Computers are stupid creatures
Monday's issue of Peter Neumann's Risks Digest highlighted a subtle
security problem that is rarely discussed and probably slipping under the
radar of most site administrators.
Earlier this month, the University of Texas discovered that the Social
Security numbers and other personal information of approximately 55,200
people had been illegally retrieved by an outside attacker.
How the attacker got in is an instructive lesson for us all. There was no
buffer overflow, no low-level attack�in fact, no subverting of security
measures at all.
The attacker discovered a publicly accessible Web application that allowed
a user to query a database using only a Social Security number and then
returned student and staff data for a person with the matching number.
At this point, harvesting the data was only a matter of data-entry tedium.
To fix this problem, the attacker wrote a program to automatically scan
through a range of SSN values and save returned data. Over a period of five
days, the attacker or attackers scanned through three ranges of SSNs,
making about 2.7 million queries to this application in the process.
There are a number of interlocking problems here:
1) Using the SSN as a database key ( better approaches);
2) Using only the structured, guessable SSN as both the authentication and
the lookup key�asking for a single extra piece of information, such as a
last name, would have blocked this attack;
3) Not having a mechanism in place to notice highly unusual application usage.
This last point is subtle. Computers are stupid creatures and will happily
do what they are designed to do as fast as resource constraints will allow
for as long as asked to do so.
MORE ON...
http://www.eweek.com/article2/0,3959,933132,00.asp
