"Insecure databases are now low-hanging fruit for hackers"

7) Accountability for the negative social effects caused by insecure databases

This issue is mainly about the responsibility that comes with holding a database and what can happen if that database is insecure. Insecure databases are basically databases which are not kept protected or are vulnerable to outsiders.



Politics and government


Personal privacy can be lost depending on which database is insecure, e.g. if it was a government agency database, social security numbers, bank account details and other data might be exposed. This data can be used in various places; for example, credit card numbers can be used to purchase goods and services. This can cause serious problems, because a person might lose a lot of money or even become bankrupt without even knowing that his credit card or bank account details have been used to purchase goods (Baase 2003). A clear example occurred in the U.S., when "four U.S. government Web sites left the contents of internal databases open to Web surfers"; this caused "the Federal Judicial Center's site at FJC.gov" to expose e-mails from the site's webmaster.
http://www.infosecnews.org/hypermail/0204/5704.html

Security is taken away completely by the hacker, as he/she might obtain information regarding where you live etc. For example, a hacker obtained a database containing the names of high-ranking business men and women and used the information to steal belongings, cash and various other goods from them (Leahe 2005). A clear example occurred when a hacker broke into an insecure database used by the government and used it to find "names, phone numbers, e-mail accounts, and addresses". In addition to this, "more sensitive information such as Social Security numbers and account numbers were included in the same database". The hacker used this information to steal and to make fake IDs for many of the people on the database.
http://www.consumeraffairs.com/news04/2007/09/ameritrade_hack.html



Education


Integrity might be considered an issue, as data can be tampered with or changed if it comes into the wrong hands, e.g. a student getting hold of a database full of report grades. A student might take advantage of this and change his or her own grades. This will cause the school or university to provide incorrect data about the student and may cause long-term problems (Howel 1999). This has happened before at Marana High School, where a student was "arrested and charged with breaking into a computerized grade database to alter his and other students' grades, authorities said."
http://seclists.org/isn/2004/Nov/0043.html

Another example concerns both security and privacy: nearly "900,000 children aged 10 to 17 already have their genetic information stored on the police's national DNA database, along with 108 under the age of 10." The schools involved hold this kind of data on insecure computers, which contain precious, unique personal information and are a gift to identity thieves. Furthermore, parents and students want to know what happens to the data after the children leave, because it is said that "the police have the right to get into any database, private or public." This therefore poses an issue to do with privacy.
http://www.thisishertfordshire.co.uk/news/stalbans/display.var.1484752.0.is_your_child_being_fingerprinted.php

Overall Analysis

My issues within the areas of impact stated above are relatively similar; one or both of the issues relate to both impacts. Both the government and schools store very personal information which is meant to be kept safe and used only in cases the person themselves knows about; however, as the issues stated above clearly show, this information is very easy to retrieve by circumventing firewalls or even through human error, such as forgetting to log off a computer before allowing another person to use it.
Continuing with this example, integrity can easily be considered an issue to do with the government and political impacts, because if the database is breached it also raises integrity issues that can have serious implications. Due to the development of technology it is very easy to change data without allowing others to trace it back to the hacker or employee. Furthermore, this also overlaps with the issue regarding privacy: referring back to the same examples shown in the areas of impact, we would not really know who is accessing or using this information, because there is no real way of finding out. Therefore the prime cause of all these issues is the security of the database itself, because if it is secured well and only accessed legally, there wouldn't be any cause for the other issues to arise.



Evaluation


To evaluate this, I think the issues regarding personal privacy and security are the most problematic when compared to integrity, because if information is seen by or falls into the wrong hands, serious consequences are definitely going to follow, compared with the integrity issue. I personally think this because the security and privacy issue is likely to cause more danger to people, e.g. people getting robbed or going bankrupt etc. Data integrity may be lost; however, there is a solution to it, e.g. backing up data, so if data were to be changed, the company, business or whoever can easily back up the previous data. However, on the other hand, data being tampered with could also endanger people's lives, e.g. a prisoner's name and picture being changed into someone innocent's. But overall there is no real solution to privacy, because we would never know if the employee or person allows others to view the database, because there is no real way of finding out unless there were cameras. Nevertheless, the employee could show other people the database at other places.

Protection

To prevent this from happening, users may use:
  1. Server security -- ensuring security relating to the actual data or private HTML files stored on the server
  2. User-authentication security -- ensuring login security that prevents unauthorized access to information
  3. Session security -- ensuring that data is not intercepted as it is broadcast over the Internet or Intranet

· Table Access Control
· User-Authentication Security
· Session Security
· Public and Private Key Security
· Secure Sockets Layer (SSL) and S-HTTP
· Certificate Servers
· Digital Signatures as Passwords


Table Access Control –

This is standard table access control; this feature is mainly used for online databases and is more important on web applications than on traditional client/server systems. Database administrators (DBAs) are often strict in restricting access to particular tables, because few users would know how to create a custom Structured Query Language (SQL) query to retrieve data from the database.
· Structured Query Language --> is a standard interactive and programming language for getting information from and updating a database. Queries take the form of a command language that lets you select, insert, update, find out the location of data, and so forth.
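As an added illustration of table access control (not code from the article or from Rahmel's source), the following Python script uses SQLite's authorizer hook to enforce a hypothetical per-role policy: a student role can read grades but cannot modify them and never sees the SSN column, while a registrar role can. The table names, roles and sample rows are all constructed for this example.

```python
import sqlite3

# Constructed sample data (not from the article): a student table with a
# sensitive column and a grades table that students must not be able to edit.
SCHEMA = """
CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT);
CREATE TABLE grades (student_id INTEGER, course TEXT, grade TEXT);
INSERT INTO students VALUES (1, 'Alice', '000-00-0001'), (2, 'Bob', '000-00-0002');
INSERT INTO grades VALUES (1, 'CS101', 'A'), (2, 'CS101', 'C');
"""

# Hypothetical role policy: readable columns per table, and tables a role may modify.
POLICY = {
    "student":   {"read": {"students": {"id", "name"},
                           "grades": {"student_id", "course", "grade"}},
                  "write": set()},
    "registrar": {"read": {"students": {"id", "name", "ssn"},
                           "grades": {"student_id", "course", "grade"}},
                  "write": {"grades"}},
}

def make_authorizer(role):
    """Build an sqlite3 authorizer callback that enforces POLICY[role]."""
    rules = POLICY[role]
    def authorize(action, table, column, dbname, trigger):
        if action == sqlite3.SQLITE_READ:
            allowed = rules["read"].get(table)
            if allowed is None:
                return sqlite3.SQLITE_DENY      # whole table is off limits
            if column and column not in allowed:
                return sqlite3.SQLITE_IGNORE    # column reads back as NULL
        elif action in (sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE):
            if table not in rules["write"]:
                return sqlite3.SQLITE_DENY      # no write access to this table
        return sqlite3.SQLITE_OK
    return authorize

def run_as(role, sql, params=()):
    """Run sql on a fresh seeded in-memory DB under the role's authorizer.
    Returns fetched rows, or 'denied' when SQLite refuses the statement."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)      # seeded before the authorizer is attached
    conn.set_authorizer(make_authorizer(role))
    try:
        return conn.execute(sql, params).fetchall()
    except sqlite3.DatabaseError:   # SQLite raises "not authorized"
        return "denied"
    finally:
        conn.close()
```

A real server database would express the same policy with GRANT/REVOKE on roles; the hook here makes the effect visible in a single stand-alone script.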

User-Authentication Security –

Authentication security governs the barrier that must be passed before the user can access particular information. The user must have some valid form of identification before access is granted. Logins are accomplished in two standard ways: using an HTML form or using an HTTP security request. The HTML login is simply an HTML page that contains the username and password form fields. The actual IDs and passwords are stored in a table on the server. Once a login has occurred, a piece of data called a "cookie" can be written onto the client machine to track the user session. The Web server can then send a message to the browser, and the data is returned to the server.

Session Security –

After the user has supplied proper identification, access is granted to the data; session security then ensures that private data is not intercepted or interfered with during the session.
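The login and session flow described under User-Authentication Security and Session Security, as an added example rather than code from the article: the password table stores a salted PBKDF2 hash instead of the password itself, a successful login issues a random token for the cookie, and the token is looked up server-side with an expiry. The user names, session lifetime, iteration count and cookie name are assumptions made for this example.

```python
import hashlib, hmac, os, secrets, time

# Constructed in-memory "tables" (not from the article). USERS keeps a salt and a
# PBKDF2 hash per user, never the password; SESSIONS maps a cookie token to a user.
USERS = {}       # username -> (salt, password_hash)
SESSIONS = {}    # token -> (username, expiry_timestamp)
SESSION_TTL = 15 * 60    # seconds; an assumption for this example
ITERATIONS = 200_000     # PBKDF2 work factor; assumption

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))

def login(username, password, now=None):
    """Check the submitted form fields; on success return a new session token."""
    now = time.time() if now is None else now
    record = USERS.get(username)
    if record is None:
        _hash(password, b"\x00" * 16)   # unknown user costs as much as a wrong password
        return None
    salt, stored = record
    if not hmac.compare_digest(stored, _hash(password, salt)):
        return None                      # constant-time comparison of the hashes
    token = secrets.token_urlsafe(32)    # unguessable value that goes in the cookie
    SESSIONS[token] = (username, now + SESSION_TTL)
    return token

def cookie_header(token):
    """Set-Cookie value: HttpOnly keeps scripts away from it, Secure keeps it on SSL/TLS."""
    return f"session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"

def user_for_cookie(token, now=None):
    """Resolve the cookie back to a user; unknown or expired tokens yield None."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(token)
    if entry is None:
        return None
    username, expiry = entry
    if now > expiry:
        del SESSIONS[token]              # expired session is discarded server-side
        return None
    return username

def logout(token):
    SESSIONS.pop(token, None)
```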

Certificate servers –

Certificate servers validate, or certify, keys. Keys are strings of text generated from a complex series of encryption algorithms that allow you to secure communication for a company or group of users. The purpose of this process is to create a way for people to communicate and be reasonably sure that others are not eavesdropping or assuming a false identity.

Digital signature –

A digital signature is basically a way to ensure that an electronic document (e-mail, spreadsheet, text file, etc.) is authentic.

Public-key cryptography –

This is when a user has a public key and a private key. The private key is kept secret, while the public key may be widely distributed. The keys are related mathematically, but the private key cannot be practically derived from the public key. A message encrypted with the public key can be decrypted only with the corresponding private key.

SSL (Secure Sockets Layer) –

This is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and integral.

Sources:

Howel, Paul (21 September 1999). Retrieved from http://dailynews.yahoo.com/headlines/local/state/oregon/story.html?s=v/rs/19990920/or/index_2.html#6 on 4th October 2007.
Rahmel, Dan (April 1997). Database Security. Internet Systems. Retrieved from http://www.governmentsecurity.org/articles/DatabaseSecurityPart1.php on 3rd October 2007.
Glossary of terms. Retrieved from www.shop-script.com/glossary.html on 3rd October 2007.
Baase, S. (2003). A Gift of Fire, Second Edition. Upper Saddle River, New Jersey: Pearson Education, Inc.
Leahe, Patrick (7 September 2005). Operators Weigh Options as Senate Moves Toward New Data Security Rules. Retrieved from http://www.hotel-online.com/News/PR2005_3rd/Sep05_NorthwindSafeguards.html on 5th October 2007.