BMEWS

Another Security Breach

Posted by The Skipper    United States   on 08/23/2005 at 05:07 AM
 
  1. First of all I wholeheartedly agree with the Skipper.  I may not be an Oracle DBA but I work with them as well as Java developers and hundreds of other IT staffers.  In a large company with a huge IT staff and many recent acquisitions and mergers we find ourselves lost in an enormous maze of systems. Thanks to Sarbanes-Oxley I have more than 30 passwords to maintain and the security department keeps tightening the rules.  Must be more than 8 characters, must contain a capital and lowercase character as well as a number.  Some require a symbol as well.  They all expire every 60 days.  You must not use a password that is within the last 15 passwords previously used.  Part of the reason for the numerous passwords that I must maintain is the policy to have admin accounts and regular accounts, so I would really only have approximately 15 accounts if I didn’t need to have every one of them duplicated for administrative purposes.  Accounts are regularly audited and if the password is too weak, you are notified and forced to change your password.  i.e. the auditors literally attempt to hack passwords (automated process) and anything too easy to break is forced to change.  This also provides them a list of forbidden passwords which get added to the system so if you try to use one of these words while entering a new password it’s rejected.  There is a move to a single sign-on process designed to eliminate or reduce the need for multiple accounts.  This won’t work for everything but if they can get the average person down to only a few passwords, they will be less likely to write them down and tape them to their monitors!

    Most of the employees bitch about the rules and the number of passwords, but I just tell them ‘You think you’ve got it bad?  I’ve got triple the passwords you do!’.  I end up writing them down electronically and encrypting the list with a strong encryption scheme.  But no one’s given the users such a tool, so they use all sorts of their own techniques.  They write down passwords and leave them lying around.  Security walks around at night and removes these lists when they find them out in the open.  They check for post-it notes and look under keyboards.

    This is an ongoing issue across all IT departments.  Yes, we all need security but we also need it to be easier to use.  Perhaps a passphrase public/private key encryption system (storing the keys on a secure smart card) using single sign-on techniques along with encrypted network transmission (not sending passwords in clear text within TCP/IP packets!).  The creation of the passphrase will provide feedback on the quality of the passphrase while the user enters it, thus helping them create one that won’t be rejected.  Of course, some ID10T will store the passphrase on a post-it stuck to their monitor and the smart card under their keyboard!

    We have been trying to educate the users on basic security and require they take an online security training class that teaches about basic physical security of your person as well as your desk, etc.  We tell them not to write down passwords but then we give them too many passwords to remember which expire too often.  Users get lazy trying to come up with good passwords.

    Access to production data is removed from IT staff responsible for those systems.  If they need to troubleshoot a problem they get a temporary id set to expire in say 8 hours that will provide access to customer production data.  These accounts are heavily logged and audited.  The IT staffer’s manager must call the operations center 24/7 and request one of these IDs.  All access to production data is heavily logged and those employees with access to production data are watched more closely than a casino dealer.  Even reads are logged.  So if an employee, say, looks up an account they have no need to look up, it will be logged somewhere. Certain actions would be red flagged as urgent. A special investigation team would then start watching the employee over time to see if they are doing anything they shouldn’t be doing.  This prevents identity theft and other fraud from occurring.

    Yep, long gone are the old days… Security is forefront in the world of finance.  I am rather proud to work for a company that is so security conscious. Of course Sarbanes-Oxley has a lot to do with the rules being the way they are.  I am sure there are still security holes but there will always be security holes.  We can’t lock up our data and throw it to the bottom of the ocean armed with explosives now, can we?

    Posted by MJS    United States   08/23/2005  at  08:23 AM  
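The temporary-ID process described in the comment above, as an added example that is not part of the original post: an audit check over a few constructed log lines that flags reads after the 8-hour expiry, lookups of accounts outside the ticket's scope, and production access by anyone without a temporary grant. The log format, the temporary ID, ticket number and account numbers are assumptions made for illustration.

```python
"""Audit check for time-boxed production access, modelled on the process in
comment 1. Added example, not code from the original page; log format, IDs,
ticket and account numbers are constructed for illustration."""
from datetime import datetime, timedelta

# Constructed grants issued by the operations center: each temporary ID expires
# 8 hours after issue and is tied to the accounts the ticket actually concerns.
GRANT_TTL = timedelta(hours=8)
GRANTS = {
    "tmp-4711": {"issued": datetime(2005, 8, 23, 9, 0), "ticket": "INC-1234",
                 "scope": {"acct-1001", "acct-1002"}},
}

# Constructed audit log: every read and write is recorded, as the comment says.
AUDIT_LOG = """\
2005-08-23T09:15:00 tmp-4711 READ acct-1001
2005-08-23T09:20:00 tmp-4711 WRITE acct-1002
2005-08-23T10:05:00 tmp-4711 READ acct-9999
2005-08-23T18:30:00 tmp-4711 READ acct-1001
2005-08-23T11:00:00 jdoe READ acct-1001
"""

def parse_event(line):
    """One log line -> dict; format is '<iso-timestamp> <user> <action> <account>'."""
    ts, user, action, account = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "account": account}

def check_event(ev, grants, ttl=GRANT_TTL):
    """Return the flags raised by one audit event (empty list if it is clean)."""
    flags = []
    grant = grants.get(ev["user"])
    if grant is None:
        # Only temporary IDs may touch production data; anything else is
        # standing access that the process is meant to have removed.
        flags.append("no-temporary-grant")
        return flags
    if ev["ts"] > grant["issued"] + ttl:
        flags.append("expired-grant")
    if ev["account"] not in grant["scope"]:
        # Lookup of an account the ticket does not cover: the "no need to look
        # it up" case the comment singles out for red-flagging.
        flags.append("out-of-scope-lookup")
    return flags

def audit(log, grants):
    """Run every log line through check_event; return (user, account, flags)
    for each event that raised at least one flag, in log order."""
    findings = []
    for line in log.splitlines():
        ev = parse_event(line)
        flags = check_event(ev, grants)
        if flags:
            findings.append((ev["user"], ev["account"], flags))
    return findings

if __name__ == "__main__":
    for user, account, flags in audit(AUDIT_LOG, GRANTS):
        print(f"{user} {account}: {', '.join(flags)}")
```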

  2. Good one, MJS. I knew this post would smoke out the IT folks out there. We all feel your pain. As for SARBOX, it is the devil’s spawn and is only really benefiting the auditing contractors who are making a bundle off of consulting and auditing services.

    The only viable solution to our problem is .... biometrics. Either fingerprint or retinal scanning devices, which are already available and are easily integrated into network services and database services. That, combined with single-sign-on is the only way we can overcome the “end-user problem”.

    Outside hackers can be tracked down and shot. Inside employees are another matter entirely. Too bad we can’t shoot them too.

    LOL

    Posted by The Skipper    United States   08/23/2005  at  09:23 AM  

  3. I don’t have to deal with the particular problems of any kind of secure network/database so I don’t have these problems.

    However, I thought I’d alert the other readers to something that recently got my full attention: I got an email from an auction site that had seen some suspicious activities. It seems that another auction site had been using the screen names and passwords of customers to enter their accounts on other sites to access information. The email warned customers to change their passwords and never to use the same password on different sites.

    While I do use the same password for news sites and such that I frequent, I always make sure that I use different individual passwords for sites like PayPal and eBay as well as any other sites that involve personal finances or buying and selling whatever items might interest me.

    Another thing: You don’t really know if the password is stored in the clear in the site’s database or if it’s encrypted on your machine before being transmitted to the site for storage or comparison. If it’s stored unencrypted anybody with access to that DB can retrieve it and use it elsewhere. If it’s encrypted it is less likely that you may have this problem.

    Posted by StinKerr    United States   08/23/2005  at  09:28 AM  

  4. OCM - Off topic reply: Data cards have not changed much over the years.  You have ones with a barcode which is just a number that contains your account number.  Then you have cards with a magstripe which generally contain an account number and maybe some other data but there’s not a lot of storage.  There are three dimensional barcodes that can hold as much data as the Gettysburg Address.  Then you have smartcards which contain a memory chip that can contain a whole lot more data.  One could fit an entire medical history including X-rays some day.

    From what I have been reading about a possible National ID Card or improved passports as well as driver’s licenses; the data stored would be pretty much what is on the driver’s license, passport, etc.  i.e. Digital photo, scan of signature, fingerprint, data concerning expiration, account number, etc.  In the case of a passport a digital representation of all your travels.  The data on a smartcard is generally encrypted but that could be bypassed.  Frankly, if you have the equipment you could forge an electronic passport but with all the other features such as holographic pictures and watermarks it’s still a major feat to forge such.  We all know the terrorists have mastered forging passports, so it’s a serious concern.

    Obviously, I understand the technology and I know it could be abused so I come under the privacy groups’ viewpoint of paranoia.  I don’t like the idea of my personal data being stored on a digital device that can be read by retailers, customs, etc.  However, I am also a realist and am much more concerned about data mining and data warehousing practices being performed by financial and medical companies.  The Skipper surely knows how all that works!

    As an example, my father had a dog that attacked another dog when he escaped from the house (slipped past my stupid sister-in-law) and my father’s German Shepherd just about tore the throat out of the golden retriever (that dog just hates other dogs).  Long story short, my father had to pay the emergency vet bills and he made a claim against his homeowner’s insurance.  When the dog went to my brother’s care and my father switched insurance companies, they knew all about the dog incident even though they were definitely not the same company.  All sorts of information about people is out there floating around and being shared by various entities.

    Posted by MJS    United States   08/23/2005  at  11:27 AM  

  5. The question of what data is stored on an ID Card and who can access that data is the current debate.  Encryption is also under debate.  i.e. just how good the encryption needs to be and who will be able to decode it.

    Posted by MJS    United States   08/23/2005  at  12:02 PM  

  6. Build a better security scheme and some crook builds a better way around it. I recall a science fiction movie in recent years where the bad guys need to get past a retinal scan device so they grabbed one of the scientists who worked in the lab and using somewhat violent techniques, ripped out his eyeball after they killed him. Holding the eyeball (impaled on a ballpoint pen) up to the retinal scan quickly before all the blood drained out, they were able to penetrate the secret vault. I can’t recall the movie but I think AH-nuld was in it.

    Biometrics devices are constantly being upgraded to prevent this kind of thing. The newest fingerprint reading devices for security access scan the finger for a fingerprint match but they also have a temperature sensor to make sure the finger is at or near 98.6 degrees Fahrenheit. This means crooks can’t chop off your finger and use it at some future ATM. Some of the newer devices also check for pulse when they scan the finger.

    Give the crooks time though and they’ll finger out a way to beat even these devices.

    LOL

    Posted by The Skipper    United States   08/23/2005  at  01:46 PM  

  7. My condolences!  Maybe someday you will get to work with a real database and get away from the kiddie version.....

    Posted by WarWagon    United States   08/23/2005  at  02:04 PM  

  8. Three people can keep a secret, only if two of them are dead.

    Saw that on a T-shirt somewhere…

    Posted by Rat Patrol    United States   08/23/2005  at  02:13 PM  

  9. We’ve already got a Soc Sec #, OCM. I remember when I first got mine, the card had “not for identification” at the bottom. We see where that has gone.

    Posted by StinKerr    United States   08/23/2005  at  07:04 PM  

  10. The problem would be “creep”. The SS# crept from a single purpose number into an all purpose ID #. One number gives access to all sorts of info from bank accounts to school records.

    Posted by StinKerr    United States   08/23/2005  at  07:31 PM  

  11. MJS: Actually I think enforcement of strong passwords is a good thing. They need not be hard to remember. For a series of passwords for interlinked systems I have this system:

    1. choose a well-known phrase with the same number of major words (not ‘a’ or ‘the’, etc) as the number of logins;

    2. change the first consonant to upper case;

    3. transpose some of the letters to numbers or other chars (t->7, e->3, a->@, g->9, i->1, etc)

    4. Don’t write it down, just remember it (the hard part I know!).

    Of course, for step 1, you could look around the office for inspiration - the “hide in plain sight” gambit.

    I think your temporary password setup is just too cumbersome. It would be OK to arrange it if a developer had to be let in to un-corrupt some data from one of his bugs, but people like me need access rights 100% of the time.

    Skipper: you are 100% right. The important part of security is the enforcement. I also work in IT and have broken my cluebat on a few users in my time.

    Using the customer’s SS# or NI# as a primary key is actually illegal (I think), or it should be. But every year with depressing regularity some developer thinks it’s a great idea. So I have to squelch it, with lots of horrible examples. Heh. A man’s gotta have a hobby.

    Sarbanes-Oxley is having an impact over here in Europe too. But in my company it’s more about putting a watch on all money trails. It sure has exposed loads of dodgy business processes - not a bad thing in that regard. Working in production IT support, anything that illuminates the murky waters of business logic is good. Most of my time is taken up with black holes in processes, not bugs in programs.

    Posted by DWMF    Switzerland   08/24/2005  at  07:34 AM  
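The password rules MJS lists in comment 1 and the phrase scheme DWMF describes above in comment 11, worked through together in one added example that is not code from the thread: the scheme builds one password per login from a phrase, and the checker reports which of MJS's rules each one fails. The sample phrase (the opening of the Gettysburg Address, which comment 4 mentions), the substitution table beyond the pairs DWMF gives, and the history and forbidden lists are constructed for illustration.

```python
"""Added example, not code from the thread: MJS's password rules (comment 1)
as a checker, applied to passwords built with DWMF's phrase scheme (comment 11).
The sample phrase, history and forbidden list are constructed for illustration."""
import re

STOP_WORDS = {"a", "an", "the", "and", "of", "to"}      # "not 'a' or 'the', etc."
SUBSTITUTIONS = {"t": "7", "e": "3", "a": "@", "g": "9", "i": "1"}   # DWMF's step 3
CONSONANTS = set("bcdfghjklmnpqrstvwxyz")

def derive_passwords(phrase, num_logins, subs=SUBSTITUTIONS):
    """DWMF's scheme: one password per login, each built from one major word
    of the phrase (step 1), first consonant upper-cased (step 2), letters
    swapped for digits/symbols per the table (step 3)."""
    words = [w for w in re.findall(r"[a-z]+", phrase.lower()) if w not in STOP_WORDS]
    if len(words) < num_logins:
        raise ValueError("phrase has fewer major words than logins")
    passwords = []
    for word in words[:num_logins]:
        chars = list(word)
        for i, c in enumerate(chars):
            if c in CONSONANTS:
                chars[i] = c.upper()        # only the first consonant
                break
        passwords.append("".join(subs.get(c, c) for c in chars))
    return passwords

def check_policy(password, history=(), forbidden=(), require_symbol=False):
    """MJS's rules: more than 8 characters, upper and lower case, a digit,
    a symbol where the system demands one, not one of the last 15 passwords,
    and not on the list the auditors built from passwords they cracked.
    Returns the names of the rules that fail; an empty list means accepted."""
    failures = []
    if len(password) <= 8:
        failures.append("length")
    if not (re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)):
        failures.append("mixed-case")
    if not re.search(r"[0-9]", password):
        failures.append("digit")
    if require_symbol and not re.search(r"[^A-Za-z0-9]", password):
        failures.append("symbol")
    if password in list(history)[-15:]:
        failures.append("reused")
    if password.lower() in {f.lower() for f in forbidden}:
        failures.append("forbidden")
    return failures

def evaluate_scheme(phrase, num_logins, **policy_kwargs):
    """Map each password DWMF's scheme derives to the rules it fails."""
    return {pw: check_policy(pw, **policy_kwargs)
            for pw in derive_passwords(phrase, num_logins)}

if __name__ == "__main__":
    # Constructed sample: the opening of the Gettysburg Address, three logins.
    for pw, fails in evaluate_scheme("Four score and seven years ago", 3).items():
        print(pw, "accepted" if not fails else "fails: " + ", ".join(fails))
```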

  12. DWMF - Temporary Passwords to Production Data: The whole point is to restrict access to customer confidential data to only those people who absolutely need it.  The IT staff can get access to production data but only temporarily.  They do have access to both Dev and QA systems with test data.  They just can’t get to the live customer data unless they need to troubleshoot a problem.  You might not be familiar with an enterprise workflow.  There is a development system that the programmers use to actually build a system.  Then changes are pushed onto a QA system where the developers and dedicated IT plus Business QA staff can test it extensively.  Then a change control ticket is opened (used to track all production changes) and the change is pushed to production.  All the IT staff has full access to both Dev and QA systems and during the change they have access to production, but once the change is implemented and tested then their access to production is removed. 

    The idea is to prevent IT people from gaining access to customer confidential data.  Previously, it would be possible for an IT person to steal the data for nefarious purposes and because they are IT they could cover their tracks as well.  It may be OK to trust an individual in a smaller company but when you have 50k+ employees it is necessary to restrict how many hands can reach into the cookie jar.

    In a larger organization there are more people involved, it’s not just one staff member with root on a Unix box that can do anything he/she wants.  You’ve got a Unix SysAdmin who is a member of the Unix team (Solaris, AIX, Linux, etc), then you’ve got Web Engineering who manages WebLogic, Apache, etc.  After those you have the Database Administrators (MSSQL, SYBASE, UDB, ORACLE).  Then you’ve got Network Engineers, and LAN center staff and an Operations Center, and finally the Help Desk and Deskside Support Technicians. The actual programmers come after all that and they have very limited access.  They write code on the Dev box and test on the QA boxes then work with the business department responsible for the project.  When it’s ready for production, a Unix SysAdmin or a Web Engineer will be the one pushing it to production and ensuring that they have a rollback plan of action if something goes BOOM! when they roll it out.

    Obviously, this is not totally secure as nothing can be made totally secure.  But it does seem like a well fortified castle.  The keys to the inner sanctum are guarded by the high priests.  Of course, in a system this big you’ve got to have a cadre of Ninjas to try to sneak in and tell you how they did it!  That way you find loopholes in security and fix them.

    Posted by MJS    United States   08/24/2005  at  08:53 AM  

  13. DWMF:  We have tried to train users on proper password creation.  It doesn’t work… People are complete idiots and they don’t really care about the password.  Most people feel they could not be bothered to create a good password.  The number one call to the Help Desk every single month is always password resets.  Users are generally pissed off when they can’t login and their account has been expired or disabled.  The amount of lost productivity is remarkable.  I suppose a thumb print scan and a reasonable passphrase would go a long way to both securing systems and soothing the users’ lost productivity and frustration.  Running some reports from the Help Desk database showed it’s always the same fools who end up locking themselves out and need a password reset.  Most either type sloppily and too fast or they are just very forgetful.  We are talking about eight or nine hundred calls a month!  Sometimes as high as twelve hundred when a new password scheme is rolled out, etc.

    Using biometric (thumb print scan or iris scan) plus a passphrase (a sentence long password) would probably be enough.  Employees already have card access IDs and RSA SecurIDs but they leave them at home and lose them all the time too.  They won’t be losing their thumb or eyeball! (yeah, Hollywood is good about the eyeball on a pencil scheme, but that was a nuclear plant and not a regular business). If the passphrase is not changed for say six months, it would be easier for users.  Not even sure if you’d need to change the passphrase as the combo is required.  The thumb print is digitized and the passphrase is used for generating your public/private keys.  It’s like generating an enormous combination lock thousands of digits long.

    Of course most of those security auditors that break into banks and corporations for a living generally do so using a combination of human engineering and physical access to the building.  They use charm and bypass the front gate!  They waltz in like Robin Hood dressed as a monk and completely circumvent your hard built security.  Once inside the vault, it’s an easy matter to get data out of users.  Kevin Mitnick was not such a brilliant hacker, however, his charm and wit got him a lot farther than trying to break passwords.  i.e. he would pick up a phone and smooth talk a stupid employee into giving him the password!  A survey in London indicated that most people would give up their work usernames and passwords or even their ATM PIN for a chocolate bar!

    Posted by MJS    United States   08/24/2005  at  09:24 AM  

  14. OCM:  At least you have an eMac, going to get my father a Mac when his PC gets obsolete or dies.  I’ve got three of them and they are quite remarkable.  I’ve also got a couple of Sun workstations and a bunch of home built Linux boxes plus the Wife’s PC with WinXP that she rarely uses since she uses my old PowerBook Mac laptop.  I support WinBlows all day long and it’s nice to come home and not have to fix my own systems! 

    Hey, Skipper!  Oracle runs on Mac OS X!  http://www.oracle.com/technology/tech/macos/index.html
    Personally Oracle gives me the willies, I’d rather run PostgreSQL but then again, I am not pushing the limits on a relational database so it does what I need.  Oracle can do many things that PostgreSQL can’t…

    Posted by MJS    United States   08/25/2005  at  08:41 AM  

  15. Ooh!  Just got this in the ole’ inbox:
    http://www.apple.com/itpro/profiles/oracle/

    Posted by MJS    United States   08/25/2005  at  08:42 AM  

  16. The Mac ceased being a ‘toy’ when they dumped OS 9 and went with OS X whose parent was NeXTSTEP/OpenStep which is a real Unix.  OS X added Display PDF and a Mac GUI but all the APIs (Application Programming Interfaces) under the hood are NeXTSTEP libraries.  It runs a Mach Microkernel with FreeBSD command line tools.  Not only is the Mac easy for computer newbies, it’s got a Unix underbelly for those who dig a little deeper.  Many Linux developers are now running Mac laptops and the USENIX show sports over 50% of the attendees carrying a Mac laptop.  By 2007 Apple will be running on recently announced Intel dual core chips that offer tremendous power savings (less heat) and will run faster than existing Pentiums and will all be 64-bit.  Imagine a dual core laptop! That’s two actual processors in a laptop and it will run cool enough to be practical.  Intel just announced they are porting their compilers (which outperform all others) to Mac OS X.  It’s an exciting time for Apple.

    Posted by MJS    United States   08/25/2005  at  10:05 AM  

  17. MJS: Oracle scares a lot of people because of its complexity. It’s taken me nearly 20 years (since Oracle version 6) to get to the point where I can claim to be in the top tier of Oracle DBAs in the country.

    PostgreSQL is OK but for purely fun database work I recommend MySQL to individuals and small companies.

    Oracle has been available for the Mac for many years. It really shines on terabyte and petabyte storage arrays powered by Unix (Solaris, HP-UX, AIX or Linux) up front. Now you’re talking real databases. Hook ‘em up in a grid with TAF for HACMP and it is literally “unbreakable” like the ads say.

    LOL

    Posted by The Skipper    United States   08/25/2005  at  06:19 PM  

  18. Footnote: most Mac users are liberal arts people (leftists) or people interested in desktop publishing and graphics, media publishing. Mac has always won that battle hands down because of its architecture with an embedded high-power graphics processor from the get-go.

    Hopefully, with the OS/X and the Unix base, more sane people (conservatives) will take a look at Macs.

    Posted by The Skipper    United States   08/25/2005  at  06:22 PM  

  19. Have had a Mac for over 10 years with nary a problem until this past weekend when my internet service was down & a jacka** tech royally screwed up my service - took my neighbor, an internet supervisor, to fix my problem .............otherwise I am a Mac person all the way.............

    Posted by Dottie    United States   08/28/2005  at  09:26 PM  
