Tag Archives: David Maman

Voter Database Security Is A Myth

In this post, guest author David Maman, CTO and founder of GreenSQL – the database security company – questions the security reliability of voter databases.

Some of us spend days and months of indecision, hours in front of the TV watching campaign commercials and presidential debates, researching on the Net, mulling the options with family and friends, all ultimately to go to the polls to exercise our constitutional right to vote. For millions among us, this is a final decision and a terminal point.

Not for me.

As an information security specialist and database security researcher, I wonder where my vote goes, in what database it’s maintained, and, of course, how secure it is.

Hard experience has taught me that right now, somewhere, a hacker is trying to penetrate the voter databases “just for fun,” “to prove something,” or if I really want to be paranoid, “because he’s part of a powerful, international organization that seeks to dictate our political process by determining elections.”

Paranoia? I wish. One only has to read the news… last year, the databases of major companies were hacked: LinkedIn, Visa, KT Mobile, Sony, Zappos, etc. Of course, that tally doesn’t include the organizations who don’t know they were hacked.

Want news on voter databases being hacked in the last few years? Take a look at the list below, the result of a two-minute Google search:

July 15, 2012: Florida Allowed to Access Citizen Database for Voter Purge

July 27, 2012: Obama Administration to Open Voter Database

March 26, 2012: GOP’s Voter Vault Database Hacked, Candidates’ Identity Altered

August 2011: No Personal Information Compromised After Voter Database Hacked

At a time when databases are being constantly penetrated by unauthorized users and personal information is being stolen, misused or just maliciously exposed, the question remains: How secure are voter databases?

As if selecting a candidate isn’t vexing enough, now, I have a bigger concern: “How can I be sure my vote ultimately goes to the candidate of my choice?” “Will my vote be manipulated in any way, whether by foreign or domestic entities?” “Will my voter information be used to make it easier to have my identity stolen? (Even the FBI says identity theft represents a more serious threat than drugs.)”

About GreenSQL:

GreenSQL, the Database Security Company, delivers out-of-the-box database security solutions for small and mid-sized organizations. Started as an open source project back in 2006, GreenSQL became the no. 1 database security solution for MySQL with 100,000 users worldwide. In 2009, in response to market needs, GreenSQL LTD developed a commercial version, bringing a fresh approach to protecting databases of small- and medium-sized businesses.

GreenSQL provides database security solutions that are affordable and easy to install and maintain. GreenSQL supports Microsoft Azure, SQL Server (all versions including SQL Server 2012), MySQL and PostgreSQL.


Filed under Cyber Crime, Guest Writers, Point of View

Scan a QR code – Expose yourself to mobile malware

Guest post by David Maman – CTO & Founder of GreenSQL.

A single poisoned link is all it takes to expose an entire organization to a full-scale attack.

Hackers write sophisticated browser-based attacks that operate quite stealthily. Now, they’re going after our mobile phones, which are soon to be the number one way we access the web.

As QR codes have evolved, they now can offer users – and thieves – unlimited information within seconds of scanning.

And we scan them voluntarily.

We’ve already been trained to think twice before entering an unknown link we get from a stranger or even a friend, but almost anyone will scan an unknown QR code with a smartphone or a tablet, if the offer it’s embedded in looks tempting enough.

The Experiment:

Over a three-day security conference in London, I created a small poster featuring a big security company’s logo and the sentence “Just Scan to Win an iPAD.” Thousands of people walked by, no one asked where the sign came from, and no one took it down, not even a representative of the company featured on the sign.

The results: 455 people scanned the sign and browsed the link over the three days. The breakdown: 142 iPhone users, 211 Android users, 61 Blackberry, and 41 unknown browsers.

Remember, this was a conference for security professionals.

As I’m a nice guy fighting for the right side, the QR code simply linked to a web page featuring a smiley face. If I had decided to include malware or a poisoned-URL attack targeting multiple mobile smartphone browsers, I wonder whose phone I would have penetrated…

To make a long story short: QR codes are becoming more and more prevalent. And most of us don’t have the same AV or URL filtering technology on our phones or tablets that we have on our PCs.

The question is: Can we really fully trust the QR codes we see on the streets, in restaurants, or in ads? Regretfully, the answer is no.

Any attacker can take advantage of QR codes. And remember, unlike computers, most mobile devices do not include antivirus solutions to protect us against mobile malware.

Think before you scan.

· Does this QR code seem to come from a reliable source?

· After scanning the QR code and seeing the link, is the link really from whom it claimed to be?

· Would I click on this link if it came through my email?

Even if you miss out on the iPAD or the free ice cream cone, you’re probably better off.
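The three "think before you scan" questions above, turned into a check a defender can run on the text a QR scanner decodes before the link is opened. This is an added example, not code from the post or from GreenSQL; the claimed organisation domain, the shortener list and the sample URLs are constructed for the demo.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed list of URL-shortener hosts for the demo; maintain your own in practice.
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly"}
WEB_SCHEMES = {"http", "https"}


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _under(host, domain):
    """True when host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def assess_qr_link(decoded, claimed_domain):
    """Return a list of warnings for the text decoded from a QR code.

    claimed_domain is the organisation the poster or ad claims to come from
    (the 'is the link really from whom it claimed to be?' question)."""
    warnings = []
    parts = urlsplit(decoded.strip())
    if parts.scheme.lower() not in WEB_SCHEMES:
        # tel:, sms:, market:, intent: and friends trigger an action, not a page visit
        return [f"non-web scheme '{parts.scheme or 'none'}': the code does not open a page"]
    host = (parts.hostname or "").lower()
    if not host:
        return ["no host in URL"]
    if parts.scheme.lower() != "https":
        warnings.append("plain http: page content can be tampered with in transit")
    if parts.username or parts.password:
        warnings.append("credentials in URL: the text before '@' is not the host")
    if _is_ip(host):
        warnings.append("IP-literal host: no name ties it to an organisation")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: possible lookalike domain")
    if host in SHORTENERS:
        warnings.append("URL shortener: the real destination is hidden")
    elif not _under(host, claimed_domain.lower()):
        msg = f"host '{host}' is not under claimed '{claimed_domain}'"
        if claimed_domain.split(".")[0] in host:
            msg += " (brand name reused inside a different domain)"
        warnings.append(msg)
    return warnings
```

An empty list means the link passed these checks, which is a reason to proceed with the same caution you would give an e-mailed link, not proof that it is safe.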

Author bio:

David Maman is CTO & Founder of GreenSQL, the database security company.



Filed under Connected Devices, Cyber Crime, Don't Get Hacked, Guest Writers, Internet Safety Tools

Five Steps for a Secure Cloud Transition

In this post, guest author David Maman, CTO and founder of GreenSQL – the database security company – lays out a series of simple steps for cloud migration – ensuring security is systematically addressed.

Almost every type of SMB is examining its current IT infrastructure, determining what data and processes can move to the cloud. Of course, security remains one of the biggest concerns.

Here are five steps to make the transition much safer for your data, and your company:

1. Understanding my “Attackability Surface”: Before considering migrating to the cloud, map every project component and map all the hazards, including which operating systems will be used, which applications will be installed, which types of security mechanisms are required for each component, and which types of access are required for each service running in this cloud.

Generally, after truly understanding the project scope, the risk becomes controllable.

2. Sharing is Not Caring: Many times, using cloud services involves sharing infrastructure and applications with others, which means that the risk factor is multiplied.

A missing security configuration at one customer, or application vulnerabilities at another, can lead to data loss in your databases. Make sure you know which components you share and which are dedicated to you.

Often, when it comes to your customers’ or employees’ sensitive information, you cannot avoid purchasing a private cloud for most components.

3. Command and Control: Demand your cloud providers give you true control and monitoring of any, and all, security components. If necessary, even insist that only you will be able to change the configuration of these components.

Whether it’s just a network firewall, a web application firewall, a database firewall or any other element, those elements determine your level of risk and your business survival on the cloud. Make sure you are aware of any changes in any security element.

4. The Cat in the Hat: The “Cloud” is a beautiful buzzword; every vendor in the entire IT segment is using the word “Cloud” in presentations and sales speeches. But eventually we have to understand, “Cloud” is really only a hosting service; it might be more advanced; it might support “elastic” growth; it might even provide an extremely easy user interface.

Please make sure you understand that the “Cloud” is “smart” shared hosting, which means that many people may have physical access to the servers that host your data and operating systems.

You can almost never be sure that if your servers have restarted, it’s not because someone copied the hard drive you are using. Encrypt what you can, and make sure that the most sensitive information is not on the “Cloud.”

5. Software As A Service (SaaS) can work: Salesforce taught us that SaaS can actually work, with extremely high business continuity and extremely high levels of security.

Many Fortune 1000 companies use Salesforce with some of their most sensitive information. The thing is that Salesforce has invested $100s of millions in infrastructure and security, which more than 90% of other SaaS providers will never be able to afford.

So, if you decide to go forward and adopt a SaaS provider, keep in mind that size does matter: the bigger the provider (and we’re not talking about boutique providers who cost a fortune), the more secure they are.


Filed under Cloud Computing, Guest Writers