some thoughts about Oracle's security breach (by SAP)

John Ioannidis ji at
Fri Mar 23 18:29:12 EDT 2007

On Fri, Mar 23, 2007 at 02:29:14PM -0800, Alex Alten wrote:
> It seems to me that this could have been prevented (or better damage 
> control) by:
> 1) encrypting the files

Encrypting the files would not have served any purpose; the decryption key would simply have been part of the customer credentials that were abused.  Proper key management is actually harder than proper access control.

> 2) putting in place good access controls (policy adjudication and
> enforcement)
>    examples: if more than 100 files / week then raise alert
>              if customer access incorrect areas /directories raise an alert

Yes, Oracle did not enforce proper access controls if customers could
download things they were not entitled to.  An argument can be made in their favor that they allow customers without a license to browse around so that they will be tempted to actually buy the product later on, and relying on the legal system to enforce abuse.  

This, however, does not explain why internal, proprietary information
was available with unrestricted access, and SAP (or anyone else, for
that matter) was able to download it.  

Again, as far as alerts are concerned, it is easier to put
hard-and-fast access controls than to try to deduce customer behavior.

> 3) possibly better auditing in place to assist after-the-fact forensics
>    (this might have reduced the scope of the theft by allowing a more
>    timely response)

I think their auditing is fine; the attacks occurred in late November
2006, and the litigation is starting less than four months later.


John Ioannidis       | Packet GENERAL Networks, Inc.
ji at |
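
Added example, not part of the original message or of any Oracle system: a sketch contrasting the two controls discussed in this thread, the "more than 100 files / week" alert and a hard per-request entitlement check, run over a constructed download log. The customer names, paths, week number and entitlement table are all assumptions made up for illustration.

```python
import posixpath
from collections import Counter

# Constructed entitlements: customer -> directory prefixes they have licensed.
ENTITLEMENTS = {
    "cust-a": ("/support/product-x/",),
    "cust-b": ("/support/product-x/", "/support/product-y/"),
}

def authorize(customer, path):
    """Hard access control: allow only paths under a licensed prefix."""
    # Normalise first so "../" segments cannot step out of a licensed prefix.
    clean = posixpath.normpath(path)
    # Unknown customers have no prefixes, so the check fails closed.
    return any(clean.startswith(p) for p in ENTITLEMENTS.get(customer, ()))

def volume_alerts(log, limit=100):
    """Behavioural rule from the thread: more than `limit` files in a week."""
    counts = Counter((cust, week) for cust, week, _ in log)
    return {key for key, n in counts.items() if n > limit}

def denied_requests(log):
    """Requests the entitlement check would have refused outright."""
    return [(c, w, p) for c, w, p in log if not authorize(c, p)]

def sample_log():
    """Constructed log of (customer, ISO week, requested path)."""
    # cust-b: heavy but fully entitled use, 120 files in one week.
    log = [("cust-b", 47, f"/support/product-y/fix{i}.zip") for i in range(120)]
    # cust-a: 60 files from a product it has not licensed, under the threshold.
    log += [("cust-a", 47, f"/support/product-y/fix{i}.zip") for i in range(60)]
    # cust-a: one traversal out of its own area, and one legitimate request.
    log.append(("cust-a", 47, "/support/product-x/../internal/roadmap.pdf"))
    log.append(("cust-a", 47, "/support/product-x/readme.txt"))
    return log

if __name__ == "__main__":
    log = sample_log()
    print("volume alerts:", volume_alerts(log))
    print("denied by entitlement check:", len(denied_requests(log)))
```

On this sample the volume rule flags only the entitled heavy user, while the entitlement check refuses every out-of-licence request without needing any model of normal behaviour.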

The Cryptography Mailing List