Friday, August 21, 2015

Data Confidence or Breach of Security?

I'm sure most of you reading this are familiar with what happened to Ashley Madison, and some of you may have even seen the dump of information from their MySQL database. Whether it was done as an inside job or through SQL injection, it emphasized the responsibility all of us have to keep corporate and customer data encrypted at all times.
Let me show you a brief example of how MagusNet, LLC. and Torduckin keep data protected from these kinds of data extraction attacks.

In this example I took a known poem and inserted it into a test PostgreSQL database using the default schema for MagusNet, LLC.

-==========THE POEM===============-
I met a traveler from an antique land
Who said: "Two vast and trunkless legs of stone
Stand in the desert. Near them on the sand,
Half sunk, a shattered visage lies, whose frown
And wrinkled lip and sneer of cold command
Tell that its sculptor well those passions read
Which yet survive, stamped on these lifeless things,
The hand that mocked them and the heart that fed.
And on the pedestal these words appear:
My name is Ozymandias, King of Kings
Look on my works, ye mighty, and despair!
Nothing beside remains. Round the decay
Of that colossal wreck, boundless and bare,
The lone and level sands stretch far away".

-=============THE DATABASE============-

This is what a sample of the data in the database would look like.
This example uses Base64 encoding only to illustrate the column layout; Base64 is a reversible encoding, not encryption, and must not be mistaken for it.
Our production data is always stored using Triple DES

psql -d test -c "select * from  file_data LIMIT 1;"

------------+-------------------------+--------+------------------+----------------+-------------------------------------------------------------------------------+
 1440182782 | txt |      2 | Text Data | OZYMANDIUS.txt | SSBtZXQgYSB0cmF2ZWxsZXIgZnJvbSBhbiBhbnRpcXVlIGxhbmQKV2hvIHNhaWQ6ICJUd28gdmFz\+ | Content type: text/plain

The snippet above is meant to show what an attacker, inside or outside, would see if they dumped the table. Keep in mind that with Base64 that is everything: the value above decodes straight back to the poem with no key at all. A dump only becomes useless to an attacker when the column holds real ciphertext and the key is kept outside the database, so that neither a SQL injection nor a copied table gives the attacker the plaintext.
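To make the encoding-versus-encryption point concrete, here is an added example (not the page's own code, and not how MagusNet or Torduckin store data): it decodes the exact Base64 column value from the psql row above with no key, then stores the same text under AES-256-GCM with the row's id and filename bound in as associated data. AES-GCM is chosen rather than Triple DES because it authenticates the ciphertext and has a 128-bit block; Triple DES has a 64-bit block and has since been deprecated by NIST. The row id 1440182782 and the filename OZYMANDIUS.txt are taken from the row; the key handling is an assumption for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// storedValue is the column value exactly as it appears in the psql row above,
// minus psql's trailing "\+" line-wrap marker.
const storedValue = "SSBtZXQgYSB0cmF2ZWxsZXIgZnJvbSBhbiBhbnRpcXVlIGxhbmQKV2hvIHNhaWQ6ICJUd28gdmFz"

// DecodeStored recovers the plaintext from a Base64 column. No key is involved,
// which is exactly why Base64 offers no protection against a table dump.
func DecodeStored(s string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// rowAAD binds a ciphertext to the row it belongs to (assumed layout: id|filename).
// A ciphertext copied into another row then fails to decrypt instead of "working".
func rowAAD(rowID int64, filename string) []byte {
	return []byte(fmt.Sprintf("%d|%s", rowID, filename))
}

// NewKey returns a random 256-bit key. In production the key comes from a KMS
// or HSM and never sits in the same database as the rows it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag, which is what goes into the bytea column.
func Encrypt(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// Fresh random nonce per row: reusing a nonce under the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt reverses Encrypt. It fails on a wrong key, a modified ciphertext,
// or a ciphertext moved to a row whose AAD differs.
func Decrypt(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

func main() {
	// 1. The "protected" Base64 value from the page falls out with no key at all.
	plain, err := DecodeStored(storedValue)
	if err != nil {
		panic(err)
	}
	fmt.Printf("Base64 column decodes to: %q ...\n", strings.SplitN(plain, "\n", 2)[0])

	// 2. The same text under real encryption, bound to its row.
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	aad := rowAAD(1440182782, "OZYMANDIUS.txt")
	blob, err := Encrypt(key, []byte(plain), aad)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted column (Base64 for display): %s\n", base64.StdEncoding.EncodeToString(blob))

	// 3. A flipped bit in the dump is rejected rather than silently decrypted.
	blob[len(blob)-1] ^= 0x01
	_, err = Decrypt(key, blob, aad)
	fmt.Println("modified ciphertext rejected:", err)
}
```

What to store in the row is the blob plus an identifier for the key (and its version) used, never the key itself; decryption then happens in the application with a key fetched from the key store, so a dump of the table, however obtained, yields nothing readable.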

As a habit, learn from the mistakes made by your peers and use good practices.
1. Never, never, never allow direct communication to your databases.
   Follow best practices to defend against SQL injection, starting with parameterized queries rather than string-built SQL:
   https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

2. Never, never, never store information in any database in cleartext, and never keep the encryption keys in that same database!

My .02.
