Protecting Physical Documents
The attacker performed an SQL injection attack against subaru_bajas_rule.com. After gaining access to the database they downloaded the user’s social security number, banking information, and other personally identifiable information. Afterwards the attacker performed a ‘drop table users’ destroying the local copy of the data. When the site administrator was asked about this, he responded that he knew SQL injection attacks were common, but he never expected to be targeted by one. As for the reason why the user data was accessible, the administrator admitted the site was in the process of transitioning to a new forum software, and that if the attack happened a week later when the new forum software was in place, this wouldn’t have been a problem.
- Only items in the back seat were stolen. Since there was so much stuff it looks like the attacker grabbed what they could, and then left without doing a full search of the car. I just was really unlucky that everything I cared about was in the back seat.
- When this happened, my car was parked at the far end of the parking lot, since I’d rather walk than squeeze into a small spot. This was a serious mistake considering all of the stuff I had in my car.
- While there was a night watchman, he did not notice the attack. Likewise, there were no sensors collecting forensically useful data (aka cameras), and the thief did not leave any usable fingerprints.
- I’m much too focused on digital issues. The fact that I bothered to encrypt my electronic documents and then store them with paper documents that are way more valuable to an attacker shows a serious lack of priorities and/or threat modeling. I’m not saying don’t encrypt your files, but simply that I should have taken the same care with my other documents and locked them up in my hotel room safe.
- The mindset, “Just because something bad hasn’t happened to me in the past means it won’t happen to me in the future” is very hard to avoid.
- I really hope all that is happening right now is some 16 year old kid is trying to use my passport to buy booze. That being said, I need to plan for much more serious scenarios, hence closing my old bank account rather than just canceling my checks, signing up to a credit check service, etc.
- Dealing with issues like this on a holiday weekend is extremely difficult. Canceling my old bank account and moving it to a new one was particularly stressful since I had a couple of hours to do it before the bank closed for the long weekend. Likewise, I will have to wait till Tuesday to have my car window replaced. Of course, cyberattacks never happen during a holiday…
- Security policies are important, but what’s more important is enforcement of those policies. You really do need some force from on high telling people, “Yes, it is a pain to take a second trip down to your car, but you are going to do it anyway”.
- Storing all of your valuables in one place has advantages and disadvantages. I still don’t know if the idea of a to-go bag was a fundamentally bad idea, but I certainly should have “checked out” my two forms of id from it rather than taking the whole thing.
- What makes a fiasco is a cascade of multiple smaller mistakes/failures occurring together. Whether we are talking about the BP oil spill, or a horribly hilarious Peter Pan play, serious problems often are not the result of just one thing going wrong, but several poor decisions.
- Combined with my comments in the previous paragraphs, it’s really easy to analyze all of the stuff that I did wrong after the fact. The problem is that all of my decisions seemed so reasonable at the time. On the other hand, you can’t live a perfectly secure life. What I’m wrestling with right now is how to re-evaluate my personal threat models and learn from this incident without letting it ruin my life.
*** This is a Security Bloggers Network syndicated blog from Reusable Security authored by Matt Weir. Read the original post at: https://reusablesec.blogspot.com/2010/07/protecting-physical-documents.html