Slashdot Mirror


Leaky Database Leaves Oklahoma Police, Bank Vulnerable To Intruders (dailydot.com)

blottsie quotes a report from The Daily Dot: A leaky database has exposed the physical security of multiple Oklahoma Department of Public Safety facilities and at least one Oklahoma bank. The vulnerability -- which has reportedly been fixed -- was revealed on Tuesday by Chris Vickery, a MacKeeper security researcher who this year has revealed numerous data breaches affecting millions of Americans. The misconfigured database, which was managed by a company called Automation Integrated, was exposed for at least a week, according to Vickery, who said he spoke to the company's vice president on Saturday. Reached on Tuesday, however, an Automation Integrated employee said "no one" in the office was aware of the problem. Vickery was able to retrieve images of various doors, locks, RFID access panels, and the controller board of an alarm system, all of which could be previously accessed without a username or password. The database also contained "details on the make, model, location, warranty coverage, and even whether or not the unit was still functional," Vickery said. What's worse is that Automated Integration is far from the only company whose databases are left exposed online. "I have a constantly fluctuating list of 50 to 100 similar breaches that need to be reported," he said. "This one just happened to involve a security-related company and government buildings, so it got bumped to the top of my list."

16 comments

  1. This is the scenario right now. by Anonymous Coward · · Score: 0

    International FBI moles have been gathering this information for years and years. How can they possibly undo it? They fucked up.

  2. cause it all needs to be easy to access online! by wierd_w · · Score: 1

    How else will Tina in payroll make her TPS reports!? She has problems sending faxes out, just imagine if she had to follow a rigid security policy instead of just clicking a button on her in-house programmed VBA front end for Access (or Excel)!!

    {because competent employees are worth less than pretty ones, if you believe the statistics on employment retention and wages earned. we get what we deserve.}

    1. Re:cause it all needs to be easy to access online! by Anonymous Coward · · Score: 0

      Hillary couldn't do payroll either. So you looking for her emails eh?

  3. PUBLIC SERVICE ANNOUNCEMENT: Pokémon is by Anonymous Coward · · Score: 0

    Pokémon is gay. Only fags and pedophiles play Pokémon. Normal people should never be playing Pokémon. It is an app designed to give perverts a reason to hang around public places with young children without getting arrested. This is not a game normal people should be playing.

  4. I wish this guy luck by Anonymous Coward · · Score: 0

    Vickery was able to retrieve images of various doors, locks, RFID access panels, and the controller board of an alarm system all of which could be previously accessed without a username or password

    I'm in favor of what he's doing, and it shouldn't be a crime to poke around at things that have zero access control, but that's not how banks and state police tend to view things. The way CFAA is worded, I'm pretty sure they can indict a dead guy for having his own identity stolen, if they haven't tried that already.

    1. Re:I wish this guy luck by Anonymous Coward · · Score: 0

      >> it shouldn't be a crime to poke around at things that have zero access control

      So the next time you fail to lock your front door, or leave your garage door open while you're working in the back yard, you don't mind the neighbors and anyone driving by coming in and rummaging through your stuff just as long as they, say, just take pictures, but don't really take the things?

    2. Re:I wish this guy luck by Anonymous Coward · · Score: 0

      You're running a server on the internet. It's more like leaving your public business unlocked with the neon "OPEN" sign on. You can't really be surprised that someone walks in after hours.

    3. Re:I wish this guy luck by Anonymous Coward · · Score: 0

      "it shouldn't be a crime to poke around at things that have zero access control" ...was the original statement. I don't think anyone's surprised it happens, but saying it shouldn't be a crime is simply stupid.

      Freedom requires a sense of personal responsibility and self-control.

  5. Open Security Standard by EEPROMS · · Score: 1

    I think it is about time we all agreed the ever-growing password and 2 level checking, even with a mobile, is verging on becoming a complete fail. What we need is an open security standard that not only securely transmits data but allows a user to use their web services "without a password". I'm thinking some type of smart dongle with a rotating 2048 bit key with a fingerprint reader built in that can scan up to 10 fingerprints (users can have a multi fingerprint login sequence). The dongle should work with mobiles and other PC related devices and even door locks. This way it removes the security key layer away from the PC and the telco networks and isolates the device from open Internet access (device is a 2 part connection when plugged in, in that the device itself never electrically connects, only the io part does).

    1. Re:Open Security Standard by Anonymous Coward · · Score: 0

      Yeah but that's not the only problem.

      I've looked on in horror as I peeked into a company's database and saw passwords stored in clear text.

    2. Re:Open Security Standard by dog77 · · Score: 1

      FIDO is what you are looking for: https://fidoalliance.org/speci...

    3. Re:Open Security Standard by EEPROMS · · Score: 1

      close but you still need a password and the USB device still has no fingerprint scanner.