Source: http://www.schneier.com/blog/archives/2008/04/oklahoma_data_l.html
Oklahoma Data Leak
2008-04-18 06:16:51 by schneier in Schneier on Security
 

Usually I don't bother blogging about these, but this one is particularly bad. Anyone with basic SQL knowledge could have registered anyone he wanted as a sex offender.

One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.

The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years. Up until yesterday, April 13, 2008, anyone with a web browser and the knowledge from Chapter One of SQL For Dummies could have easily accessed – and possibly, changed – any data within the DOC’s databases. It took me all of a minute to figure out how to download 10,597 records – SSNs and all – from their website.
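As an added illustration (this is not code from Schneier's post, from the Daily WTF write-up quoted above, or from the Oklahoma DOC site), here is the coding mistake the quoted passage describes, next to the parameterized form that fixes it. It runs against an in-memory SQLite table; the table name, the column names and the three records are constructed and fictitious. The `lookup_vulnerable` function splices the user's input into the SQL text exactly as the DOC site apparently did, so a search string is interpreted as part of the query; `lookup_safe` binds the same string as a value, and the regex allowlist in `is_plausible_name` is a hypothetical second line of defence, not a substitute for binding.

```python
import re
import sqlite3

# Constructed sample records (fictitious names and SSN-shaped strings), not DOC data.
SAMPLE_ROWS = [
    ("Alice Example", "000-00-0001"),
    ("Bob Example", "000-00-0002"),
    ("Carol Example", "000-00-0003"),
]


def make_db():
    """Build an in-memory table standing in for a public-search backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO offenders VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """The mistake the post describes: untrusted input becomes part of the SQL text."""
    sql = "SELECT name, ssn FROM offenders WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized query: the driver binds the value; it is never parsed as SQL."""
    return conn.execute(
        "SELECT name, ssn FROM offenders WHERE name = ?", (name,)
    ).fetchall()


# Hypothetical allowlist for a name field: letters, spaces, hyphens, apostrophes
# handled by binding anyway, so a quote in the input is rejected here only as
# defence in depth and as something worth logging, not as the primary control.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .-]{0,63}$")


def is_plausible_name(name):
    return NAME_RE.fullmatch(name) is not None


def demo():
    """Run both lookups on an ordinary search and on a constructed tautology input.

    The tautology turns the vulnerable WHERE clause into `name = 'x' OR '1'='1'`,
    which matches every row; the bound version looks for a literal name that
    does not exist and returns nothing.
    """
    conn = make_db()
    ordinary = "Alice Example"
    crafted = "x' OR '1'='1"  # constructed input, the textbook tautology
    return {
        "vulnerable_ordinary": len(lookup_vulnerable(conn, ordinary)),
        "vulnerable_crafted": len(lookup_vulnerable(conn, crafted)),
        "safe_ordinary": len(lookup_safe(conn, ordinary)),
        "safe_crafted": len(lookup_safe(conn, crafted)),
        "allowlist_ordinary": is_plausible_name(ordinary),
        "allowlist_crafted": is_plausible_name(crafted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the side-by-side is that the fix is not escaping or filtering the input but keeping data and query text separate: with binding, the crafted string returns zero rows regardless of what it contains, and the allowlist only adds an early rejection and a log-worthy signal. An application that takes the `lookup_vulnerable` route also exposes every other statement the connection is allowed to run, which is how a read-only search page ends up able to change records, as the quoted article notes.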
