
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


English Football Fans Data Allegedly Sold to the BlackMarket

I saw today, via a post by Marcel-Jan on my Oracle Security forum titled "Rogue employees sell passport data of World Cup fans", a reference to a blog on net security that alleges that the passport and other details of 35,000 English fans who visited the World Cup in 2006 have been sold on the black market.

This is really interesting and backs up, on a number of levels, what I have been saying for years. The attack wasn't technical: the data was stolen by abusing functionality and privileges that had been granted to the attackers. It was also an insider attack. I constantly go on about the insider threat and the fact that a firewall on the perimeter of an organisation does nothing to protect the data within, because most staff have access to that data either through applications or directly in the databases. Often the data is not even held only in the database; it is copied many times and replicated outside of it, which means there are no controls over the data and someone can pick it off easily if they wish. What's more, organisations rely on application security to protect the data whilst the database accounts themselves often hold sweeping privileges. When the same users are allowed different access through different applications, they can often see data that was never intended for them.

You must know where your data is and who can access it before any attempt to secure that data is made; otherwise you are wasting your time.
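As an added illustration of the "who can access it" step (example query written for this page, not code from the original post), the following Oracle SQL lists every grantee that can reach one table, whether directly, through a chain of roles, or through an "ANY TABLE" system privilege. It assumes the table being audited is HR.EMPLOYEES (a placeholder) and that the querying account can read the DBA_* dictionary views.

```sql
-- Added example, not from the original post.
-- Expand role grants recursively so that a role granted to a role
-- granted to a user is attributed to that user.
WITH role_chain (grantee, root_role) AS (
  -- anchor: every direct grant of a role
  SELECT grantee, granted_role
    FROM dba_role_privs
  UNION ALL
  -- recursive step: whoever holds rc.grantee (a role) also holds its roles
  SELECT rp.grantee, rc.root_role
    FROM dba_role_privs rp
    JOIN role_chain rc ON rp.granted_role = rc.grantee
)
-- 1. direct object grants on the table (includes PUBLIC)
SELECT tp.grantee  AS holder,
       'DIRECT'    AS via,
       tp.privilege
  FROM dba_tab_privs tp
 WHERE tp.owner = 'HR' AND tp.table_name = 'EMPLOYEES'   -- placeholder table
UNION
-- 2. object grants reached through a role chain
SELECT rc.grantee, 'ROLE ' || rc.root_role, tp.privilege
  FROM dba_tab_privs tp
  JOIN role_chain rc ON rc.root_role = tp.grantee
 WHERE tp.owner = 'HR' AND tp.table_name = 'EMPLOYEES'
UNION
-- 3. blanket system privileges held directly
SELECT sp.grantee, 'SYSPRIV', sp.privilege
  FROM dba_sys_privs sp
 WHERE sp.privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE')
UNION
-- 4. blanket system privileges reached through a role chain (e.g. DBA)
SELECT rc.grantee, 'ROLE ' || rc.root_role, sp.privilege
  FROM dba_sys_privs sp
  JOIN role_chain rc ON rc.root_role = sp.grantee
 WHERE sp.privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE')
ORDER BY 1, 2;
```

The table owner itself and accounts that can become other users (proxy or impersonation paths) are not in this list; the point is that the set of people who can read the data is usually far larger than the application's own user list suggests.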

Also today I came across another new blog in the data security space, Michael Smith's "Database Security", which I have also added to my Oracle security blogs aggregator.

There has been 1 comment posted on this article

September 14th, 2010 at 03:11 pm

Pete Finnigan says:

Bad news for the English fans. The article is an interesting read though. It gives a little insight into how the data was (not) protected.

In most organizations it takes months to years before a hack is found out. In this case they don't seem to know whether the data was stolen in 2010 or years before. That tells you something.

You might, with reason, blame FIFA. This situation is however not all that uncommon in other organizations.

You might say FIFA was "unlucky" that this came out. You also might say other organizations with similar (lack of) protection are damn lucky that nothing (seems to have) happened yet.