This story reminds me of the SQL Slammer of January 2003.
For those who do not remember it, this was the first example of an incredibly small piece of code (less than 400 bytes in total) that spread as a network worm and caused havoc on many large databases exposed to the internet. For instance, Continental Airlines' reservation system went down and caused serious issues at Houston's international airport; Bank of America's ATM network was affected; and a number of other large corporations suffered from that attack as well. In that case, the worm was simply exploiting the fact that some people keep these databases completely exposed (read: vulnerable) to the internet.
Apparently, 10 years later, we have not learned our lesson.
This article on Dark Reading reports the possible number of databases exposed to the internet to be under 900,000 – that is absolutely staggering. The assumption is that these would be small companies that do not follow best practices, that do not understand security issues, and that are therefore more likely to be at risk. While that, in my opinion, is a rather naïve and ‘hopeful’ assumption, it still concerns me. Even IF this is true, the data exposed in those small databases, owned by those small companies that are not following best practices, could be my credit card number or my social security number. For all I know, one of them might very well be a small online retailer from which I purchased something last year.
On top of all this, the internet makes everyone look “equal”. The smallest mom-and-pop shop can look like a large chain on the internet; you have no way of knowing who you are giving your information to; and before you know it, that information ends up on the net.
And what about PCI, you may ask?
True, PCI is trying to address the issue, but the issue is so big that it would be virtually impossible to address it in its entirety. It just makes me wonder – should I stop shopping online? Should I just stick with Amazon.com? (assuming, no, hoping that they follow best practices, of course). No law or regulation can ever ensure that everybody follows best practices; even within the banking industry, with yearly audits, strict regulations and clearly assigned responsibilities, issues remain possible.
And if those at risk are indeed small companies not following best practices, will they update their systems once a patch becomes available? Or will they leave their systems vulnerable and expose their data for a long time?
I wish I had a more hopeful answer to all these concerns, but the unfortunate truth is that, at the moment, I do not see a solution on the horizon at all.
Databases are exposed, they will be exploited, and data will be stolen. It should be obvious that this should not happen; it should go without saying that you do NOT expose a database to the world. But, then again, not everyone follows the “obvious” logic.