Posts

Showing posts from May, 2011

Messaging security awareness

Our security awareness topic for June is electronic messaging - primarily email with some reference to online chat via Instant Messaging and cellphone SMS/TXT messages. A lot of social interaction today occurs by electronic means, while organizations are increasingly adopting person-to-person messaging into their business processes for contacting employees, customers, suppliers and various others. The days are long gone when email was merely a ‘nice-to-have’: email has all but replaced letters, FAXes and memos. Aside from the email junkies constantly checking their inboxes, most of us start to feel socially isolated if (when!) the messaging technologies let us down (not least me, living and working in the glorious but remote countryside of rural New Zealand). Availability is clearly an issue, but so too are integrity and confidentiality. Phishing and other social engineering scams assault us from all sides, while many a personal or corporate secret has slipped out in casua...

Amazon cloud incident a lesson in resilience and forensics

Amazon's EC2 cloud computing service suffered a serious incident on April 21st. Given that it affected several customers using its EBS (Elastic Block Store) service, Amazon could hardly deny it and has now published an interesting paper explaining what went wrong. The original trigger was a leeeetle mistake when reconfiguring network connectivity for some planned work. Primary network traffic was redirected to a network with inadequate capacity, resulting in the servers losing the vital network connections they need to remain in synch as part of a cluster. This in turn triggered the servers to try to re-synch, which exacerbated the network performance constraint until the house of cards fell. It caught my eye that Amazon's cloud-based relational database service was impacted by the incident: "In addition to the direct effect this EBS issue had on EC2 instances, it also impacted the Relational Database Service (“RDS”). RDS depends upon EBS for database and log storag...

The world didn't stop for Sony

Another news story of yet another privacy breach at Sony includes a handy timeline of their known breaches stretching back to mid-April. The latest incident involved 8,500 user accounts at a Sony music site in Greece, which means it's another database breach, which is what makes it newsworthy (along with the fact that it was Sony, of course). Sony is a huge company with information assets all over the world. Many of them are customer-facing, but many more are internal. Sony is renowned for its business model of 'creating categories', in other words it constantly innovates, creating and launching hi-tech products aimed at satisfying previously unrecognized and untapped demand, and by the time the market category is wound up to speed, it moves on. Perhaps we'll soon see the Sony Database Security Station hit the streets?

Database security survey

Despite the headline stories about database hacks and privacy exposures, a survey of database users found that respondents particularly feared insider threats. Many such attacks go unreported - in fact I strongly suspect many more go unrecognized.

Sony incident - yet more

Gene Spafford has told a congressional hearing that, months before the incident, Sony knew it was running old and unpatched software on its web servers ... implying that they were negligent in not patching or updating to address known security vulnerabilities. It's not quite so cut-n-dried in practice however, as patching/updating production services is itself a risky business (not least because the patched/updated software may have yet more security vulnerabilities). Sony evidently had other/compensating controls in place, since they at least detected the latest breach through their network security monitoring. Unfortunately, this happened too late to stop the hacker/s extracting personal information probably including credit card numbers.

LastPass database compromised

Brian Krebs' excellent blog alerted me to a probable database compromise at LastPass.com. LastPass.com ("The last password you'll have to remember!") is an online database or vault for users' passwords and other confidential user information. Naturally the user information is encrypted, using a 'master password' and a salt to generate the cryptographic key. It appears that hackers may have broken the site's security to access and steal encrypted data from the database, possibly including the salts. They are presumably hard at work brute-forcing those master passwords right now, so the race is on for users of LastPass to login and change their master passwords before the crackers access all their stored data - and then go on a rampage through users' accounts on other systems using the stored passwords. This is exactly the kind of compromise that sites such as LastPass seek to avoid at all costs. They do so through a process of examining their in...

Sony incident - more

According to the LA Times, Sony has now confirmed that 10 million credit card numbers may have been stolen in the PlayStation network hack. The credit card numbers were evidently hashed rather than encrypted, which is potentially a good thing. A strong hashing scheme works a bit like a non-return valve: credit card numbers feed in at one end, are processed through an algorithm into a hash value, and that gets stored on disk. However, there is [almost] no way to push the hash value backwards through the algorithm to regenerate the credit card number. If they had been encrypted, the crypto key would have unlocked all 10 million card numbers. Hashing is normally used for passwords. Having initially created and stored a hash of someone's password, the next time they login, the password they present is hashed in the same way and the hash values are compared for a match, indicating that the original password (or, strictly speaking, a password that gave the s...

Security firm's database hacked

According to The Register: "Try this for irony: The website of web application security provider Barracuda Networks has sustained an attack that appears to have exposed sensitive data concerning the company's partners and employee login credentials, according to an anonymous post." Barracuda's own application firewall appliance was offline for maintenance at the time, and hence failed to block the SQL injection attack. "Bugger" said Barracuda's management.

Sony database security incident - a hot awareness topic

Anyone who has seen the huge furore in the press and the blogosphere over the Sony PlayStation hack will surely agree that database security is a hot topic right now, so it's timely for us to release a thoroughly updated, revised and expanded awareness module on database security. We've used the Sony incident as a topical case study to illustrate the materials. We're hoping that customers will use the materials straight away, helping their employees make the link between the news coverage, their own privacy, and the privacy of other people whose personal information they may well be handling at work.