Attacks on Unsecured Databases

Imagine that you’re a researcher doing some data analysis for your company. You run some queries or load some data and then go home. The next day, you come in and find that all of your data has been deleted. Perhaps you’re the victim of a Meow attack, where people look for unsecured databases and wipe them out. If you read the comments, many of them indicate this may be considered a public service.

I think I agree with that, and here’s why. If you put up data about me in a system and don’t secure it, I’m not sure you should be trusted with the data. The article notes that UFO VPN was a victim. They got caught not only with an unsecured database, but one that held data that wasn’t supposed to be logged, including passwords. They moved their data to a new database, also unsecured, and a Meow attack wiped it out.

While I understand this might cause a company to fail and affect employees who hadn’t made the decision to store this data and ignore security, I don’t think that the world overall is worse off because their data is gone. I’m also not sure that the employees are worse off, as I’d suspect fines or other legal action might have wiped the company out anyway.

I know some university groups may lose data that is difficult or impossible to recover. I know some companies might be irreparably harmed. However, I also know that it’s 2020 and there is no reason to have an unsecured set of data available to the public, whether in a database, a file-share service, or anything else. Security needs to be provided for data.

Like many of you, I do use some services in the cloud to share files. I also find it maddening that most public access has been revoked and I need to specifically invite people, set passwords, and more to easily share things. However, that’s what we need to do in an interconnected world where we have personally identifiable and sensitive data. We need to secure it.

I’m glad SQL Server doesn’t allow blank passwords for sa, and I hope that no one allows simple, easy passwords on their systems. It is convenient, but the price your organization might pay for this convenience could put it out of business. It’s also a large price to ask the people whose data you hold to pay if it impacts their lives.

Steve Jones

Listen to the podcast at Libsyn, Stitcher or iTunes.


My T-SQL Tuesday #129 Time Capsule

This month the T-SQL Tuesday invitation comes from Tamara Clark. I strong-armed Tamara last fall, along with her husband, into hosting this year. She came through, with a great topic given the state of the world.

She asks us to write about what we’d put in a time capsule, the items or information that go into a #sqlcommunity bucket. In some sense, this invitation reminds me of Brent’s reminder post to himself.

Memories of 2020

What do I remember about this year? First, a lot of vacation for me. My employer, Redgate Software, gives a sabbatical every five years. It’s a great perk for employees that stick around, and it has helped me recharge and refresh. I think I was the last one to get a sabbatical this year while the offices were open. However, there are other companies that take care of employees, and my first memory is a reminder of this. Maybe some future person opening this capsule will think about asking their organization for this.

The second thing is that I won’t go into an office this entire year. I didn’t get any visits before lockdown, and we’ve closed our offices for the year. That’s a first for me in over a decade. However, the next thing I want to remember from this year is that so many companies are realizing that work from home (WFH) not only works, but lots of people are very productive. We can rethink our costs in buildings, commutes, living locations, and more. Redgate has traditionally not allowed anyone to avoid the office. There are a few of us that have been exceptions over the years, but 90% of our employees have been expected to show up at the office every week.

That’s changed, and it will change our culture and organization in the future.

The last thing to put in this time capsule is the importance of social contact and togetherness. I’ve missed a lot of this across the five months, to the point I work to see some people locally every couple weeks. I love my family, but I miss the social contact I used to get regularly, whether traveling to a SQL Saturday, visiting an office, maybe working in a library or Starbucks for a few hours, or just at a movie theater.

We need more social contact, or at least, I do.


A Data Attack

I got a new mobile phone and was going through the setup. On top of numerous Android updates, I had to set a number of applications back up. While it’s a pain, I also appreciate from a security standpoint that moving access to my data and sites to a new device could be an issue. One of the applications I was trying to set up was Garmin Connect, as I track my exercise, heart rate, and more on my watch. When I first tried this, I got a 404 in the app, which was strange.

Apparently Garmin was having issues. They had a large outage. The next day I saw that article, and while I could get to the main Garmin site and log in, I couldn’t get a new install of the app to connect on my phone, and I couldn’t get access to any of my workout data. Even old data apparently isn’t on my phone, as I had thought; it’s being read from the cloud. That’s disconcerting, though I record my data separately at MapMyRun, so I’m not overly worried. I even found a procedure for saving my data locally and tested it.

Over the weekend after this happened, I didn’t do much, but as of the Monday after the attack, The Verge reported that some data was visible and sync was working. Not for me, but for someone. That’s good, and Garmin has a bit of information about the outage, saying they expect devices to begin syncing at some point. Mine didn’t that day, but did a day or two later.

This is interesting as an attack because it’s not just the company’s own internal data that is affected, but also their customers’ data. I don’t know if that was the intention, but what better way to put pressure on a company than to take away their customers’ data? I don’t know that this would make them respond differently than losing their internal data, but it likely would be more public. It also might put more pressure on them to pay a ransom.

Ultimately, this is an area where I think the GDPR has started to help, by allowing customers to access copies of their data and giving them rights over how it is used. Having the right not only to get a copy of my data, but to get a regular backup of it, is something I think should be required of organizations that collect information about me. There might need to be a charge, but what is reasonable, and how this data should be made available, is something else that might need some regulatory boundaries.

Steve Jones



Fixing Broken Pip

I’ve got Python 3.8 on my machine, and recently I got a note that my pip version was old. I tried to upgrade pip with this command:

c:\python38\python.exe -m pip install --upgrade pip

This resulted in an error. When I got the error, which I didn’t save, I tried again from an admin console, but got this:

# c:\python38\python.exe -m pip install --upgrade pip
c:\python38\python.exe: No module named pip

That is frustrating. In searching around, I found an issue noting that a broken upgrade on Windows can cause pip to get lost. As a result, I needed to get pip reinstalled. This post shows how to do that, with a quick curl and a Python script execution.

Steve@ARISTOTLE C:\Users\Steve
# curl https://bootstrap.pypa.io/get-pip.py -o get-pip.py
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 1840k  100 1840k    0     0  1840k      0  0:00:01 --:--:--  0:00:01 2103k

Steve@ARISTOTLE C:\Users\Steve
# python get-pip.py
Collecting pip
  Using cached pip-20.2.1-py2.py3-none-any.whl (1.5 MB)
Collecting wheel
  Downloading wheel-0.34.2-py2.py3-none-any.whl (26 kB)
Installing collected packages: pip, wheel
Successfully installed pip-20.2.1 wheel-0.34.2

Steve@ARISTOTLE C:\Users\Steve
# pip install tweepy

That worked, and allowed me to do what I wanted, which was to get the tweepy module.
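The curl-then-run steps above fetch a script and hand it straight to the interpreter. As an added example (my code, not from the original post), the same re-bootstrap with one extra step: the downloaded get-pip.py is checked against a pinned SHA-256 digest before it is executed. EXPECTED_SHA256 is a placeholder; pin it from the digest published for the get-pip.py release you reviewed.

```python
"""Re-bootstrap pip from get-pip.py, verifying the script before it runs.
Added example, not code from the original post. EXPECTED_SHA256 is a placeholder;
replace it with the published digest of the get-pip.py release you reviewed.
"""
import hashlib
import hmac
import os
import subprocess
import sys
import tempfile
import urllib.request

GET_PIP_URL = "https://bootstrap.pypa.io/get-pip.py"  # URL used in the post
# Placeholder digest (all zeros); pin the real value for your chosen release.
EXPECTED_SHA256 = "00" * 32


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """True if SHA-256(data) equals the pinned hex digest (case-insensitive)."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def download(url: str = GET_PIP_URL, timeout: float = 30.0) -> bytes:
    """Fetch the bootstrap script over HTTPS; urllib validates the certificate."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def bootstrap_pip(data: bytes, expected_hex: str, python_exe: str = sys.executable) -> int:
    """Run get-pip.py with the interpreter that lost pip, only if the digest matches.

    Returns the installer's exit code, or 2 (without executing anything) on a mismatch.
    """
    if not verify_sha256(data, expected_hex):
        print("get-pip.py digest mismatch; refusing to execute", file=sys.stderr)
        return 2
    # Write the verified bytes to a temp file and run exactly that file.
    with tempfile.NamedTemporaryFile("wb", suffix=".py", delete=False) as fh:
        fh.write(data)
    try:
        return subprocess.run([python_exe, fh.name], check=False).returncode
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    sys.exit(bootstrap_pip(download(), EXPECTED_SHA256))
```

Before downloading anything, `python -m ensurepip --upgrade` is worth a try, since it restores the pip bundled with the interpreter itself.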

Now to do a little Python work.
