A few days have passed, some information originally reported has
been demonstrated to be incomplete and additional pieces have
been added to the puzzle. We will leave our posting from 30 July
as it was written and amend and append.
One thing we have learned that we didn't know before is that
the data exfiltrated was in "the Cloud" and not in CapOne's own
data center. That explains a lot about how the
attacker, a former Amazon employee, knew what, where, and how to
accomplish the theft. It is also in line with the overwhelming
majority of successful attacks, which are perpetrated either by,
or with the assistance of, insiders. We have no doubt she
wouldn't have even attempted the attack if she didn't have
sufficient information, in advance, to be quite confident of success.
The second item explained by the data being at Amazon is what it
was doing in a MySQL database. We had assumed Oracle, because
CapOne runs a lot of Oracle databases and it would be reasonable
to think CapOne's CISO had sufficient expertise not to
move PII into Amazon's cloud, and from a database with
full-featured security to one with almost none. Clearly our expectations
were too high.
Ask Amazon how they protect their cloud and they will refuse to
provide any meaningful answers, any specifics. Is that because they believe in
security by obscurity ... or because they would be
embarrassed to put the current state of their
affairs in writing? We know the answer and expect you will not require a
PhD in quantum mechanics to come to the right conclusion on your own.
One last note before we give this story a little more time for
additional non-public information to become public so we can
comment on it. That note is with respect to the so-called "At-Rest Data Encryption"
that it appears CapOne paid for. At-Rest Data Encryption is an IQ test for
auditors, and they fail it every day. Against an attacker holding a valid
login it has not protected a single byte in the last decade.
Let's examine what it does and doesn't do.
"At rest" means the data is encrypted where it is stored: in the
datafiles and, depending on the product and how it is configured, in
redo, undo, temp, and the backups taken from them. It is not a statement
about the database being shut down; the files are encrypted whether the
instance is up or down. What it protects against is someone reading the
storage directly: a stolen disk, a copied datafile, a lost backup tape.
Anyone with a valid login credential and a grant on the table reads the
unencrypted data without needing to know the encryption algorithm or
anything about keys, seeds, padding, chaining, etc.; the database decrypts
on the way out. So if you don't know how to decrypt it ... you just need a
user-id and password, or control of the application that has one ... and
the encryption is of zero value against you (except that auditors are too
ignorant to know that, as noted above).
There are only two scenarios in which at-rest encryption
has value. Consider how likely they are:
- The attacker shows up at the data center and, with guns drawn,
breaks in, gets to the SAN, puts all of the physical storage
devices on a hand truck, and escapes out the back door before the
police arrive. Well yes, they could use a fork lift to
move the entire SAN out to the loading dock, drive it
somewhere else, and plug it in, but what are the chances of that?
(The realistic version of this scenario is a lost or copied backup, or a
cloud storage snapshot that ends up somewhere it shouldn't; that is the
one case where the encryption earns its keep.)
- The attacker is a storage or system
admin who decides to go into a SAN with hundreds to thousands
of TB of data striped and mirrored across many hundreds of
physical devices, and capture data from a 64K or 1MB stripe using
the strings command, all the while following a stripe from one
physical device to another.
You figured this one out without that PhD too, didn't you? LOL
But can you figure out why Boards and C Level execs can't?
Neither can we.
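As an added example, not part of the original post, here are the two questions a DBA should put to the "at-rest encryption" line item, answered from Oracle's own data dictionary: which storage is actually encrypted, and who reads straight through it with nothing but a login. The table HR.CUSTOMERS is an assumed PII table; substitute your own.

```sql
-- Added example, not from the original post: the two questions to ask of
-- "at-rest encryption" in Oracle's own dictionary. Run as a DBA.
-- HR.CUSTOMERS is an assumed PII table.

-- 1. Which tablespaces are encrypted on disk? A PII table sitting in a
--    tablespace that says NO here is cleartext in the datafile and in every
--    backup of it, whatever the purchase order said.
SELECT tablespace_name, encrypted
FROM   dba_tablespaces
ORDER  BY encrypted, tablespace_name;

-- 2. Column-level TDE, if any was used instead of (or as well as)
--    tablespace encryption.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
ORDER  BY owner, table_name, column_name;

-- 3. Where the PII table's segments actually live, joined to the answer
--    from step 1. Partitioned tables can straddle tablespaces, hence the
--    segment-level view rather than DBA_TABLES.
SELECT s.segment_name, s.partition_name, s.tablespace_name, t.encrypted
FROM   dba_segments    s
JOIN   dba_tablespaces t ON t.tablespace_name = s.tablespace_name
WHERE  s.owner = 'HR'
AND    s.segment_name = 'CUSTOMERS';

-- 4. The part the auditors miss. Every grantee listed here reads the
--    decrypted rows with nothing more than a valid login. TDE decrypts
--    blocks as they are read into the buffer cache, so the only thing
--    between a session and the cleartext is the privilege check on the
--    table, and a stolen credential passes that check.
SELECT grantee, privilege, 'direct object grant' AS how
FROM   dba_tab_privs
WHERE  owner = 'HR'
AND    table_name = 'CUSTOMERS'
AND    privilege IN ('SELECT', 'READ')
UNION ALL
SELECT grantee, privilege, 'system privilege'
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE')
UNION ALL
SELECT grantee, granted_role, 'role that carries SELECT ANY TABLE'
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'EXP_FULL_DATABASE', 'DATAPUMP_EXP_FULL_DATABASE')
ORDER  BY 3, 1;
```

Step 4 does not chase roles granted to roles (ROLE_ROLE_PRIVS), so treat its output as a floor, not a ceiling. The OS-level test of what the encryption does do is equally simple: run strings against a datafile from an encrypted tablespace and against one from an unencrypted tablespace holding the same kind of data; only the second will show you names and card numbers.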
the whole truth, and nothing but the truth.
If you believe this pile of rubbish you shouldn't be allowed to touch a keyboard. "Exploit a configuration vulnerability" ROFLMAO.
Yeah, sure, Capital One stored data on 106 million people inside of a configuration vulnerability.
Let's try a small dose of reality.
First the attacker gained access to the network ... how?
Which firm did CapOne hire to perform a pentest that failed to identify the vulnerability?
Then the attacker somehow stumbled on login credentials that would provide access to the correct database and schema.
Does CapOne use Multi-Factor Authentication? How was that compromised?
Then the attacker found her way through thousands of infrastructure components to the right database. How?
Then not a single control prevented the attacker from querying 100,000,000+ rows of data from the right tables and columns.
Then the attacker exfiltrated the data out of CapOne's data center.
And we are asked to believe all of this is the result of a single configuration vulnerability. Total rubbish.
Richard D. Fairbank, Capital One's founder, chairman and CEO, has a lot to answer for. But, unfortunately, newsrooms worldwide will abdicate their responsibility and "repeat" rather than "report": repeat superficial fluff from a PR desk
rather than report on how, for a very small investment, CapOne could have prevented the entire mess.
Safe computing requires diligence.
Safe computing requires well thought out processes and procedures.
Safe computing requires management invest in more than just a firewall.
Safe computing requires defense in depth.
Safe computing requires not relying on sales account execs to solve problems they don't even understand.
If you don't know that data is stored in databases, and if you don't know how to attack and compromise a database,
you haven't a prayer of preventing an attacker from succeeding.
CapOne's management failed.
CapOne's IT leadership failed.
And I'll bet there are many members of CapOne's IT technical staff who have been warning their immediate management for years.
Most likely, CapOne's Board will now fail again ... not because they are irresponsible and don't care ... but rather because they will rely on some company to sell them a magic bullet.
Unsolicited advice to CapOne ... if the company you hire can't answer the following question you deserve what you get.
Q: "List and explain all of the security flaws in the Oracle Database DEFAULT profile."
A: I count 17 separate issues.
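As an added example, not part of the original post, here is how the DEFAULT profile is inspected and overridden on Oracle 12c/19c. The account name APP_USER, the profile name and the limit values are illustrative assumptions, not a standard; take yours from your own policy.

```sql
-- Added example, not from the original post: inspecting and overriding the
-- DEFAULT profile on Oracle 12c/19c. Run as a DBA. APP_USER, the profile
-- name and the limit values are illustrative assumptions.

-- 1. What every account without an explicit profile lives under.
--    Expect UNLIMITED for most KERNEL limits, no password verify function,
--    and a 180-day password life.
SELECT resource_name, resource_type, limit
FROM   dba_profiles
WHERE  profile = 'DEFAULT'
ORDER  BY resource_type, resource_name;

-- 2. Which open accounts are on it. Anything that is not a locked Oracle
--    internal account and shows up here is a finding.
SELECT username, account_status, created
FROM   dba_users
WHERE  profile = 'DEFAULT'
AND    account_status NOT LIKE '%LOCKED%'
ORDER  BY username;

-- 3. KERNEL limits (sessions_per_user, idle_time, ...) are only enforced
--    when RESOURCE_LIMIT is TRUE. PASSWORD limits are always enforced.
SELECT name, value
FROM   v$parameter
WHERE  name = 'resource_limit';
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- 4. A profile that overrides the defaults that matter. The verify
--    function ORA12C_STRONG_VERIFY_FUNCTION ships with 12c and later.
--    Write your own (see $ORACLE_HOME/rdbms/admin/utlpwdmg.sql) for
--    other rules. idle_time and connect_time are minutes, the password
--    limits are days, and both PASSWORD_REUSE limits must be set for
--    reuse control to apply. inactive_account_time needs 12.2 or later.
CREATE PROFILE app_user_profile LIMIT
  sessions_per_user         10
  idle_time                 30
  connect_time              480
  failed_login_attempts     5
  password_lock_time        1
  password_life_time        90
  password_grace_time       3
  password_reuse_time       365
  password_reuse_max        10
  password_verify_function  ora12c_strong_verify_function
  inactive_account_time     60;

ALTER USER app_user PROFILE app_user_profile;

-- 5. Verify the account's effective limits, not the DEFAULT ones.
SELECT p.resource_name, p.limit
FROM   dba_profiles p
JOIN   dba_users    u ON u.profile = p.profile
WHERE  u.username = 'APP_USER'
AND    p.resource_type = 'PASSWORD'
ORDER  BY p.resource_name;
```

Do not simply ALTER PROFILE DEFAULT to these values: Oracle's own internal accounts sit on DEFAULT, and a short IDLE_TIME or SESSIONS_PER_USER there has a habit of surfacing as a broken scheduler job or a failed backup. Give application and human accounts their own profiles and leave DEFAULT for what Oracle created.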
Take a close look at the email I just received. It is the second one in the series. Clearly the intent is to get someone to click on the link. There are a couple of things that alerted me with the first message:
- I was not expecting a package
- The lack of a logo
- The lack of label number, phone number, and other information in the body of the email
- There was no need for an attachment
- The fact that I was present at the location and no sticker was left on the door from the attempted delivery
- American companies don't write "29th July" ... an American company would have written July 29, 2019
- The fact that the attached file is a .IMG and is 1.2MB ... no status notification requires 1.2MB of anything
The biggest single factor in my not responding to the first attempt to trick me was simply that the information required for me to contact DHL could have been included in the email text ... there was no need for an attachment.
The fact that I knew no attempt to deliver and there was no sticker on the door was confirmation.
This email repeats those same mistakes but makes an additional one that is equally egregious. As I type this entry into my blog, and post it to our website, ... 2:30pm on 29 July is 5 hours in the future.
Safe computing requires diligence. If you might have been tempted to click on the link you need to study the warning signs I listed above. A click on the link would have infected your computer.
What is it going to take for people to come to what seems like an obvious conclusion? Nothing is free. If you expect to be paid for your work, why are you so willing to accept that others write software for you for free?
To read the full article [Click Here].
Anyone familiar with DBSecWorx knows we are completely unamused by those who think security consists of an expensive firewall, an identity management system, and end-point monitoring.
For those that are open to learning from past mistakes ... here is another lesson. At your leisure look up NTLM Brute-Force (CVE-2019-1126) ... and while reviewing the lengthy explanation consider the value of securing data and databases.
In all of human history there has never been an impenetrable wall.
Oracle and Backward Compatibility
At almost every Oracle Security Master Class I teach I find multiple students wondering why Oracle doesn't "just fix" some of the more obvious security flaws and other anomalies, and I explain that Oracle puts great value in backward compatibility,
in not breaking existing customers. One example I use to illustrate that point is that DBA_TAB_PRIVS contains all object privileges ... not just those related to tables as the name implies. As to why there is a view named DBA_TAB_COLS and another named DBA_TAB_COLUMNS
... perhaps that one needs to be addressed by Mr. Ellison.
Tonight while updating the Morgan's Library website I found what must be the most poignant example possible of the value Oracle places on backward compatibility.
I couldn't make this up, so the following is copied from $ORACLE_HOME/rdbms/admin/dbmssql.sql (the DBMS_SQL package specification) in version 19c; the last three lines are the point.
-- Named Datatype CONSTANTS
Varchar2_Type constant pls_integer := 1;
Number_Type constant pls_integer := 2;
Long_Type constant pls_integer := 8;
Rowid_Type constant pls_integer := 11;
Date_Type constant pls_integer := 12;
Raw_Type constant pls_integer := 23;
Long_Raw_Type constant pls_integer := 24;
Char_Type constant pls_integer := 96;
Binary_Float_Type constant pls_integer := 100;
Binary_Double_Type constant pls_integer := 101;
MLSLabel_Type constant pls_integer := 106;
User_Defined_Type constant pls_integer := 109;
Ref_Type constant pls_integer := 111;
Clob_Type constant pls_integer := 112;
Blob_Type constant pls_integer := 113;
Bfile_Type constant pls_integer := 114;
Timestamp_Type constant pls_integer := 180;
Timestamp_With_TZ_Type constant pls_integer := 181;
Interval_Year_to_Month_Type constant pls_integer := 182;
Interval_Day_To_Second_Type constant pls_integer := 183;
Urowid_Type constant pls_integer := 208;
Timestamp_With_Local_TZ_type constant pls_integer := 231;
-- #(10144724): The typo Binary_Bouble_Type is purposefully retained for
-- backward compatibility.
Binary_Bouble_Type constant pls_integer := 101;
It can't get clearer than this. If you want backward compatibility, Oracle provides it.
If you want security, Oracle provides a database that can be made more secure than any other, but not by default, and not by the GUI installation tools (OUI, NETCA, and DBCA).
If you want to leverage all of the built-in security abilities of the product you must override the defaults yourself.
An example of one of those default configurations you will want to override to secure your database,
one that is as clear as the code above:
SQL> SELECT grantee FROM dba_tab_privs WHERE table_name = 'ALL_SOURCE';
The grantee that comes back is PUBLIC. Can anyone explain why a user with no privilege other than
CREATE SESSION needs to be able to read source code?
We can't, so we are working on a product, to be offered later this year, that will
address this and hundreds of other configuration issues.
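As an added example, not part of the original post, the query above generalized to the whole class of SYS objects every account can read the moment it has CREATE SESSION, followed by the audit-then-revoke sequence for the one named. Run as a DBA on 12c or later; APP_DEVELOPER_ROLE is an assumed role name.

```sql
-- Added example, not from the original post: the ALL_SOURCE default,
-- generalized, then audited and revoked. Run as a DBA on 12c or later.
-- APP_DEVELOPER_ROLE is an assumed role name.

-- 1. The specific default. The privilege column is SELECT in older
--    releases and READ from 12.2 on. Note which you get: the revoke in
--    step 4 must name the same privilege.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'ALL_SOURCE';

-- 2. The class of problem: SYS views granted to PUBLIC that expose code,
--    view text, trigger bodies, procedure signatures or dependency maps,
--    i.e. the reconnaissance an attacker runs before picking a target.
SELECT table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner   = 'SYS'
AND   (table_name LIKE 'ALL%SOURCE%'
   OR  table_name LIKE 'ALL%VIEWS%'
   OR  table_name LIKE 'ALL%TRIGGERS%'
   OR  table_name LIKE 'ALL%ARGUMENTS%'
   OR  table_name LIKE 'ALL%DEPENDENCIES%')
ORDER  BY table_name;

-- 3. Before revoking, learn who really reads it, or the help desk will
--    tell you which tool depended on it. Unified auditing.
CREATE AUDIT POLICY all_source_reads
  ACTIONS SELECT ON sys.all_source;
AUDIT POLICY all_source_reads;

-- After a review period: who read it, how often, and when last.
SELECT dbusername, COUNT(*) AS reads, MAX(event_timestamp) AS last_read
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%ALL_SOURCE_READS%'
GROUP  BY dbusername
ORDER  BY reads DESC;

-- 4. The override. PUBLIC loses the view and the accounts that need it
--    get it through a role. USER_SOURCE is a separate grant, so every
--    account still sees its own code. Use SELECT instead of READ if
--    that is what step 1 reported.
REVOKE READ ON sys.all_source FROM PUBLIC;
GRANT  READ ON sys.all_source TO app_developer_role;
```

Two caveats. Catalog scripts re-run during upgrades and some patches, and they re-issue the grants to PUBLIC, so step 1 belongs in your post-patch checklist, not in a one-time hardening project. And on 12.1 the unified audit rows are queued in memory, so call DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL before trusting the counts in step 3.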
Oracle Security Alert CVE-2019-2729
Oracle strongly recommends that customers follow the recommended actions noted in the Security Alert.
The Security Alert Advisory is the starting point for relevant information. It includes a summary of the security vulnerability, and a pointer to obtain the latest patches.
Supported products that are not listed in the "Affected Products and Versions" section of the advisory do not require new patches to be applied.
Also, it is essential to review the Security Alert supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.
The Advisory is available at the following location:
Oracle Critical Patch Updates and Security Alerts:
Oracle Security Alert for CVE-2019-2729:
Customer Support of Oracle Corporation
We feel no need for comment.
Daniel Morgan from DBSecWorx has been selected to present his "Oracle Security for DBAs and Developers" for ODTUG on Tuesday, July 23, 2019 at 12:00 - 13:00 EDT.
To register [Click Here]
We are experiencing an interesting side effect from going through all of the pages at Morgan's Library and making decisions about which ones have security implications and how to rewrite them from a security point of view. We have known
GLOGIN.SQL was a threat since reading what Pete Finnigan wrote about it back in 2002-2003: SQL*Plus runs $ORACLE_HOME/sqlplus/admin/glogin.sql, and then any login.sql it finds on the SQLPATH, automatically at startup, so whoever can write to one of those files gets their SQL executed by the next DBA who connects, with that DBA's privileges, SYSDBA included. But we had not realized Oracle has done nothing to address it.
We are currently working on a tool that we believe will put an end to this threat and hope to release it to Pete and others for Beta testing before month's end.
If it passes its Beta we will announce it here in the Blog, on our home page, and it will become the first resident of our Products page.
If the concept fails we will announce that here and provide background on what we were trying to accomplish and how.
Why are we posting this report of another breach that could have been easily prevented? Because we want to remind everyone out there who thinks doing what everyone else is doing will protect their organization and their data.
We want to issue a challenge to all of the companies that sell firewalls. Publish the names of all organizations where a breach has exceeded 1 million PII, PHI, or PCI records.
Stop telling IT shops "what your product can do" unless you are willing to acknowledge the number of times your product has failed to do so.
Cisco, Palo Alto, Fortinet, Check Point, Symantec, Huawei, Blue Coat, Juniper, Intel, McAfee, publish your failure rate so IT organizations can truly evaluate your offerings.
Our bet: AMCA has a firewall from one of them, as did OPM, Equifax, Sony, etc. etc. etc.
IT shops: There is little value in buying a million dollar lock for the front door when the back door is wide open.
If the following surprises you ... chances are you have an account on Twitter. :-)
Twitter use decreases students' test scores by 25% to 40% of a standard deviation from the average result. Link
When I was teaching at the University of Washington, I learned very quickly that my students' learning improved if I banned mobile phones and laptops from the classroom during lectures.
Personally, I shut down both my Facebook and Twitter accounts long ago ... and don't regret it for an instant. The phrase, if you are trying to remember it, is "Opiate of the Masses."
And, an associated book recommendation, for those who value earnest and intelligent discourse over manufactured angst.
Another day. Another major breach. Another event where millions of Americans are affected. Guess which generated the greater amount of news: the breach of 885 million documents, or the winner of the Iron Throne?
On the other hand, according to Bloomberg News, First American Financial Corp., one of the largest US title insurance companies, is being sued by a client because "lax security measures put him at risk of identity theft, along with millions
of others whose personal information could be easily accessed through its website." And, again according to Bloomberg, stockholders likely have good reason to be a bit concerned because "First American Financial Corp. tumbled the most in
nearly eight years amid concerns that a security flaw in the title insurer may have allowed unauthorized access to more than 885 million records related to mortgage deals going back to 2003."
First American has more than 112 million outstanding shares. Assuming each share lost $3.00, the total cost of the breach, measured in shareholder equity, is $336,000,000. Does anyone believe the data could not have been protected for 2-3% of that amount?
What the Board of Directors should do, but won't, is fire most if not every member of the corporation's C level with cause. As this moves forward expect mortgage rates to increase as they "pass the cost of doing business" to their customers.
The customers didn't get upset about the loss of 885 million documents. The customers won't get upset about paying increased costs. But what's more important?
A data breach, or who's going to die in the next episode of some brain-dead TV show?
Last week, May 23 and 24, we attended the 2019 Central Ohio InfoSec Summit in Columbus, an incredibly rich and thought-provoking environment at which we met old friends, made new friends, learned, laughed, and came to a somewhat surprising realization.
That realization being that everyone talks about "Defense-in-Depth" but all of the focus, from both speakers and vendors, is on the perimeter.
There wasn't a single presentation or vendor targeting data and databases, with the exception of a few trying to detect bad actions with behavior analytics.
There is nothing wrong with utilizing behavior analytics, just as there is nothing wrong with firewalls. They are all essential parts of a Defense-in-Depth strategy.
What they miss, unfortunately, is the expertise required to know that a call to DBMS_UTILITY.VALIDATE is a safe activity (it recompiles an invalid object) while a call to DBMS_UTILITY.INVALIDATE could be incredibly destructive (it marks a valid object invalid, with the usual knock-on effects for everything that depends on it).
Do the behavior analytics know what they are looking at if a call is made to DBMS_UTILITY.EXEC_DDL_STATEMENT, a call whose argument is an arbitrary DDL statement? We leave you to consider that there is only one right answer to this question.
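As an added example, not part of the original post, here are the three DBMS_UTILITY calls side by side and a unified audit policy that sees the DDL hidden inside the third. Run as a DBA on 12c or later with unified auditing. HR.PAY_PKG and SCOTT are assumed names. DBMS_UTILITY is EXECUTE-granted to PUBLIC by default and EXEC_DDL_STATEMENT runs with the caller's privileges, so this is not a privilege escalation; it is DDL that a monitor watching for GRANT, CREATE, ALTER and DROP as the first word of a statement never sees.

```sql
-- Added example, not from the original post: three DBMS_UTILITY calls that
-- look identical to "EXECUTE on a SYS package", and the audit policy that
-- tells them apart. Run as a DBA on 12c or later. HR.PAY_PKG and SCOTT
-- are assumed names.

-- 1. Put the policy in place first. The PRIVILEGES clause records any
--    statement that used one of those privileges, however it was issued.
--    The ACTIONS clause records the wrapper call itself. (Object auditing
--    on a SYS-owned package is assumed to be accepted by your release. If
--    it is rejected, keep the PRIVILEGES clause, which does not depend
--    on it.)
CREATE AUDIT POLICY hidden_ddl_pol
  PRIVILEGES GRANT ANY ROLE, GRANT ANY PRIVILEGE, GRANT ANY OBJECT PRIVILEGE
  ACTIONS    EXECUTE ON sys.dbms_utility;
AUDIT POLICY hidden_ddl_pol;

-- 2. The three calls, from a session that holds DBA.
DECLARE
  l_obj_id  dba_objects.object_id%TYPE;
BEGIN
  SELECT object_id INTO l_obj_id
  FROM   dba_objects
  WHERE  owner = 'HR' AND object_name = 'PAY_PKG'
  AND    object_type = 'PACKAGE BODY';

  -- Destructive: marks a valid object invalid. Its dependents recompile
  -- on next use, or fail to.
  dbms_utility.invalidate(l_obj_id);

  -- Safe: recompiles the object we just broke and changes nothing else.
  dbms_utility.validate(l_obj_id);

  -- Disguised: the text "GRANT dba TO scott" never appears as a
  -- top-level statement from this session.
  dbms_utility.exec_ddl_statement('GRANT dba TO scott');
END;
/

-- 3. What the audit trail shows: an EXECUTE row per package call, plus a
--    GRANT row carrying the privilege that authorized it, all tied
--    together by SESSIONID. A behavior model that only counts "EXECUTE
--    on a SYS package" scores the three calls the same. The GRANT row is
--    the one that matters.
SELECT sessionid, event_timestamp, dbusername, action_name,
       object_schema, object_name, system_privilege_used, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%HIDDEN_DDL_POL%'
ORDER  BY event_timestamp;
```

One gap to know about: privilege auditing records statements that used the named privilege. A session that holds the DBA role WITH ADMIN OPTION can grant it without touching GRANT ANY ROLE, so for those accounts you need the EXECUTE rows and the SESSIONID correlation, not the GRANT row alone. On 12.1 flush the in-memory queue with DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL before running step 3.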