		<pubDate>Sat, 17 Oct 2009 02:36:56 +0000</pubDate>
		<dc:creator>mrdenny</dc:creator>
				<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[External Threats]]></category>
		<category><![CDATA[Passwords]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[Social Engenering]]></category>

		<guid isPermaLink="false">http://www.securityfightclub.com/looks-like-phishers-are-now-using-the-phone-again/</guid>
<description><![CDATA[It appears that the phishers are going back to some good old social engineering to get your info.
I just received this text message &#8220;First Heritage Bank Alert: Your CARD has been DEACTIVATED. Please contact us at 877-649-1737 to REACTIVATE.&#8221;.  Now I know this is a scam for a couple of reasons.
1. I don&#8217;t have [...]]]></description>
<content:encoded><![CDATA[<p>It appears that the phishers are going back to some good old social engineering to get your info.</p>
<p>I just received this text message &#8220;First Heritage Bank Alert: Your CARD has been DEACTIVATED. Please contact us at 877-649-1737 to REACTIVATE.&#8221;.  Now I know this is a scam for a couple of reasons.</p>
<p>1. I don&#8217;t have an account with First Heritage Bank<br />
2. A bank wouldn&#8217;t text me to have me call them.<br />
3. They&#8217;d tell me to call without providing a number, instead telling me to use the number on my card.<br />
4. They&#8217;d identify the account which has a problem.</p>
<p>If you see this don&#8217;t call them.  I&#8217;d say report it to your local law enforcement but they probably don&#8217;t really care, and probably won&#8217;t do anything about it.  Good luck if you decide to call your local law enforcement.</p>
<p>Denny</p>
<p>P.s. Sorry for any spelling issues.  This was posted from my blackberry.  I&#8217;ll spell check from home.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/looks-like-phishers-are-now-using-the-phone-again/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Keep those workstations locked</title>
		<link>http://www.securityfightclub.com/keep-those-workstations-locked/</link>
		<comments>http://www.securityfightclub.com/keep-those-workstations-locked/#comments</comments>
		<pubDate>Tue, 13 Oct 2009 18:44:45 +0000</pubDate>
		<dc:creator>mrdenny</dc:creator>
				<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[External Threats]]></category>
		<category><![CDATA[Internal Threats]]></category>
		<category><![CDATA[Networks]]></category>
		<category><![CDATA[Browser Security]]></category>
		<category><![CDATA[Domain Policies]]></category>
		<category><![CDATA[Passwords]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.securityfightclub.com/?p=113</guid>
<description><![CDATA[Everyone in IT knows that you don&#8217;t leave your workstation unlocked when you leave your desk.  It&#8217;s because your co-workers will send fart jokes to the boss from your machine as punishment.  However there are actual security reasons for not leaving your machine unlocked.
When you leave your workstation unlocked you are giving anyone that walks [...]]]></description>
<content:encoded><![CDATA[<p>Everyone in IT knows that you don&#8217;t leave your workstation unlocked when you leave your desk.  It&#8217;s because your co-workers will send fart jokes to the boss from your machine as punishment.  However there are actual security reasons for not leaving your machine unlocked.<span id="more-113"></span></p>
<p>When you leave your workstation unlocked you are giving anyone that walks by access to everything on your computer.  Your email, access to the company intranet, etc.  Anything that you have access to without entering a username and password (or that has a saved username and password) they have access to.</p>
<p>Have iTunes installed on your work computer with a credit card saved in it so you can grab the new song that just came out?  So do they.  They could download 10,000 songs on your account and you wouldn&#8217;t know it until the next time you opened iTunes or checked your credit card statement.  (I&#8217;m assuming that iTunes will save your credit card, I don&#8217;t actually use it but you get the idea.)</p>
<p>Have usernames and passwords saved in your browser so you can easily log into various websites like your bank, credit cards, forums, etc?  So does anyone who sits at your computer.</p>
<p>You are probably sitting there thinking to yourself, if some strange person was sitting at my desk, someone would notice.  They might, but probably not.  Lots of times I&#8217;ve had strange people sitting in my chair waiting for me with no one around to question them.</p>
<p>If you have an office, you aren&#8217;t exempt.  Yes I know that you lock your office door at night.  Look around your office, do you have a trash can sitting in there somewhere?  Do you use it?  Is it empty in the morning?  The magic trash can fairy doesn&#8217;t clean out your trash.  Someone who makes way too little money to clean up after the slobs in the office (sorry I&#8217;m projecting a little here, or depending on your office maybe I&#8217;m not) comes in and cleans it out and dusts your desk off.  You know how they get in, either they have a key or the guards open the doors for them.</p>
<p>I know that at one company I worked at, everyone who had an office would be gone by 7pm.  At about 9pm the security guards would come around and unlock every single office from the lowest manager to the highest C level exec.  I know this because I worked swing there as a Database Engineer for several years (pretty much every department except for Marketing was staffed 24&#215;7 365 days a year).  After the guards would open the offices the cleaning crew would come through and clean all the offices, empty the trash, etc.  Some offices had a window to the inside of the building, some didn&#8217;t.  Most had blinds that could be closed for privacy.  Lots of people had only a laptop, many were left at the office on weeknights, and many people had a desktop.  I would say that 80% of offices had a computer in them at night.</p>
<p>How hard would it be for an outside person to pay someone from the cleaning crew $5000 to get them to copy some data to a USB drive, or infect the network with a virus?  That&#8217;s probably more than most people on the cleaning crew make in a month for just a few minutes of work.  To most people, especially in this economy, this would probably be too much money to pass up.</p>
<p>If a competitor (or an employee for that matter) wanted access to data that was private, and we didn&#8217;t have a policy in place to automatically lock the computers, it would have been a piece of cake for someone to sit at a desk and download all sorts of confidential data from the person&#8217;s computer.  All without anyone knowing about it.</p>
<p>Fortunately at this company we had a policy which required the computers to lock themselves, but many smaller companies don&#8217;t enable this feature for one reason or another.</p>
<p>If your computer isn&#8217;t locked when you get to work in the morning I urge you to talk to your IT staff and have them enable auto-locking on the company computers.  It&#8217;s a slight annoyance to have to unlock your computer in the morning, but it&#8217;s much better than having someone walk in and simply take all your personal and corporate data.</p>
<p>Denny</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/keep-those-workstations-locked/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Keep your databases off the Internet</title>
		<link>http://www.securityfightclub.com/keep-your-databases-off-the-internet/</link>
		<comments>http://www.securityfightclub.com/keep-your-databases-off-the-internet/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 02:46:55 +0000</pubDate>
		<dc:creator>mrdenny</dc:creator>
				<category><![CDATA[Attack Scripts]]></category>
		<category><![CDATA[Brute Force Cracking]]></category>
		<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[Endpoints]]></category>
		<category><![CDATA[Firewalls]]></category>
		<category><![CDATA[Listeners]]></category>
		<category><![CDATA[Oracle]]></category>
		<category><![CDATA[Routers]]></category>
		<category><![CDATA[SQL Server]]></category>
		<category><![CDATA[Service Broker]]></category>
		<category><![CDATA[ACLs]]></category>
		<category><![CDATA[Endpoint]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[Internet Access]]></category>
		<category><![CDATA[Listener]]></category>
		<category><![CDATA[VPN]]></category>

		<guid isPermaLink="false">http://www.securityfightclub.com/?p=99</guid>
<description><![CDATA[There are way too many people who keep their database servers available from the public Internet.  This is just a disaster waiting to happen.
Your database holds all of your data.  If someone were to break into your database server they would have access to view, and possibly delete, all your data, forcing you to restore [...]]]></description>
<content:encoded><![CDATA[<p>There are way too many people who keep their database servers available from the public Internet.  This is just a disaster waiting to happen.<span id="more-99"></span></p>
<p>Your database holds all of your data.  If someone were to break into your database server they would have access to view, and possibly delete, all your data, forcing you to restore your data from your backup.  In a perfect world there would be no database servers directly accessible from the Internet.  There is pretty much no reason for database servers to be directly accessible from the Internet.</p>
<p>If your servers are CoLo&#8217;d then set up a VPN between your office and the CoLo, or VPN directly into the CoLo.  There are some hosting providers which prefer to set up the servers on public IPs, however most of them will, if requested, use private IPs and configure a Site to Site VPN connection for you.</p>
<p>Pretty much the only time that a database needs to be on the Internet would be if you are replicating data between servers, as this will typically require that at least one of the servers be on the public Internet.  SQL Service Broker may need to be on the public Internet as well.  However in both of these cases, you don&#8217;t need to give the server a public IP.  You can give the server a private IP, and NAT the server from the Internet to the private IP.  However make sure that only the correct port or ports are open through the firewall.</p>
<p>In Oracle this should be done by setting up a new listener.  In SQL Server this is done by setting up a new endpoint, either for general connections or, in the case of Service Broker, an endpoint which listens on a separate TCP port.  When setting up these listeners or endpoints make sure that only the accounts which need to have access to them have access.  This way the minimal attack surface is available from the Internet.  In addition you will want to set up your firewall or router ACLs to allow only the required public IP addresses to have access to the listener or endpoint.</p>
<p>With your database being publicly available, attack scripts could target it, or people could manually try and break in.  With SQL Server running in mixed mode, and with Oracle, there are accounts which can be brute forced which have well known usernames such as system and sa.  When SQL Server is running in Windows only mode breaking in is harder, but not impossible.</p>
<p>Denny</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/keep-your-databases-off-the-internet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What’s the difference between encrypted data and hashed data?</title>
		<link>http://itknowledgeexchange.techtarget.com/sql-server/whats-the-difference-between-encrypted-data-and-hashed-data/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sql-server/whats-the-difference-between-encrypted-data-and-hashed-data/#comments</comments>
		<pubDate>Tue, 15 Sep 2009 23:48:11 +0000</pubDate>
		<dc:creator>SQL Server with Mr. Denny &#62; Security » Security</dc:creator>
				<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[Data Management]]></category>
		<category><![CDATA[Databases]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Hashing]]></category>
		<category><![CDATA[Syndicated]]></category>
		<category><![CDATA[Database]]></category>
		<category><![CDATA[Database security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SQL Server with mrDenny]]></category>

		<guid isPermaLink="false">tag:itknowledgeexchange.techtarget.com://cd3f182395a3b899fc859e702e189ed0</guid>
<description><![CDATA[The biggest difference between encrypted data and hashed data is that encrypted data can be decrypted later.  Hash algorithms such as MD5 are one-way hashing algorithms, which means that the value that is returned can't be decrypted back to the original value.

It is important to know the difference between ...]]></description>
<content:encoded><![CDATA[The biggest difference between encrypted data and hashed data is that encrypted data can be decrypted later.  Hash algorithms such as MD5 are one-way hashing algorithms, which means that the value that is returned can't be decrypted back to the original value.

It is important to know the difference between ...]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/what%e2%80%99s-the-difference-between-encrypted-data-and-hashed-data/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>If I wanted to learn the law, I would have been a lawyer</title>
		<link>http://itknowledgeexchange.techtarget.com/sql-server/if-i-wanted-to-learn-the-law-i-would-have-been-a-lawyer/</link>
		<comments>http://itknowledgeexchange.techtarget.com/sql-server/if-i-wanted-to-learn-the-law-i-would-have-been-a-lawyer/#comments</comments>
		<pubDate>Tue, 01 Sep 2009 23:48:11 +0000</pubDate>
		<dc:creator>SQL Server with Mr. Denny &#62; Security » Security</dc:creator>
				<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[Data Management]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[SQL Server]]></category>
		<category><![CDATA[Syndicated]]></category>
		<category><![CDATA[Data Encryption]]></category>
		<category><![CDATA[Database Administration]]></category>
		<category><![CDATA[Lawyers]]></category>
		<category><![CDATA[SQL Server with mrDenny]]></category>
		<category><![CDATA[Transparent Data Encryption]]></category>

		<guid isPermaLink="false">tag:itknowledgeexchange.techtarget.com://202ef7dce6f236ebbeceffb191487797</guid>
<description><![CDATA[So you're probably a lot like me, you were a teen who liked to play with computers and you managed to end up in IT.  This is awesome you figured, I play with computers and someone actually pays me for this.

During the 90’s life was good, there weren’t any regulations ...]]></description>
<content:encoded><![CDATA[So you're probably a lot like me, you were a teen who liked to play with computers and you managed to end up in IT.  This is awesome you figured, I play with computers and someone actually pays me for this.

During the 90’s life was good, there weren’t any regulations ...]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/if-i-wanted-to-learn-the-law-i-would-have-been-a-lawyer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Gonzalez (TJ Max Hacker) gets 15-25 years</title>
		<link>http://www.securityfightclub.com/gonzalez-tj-max-hacker-gets-15-25-years/</link>
		<comments>http://www.securityfightclub.com/gonzalez-tj-max-hacker-gets-15-25-years/#comments</comments>
		<pubDate>Sat, 29 Aug 2009 11:18:41 +0000</pubDate>
		<dc:creator>mrdenny</dc:creator>
				<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[External Threats]]></category>
		<category><![CDATA[SQL Injection]]></category>
		<category><![CDATA[SQL Server]]></category>
		<category><![CDATA[TJ Max]]></category>

		<guid isPermaLink="false">http://www.securityfightclub.com/?p=145</guid>
<description><![CDATA[As a follow up to my post last week about the TJ Max Hacker, it appears that Albert Gonzalez has accepted a plea deal with federal prosecutors.  He has pleaded guilty to 19 counts, which will result in the combination of two of his current cases which were pending in New York and Massachusetts.  The [...]]]></description>
<content:encoded><![CDATA[<p>As a follow up to my post last week about the <a href="http://www.securityfightclub.com/more-charges-filed-against-tjmax-hackers/" target="_blank">TJ Max Hacker</a>, it appears that Albert Gonzalez has accepted a plea deal with federal prosecutors.  He has pleaded guilty to 19 counts, which will result in the combination of two of his current cases which were pending in New York and Massachusetts.  The recent charges against him in Federal court in New Jersey are not included in this plea deal.<span id="more-145"></span></p>
<p>His lawyer claimed that he is &#8220;extremely remorseful as to what has happened&#8221; in a statement to the AP on Thursday.  Personally I think that he&#8217;s remorseful that he was caught, not that he swindled and stole, but that&#8217;s just me.</p>
<p>As part of the plea deal Gonzalez must forfeit his computers, home, car and cash, in addition to the $1.1 million that federal agents found buried in his parents&#8217; back yard.  His girlfriend, her father and friends also have to turn over to authorities watches and jewelry which Gonzalez gave them as gifts.</p>
<p>Under the terms of his plea deal Gonzalez will be behind bars for 15 to 25 years (reality 7-10 years with good behavior and early release).  His computer usage will be restricted for 5 years post release (which probably means not a whole hell of a lot).  If convicted at trial Gonzalez could have been sentenced to several hundred years, effectively a life sentence.</p>
<p>May he enjoy the next 7 years of his life in club fed.</p>
<p>Denny</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/gonzalez-tj-max-hacker-gets-15-25-years/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>More charges filed against TJMax hackers</title>
		<link>http://www.securityfightclub.com/more-charges-filed-against-tjmax-hackers/</link>
		<comments>http://www.securityfightclub.com/more-charges-filed-against-tjmax-hackers/#comments</comments>
		<pubDate>Wed, 19 Aug 2009 02:27:14 +0000</pubDate>
		<dc:creator>mrdenny</dc:creator>
				<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[Databases]]></category>
		<category><![CDATA[SQL Server]]></category>
		<category><![CDATA[Servers]]></category>
		<category><![CDATA[Unauthorized Installation]]></category>
		<category><![CDATA[SQL Injection]]></category>
		<category><![CDATA[TJ Max]]></category>

		<guid isPermaLink="false">http://www.securityfightclub.com/?p=136</guid>
<description><![CDATA[It appears that yesterday more charges were filed against the TJ Max hacker Albert “Segvec” Gonzalez.  These new charges stem from electronic break-ins to the Heartland Payment Systems credit card processing center as well as Hannaford Brothers, 7-Eleven and two additional unnamed victims.
Gonzalez, who is a former US Secret Service informant, is already [...]]]></description>
<content:encoded><![CDATA[<p>It appears that yesterday more charges were filed against the TJ Max hacker <a href="http://www.wired.com/threatlevel/2009/08/tjx-hacker-charged-with-heartland/" target="_blank">Albert “Segvec” Gonzalez</a>.  These new charges stem from electronic break-ins to the Heartland Payment Systems credit card processing center as well as Hannaford Brothers, 7-Eleven and two additional unnamed victims.<span id="more-136"></span></p>
<p>Gonzalez, who is a former US Secret Service informant, is already in custody on charges related to the TJ Max break-in.  Also charged are two unnamed Russian persons who are suspected of being Gonzalez&#8217;s partners in the operation.</p>
<p>Based on information released, these attacks do not appear to be the standard &#8220;script kiddy attacks&#8221; that we as sysadmins are used to dealing with.  These attacks were well thought out and well executed, granting the attackers access to corporate and production networks for months in some cases.</p>
<p>The software, which was custom written for these attacks, was tested against a variety of anti-virus and anti-spyware software before the attack was launched.  Additionally it was written to delete all trace of itself in order to avoid detection.</p>
<p>The truly pathetic thing about this is that according to the documents, the attacks all started via SQL Injection attacks, which means that they could have been avoided if basic security protocols and procedures were being followed on the websites in question.  These basic security protocols include:</p>
<ul>
<li>No dynamic SQL either in stored procedures or from the websites directly.</li>
<li>If dynamic SQL must be used in stored procedures, use as few actual values from the website as possible.  (For example, if sorting a result set must be done through dynamic SQL, don&#8217;t pass in the column name from the website; pass in an ID which means nothing except that the stored procedure knows that 1 = Column2, 2 = Column4, etc.)</li>
<li>Clean the data before you pass it to the database.  This is where the website developers and the DBAs really need to get along.  The database can&#8217;t secure itself; the website has to check each value that is being passed in and ensure that the values won&#8217;t harm the database in any way.</li>
<li>Disable xp_cmdshell as well as anything else that you aren&#8217;t using (oh yeah and don&#8217;t use xp_cmdshell on SQL Servers that websites have access to).</li>
<li>Don&#8217;t allow the account that the website uses to do anything more than it needs.  This means not using ANY fixed server or fixed database roles.  Just the minimum rights that are possible, in a perfect world this means execute rights to stored procedures only.</li>
</ul>
<p>If these basic rules had been followed then the hackers probably wouldn&#8217;t have been able to get into the system and we wouldn&#8217;t have had these problems to begin with.</p>
<p>It also would have helped if these companies were actually following the PCI rules which they are required to follow but apparently weren&#8217;t.  If they were then this wouldn&#8217;t have been an issue either as they wouldn&#8217;t have been storing anything, and everything in flight would have been encrypted and basically worthless.</p>
<p>Denny</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/more-charges-filed-against-tjmax-hackers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Employee data theft is on the rise</title>
		<link>http://www.securityfightclub.com/employee-data-theft-is-on-the-rise/</link>
		<comments>http://www.securityfightclub.com/employee-data-theft-is-on-the-rise/#comments</comments>
		<pubDate>Tue, 04 Aug 2009 21:24:27 +0000</pubDate>
		<dc:creator>mrdenny</dc:creator>
				<category><![CDATA[Data Loss]]></category>
		<category><![CDATA[Employee]]></category>
		<category><![CDATA[Employee Theft]]></category>

		<guid isPermaLink="false">http://www.securityfightclub.com/?p=44</guid>
		<description><![CDATA[The current economic times are pretty uncertain.  However in all this uncertainty there is one thing that you can count on for sure; more employees are going to steal company data.  They aren&#8217;t going to be doing it to hurt the company specifically (at least probably not) they are doing it to make extra cash [...]]]></description>
			<content:encoded><![CDATA[<p>The current economic times are pretty uncertain.  However in all this uncertainty there is one thing that you can count on for sure; more employees are going to steal company data.  They aren&#8217;t going to be doing it to hurt the company specifically (at least probably not) they are doing it to make extra cash so they can make ends meet.<span id="more-44"></span></p>
<p>This is especially true for people who used to be making a lot more money and are now working entry level jobs outside their former field.  From their perspective they are doing what they need to do to make ends meet so that they can fulfill their commitments (mortgage, bills, etc) or at least as many commitments as they can.</p>
<p>However from the company&#8217;s point of view that customer data, or price list, or email database is priceless.  Having that data out in the open can hurt profits, and damage customer confidence in your company and your employees.  And nothing will drive customers away from you faster than having someone steal their data.</p>
<p>Unfortunately this means the companies must take drastic measures to ensure that private data stays private.  This means buying and installing security products which track emails, website usage, etc so that you are aware of every piece of information which leaves your company network.</p>
<p>Many companies (especially larger companies) already track this information.  If you have something in place already you are one step ahead.  It may be time to review your settings and tighten up the security on some parts of the Internet such as chat rooms, proxy sites, and web-mail sites.</p>
<p>If you don&#8217;t already have something which tracks this data installed at your company then I can&#8217;t suggest enough that you find one to get.  (Hint: we sell software which does this, links are on the right.)  If you are the one that suggests that you install an employee monitoring software package you aren&#8217;t going to make any friends, that&#8217;s for sure.  But if it catches someone sending data to someone they aren&#8217;t supposed to be sending data to, it will pay for itself and suddenly you&#8217;ll be the hero.</p>
<p>Now I know that software like this isn&#8217;t something that people want to talk about, but it&#8217;s in the best interest of your company to bring this up at the IT department meeting.</p>
<p>Denny</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securityfightclub.com/employee-data-theft-is-on-the-rise/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
