Black Hat USA 2019, Marie-Sarah Lacharite's 'Breaking Encrypted Databases: Generic Attacks On Range Queries' →
tremendous conference videos on their YouTube Channel
Latest Data Loss Outrage
Chris Morris - writing at Fortune, harsh's my mid-week mellow with a report on the latest data loss outrage. Bad news for oldster's, given that (reportedly) the database contains data on 40+ year olds and older. h/t
"Among the data included on the 24 GB database is people’s full names, full street addresses, marital status, date of birth, income bracket, home ownership status and more. (Information such as income, dwelling type and gender is coded.)..." "Ran Locar and Noam Rotem of VPNMentor discovered the database and say they believe it is the first time a breach of this size has included such detailed information." via Chris Morris, writing for Fortune, files a wel crafted report detailing this data loss
EnclaveDB, The Proposition
via Christian Priebe of Imperial College London, Manuel Costa and Kapil Vaswani both from Microsoft Research, comes a tour dé force of database security, ostensibly monikered EnclaveDB (published this past May 2018, in the Proceedings of the 39th IEEE Symposium on Security & Privacy, in co-operation with the International Association for Cryptologic Research). The interesting functionality descibed in the trio's paper - pursuant to a secure database (if there possibly could be such a thing) is not the security of data in-motion or at-rest, but the addition of encrypted in-memory data. More here...
SQL Security Chronicles →
Quite likely, the single most significant data security educational series of blog posts this year - via the Imperva Cyber Security Blog,written by Elad Erez and Luda Lazar - now in Part 3 of the series (Part 1 and Part 2 are highly recommended as well). Rather than put my spin on what Elad and Luda have presented on the Imperva blog, I'll let their brilliant speak tell the tale! Today's highly important Must Reads.
What, Me Worry? Car Data, Where Does It Go... →
Where does all of that data gathered by car manfacturers while we drive? Perhaps Jonathan M. Gitlin, reporting for everyone's beloved Ars Technica can fulfill that data request in a speedy manner! Shouldn't the driver/owner of the vehicle make that decision? Enjoy.
Macie the Discoverer →
News that Macie The Discoverer has arrived in your S3 bucket... Data Security Automation - potentially - at it's finest? You be the judge.
NKOTBlockchain →
Eh, wot? New Kids on the Blockchain? No - simply put, it's the proliferation of Blockhain technology (in this case distributed database schema) into industrial processes. via the UK's The Engineer, and writer Andrew Wade, comes the news of said blockhain spread. Today's MustRead!
Fresh, from Bucharest...
Via CIO Romania correspondent Lucian Constantin, comes bad news indeed, for MongoDB users, that is:
'Five groups of attackers are competing to delete as many publicly accessible MongoDB databases as possible' - via CIO reporter Lucian Constantin
My suggestion is to, um - perhaps...not expose your database layer to external contact... Perhaps a DENY ALL to rule for your MongoDB deployment in your firewall would be helpful as well... just saying. Oh, and very good advice from Lucian at the end of his reportage: Use the MongoDB security checklist. It is - I can assure you - prietenul tău!. I also strongly suggest taking the time to read the Security Hardening documention from MongoDB; you can also download an EPUB version of the MongoDB manual. You'll be glad you did. That is all.
Bad DB →
DarkMatters takes us down the slippery-slope of poorly configured Databases, and Database Management Systems. Threats abound, yet little is accomplished to remdiate (until after data loss). Today's Must Read.
'As of this writing, there are more than 27,000 instances of MongoDB and approximately 29,000 instances of Redis on the internet that do not have authorization enabled. Misconfigured databases are just as dangerous as vulnerabilities—they provide the bad guys an easy-access, exploitable front door to user data.' via DarkMatters
Iron Tiger →
You should know Graham Cluley, specifically because of his outstanding information security reporting; as evidenced, if you will, by his latest screed targeting the so-called Iron Tiger targeted attacks. Noted as today's Must Read.
The Majority Compromised →
Lucas Mearian, writing at ComputerWorld, regales us with the astounding truth: The majority of health care providers and health plans/insurers have been compromised.
All of that is compounded by the same companies transfering risk, in the vainglorius hope they are better off for it.
Litchfield Unleashes Database Security Scorecard →
via El Reg's Darren Pauli, comes good news from David Litchfield, this time, in the form of a newly authored security product targeting the in-built security issues within Oracle Corporation's (NYSE: ORCL) DBMS. Outstanding.
Litchfield's Oracle Data Redaction Is Broken →
Uber's Private DB Key On Public GitHub Page →
Meanwhile, in Blatant Stupidity news, ArsTechnica's Dan Goodin writes of the latest Uber mistep. This time, Uber decided to store an encrypted database's PRIVATE KEY (anecdotally, the DB contained sensitive data for at least fifty thousand of the company's drivers) on a GitHub public page. Apparently, there may have been a wee bit of confusion as to what a PRIVATE KEY is, in relation to a PUBLIC KEY within Uber's apaprently crack IT department... Oops.