
Tom Espiner


Security Bullet In

Communiques from the security front, sir

Friday 30 March 2007, 4:50 PM

Litchfield: ID database ethical, not technical problem

Posted by Tom Espiner

David Litchfield, who has in the past dramatically exposed various vulnerabilities in Oracle, has told ZDNet UK at the Black Hat security conference in Amsterdam that the UK ID database is an ethical, not a technical, problem.

"The problems aren't technical, but ethical -- in terms of privacy. But they don't have a technical problem -- the databases can be secured as needs be."

Researchers from Ernst and Young may be able to challenge this. Billy K. Rios and Raghav Dube, senior security researchers, are currently working on methods to use compromised web browsers to access sensitive company management consoles -- and they're working on a method to circumvent those consoles to access a back-end database. The scary thing is, using a web session slips the hacker in right underneath any encryption and firewall.

Litchfield said that the threat from insiders to government databases was also great.

"They shouldn't have a database open to abuse by privileged users," said Litchfield.
