[ISN] Hacker logs onto FWP hunter database, but no information stolen

InfoSec News isn at c4i.org
Fri Jul 1 05:35:55 EDT 2005


Forwarded from: security curmudgeon <jericho at attrition.org>

: http://www.bozemandailychronicle.com/articles/2005/06/29/news/02fwp.txt
: 
: By NICK GEVOCK
: Chronicle Staff Writer 
: June 29, 2005
: 
: A hacker broke into a Montana Department of Fish, Wildlife and Parks 
: computer database containing personal information about hunters last 
: month, but officials say no data was stolen.

: The database includes personal information about hunters, including 
: Social Security numbers, along with data on where they hunted and 
: whether they killed game.
: 
: Upon discovering the hacking, FWP immediately contacted Sam Mason, a 
: state data security specialist, who determined the hacker hadn't 
: downloaded any information, Aasheim said.

: Based on a review of the database after the incident, it appears that 
: the hacker was looking for storage space for files, Mason said.

Because all of the system logs clearly show this? And the logs were
not altered?

: Luckily, Aasheim said, the agency's databases use Oracle software, which 
: compresses inforamtion into a code that is not visible to hackers as 
: readable text.

"Not visible to hackers" is quite amusing, given the nature of hacking
and how many hackers are responsible for reversing just about
everything, including encryption/obfuscation schemes. And heaven
forbid the hacker know Oracle commands, because I think Oracle can
read that "inforamtion" (sic).

: In addition, the database takes up 12 gigabytes of disc storage that
: can't be accessed in pieces. 

So the machine has 12 gigs of RAM to load it into memory? Oh wait.. of
course it can be accessed in pieces. Maybe he couldn't download the
raw database in pieces, but Oracle sure can query it in such a way as
to display pieces.

: A transfer of that size would take time, but the hacker was only on the 
: server for a few minutes.

Or the logs were zapped past a certain point. It's hard to swallow
this story, that they detected the intrusion, responded and can
*guarantee* that no data was stolen. Any company/agency that runs the
Swiss cheese we call Oracle should know better.




