Hacking the Admin

Recently Twitter had a security breach, with a silly scam. At least, I’d think it was silly. I saw a tweet from Elon Musk noting that he’d return $2k in bitcoin for every $1k anyone sent to him. He was feeling generous.

While that might seem silly, a number of other high-profile accounts were breached and posted the same offer, which seemed to lend it some credibility. I saw a few news reports that the hackers made off with over US$100,000, so apparently at least a few people were fooled. Twitter locked down verified accounts for a bit while it investigated, removed some tweets, and tried to close the security hole.

What is disturbing here is that the hack apparently took place through Twitter sysadmins with privileged accounts. As of this writing, it isn't clear whether this was social engineering or whether a sysadmin worked with the hackers, but there were internal tools that allowed Twitter employees to post tweets on behalf of users.

I have no idea how this happened, but I'm assuming this is some sort of data change made to their system. If this were an RDBMS with a "tweets" table, this would be adding a row to that table keyed to the verified account's ID. Not a hard change in the SQL Server world, and certainly the type of change that most admins could make.

The question might be whether they should be allowed to. Many of us have made ad hoc data changes to systems to correct an issue, and some of us do this regularly.

This reminds me of some customers whose DBAs aren't allowed to connect directly from SSMS (or other clients) to production and make changes. All changes, including ad hoc data changes, must be submitted to some sort of pipeline, where the change is logged and perhaps approved by someone else. A different sort of two-factor control: a second person rather than a second credential.
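As an added example (not the editorial's code, and not any customer's actual pipeline), here is one way to implement that pattern in T-SQL: a change-ticket table plus two stored procedures, with one database role for the people who request ad hoc fixes and another for the people who approve them. The table, role, procedure and tweet ID names are all assumptions made up for the example.

```sql
-- Added example, not from the editorial. Hypothetical names: dbo.Tweets is the
-- production table; DataFixRequesters and DataFixApprovers are database roles for
-- the two groups of people involved.

-- 1. Nobody's everyday login writes to the production table directly.
CREATE ROLE DataFixRequesters;
CREATE ROLE DataFixApprovers;
DENY INSERT, UPDATE, DELETE ON dbo.Tweets TO DataFixRequesters;
DENY INSERT, UPDATE, DELETE ON dbo.Tweets TO DataFixApprovers;

-- 2. Every ad hoc change is written down first: who asked, why, and the exact statement.
CREATE TABLE dbo.DataFixRequest (
    RequestId     int           IDENTITY PRIMARY KEY,
    RequestedBy   sysname       NOT NULL DEFAULT ORIGINAL_LOGIN(),
    RequestedAt   datetime2     NOT NULL DEFAULT SYSUTCDATETIME(),
    Justification nvarchar(400) NOT NULL,
    ChangeSql     nvarchar(max) NOT NULL,
    ApprovedBy    sysname       NULL,
    ApprovedAt    datetime2     NULL,
    AppliedAt     datetime2     NULL,
    AppliedError  nvarchar(max) NULL
);
GO

CREATE PROCEDURE dbo.SubmitDataFix
    @Justification nvarchar(400),
    @ChangeSql     nvarchar(max)
AS
BEGIN
    INSERT dbo.DataFixRequest (Justification, ChangeSql)
    VALUES (@Justification, @ChangeSql);
    SELECT SCOPE_IDENTITY() AS RequestId;   -- hand the ticket number back to the requester
END;
GO
GRANT EXECUTE ON dbo.SubmitDataFix TO DataFixRequesters;
GO

-- 3. A second person approves and applies. The procedure runs as dbo, so it can write to
--    dbo.Tweets even though the approver's own login cannot; ORIGINAL_LOGIN() still sees
--    the real approver, so self-approval is refused and the audit columns name a person.
CREATE PROCEDURE dbo.ApproveAndApplyDataFix
    @RequestId int
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @sql nvarchar(max), @requester sysname;

    SELECT @sql = ChangeSql, @requester = RequestedBy
      FROM dbo.DataFixRequest
     WHERE RequestId = @RequestId AND ApprovedAt IS NULL;

    IF @sql IS NULL
        THROW 50001, 'No such pending request.', 1;
    IF @requester = ORIGINAL_LOGIN()
        THROW 50002, 'The requester cannot approve their own change.', 1;

    UPDATE dbo.DataFixRequest
       SET ApprovedBy = ORIGINAL_LOGIN(), ApprovedAt = SYSUTCDATETIME()
     WHERE RequestId = @RequestId;

    BEGIN TRY
        EXEC sys.sp_executesql @sql;
        UPDATE dbo.DataFixRequest SET AppliedAt = SYSUTCDATETIME()
         WHERE RequestId = @RequestId;
    END TRY
    BEGIN CATCH
        -- keep the failure on the ticket, then surface it to the approver
        UPDATE dbo.DataFixRequest SET AppliedError = ERROR_MESSAGE()
         WHERE RequestId = @RequestId;
        THROW;
    END CATCH
END;
GO
GRANT EXECUTE ON dbo.ApproveAndApplyDataFix TO DataFixApprovers;
GO

-- How it is used: a member of DataFixRequesters files the ticket (tweet ID is a placeholder)...
EXEC dbo.SubmitDataFix
     @Justification = N'Remove tweet 12345 posted through the compromised internal tool',
     @ChangeSql     = N'DELETE dbo.Tweets WHERE TweetId = 12345;';
-- ...and a different login, in DataFixApprovers, reads ChangeSql and applies it.
EXEC dbo.ApproveAndApplyDataFix @RequestId = 1;
```

Two things make this work. The DENY on the base table means the requester's and approver's everyday logins cannot write to dbo.Tweets at all; only the approval procedure can, because WITH EXECUTE AS OWNER runs it as dbo. And ORIGINAL_LOGIN() ignores that impersonation, so the self-approval check and the audit columns record the real person. The caveat is that none of this binds a member of sysadmin, who is not subject to DENY and can write to any table; the pattern only helps if day-to-day work is done from non-sysadmin logins and the sysadmin credential is treated as break-glass with its own logging. The approver also has to actually read ChangeSql before approving, since it is executed with dbo's rights.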

Should this be a more common pattern of access to production systems, limiting access for everyone, even admins? I know we need to trust administrators, but what happens when administrators get fooled by social engineering? That's a thorny attack vector that we ought to be considering in our architectures.

Steve Jones
Listen to the podcast at Libsyn, Stitcher or iTunes.

Posted in Editorial | 2 Comments

Daily Coping 22 Jul 2020

I’ve started to add a daily coping tip to the SQLServerCentral newsletter and to the Community Circle, which is helping me deal with the issues in the world. I’m adding my responses for each day here.

Today’s tip is to write your worries down and save them for a specific “worry time”.

What am I worried about? Not much, and my worries are really small. I worry my daughter won’t get to experience college this fall, including sports, and I won’t get to watch her play. I’m worried my middle kid won’t get a job when he graduates next year. I’m worried my oldest will get sick, or stuck, in Spain this year where he’s supposed to teach. Or that he won’t go.

Mostly I worry that I won’t be able to get back to my way of life, speaking, travel, coaching, and snowboarding. This is a good way to write a few things down, and I’ll worry about these on the weekend, when I can have a drink with my wife and complain about things.

Posted in Blog | Comments Off on Daily Coping 22 Jul 2020

Adapting Privacy

Lawyers will be lawyers.

That’s a quote from a piece at Ars Technica on how and why the search engine startup Neeva changed its privacy policy. Their business model relied on users paying Neeva to keep their data private, the goal being a secure platform that respects users’ privacy. An admirable goal, and one that I might have been willing to fund. There is a lot of data out there, and while I don’t mind companies using data about me to improve their service to me, I don’t like them sharing it.

In this case, Neeva didn’t read their own terms of service very well. I don’t think this was malicious, but it was a mistake. I’m sure they used a legal group that someone recommended to them, and the lawyers were trying to craft a document structured to protect the company and allow for flexibility. Sharing data with affiliates and advertisers would seem to go against their model, but it’s something lawyers might think is fine. If you read the article, you can see how Neeva has adjusted their terms.

As the world grows more digital, and we all deal with an ever-increasing number of organizations, data privacy will become more important to some, perhaps many, people. The ideas of reducing data retention, limiting the transfer of data, and giving users more control may take hold, especially if a few companies start to succeed with this business model. We’ve seen pressure on companies throughout this year cause them to shift their previous stances, sometimes dramatically.

For those of us that work with data, this might mean easier administration in some ways. Certainly we will have to alter our systems for archival or for more flexible data retention policies. We might even need to adapt our data models to include fields that let us easily decide what data to keep, remove, or obfuscate.

In fact, I wonder if that’s the future of privacy. We de-link old users by randomly setting values for PII data and keeping other information, like sales values or URLs clicked, as useful information for aggregation without any risk of disclosure.
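As an added example (not Neeva's code, and not the editorial's), here is the de-linking idea from the previous two paragraphs in T-SQL, with a DeLinkedAt column as the extra model field that records the decision. The schema and the two sample users are constructed for the example. It goes one step past the text: the URLs clicked are kept for aggregation, but their query strings are stripped, because a URL can itself carry a referral code, an e-mail address or a user ID and quietly undo the de-link.

```sql
-- Added example, not from the editorial. Schema and sample rows are constructed.
CREATE TABLE dbo.Users (
    UserId       int           PRIMARY KEY,
    Email        nvarchar(320) NOT NULL,
    FullName     nvarchar(200) NOT NULL,
    Phone        varchar(32)   NULL,
    LastActiveAt datetime2     NOT NULL,
    DeLinkedAt   datetime2     NULL        -- the "decide what to keep" field
);
CREATE TABLE dbo.Orders (
    OrderId int   PRIMARY KEY,
    UserId  int   NOT NULL REFERENCES dbo.Users(UserId),
    Amount  money NOT NULL
);
CREATE TABLE dbo.ClickLog (
    ClickId   int            IDENTITY PRIMARY KEY,
    UserId    int            NOT NULL REFERENCES dbo.Users(UserId),
    Url       nvarchar(2000) NOT NULL,
    ClickedAt datetime2      NOT NULL
);

INSERT dbo.Users VALUES
    (1, N'ann@example.com', N'Ann Example', '555-0101', '2017-03-01', NULL),  -- stale
    (2, N'bob@example.com', N'Bob Example', NULL,       '2020-07-01', NULL);  -- active
INSERT dbo.Orders VALUES (10, 1, 42.00), (11, 2, 15.50);
INSERT dbo.ClickLog (UserId, Url, ClickedAt) VALUES
    (1, N'https://shop.example/item/7?ref=ann%40example.com', '2017-02-27'),
    (2, N'https://shop.example/item/9',                       '2020-06-29');

-- De-link anyone inactive for two years. CRYPT_GEN_RANDOM gives each row its own random
-- value, so de-linked users stay distinct (aggregates still count them separately) but
-- nothing left in the table leads back to the person.
DECLARE @cutoff datetime2 = DATEADD(year, -2, SYSUTCDATETIME());

BEGIN TRANSACTION;

UPDATE u
   SET Email      = 'removed-' + CONVERT(char(32), CRYPT_GEN_RANDOM(16), 2) + '@invalid',
       FullName   = N'Removed User',
       Phone      = NULL,
       DeLinkedAt = SYSUTCDATETIME()
  FROM dbo.Users AS u
 WHERE u.LastActiveAt < @cutoff
   AND u.DeLinkedAt IS NULL;

-- Keep the URL for aggregation, but drop the query string: that is where referral
-- codes, e-mail addresses and user IDs tend to hide.
UPDATE c
   SET Url = LEFT(c.Url, CHARINDEX('?', c.Url + '?') - 1)
  FROM dbo.ClickLog AS c
  JOIN dbo.Users    AS u ON u.UserId = c.UserId
 WHERE u.DeLinkedAt IS NOT NULL;

COMMIT;

-- The business aggregate survives the de-link.
SELECT CASE WHEN u.DeLinkedAt IS NULL THEN 'active' ELSE 'de-linked' END AS cohort,
       COUNT(DISTINCT o.UserId) AS buyers,
       SUM(o.Amount)            AS revenue
  FROM dbo.Orders AS o
  JOIN dbo.Users  AS u ON u.UserId = o.UserId
 GROUP BY CASE WHEN u.DeLinkedAt IS NULL THEN 'active' ELSE 'de-linked' END;

-- Checks: stale users still carrying PII, and de-linked users' clicks still carrying
-- a query string.
SELECT UserId
  FROM dbo.Users
 WHERE LastActiveAt < @cutoff
   AND (DeLinkedAt IS NULL OR Email NOT LIKE 'removed-%@invalid');
SELECT c.ClickId
  FROM dbo.ClickLog AS c
  JOIN dbo.Users    AS u ON u.UserId = c.UserId
 WHERE u.DeLinkedAt IS NOT NULL AND c.Url LIKE '%?%';
```

Both check queries at the end should come back empty after the run. Two caveats a practitioner would add. First, the old values are still in backups and in the transaction log until those age out, so de-linking the live table is not the same as erasure if a regulation demands the latter. Second, the placeholder is random rather than a hash of the old value on purpose: a hash of an e-mail address can be reversed by hashing a list of candidate addresses, which is exactly the linkage this is meant to break.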

Steve Jones

Posted in Editorial | Comments Off on Adapting Privacy

Daily Coping 21 Jul 2020

I’ve started to add a daily coping tip to the SQLServerCentral newsletter and to the Community Circle, which is helping me deal with the issues in the world. I’m adding my responses for each day here.

Today’s tip is to get the basics right: eat well, exercise, go to bed on time.

This is my go-to coping tip, well, two of the three. Or maybe three of three, depending on how you view things.

First, exercise. This is something that’s important to me, as evidenced by my workout log for June. July is looking slightly worse, but I had a few interruptions.

[Screenshot: MapMyRun workout log, captured 2020-07-16]

I find exercise is a great break from life for me, but it’s also a good long term habit to build for your health. At least walk around regularly.

I like my bed, and I look forward to sleep. I do try to get to sleep early, with complaints from my wife that I can’t stay awake, but I have been struggling the last month to stay asleep. I seem to wake up at night, wide awake, and can’t get relaxed. Sometimes I lie there, sometimes I read a bit. I don’t feel too stressed and my diet hasn’t changed. I’m guessing I’m just getting old.

That brings me to eating. Food comforts me. While I try to cook more vegetables for the family and look for healthy alternative recipes, I’m not great at it, and I’m not great at limiting portions. I am trying to do better, and it’s on my mind, but doing better is a struggle.

Be better than me today.

Posted in Blog | 1 Comment