May 28 2009 11:00AM GMT
Posted by: mrdenny
Encryption,
Security,
Database,
Database security,
Hashing,
SecurityFightClub
The biggest difference between encrypted data and hashed data is that encrypted data can be decrypted later. Hash algorithms such as MD5 are one-way hashing algorithms, which means that the value they return can’t be reversed back to the original value.
It is important to know the difference between the two when designing your database encryption schema. If you never need to retrieve the original value, store only its hash. That way the actual data isn’t in the database for anyone to steal.
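As an added T-SQL example (not code from the original post), the following shows the two approaches side by side: a password that only ever needs to be compared is stored as a one-way hash, while a value that must be read back later is stored encrypted so it can be decrypted. The table, column names and passphrase are assumptions for illustration, and the hash uses SHA2_256 rather than MD5.

```sql
-- Added example (not from the original post). Table, column names and
-- passphrase are assumptions for illustration.
DECLARE @Passphrase NVARCHAR(128) = N'example-passphrase-kept-outside-the-database';

CREATE TABLE #Customers (
    CustomerId     INT IDENTITY(1,1) PRIMARY KEY,
    PasswordHash   VARBINARY(32)  NOT NULL,  -- SHA2_256 digest; the password itself is never stored
    CardNumberEnc  VARBINARY(256) NOT NULL   -- ciphertext; recoverable only with the passphrase
);

-- Insert: hash the value we only need to compare, encrypt the value we must read back.
INSERT INTO #Customers (PasswordHash, CardNumberEnc)
VALUES (
    HASHBYTES('SHA2_256', N'correct horse battery staple'),
    ENCRYPTBYPASSPHRASE(@Passphrase, N'4111111111111111')
);

-- Login check: hash the supplied password and compare digests.
-- Nothing here can turn the stored digest back into the password.
SELECT CustomerId
FROM   #Customers
WHERE  PasswordHash = HASHBYTES('SHA2_256', N'correct horse battery staple');

-- Retrieval: the encrypted column can be decrypted to the original value.
SELECT CustomerId,
       CONVERT(NVARCHAR(32), DECRYPTBYPASSPHRASE(@Passphrase, CardNumberEnc)) AS CardNumber
FROM   #Customers;

-- With the wrong passphrase DECRYPTBYPASSPHRASE returns NULL rather than garbage.
SELECT CustomerId,
       DECRYPTBYPASSPHRASE(N'wrong-passphrase', CardNumberEnc) AS ShouldBeNull
FROM   #Customers;

DROP TABLE #Customers;
```

The point to take from the example is that the hashed column is useful only for equality checks, while anyone who obtains both the encrypted column and the passphrase gets the original data back, so the passphrase (or key) has to live somewhere other than the database it protects.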
Denny
Jan 4 2009 9:15PM GMT
Posted by: mrdenny
Denis Gobo,
Database security,
JournalSpace.com
The owner of JournalSpace.com has posted an update to the site (screen shot for posterity) giving more information about what happened.
Apparently the IT guy who liked to tell people how smart he was decided to rely on RAID as a backup for the database, but had automated backups of the web servers. He was apparently caught stealing from the company and wiped out the SQL database on his way out the door.
Apparently my suspicions were correct and it wasn’t a system problem, but a person who deleted the data.
Andrew Hart posted a note on how some of the users are able to get their data back using the Google cache. I tried using the Internet Wayback Machine, but apparently JournalSpace.com was set to not allow it to be archived.
I would recommend to the owner of the site that they contact the local police department and file a report. While company employees can’t be held liable for stupidity, intentionally destroying the company’s data is something they can be held liable for.
Denis Gobo posted an update as well, as I’m sure others did as well.
Denny
UPDATE: I forgot to include that I’m following the JournalSpace.com user on twitter so that I can keep abreast of new updates.
SECOND UPDATE: My horrible spelling was pointed out to me, so I’ve corrected this. Apparently Firefox didn’t pick up the spelling problems the first time around.
Jan 2 2009 8:46PM GMT
Posted by: mrdenny
Backup & recovery,
Database security,
SQL Injection,
JournalSpace.com,
SecurityFightClub
In case you live under a rock and haven’t heard about Journalspace.com’s little mistake, they have gone out of business due to a database problem. Here’s a screenshot in case the site is down when you look at it.
In a nutshell, it appears that they were relying on a RAID1 array as the database backup. While we see this all the time in small database shops, as noted on /., this site has been up since 2002 and had an Alexa page rank of 106,881 with 14k monthly visitors (according to Quantcast). For a site so large to be making such a simple mistake is just unacceptable.
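RAID1 protects against a failed disk, not against a DROP DATABASE or a deleted data file, because the mirror faithfully copies the deletion. As an added T-SQL example (not code from the original post or from JournalSpace), this is the minimum a small shop should have in place instead: a full backup written to a share on a different host, verified after it is written, plus a query that flags any database with no recent full backup. The database name, share path and file name are assumptions for illustration.

```sql
-- Added example (not from the original post). Database name, share path and
-- file name are assumptions for illustration.

-- Full backup to storage that does not live on the database server.
-- CHECKSUM records page checksums so corruption is caught at verify time.
BACKUP DATABASE [JournalDb]
TO DISK = N'\\backup-host\sqlbackups\JournalDb_full.bak'
WITH CHECKSUM, INIT, STATS = 10;

-- Confirm the backup file is readable and its checksums are intact.
RESTORE VERIFYONLY
FROM DISK = N'\\backup-host\sqlbackups\JournalDb_full.bak'
WITH CHECKSUM;

-- Monitoring check: list databases with no full backup in the last 24 hours.
-- msdb.dbo.backupset type 'D' is a full database backup.
SELECT d.name AS DatabaseName,
       MAX(b.backup_finish_date) AS LastFullBackup
FROM   sys.databases AS d
       LEFT JOIN msdb.dbo.backupset AS b
              ON b.database_name = d.name
             AND b.type = 'D'
WHERE  d.name <> 'tempdb'
GROUP BY d.name
HAVING MAX(b.backup_finish_date) IS NULL
    OR MAX(b.backup_finish_date) < DATEADD(HOUR, -24, GETDATE());
```

The last query is the one to schedule and alert on; a backup job that silently stopped running looks exactly like no backup at all on the day the data disappears, and a copy that was never restored somewhere else has not really been tested.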
Mar 11 2008 7:41PM GMT
Posted by: mrdenny
Identity theft,
Database security
Arian Eigen Heald has posted a good blog about identity theft titled “Identity Theft: A BIG issue for IT Auditors and DBAs” over on the Sister CISA CISSP blog. It’s a good read, so I wanted to make sure to pass the information along.
Denny