Waste of time #1: Seems like this blog is as good a place as any to start posting comments about actions promoted as enhancing security that are a total waste of time.
To start this feature let's start with some advice that is so ubiquitous it might appear to have value: But it doesn't.
The source of this that came to my attention this morning is from an Oracle University security class module titled: "Securing Network Services" in the form of the following slide.
Another source of this advice is a very reputable thus also lending credibility to this advice: the Center for Internet Security's Security Configuration Benchmark.
At first glance this might look like reasonable advice but here's why it isn't:
And the answer to that question is measurable in milliseconds.
- While "security by obscurity" is known to provide a false sense of value the opposite is not true.
Just because "everyone knows something, not doing it does not necessarily provide value.
- When advice like "Don't use port 1521 becomes the norm, those attacking system will approach each new target
with tools that do not assume the port will be 1521.
- Thus, the critical question is "how long does it take to identify the actual listener port if it is relocated from 1521"?
does not reveal information not readily available through a
search engine so the following will illustrate how an attacker might find the actual listening port but is not optimized in the manner a sophisticated attacker would likely use.
[oracle@gg00a dirprm]$ netstat -lntuxx
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:5801 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:5901 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:6001 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:56754 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:633 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN
tcp 0 0 :::47406 :::* LISTEN
tcp 0 0 :::1521
tcp 0 0 :::6001 :::* LISTEN
tcp 0 0 :::22 :::* LISTEN
tcp 0 0 :::7809 :::* LISTEN
udp 0 0 0.0.0.0:5353 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 0.0.0.0:627 0.0.0.0:*
udp 0 0 0.0.0.0:630 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
udp 0 0 0.0.0.0:34070 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:45534 0.0.0.0:*
udp 0 0 :::5353 :::*
udp 0 0 :::49517 :::*
udp 0 0 ::1:63872 :::*
udp 0 0 ::1:39693 :::*
udp 0 0 :::59798 :::*
udp 0 0 ::1:19812 :::*
for another readily available view of open ports and their as
It took at most a few milliseconds to find the line showing port 1521 in use. But assume that the port had been changed to 1635.
Even an unsophisticated attacker would immediately exclude the UDP ports and have to, at most, try the 16 TCP ports. With a little shell scripting that would, again, take milliseconds.
Delaying an attacker by hours or days might have value. Delaying an attacker by milliseconds is a complete waste of time.
Our conclusion: You should absolutely change your default ports from 1521 to another port outside of the 1520 range. Doing it will not provide you with any additional security. But do it because it will make your CISO and the auditors happy.
It has been one of those days ... during one of those weeks ... during one of those months ... during one of those years ... and that has nothing to do with politics or Covid19.
To hopefully lift at least someone's spirits these are my contributions to the "unusual times" that is 2020.
SQL> exec dbms_rcvcat.sanityCheck;
BEGIN dbms_rcvcat.sanityCheck; END;
ERROR at line 1:
RMAN-20021: Database not set
ORA-06512: at "RMANADMIN.DBMS_RCVCAT", line 10066
ORA-06512: at "RMANADMIN.DBMS_RCVCAT", line 10027
ORA-06512: at line 1
SQL> exec dbms_internal_logstdby.cancel_future;
PL/SQL procedure successfully completed.
I figured, having failed the sanity check, there was no choice but to execute the second procedure.
For everyone that thinks they can protect data and databases with a firewall and end-point monitoring ... consider how just a month ago you thought you didn't need to pay for extra beds in hospital ICUs with extra ventilators.
Our ability to protect data and databases is not better than our ability to stop a viral pandemic: The two are quite comparable.
If you can take a minute out of the day to sanitize your hands ... can't you spare a day to sanitize your inputs?
Thank you Jack ... we appreciate that someone noticed.
And we also appreciate all of the other essential workers out there most of whom are not paid in accordance with their value to society but rather based on how little the greedy can get get away with.
Be sure that you say thank you to those people in your life who you don't normally say thank you to who are risking themselves every day to make it possible for you to not just survive, but to thrive.
Like, for example, cartoonists that so often bring more intellect, more understanding, and more clarity to an issue than all of the talking heads that are paid so much more.
Experiencing a time warp.
Some time last year I found myself on a flight from Minneapolis to Seattle traveling home from the UK and captured this picture from the seat-back display.
|At 12:33am I am traveling a distance of 18 miles from Minneapolis to Seattle and it will take 7 hours, 10 minutes.
Six minutes later at 12:39am, clearly the result of a close encounter with a black hole, the time to travel between Minneapolis and Seattle has been reduced by by four miles and the travel time by almost 4 hours.
An additional 20 minutes has now elapsed and the curvature of space time has increased the separation between the two cities by 131 miles without affecting the travel time.
Clear proof of DSR, the theory better known as Delta Special Relativity and understood by only to a few of members of an elite group of mathematicians and physicists at Princeton,
CalTech, Cambridge, the Perimeter Institute and those that studied at tahiti.oracle.com before it was swallowed by a black hole.
I note in today's news that Stephen King has quit Facebook. And, in reading his public statement, I realize that I never made a formal announcement many years ago when I closed my accounts with both Facebook and Twitter.
Seems like as good a moment as there will be to make up for lost time.
It is amazing that in the year 2020 I feel a need to write this but throwing away caution about writing a "good old days blog post" I will say what needs to be said.
When we look back at what happened to the Roman Empire, about how it collapsed, it is hard not to wonder why the army enabled the destruction of essentially all of European civilization for one man.
History is full of parallels where civilizations and citizens have surrendered themselves to one person, or a small self-appointed group, who's only claim to fame was their political or military power.
So where are we today? We have surrendered an overwhelming percentage of our ability to communicate as a civilization to a couple of individuals. Let's name them: Mark Zuckerberg, Jack Patrick Dorsey, Larry Page, Sergey Brin.
Thus I made the decision to refuse, to the extent that it is still possible, to be bought and sold as a commodity by them. How hard was it to close my accounts? Took only minutes.
I sent my friends my human contact information ... my phone and personal email ... and I have never, not for even a minute, regretted the decision.
If you don't want to trade that which is "you" for a the deception that there is a free lunch or a free service consider doing so too.
Google, I heard your meaningless code of conduct public relations stunt: "Don't be evil."
Clearly you sold your souls and ours along with them.
I prefer my personal code of conduct: "Don't be the tool of evil."
And that is why I won't buy any product or service they offer.
Not from Google, not from Amazon, not from Facebook, not from Twitter. And, not from others like them.
Oracle Database Version 20c will be released soon. Do you have experience with deploying, securing, managing, troubleshooting, and performance tuning a Container (CDB) Database?
Are you planning for your next job to be at Starbucks?
It is time, today, to start investing in your skill set because the legacy architecture will be unsupported in 20c and beyond ... that's 2020 ... that's this year ... that's just a few short months from now.
The new SQL Macros are cool but if you do not understand the security compromise Oracle introduced into the CONNECT role or secure a PDB how are you going to competently do your job?
The Chinese, the Russians, the Iranians, the North Koreans, and organized crime families all over the planet are investing time and money into breaching your organization's firewall, hiding from trip wires and auditing, spray painting and phishing.
And, judging from the number of successful attacks in 2019, they are doing a very good job at it.
So in 2020, precisely what are you going to do to protect your data and your database?
Are you prepared to protect against the legacy glogin attack that dates back to the 1980s? Are you up to speed on every default deployment weakness in Oracle Profiles, Roles, and System Privilege grants?
Would anyone in your organization have a clue what was going on if someone started using DBMS_SYS_SQL?
To advance your career and protect your organization contact us today for a free (no charge, no hassle, no sales pitch) technical Lunch & Learn for your team. You can arrange it with nothing more than an email to damorgan (at) dbsecworx.com.
If you are not having discussions now about moving past SHA1, if you are not budgeting time and money for a solution,
you are late to the party. As Ars says, they declared SHA1 officially dead three years ago.
Another example of why it is not sufficient to implement a feature or option. You must know how it works a dig deeper than just what is in the docs.
We have been reading up on the Dunning-Kruger Effect.
And, if you know you are not well versed in database security, you may not be experiencing Dunning-Kruger in at least one domain.
But to help you understand your coworkers ... click on the link, above.
Here are the first two sentence from the well written Wikipedia listing:
"In the field of psychology, the Dunning–Kruger effect is a cognitive bias in which people assess their cognitive ability as greater than it is.
It is related to the cognitive bias of illusory superiority and comes from the inability of people to recognize their lack of ability."
We consider this mandatory reading.
Thank you xkcd
Does the organization you work for train the staff on what phishing and spear phishing are?
Most organizations pretend they do ... others really do.
Does it make a difference?
Of course the solution is the one we recommend here at DBSecWorx.
Stop focusing solely on what has been proven repeatedly does not work.
And take the steps necessary to secure the data and the databases.
This Blog post should serve as a warning to each and every person installing and administering Oracle Databases. The following listings were extracted from the .bash_history file after an Oracle Database 188.8.131.52 installation.
The database name has been changed to protect the guilty.
The most offensive of security violations are highlighted in yellow.
netca -silent -responseFile /u01/stage/database/response/netca.rsp
dbca -silent -createDatabase -templateName General_Purpose.dbc -gdbname secdemo -sid secdemo -responseFile NO_VALUE -characterSet AL32UTF8 -nationalCharacterSet AL16UTF16 -
sysPassword Oracle123! -systemPassword Oracle123!
-recoveryAreaDestination "/u01/app/oracle/fast_recovery_area" -createAsContainerDatabase true -automaticMemoryManagement false -storageType FS -datafileDestination "/u01/app/oracle/oradata/" -redoLogFileSize 50 -emConfiguration NONE -totalMemory 6000 -ignorePreReqs
The initial password was ridiculously insecure. And I wouldn't be writing this but for the fact that the initial password was not changed allowing me to break into the database in a matter of seconds.
If you install any Oracle software, anywhere, and do not immediately change every password you should consider saving the attackers the effort of figuring out what you did and just post a notice on Facebook, Twitter, and LinkedIn.
If you have Oracle databases, as soon as you finish reading this blog post, check the .bash_history files on every UNIX server in your operation for the -sysPassword and -systemPassword strings. Verify that the passwords in .bash_history do not work.
Note to Oracle Corp.: This is not a feature ... this is a sloppy nightmare.
DBSecWorx is non-political and hopefully rational. So we present the following quote from Hugh Grant (@HackedOffHugh) August 28, 2019 not in context but because it demonstrates an eloquent and professional employment of the English language
in a manner rarely seen and sorely missed. Formatted, as it deserves, as poetry.
|You will not fuck with my children’s future.
You will not destroy the freedoms my grandfather fought two world wars to defend.
Fuck off you over-promoted rubber bath toy.
Britain is revolted by you and your little gang of masturbatory prefects.
We will know that we are again teaching the language of Shakespeare when this manner of speech is not unusual. And we say that even with the understanding that on occasion we may be the recipients.
It is looking like one blog post at the beginning of the month, one at the end. It has been a very busy month between a trip to Johannesburg South Africa, one to the San Francisco Bay area for the NoCOUG fall conference,
and a couple of weeks in Austin Texas with Oracle.
This month the following new pages were added here at DBSecWorx and we know you will want to review them to learn more about real-world exploits that work in the wild.
On August 19 a page of Oracle Initialization (Startup Parameters) was entered into the Resources Code Library.
You will want to review each of these parameters to determine if they are properly configured in your databases.
And today we added exploit demos you can use to teach yourself the NoSpaces, Base64, and RAW Encoding exploits.
With permission from your CISO and management use these exploits to determine whether your security processes and techniques can catch an attempt to use them as part of an attack.
This website will never provide information on zero day attacks. The NoSpaces, Base64, and RAW Encoding attacks are commercially as exploit toolkits available for sale on the dark web.
So, if you are unaware of them, that is the issue we are trying to address here at DBSecWorx. The bad guys have known about these for years.
A few days have passed, some information originally reported has been demonstrated to be incomplete and additional pieces have been added to the puzzle. We will leave our posting from 30 July as it was written and amend and append.
One thing we have learned that we didn't know before was that the data exfiltrated was in "the Cloud" and not in CapOne's own data center.
That information explains a lot about how the attacker, a former Amazon resource, knew what, where, and how to accomplish the theft.
It is also inline with the overwhelming majority of successful attacks which are perpetrated either by, or with the assistance of insiders.
We have no doubt she wouldn't have even attempted the attack if she didn't have sufficient information, in advance, to be quite confident of success.
The second item explained by the data being at Amazon is what it was doing in a mySQL database. We had assumed Oracle because CapOne has a lot of Oracle databases and it would be reasonable to think CapOne's
CISO would have had sufficient expertise to not move PII data into Amazon's cloud and from database with full featured security to one with almost none. Clearly our expectations were too high.
Ask Amazon how they protect their Cloud and they will refuse to provide any meaningful answers, any specifics. Is that because they believe in security by obscurity ... or is it because they would be embarrassed to have to put in writing the current state of their affairs.
We know the answer and expect you will not require a PhD in quantum mechanics to come to the right conclusion on your own.
One last note before we give this story a little more time for additional non-public information to become public so we can comment on it. That last note is with respect to so-called "At-Rest Data Encryption" that it appears CapOne paid for.
At-Rest Data Encryption is an IQ test for auditors that they fail every day. At-Rest Data Encryption has not protected a single byte in the last decade. Let's examine what it does and doesn't do.
"At rest" means that the data, when the database is "at rest" (which roughly equates with shut down) is encrypted.
Anyone with a valid login credential has access to the unencrypted data without needing to know the encryption algorithm or anything about keys, seeds, padding, chaining, etc.
So, if you don't know how to deencrypt it ... just need a user-id ... the encryption is of zero value (except that auditors are too ignorant to know that as noted above).
There are only 2 possible scenarios in which at rest encryption has value. Consider how likely they are:
- The attacker shows up at the data center and with guns drawn breaks in, gets to the SAN, puts all of the physical storage devices on a hand truck and escapes out the back door before the police arrive.
Well yes they could possibly use a fork lift to move the entire SAN out to the loading dock, drive it somewhere else and plug it in, but what are the chances of that?
- The attacker is a storage or system admin that decides to go into a SAN with hundreds to thousands of TB of data striped and mirrored across many hundreds of physical devices,
capture data from a 64K or 1MB stripe using the STRING command, all the time following a stripe from one physical device to another.
You figured this one out without that PhD too, didn't you? LOL
But can you figure out why Boards and C Level execs can't? Neither can we.
the whole truth, and nothing but the truth.
If you believe this pile of rubbish you shouldn't be allowed to touch a keyboard. "Exploit a configuration vulnerability" ROFLMAO.
Yeah, sure, Capital One stored data on 106 million people inside of a configuration vulnerability.
Let's try a small dose of reality.
First the attacker gained access to the network ... how?
Which firm did CapOne hire to perform a pentest that failed to identify the vulnerability?
Then the attacker somehow stumbled on login credentials that would provide access to the correct database and schema.
Does CapOne use Multi-Factor Authentication? How was that compromised?
Then the attacker found her way through thousands of infrastructure components to the right database. How?
Then not a single control prevented the attacker from querying 100,000,000+ rows of data from the right tables and columns.
Then the attacker exfiltrated the data out of CapOne's data center.
And we are asked to believe all of this the result of a single configuration vulnerability. Total rubbish.
Richard D. Fairbank, Capital One's founder, chairman and CEO, has a lot to answer for. But, unfortunately, newsrooms worldwide will abrogate their responsibility and "repeat" not "report". Repeat superficial fluff from a PR desk
rather than report on how, for a very small investment, CapOne could have prevented the entire mess.
Safe computing requires diligence.
Safe computing requires well thought out processes and procedures.
Safe computing requires management invest in more than just a firewall.
Safe computing requires defense in depth.
Safe computing requires not relying on sales account execs to solve problems they don't even understand.
If you don't know that data is stored in databases.
If you don't know how to attack a database and compromise a database.
You haven't even a prayer of being able to prevent an attacker from being successful.
CapOne's management failed.
CapOne's IT leadership failed.
And I'll bet there are many members of CapOne's IT technical staff who have been warning their immediate management for years.
Most likely, CapOne's Board will now fail again ... not because they are irresponsible and don't care ... but rather because they will rely on some company to sell them a magic bullet.
Unsolicited advice to CapOne ... if the company you hire can't answer the following question you deserve what you get.
Q: "List and explain all of the security flaws in the Oracle Database DEFAULT profile."
A: I count 17 separate issues.
Take a close look at the email I just received. It is the second one in the series. Clearly the intent is to get someone to click on the link. There are a couple of things that alerted me with the first message:
- I was not expecting a package
- The lack of a logo
- The lack of label number, phone number, and other information in the body of the email
- There was no need for an attachment
- The fact that I was present at the location and no sticker was left on the door from the attempted delivery
- American companies don't write "29th July" ... an American company would have written July 29, 2019
- The fact that the attached file is a .IMG and is 1.2MB ... no status notification requires 1.2MB of anything
The biggest single factor in my not responding to the first attempt to trick me was simply that the information required for me to contact DHL could have been included in the email text ... there was no need for an attachment.
The fact that I knew no attempt to deliver and there was no sticker on the door was confirmation.
This email repeats those same mistakes but makes an additional one that is equally egregious. As I type this entry into my blog, and post it to our website, ... 2:30pm on 29 July is 5 hours in the future.
Safe computing requires diligence. If you might have been tempted to click on the email you need to study the warnings signs I listed above. A click on the link would have infected your computer.
What is it going to take for people to come to what seems like an obvious conclusion. Nothing is free. If you expect to be paid for your work why are you so willing to accept that others write software for you for free?
To read the full article [Click Here].
Anyone familiar with DBSecWorx knows we are complete unamused by those that think security consists of an expensive firewall, an identity management system, and end-point monitoring.
For those that are open to learning from past mistakes ... here is another lesson. At your leisure look up NTLM Brute-Force (CVE-2019-1126) ... and while reviewing the lengthy explanation consider the value of securing data and databases.
In all of human history there has never been an impenetrable wall.
Oracle and Backward Compatibility
At almost every Oracle Security Master Class I teach I find multiple students wondering why Oracle doesn't "just fix" some of the more obvious security flaws and other anomalies and I explain that Oracle puts great value in backward compatibility:
In not breaking existing customers. One example I use to illustrate that point is that DBA_TAB_PRIVS contains all object privileges ... not just those related to tables as the name implies.
As to why there is a view named DBA_TAB_COLS and another named DBA_TAB_COLUMNS ... perhaps that one needs to be addressed by Mr. Ellison.
Tonight while updating the Morgan's Library website I found what must be the most poignant example possible of the value Oracle places on backward compatibility.
I couldn't make this up so the following is copied (I added the highlight) from $ORACLE_HOME/rdbms/admin/dbmsssql.sql from version 19c.
-- Named Datatype CONSTANTS
Varchar2_Type constant pls_integer := 1;
Number_Type constant pls_integer := 2;
Long_Type constant pls_integer := 8;
Rowid_Type constant pls_integer := 11;
Date_Type constant pls_integer := 12;
Raw_Type constant pls_integer := 23;
Long_Raw_Type constant pls_integer := 24;
Char_Type constant pls_integer := 96;
Binary_Float_Type constant pls_integer := 100;
Binary_Double_Type constant pls_integer := 101;
MLSLabel_Type constant pls_integer := 106;
User_Defined_Type constant pls_integer := 109;
Ref_Type constant pls_integer := 111;
Clob_Type constant pls_integer := 112;
Blob_Type constant pls_integer := 113;
Bfile_Type constant pls_integer := 114;
Timestamp_Type constant pls_integer := 180;
Timestamp_With_TZ_Type constant pls_integer := 181;
Interval_Year_to_Month_Type constant pls_integer := 182;
Interval_Day_To_Second_Type constant pls_integer := 183;
Urowid_Type constant pls_integer := 208;
Timestamp_With_Local_TZ_type constant pls_integer := 231;
-- #(10144724): The typo Binary_Bouble_Type is purposefully retained for
-- backward compatibility.
Binary_Bouble_Type constant pls_integer := 101;
It can't get clearer than this. If you want backward compatibility Oracle provides it.
If you want security Oracle provides the database that can be made more secure than any other but not by default with the GUI installation tools like OUI, NETCA, and DBCA.
If you want to leverage all of the built-in security abilities of the product you must override the defaults yourself.
An example of one of those default configurations you will want to override to secure your database, one that is as clear as the code above:
SQL> SELECT grantee FROM dba_tab_privs WHERE table_name = 'ALL_SOURCE';
Can anyone explain why a user, with no privilege other than
CREATE SESSION, needs to be able to read source code?
We can't so we are working on a product we will be offering later this year that will address this and hundreds of other configuration issues.
Oracle Security Alert CVE-2019-2729
Oracle strongly recommends that customers follow the recommended actions noted in the Security Alert.
The Security Alert Advisory is the starting point for relevant information. It includes a summary of the security vulnerability, and a pointer to obtain the latest patches.
Supported products that are not listed in the "Affected Products and Versions" section of the advisory do not require new patches to be applied.
Also, it is essential to review the Security Alert supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.
The Advisory is available at the following location:
Oracle Critical Patch Updates and Security Alerts:
Oracle Security Alert for CVE-2019-2729:
Customer Support of Oracle Corporation
We feel no need for comment.
Daniel Morgan from DBSecWorx
has been selected to present his "Oracle Security for DBAs and Developers for ODTUG on Tuesday, July 23, 2019 at 12:00 - 13:00 EDT.
To register [Click Here]
We are experiencing an interesting side effect from going through all of the pages at Morgan's Library and making decisions about which ones have security implications and how to rewrite them from a security point-of-view. We have known
GLOGIN.SQL was a threat since reading what Pete Finnigan wrote about it back in 2002-2003. But we had not realized Oracle has done nothing to address it.
We are currently working on a tool that we believe will put an end to this threat and hope to release it to Pete and others for Beta testing before month's end.
If it passes its Beta we will announce it here in the Blog, on our home page, and it will become the first resident of our Products page.
If the concept fails we will announce that here and provide background on what we were trying to accomplish and how.
Why are we posting this report of another breach that could have been easily prevented? Because we want to remind everyone out there that thinks doing what everyone else is doing will protect their organization and their data.
We want to issue a challenge to al of the companies that sell firewalls. Publish the names of all organizations where a breach has exceeded 1 million PII, PHI, or PCI records.
Stop telling IT shops "what your product can do" unless you are willing tot acknowledging the number of times your product has failed to do so.
Cisco, Palo Alto, Fortinet, Check Point, Symantec, Huawei, Blue Coat, Juniper, Intel, McAfee, publish your failure rate so IT organizations can truly evaluate your offerings.
Our bet: AMCA. has a firewall from one of them as did OPM, Equifax, Sony, etc. etc. etc.
IT shops: There is little value in buying a million dollar lock for the front door when the back door is wide open.
If the following surprises you ... chances are you have an account on Twitter. :-)
Twitter use decreases student's test scores by 25% to 40% of a standard deviation from the average result. Link
When I was teaching at the University of Washington, I learned very quickly that my student's learning improved if I banned mobile phones and laptops from the classroom during lectures.
Personally, I shut down both my Facebook and Twitter accounts long ago ... don't regret it for an instant. The phrase, if you are trying to remember it, is "Opiate of the Masses."
And, an associated book recommendation, for those that value earnest and intelligent discourse to manufactured angst.
Another day. Another major breach. Another event where millions of Americans are affected. Guess which generated the greatest amount of new: The breach of 885 million documents
or the winner of the Iron Throne?
On the other hand, according to Bloomberg News, First American Financial Corp., one of the largest US title insurance companies, is being sued by a client because "lax security measures put him at risk of identity theft, along with millions
of others whose personal information could be easily access through its website." And, again according to Bloomberg, stockholders likely have good reason to be a bit concerned because "First American Financial Corp. tumbled the most in
nearly eight years amid concerns that a security flaw in the title insurer may have allowed unauthorized access to more than 885 million records related to mortgage deals going back to 2003.
First American has more than 112 million outstanding shares. Assuming each share lost $3.00 the total cost of the breach, measured in shareholder equity, is $336,000,000. Does anyone believe the data could not have been protected for 2-3% of that amount?
What the Board of Directors should do, but they won't, is fire most if not every member of the corporation's C Level with cause. As this moves forward expect mortgage rates to increase as they "pass the cost of doing business" to their customers.
The customers didn't get upset out the loss of 885 million documents. The customers won't get upset about paying increased costs. What's more important? A data breach or who's going to die in the next episode of some brain-dead TV show?
Last week, May 23 and 24 we attended the 2019 Central Ohio InfoSec Summit in Columbus which was an incredibly rich and thought provoking environment at which we met old friends, made new friends, learned, laughed, and came to a somewhat surprising realization.
That realization being that everyone talks about "Defense-in-Depth" but all of the focus from both speakers and vendors is on the perimeter.
There wasn't a single presentation or vendor that was targeting data and databases with the exception of a few trying to detect bad actions with behavior analytics.
There is nothing wrong with utilizing behavior analytics just as there is nothing wrong with firewalls. They are all essential parts of a Defense-in-Depth strategy.
What they miss, unfortunately, is that they don't have the expertise required to know that a call to DBMS_UTILITY.VALIDATE is a safe activity while a call to DBMS_UTILITY.INVALIDATE could be incredibly destructive?
Do the behavior analytics know what they are looking at if a call is made to DBMS_UTILITY.EXEC_DDL_STATEMENT? We leave you to consider that there is only one right answer to this questions.