Oklahoma DPS and Bank Security Exposure
A database misconfiguration by a third-party company has exposed some of the internal security, surveillance, and alarm systems of several Oklahoma Department of Public Safety buildings as well as at least one branch of the Oklahoma-based Midfirst bank.
On Saturday, July 9th, 2016, I called Automation Integrated’s service hotline to report that they may have a database security issue. The answering technician agreed there could be a problem as I described a CouchDB implementation, requiring no username or password to access, that appeared to contain an alarming amount of internal company files.
Among those files were photographs of security mechanisms (e.g. locks, RFID access panels, and controller boards) from within protected Oklahoma DPS buildings. Database entries contained, among other things, details on the make and model, location, warranty coverage, and even whether or not the unit was still functional.
My telephone conversation ended after I was provided an email address to which I could send details and evidence of the exposure. The technician also informed me that the email would be received by a group of company employees, so I might receive a panicked response.
Not entirely sure what to expect, I sent a brief message to the email address along with photograph attachments including images of the inside of an Oklahoma Highway Patrol building, a collection of surveillance camera stills, and one image taken from within a bank vault. A few of these images are viewable along with this post.
Some hours later my phone rang. It was a VP from Automation Integrated calling to thank me for alerting them to the issue. He took personal responsibility for the oversight and couldn’t have been nicer to me. He stated that the issue had been corrected and I verified, while still on the phone with him, that I could no longer access the database.
This is an example of excellent incident response. The guy didn’t try to call me a hacker, he didn’t try to claim that it was a fake database filled with dummy-data, and he didn’t try to deflect responsibility onto another company. What he did do was fix the issue promptly, verify with the original reporter that the issue was fixed, and appreciate the fact that someone would go out of their way to make sure an issue like this was taken care of.
Sure, in a perfect world the problem would have never existed in the first place. But that’s not reality. Automation Integrated is far from alone. I have a constantly fluctuating list of 50 to 100 similar breaches that need to be reported. This one just happened to involve a security-related company and government buildings, so it got bumped to the top of my list.
Companies make these mistakes all the time. I wish more of them would react as well as Automation Integrated did.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Researcher, Chris Vickery.