Saturday, August 25, 2007 security breach

So, (one of the world's biggest online job seekers site) suffered a huge security breach. Now what? I've registered with Monster years ago (around 2000) but have never gotten any responses from them over the years other than notifications from alert agents that I'd set up years ago.

Obviously like everything else, if someone from or other company contact you regarding potential job opportunities, common sense has to prevail especially when it comes to divulging personal and sensitive information without checking out the companies. We do use to post vacancies and now will probably need to revisit that particular approach.

On a different matter, with the current spotlight on things/products made in China, I'm reminded by how much stuff in N. America (in fact, in the Western world) are made in third world countries where anything could and can happen. Take software for instance, a number of commercial software products are developed overseas and Oracle is definitely no exception. We had an incident a while ago (which I can now blog about) with a commercial package from a well-known software organization (no, not Oracle).

One of our administrators was trying to install this product (in use for a number of years in our organization) on a new server and was running into some problems (it was a new install on a Linux server which we have never installed the product on Linux previously) so he decided to poke around to see what parameters could be specified with the install. Using a Unix dump utility, he dumped the software executable and something suspicious. Beside the list of valid parameters, there was a string "Death to the Infidels" and since it was a dump not a reverse engineered effort, he has no way of telling whether it was part of a command or a constant string. We had to contact the National law enforcement in Canada and turn everything over to them (documentation, software CD's and a formal signed statement). It took months before we heard anything and it turned out to be nothing more serious than an embedded string but it could have been worse.

I am sure that the software development for the product has been outsourced and whatever QA processes/procedures in place did not managed to catch the "flaw". Nowadays, with the global economy and village being almost next door (through the miracle of technologies), how can we be sure that there are safeguards in place to protect us from malicious code embedded in the software products that we use daily? Can we be assured by our vendors/partners that they have done everything possible to safeguard us against threats by "insiders"? What is there to guarantee that the next software product that you purchase to help run your organization might not have a time/logic bomb set to go off to do the most damage? Software testing the hell out of the product still do not guarantee that every single line of code is tested and working according to specifications especially if you are looking at a major product like Oracle RDBMS. According to Oracle Magazine, Oracle 10g has more than 100,000 automated tests so you can imagine the number of lines of code for Oracle.

Anyhow, food for thought, eh?

No comments: