Security Risks in Publicizing a Database

Forum Moderators: open

Message Too Old, No Replies

Security Risks in Publicizing a Database

justgowithit

4:37 pm on Nov 3, 2008 (gmt 0)

I've recently complete a site for a government agency for use by the public. In order to comply with the Freedom of Information Act this agency has asked that we release the database structure.

I've impressed upon them the risks involved in doing this and they've agreed to let the database column names stay confidential, however, they still want a textual database dump released.

This is uncharted territory for me. What are the possible security implications in releasing a dump such as:

(1, 2, 3, 4, 800, 'data', 1, a', 'data', 'a'),
(1, 2, 3, 4, 800, 'data', 1, 'b', NULL, 'a'),
(1, 2, 3, 4, 800, 'data', 1, 'c', NULL, NULL),
(1, 2, 3, 4, 800, 'data', 1, 'd', 'data', 'a'),
(1, 2, 3, 4, 800, 'data', 1, 'e', 'data', 'a')

Thoughts?

Skywarden

6:41 pm on Nov 3, 2008 (gmt 0)

Well, for starters it gives potential hackers a blueprint to your database structure... this could make it easier for them to apply SQL injection hacks to your database. Make sure you are cleansing all of your input data (forms, querystrings, etc). It's good to see the column names are hidden at least. Correct me if I'm wrong, but for the Freedom of Information Act, doesn't someone need to formally request this information?

LifeinAsia

7:09 pm on Nov 3, 2008 (gmt 0)

Also, I believe the FOIA only applies to specific data, not full data dumps. For example, if someone submitted a request related to "data" in the 9th field of your DB, they should not be getting the 2nd or 3rd rows. The other fields in the rows that are returned may or may not be relevant to their request.

The underlying data structure should certainly NOT be subject to FOIA.

justgowithit

8:30 pm on Nov 3, 2008 (gmt 0)

You guys make some good points. Unfortunately, that's where I'm at. A lawyer has specifically requested this information.

My scripts are tight and all input is validated and cleaned.

gives potential hackers a blueprint to your database structure

This is my major concern. I think what I'm going to do is send them a non-breaking textual representation of all the data. That way columns won't be visible and it'll just be a mess of input.

aspdaddy

7:10 pm on Nov 5, 2008 (gmt 0)

What is the lawyer asking for ? FOIA is concerned with "information" not data. FOIA excemptions (comercial interest, breach of confidence, data protection) would likely prevent you disclosing this but its also not in the public interest to disclose it so you could just reject the request on that alone.

Skywarden

6:21 pm on Nov 6, 2008 (gmt 0)

I would highly recommend seeking legal counsel to assist you in finding out if the FOIA would apply to your database structure. It makes sense that someone would want the data, but not the data structure. There should be some sort of legal counsel available for you if you are working with a government agency. It would be in both your and the agency's best interest to verify things. I work at the county level, and can always clarify things with a county attorney.

ZydoSEO

7:29 pm on Nov 6, 2008 (gmt 0)

FOIA does not require that you give the public the data in a particular format. It just has to be made available to the public in some form - it can even be hardcopy. Lots of government agencies who maintain databases ONLY provide the data from their tables in human readable .PDF format even though it is quite obvious that the .PDF was generated from a database.

Not sure why a lawyer would be requesting that. I'd say you need to run that one up the flag pole to someone a little higher up than the lawyer you are currently dealing with.