Database Security archives - SQL Server with Mr. Denny

SQL Server with Mr. Denny:

Database security

Aug 6 2009   11:02AM GMT

What do you mean I can’t access my own database when trying to attach it?



Posted by: mrdenny
SQL Server, SecurityFightClub, Database security, Attaching Database, NTFS Permissions

When you detach a database from Microsoft SQL Server (I'm talking SQL Server 2005 and up here), SQL Server automatically changes the NTFS permissions on the data and log files so that only the Windows account that told SQL Server to detach the database has access to them.  SQL Server does this to ensure that an unauthorized person isn't able to read the data files while they sit outside the server's control.  The flip side is that a later attach can fail with operating system error 5 (access denied) until the SQL Server service account, and not just your own login, has NTFS permission on those files.
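The following T-SQL is an added example, not code from the original post. It shows the sequence a DBA would actually run: record where the files live before the detach (afterwards the database is gone from the catalog), detach, re-attach, and what to do when the attach hits the access-denied error the post describes. The database name Sales, the file paths and the service account name are made up for the example.

```sql
-- Added example (not from the original post). Names and paths are illustrative.

-- 1. Before detaching, note the physical files: you will need these paths for
--    the attach and for fixing the NTFS ACL if the attach is refused.
SELECT name, physical_name
FROM sys.master_files
WHERE database_id = DB_ID('Sales');
-- e.g. D:\SQLData\Sales.mdf and E:\SQLLogs\Sales_log.ldf

-- 2. Detach. From this point the .mdf/.ldf are ordinary files, and SQL Server
--    has rewritten their NTFS ACL so only the Windows account running this
--    statement has access to them.
EXEC sp_detach_db @dbname = N'Sales';

-- 3. Re-attach. If this fails with Msg 5120 "Unable to open the physical file"
--    and operating system error 5 (Access is denied), the SQL Server service
--    account has no NTFS rights on the files. Grant it Full Control from an
--    elevated command prompt on the server, then run the CREATE DATABASE again:
--      icacls "D:\SQLData\Sales.mdf"     /grant "DOMAIN\sqlservice":F
--      icacls "E:\SQLLogs\Sales_log.ldf" /grant "DOMAIN\sqlservice":F
CREATE DATABASE Sales
    ON (FILENAME = N'D:\SQLData\Sales.mdf'),
       (FILENAME = N'E:\SQLLogs\Sales_log.ldf')
    FOR ATTACH;

-- 4. Confirm the database is back and online.
SELECT name, state_desc
FROM sys.databases
WHERE name = N'Sales';
```

Grant the service account only what it needs on the two files rather than handing Everyone Full Control on the directory; the tightened ACL is the protection the post is describing, and the fix should restore the one missing principal, not undo it.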

May 28 2009   11:00AM GMT

What’s the difference between encrypted data and hashed data?



Posted by: mrdenny
Encryption, Security, Database, Database security, Hashing, SecurityFightClub

The biggest difference between encrypted data and hashed data is that encrypted data can be decrypted later by anyone who holds the key.  Hash algorithms such as MD5 or SHA-256 are one-way: there is no key, and the value that is returned can't be turned back into the original value.  The only route from a hash to its input is to guess candidate inputs, hash each one and compare, which is why a hash of a low-entropy value (a short password, a nine-digit number) can still be recovered by brute force.  MD5 in particular has practical collision attacks and should not be used in new designs.

It is important to know the difference between the two when designing your database encryption scheme.  If you never need the original value back, and only need to check whether a value presented later matches what was stored (a password is the classic case), then store only a salted hash rather than an encrypted copy.  This way there is no plaintext and no decryption key on the server for anyone to steal.  If you do need the value back (a card number that has to be charged again next month), you need encryption, and the security of the design then rests on where the key lives and who is allowed to open it.
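The following T-SQL is an added example, not code from the original post. It puts the two choices side by side in one table: a column we must read back (an SSN, encrypted under a symmetric key) and a column we only ever compare (a password, stored as a per-row random salt plus a SHA-256 hash). The table, certificate and key names, the master key passphrase and the sample row are made up for the example. HASHBYTES('SHA2_256') needs SQL Server 2012 or later (on 2005 and 2008, HASHBYTES only offers MD2, MD4, MD5, SHA and SHA1), and CRYPT_GEN_RANDOM needs 2008 or later.

```sql
-- Added example (not from the original post). Names, passphrase and data are made up.

CREATE TABLE dbo.Customer (
    CustomerId   INT IDENTITY(1,1) PRIMARY KEY,
    Email        NVARCHAR(256) NOT NULL,
    SsnEncrypted VARBINARY(256) NOT NULL,  -- reversible: billing needs the real SSN later
    PasswordSalt VARBINARY(16)  NOT NULL,  -- per-row random salt
    PasswordHash VARBINARY(32)  NOT NULL   -- one-way: only ever compared, never read back
);

-- Key hierarchy: database master key -> certificate -> symmetric key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Replace-With-A-Strong-Passphrase-1!';
CREATE CERTIFICATE CustomerCert WITH SUBJECT = 'Protects CustomerKey';
CREATE SYMMETRIC KEY CustomerKey
    WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerCert;
GO

-- Insert: encrypt the SSN, salt-and-hash the password. The key stays open for
-- the session until CLOSE is issued.
OPEN SYMMETRIC KEY CustomerKey DECRYPTION BY CERTIFICATE CustomerCert;

DECLARE @ssn  NVARCHAR(11)   = N'123-45-6789';                -- constructed sample data
DECLARE @pwd  NVARCHAR(64)   = N'correct horse battery staple';
DECLARE @salt VARBINARY(16)  = CRYPT_GEN_RANDOM(16);         -- fresh salt per row

INSERT INTO dbo.Customer (Email, SsnEncrypted, PasswordSalt, PasswordHash)
VALUES (N'alice@example.com',
        EncryptByKey(Key_GUID('CustomerKey'), @ssn),
        @salt,
        HASHBYTES('SHA2_256', @salt + CONVERT(VARBINARY(128), @pwd)));

-- Read back: the SSN comes out of DecryptByKey because we hold the key.
-- Nothing gets the password back out of PasswordHash.
SELECT Email,
       CONVERT(NVARCHAR(11), DecryptByKey(SsnEncrypted)) AS Ssn,
       PasswordHash
FROM dbo.Customer;

CLOSE SYMMETRIC KEY CustomerKey;
GO

-- Login check: recompute the hash with the stored salt and compare the bytes.
-- No key is needed, and a stolen copy of the table yields salts and hashes,
-- not passwords.
DECLARE @attempt NVARCHAR(64) = N'correct horse battery staple';

SELECT CASE
           WHEN PasswordHash = HASHBYTES('SHA2_256',
                                         PasswordSalt + CONVERT(VARBINARY(128), @attempt))
           THEN 'ok'
           ELSE 'bad password'
       END AS Result
FROM dbo.Customer
WHERE Email = N'alice@example.com';
```

Two caveats on the hashed column. A single SHA-256 over salt plus password is fast by design, which helps an attacker who has stolen the table; for password storage a deliberately slow function (PBKDF2, bcrypt, scrypt) computed in the application tier is the better tool, since T-SQL has no built-in key-stretching function. And the salt defeats precomputed tables, not guessing: a nine-digit SSN has only a billion possible values, so hashing it instead of encrypting it would not keep it secret.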

Denny


Jan 4 2009   9:15PM GMT

JournalSpace.com Says the site was trashed by the IT guy



Posted by: mrdenny
Denis Gobo, Database security, JournalSpace.com

The owner of JournalSpace.com has posted an update to the site (screen shot for posterity) giving more information about what happened.

Apparently the IT guy who liked to tell people how smart he was decided to rely on RAID as a backup for the database, but had automated backups of the web servers.  He was apparently caught stealing from the company and wiped out the SQL database on his way out the door.

Apparently my suspicions were correct and it wasn’t a system problem, but a person who deleted the data.

Andrew Hart posted a note on how some of the users are able to get their data back using the Google cache.  I tried using the Internet Wayback Machine but apparently JournalSpace.com was set to not allow it to be archived.

I would recommend to the owner of the site that they contact the local police department and file a report.  While company employees can't be held liable for stupidity, intentionally destroying the company is something they can be held liable for.

Denis Gobo posted an update as well, as I'm sure others did.

Denny

UPDATE: I forgot to include that I’m following the JournalSpace.com user on twitter so that I can keep abreast of new updates.

SECOND UPDATE: My horrible spelling was pointed out to me, so I’ve corrected this. Apparently Firefox didn’t pickup the spelling problems the first time around.


Jan 2 2009   8:46PM GMT

Mirroring isn’t a backup solution



Posted by: mrdenny
Backup & recovery, Database security, SQL Injection, JournalSpace.com, SecurityFightClub

In case you live under a rock and haven’t heard about Journalspace.com’s little mistake, they have gone out of business due to a database problem.  Here’s a screenshot in case the site is down when you look at it.

In a nutshell, it appears that they were relying on a RAID1 array as the database backup.  RAID1 protects you from a disk dying; it does nothing about a DELETE, a DROP or a malicious wipe, because the mirror faithfully applies the same write to both disks.  While we see this all the time in small database shops, as noted on /. (Slashdot), this site had been up since 2002 and had an Alexa rank of 106,881 with 14k monthly visitors (according to Quantcast).  For a site that large to be making such a simple mistake is just unacceptable.
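The following T-SQL is an added example, not code from the original post; it applies equally to the RAID-as-backup setup described here and in the Jan 4 follow-up above. The first query asks the server what backups it actually has: every database joined to its backup history in msdb, so a "the RAID is our backup" server shows up as a row with no backup date at all. The rest takes a full backup to a separate location and verifies the file. The database name Sales and the UNC path are made up for the example.

```sql
-- Added example (not from the original post). Database name and path are illustrative.

-- 1. What does the server think its backups are? Databases that have never
--    been backed up come out with last_full_backup = NULL.
SELECT d.name,
       d.recovery_model_desc,
       MAX(b.backup_finish_date) AS last_full_backup
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS b
       ON b.database_name = d.name
      AND b.type = 'D'                 -- D = full database backup
WHERE d.name <> N'tempdb'              -- tempdb cannot be backed up
GROUP BY d.name, d.recovery_model_desc
ORDER BY last_full_backup;             -- NULLs (never backed up) sort first

-- 2. A backup is a separate copy, on storage the same mistake cannot reach.
--    WITH CHECKSUM makes the backup self-verifying; INIT overwrites the
--    target file rather than appending a second backup set to it.
BACKUP DATABASE Sales
    TO DISK = N'\\backupserver\sql\Sales_full.bak'
    WITH CHECKSUM, INIT, STATS = 10;

-- 3. Prove the file is restorable before relying on it.
RESTORE VERIFYONLY
    FROM DISK = N'\\backupserver\sql\Sales_full.bak'
    WITH CHECKSUM;
```

The history query is the cheapest audit there is: run it on every server you inherit. A NULL next to a production database means the only copy of that data is the one an administrator with a DROP DATABASE, or a disgruntled IT guy, can erase.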


Mar 11 2008   7:41PM GMT

Identity Theft: A BIG issue for IT Auditors and DBAs



Posted by: mrdenny
Identity theft, Database security

Arian Eigen Heald has posted a good blog post about identity theft titled "Identity Theft: A BIG issue for IT Auditors and DBAs" over on the Sister CISA CISSP blog.  It's a good read, so I wanted to make sure to pass the information along.

Denny