• RSS
  • Twitter
  • FaceBook

Security Forums

Log in

FAQ | Search | Usergroups | Profile | Register | RSS | Posting Guidelines | Recent Posts

Idea about securing data from data theft

Users browsing this topic:0 Security Fans, 0 Stealth Security Fans
Registered Security Fans: None
Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Databases

View previous topic :: View next topic  
Author Message
breaker
Just Arrived
Just Arrived


Joined: 21 Aug 2007
Posts: 0


Offline

PostPosted: Tue Aug 21, 2007 2:41 pm    Post subject: Idea about securing data from data theft Reply with quote

In light of the recent theft of data from monster.com (http://news.bbc.co.uk/1/hi/technology/6956349.stm)

I thought to myself “how do we prevent the theft of data when the user appears to be legitimate?" (i.e they have logged in)

And I thought what about a deliberate skewing of all of your data? For example:

Code:
Table Customer
CustomerID       | name          | email            |
-----------------|---------------|------------------|
1                | Bill Jimson   | sd14@website.net |
2                | Sid Sisdon    | tuna@fish.com    |


The above is a normal "unskewed" table. Now what if we were apply some sort of formula to the table so that it jumbled a certain field in a certain way.

Let’s say our formula is basic and Jumbles the e-mail address by moving it up one record:
Code:
Table Customer
CustomerID       | name          | email            |
-----------------|---------------|----------------- |
1                | Bill Jimson   | tuna@fish.com    |
2                | Sid Sisdon    | sd14@website.net |



All applications that access this data then need to account for the skewing and need to correct it somehow.

This is just something that came to my head. Here are a few drawbacks with it:
1. Extra logic needed to unskew data
2. Why not just encrypt? (Perhaps unskewing would be more innexpensive?)
3. This probably breaks just about every database rule going.

The skewing could have different formulas applied to different columns in the table. Whilst a malicious user posing as a credible user could still get some data back, it would be of significantly less value to someone attempting to use the data in a Phishing attack.

What do you guys think? Is there already something out there like this?

Moderator note: fixed table formatting - capi
Back to top
View user's profile Send private message
Groovicus
Trusted SF Member
Trusted SF Member


Joined: 19 May 2004
Posts: 9
Location: Centerville, South Dakota

Offline

PostPosted: Wed Aug 22, 2007 5:59 pm    Post subject: Reply with quote

I can think of quite a few things wrong with this. The idea behind a database is that each record describes a single entity, and one can use the information to identify relationships between the data. If the data contained within a row no longer applies to that row, how can one possibly hope to guarantee accurate results? If I do a "SELECT email FROM person WHERE name=Bill Jimson", I know that I am going to get his correct email. If it is not correct, that what good does it do me? What if I want a list of all people whose emails addresses end in ".sparx.net"? How many queries will I have to do to get the id's of those who have that email address, then figure out the offset, and then finally get the name that goes with that address? Are you going to guarantee that it is going to be correct 100% of the time?

When doing a deletion, you have to find the record that you want to delete, figure out the other records that may contain all of the other bits of data that go with that one record, alter all of them, and still guarantee that the next time someone queries the database, they get correct results? What do you do with the entries that previously contained data from the now deleted entry? Leave them null? How many re-alignments will you have to do for just one deletion, or just one insertion?

There is also no concept of 'one record up" or "one record down". If I do ten selects of a table with 100 rows, chances are that I will probably get them all back in the order I put them in. Maybe 500 rows. I have tables with tens of thousands of rows that never give me results in the same order. Records are stored in trees, and the trees are periodically rebalanced.

The contract with any database is that you get out the data that you put into it. If you programatically alter records as they go into the database, that contract can no longer be honored, and the data is largely useless to everybody.
Back to top
View user's profile Send private message Visit poster's website
Display posts from previous:   

Post new topic   Reply to topic   Printer-friendly version    Networking/Security Forums Index -> Databases All times are GMT + 2 Hours
Page 1 of 1


 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum

Community Area

Log in | Register