
how long to check if database was compromised

  • 17-01-2012 1:49am
    #1
    Closed Accounts Posts: 365 ✭✭


    How long would it take to find out if a company database had been copied by a worker and used to send spam? Is it a big job? Days? Weeks? Months?

    Example
    Joe Bloggs works for anycompany.com. He sends out advertising to their customers. Joe has a sideline as joesbiz.com.

    He copies the list from anycompany and uses it to spam people seeking customers for his own joesbiz.com

    Some spamee cops on and complains to anycompany.com. They promise an investigation.

    How long will it take for anycompany.com to confirm if Joe has copied their database for his own use? What would that involve, and how long would it take if a tech was called in to do it?


Comments

  • Registered Users Posts: 1,456 ✭✭✭FSL


    If Joe had authority to access the database then it would be almost impossible to determine whether his access had been part of his job or to extract a list of customers' email addresses.

    You wouldn't need to copy the whole database just to extract the email addresses. Unless the customers were all individuals as opposed to businesses it would be difficult to prove the email addresses had not been sourced from elsewhere.


  • Registered Users Posts: 1,885 ✭✭✭beans


    Set traps. Fake addresses in the anycompany db that may be copied to the spam list in future. If spam arrives to that address, you have your proof.


  • Closed Accounts Posts: 365 ✭✭berrypendel


    FSL wrote: »
    If Joe had authority to access the database then it would be almost impossible to determine whether his access had been part of his job or to extract a list of customers' email addresses.

    You wouldn't need to copy the whole database just to extract the email addresses. Unless the customers were all individuals as opposed to businesses it would be difficult to prove the email addresses had not been sourced from elsewhere.
    Thanks. I did not really understand that one would not need to have full access to extract the email addresses. Assume Joe does not access the database but just copies the email addresses. How long would it take to determine if he had done this? Would there be a record of it anywhere in the system?


  • Registered Users Posts: 2,728 ✭✭✭dilallio


    beans' advice is excellent.

    If you are a company who sends out lots of emails, then you should set up at least one fictitious customer and email address which is only used by your company's email system. You will need to create this email address beforehand. Ensure that this email address does not use English words which could be randomly generated. When you create this email address, set up a forwarding rule so that any emails are forwarded to your own address.

    Then if another company or site starts sending emails to this fictitious customer, you will receive the mails from the forwarded email account and it is obvious that your email distribution list has been copied. Some spammers have used programs which generate lists of email addresses using dictionaries and combinations of words / names, so it's important that your email address for the fictitious customer uses random characters.

    If the company doesn't have this system in place, then Joe can deny that he copied the database / email listings, and it would be very difficult to prove. Without proof, it would be difficult for the Data Commissioner or Gardaí to investigate.
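The seed-address check that beans and dilallio describe, written up as an added Python example (it is not code from the thread or from any poster). The canary address, the authorised sender newsletter@anycompany.com and the two sample messages are constructed assumptions; the script generates a random-character canary for the list and classifies each message forwarded from the canary mailbox by whether the sender is the company's own mailer.

```python
import email
import secrets
import string
from email.utils import getaddresses, parseaddr

# Seed ("canary") addresses use random letters and digits, never dictionary words,
# so a list built from word/name combinations cannot contain one by chance.
ALPHABET = string.ascii_lowercase + string.digits

def make_canary_address(domain: str, length: int = 12) -> str:
    """Generate one fictitious customer address to plant in the mailing list."""
    local_part = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return f"{local_part}@{domain}"

# Assumption: the company's own distribution system is the only legitimate sender.
AUTHORISED_SENDERS = {"newsletter@anycompany.com"}

def classify_message(raw_message: str, canary: str) -> dict:
    """Inspect one message forwarded from the canary mailbox.
    A hit means the canary appeared in To/Cc; a leak is suspected when the
    sender is not the company's own distribution system."""
    msg = email.message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = {addr.lower() for _, addr in getaddresses(headers)}
    sender = parseaddr(msg.get("From", ""))[1].lower()
    hit = canary.lower() in recipients
    return {"canary_hit": hit, "sender": sender,
            "leak_suspected": hit and sender not in AUTHORISED_SENDERS}

# Constructed sample messages (not real traffic); canary is q7x2m9vk4p1z@anycompany.com.
LEGIT_MAIL = ("From: AnyCompany News <newsletter@anycompany.com>\r\n"
              "To: q7x2m9vk4p1z@anycompany.com\r\n"
              "Subject: January offers\r\n\r\nBody\r\n")
SPAM_MAIL = ("From: Joe <promo@joesbiz.com>\r\n"
             "To: someone@example.net, Q7X2M9VK4P1Z@anycompany.com\r\n"
             "Subject: Great deals\r\n\r\nBody\r\n")

if __name__ == "__main__":
    canary = "q7x2m9vk4p1z@anycompany.com"
    for raw in (LEGIT_MAIL, SPAM_MAIL):
        print(classify_message(raw, canary))
```

A hit from an unauthorised sender is evidence the list left the company, not of who took it; it should trigger the log and workstation review discussed later in the thread.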


  • Moderators, Technology & Internet Moderators Posts: 10,339 Mod ✭✭✭✭LoLth


    berrypendel wrote: »
    Thanks. I did not really understand that one would not need to have full access to extract the email addresses. Assume Joe does not access the database but just copies the email addresses. How long would it take to determine if he had done this? Would there be a record of it anywhere in the system?

    The problem with hypothetical situations in discussions like this is that the answers are always "depends":

    How long would it take to determine if X copied Y from the DB? depends on what level of logging is set on the DB itself and the system the DB is on, and the network connecting to the DB. Did X have access to the physical server the DB resides on? Was it done remotely? Does X know anyone else's password or the credentials for any DB specific accounts?

    One option would be to forensically examine X's workstation (assuming that the workstation was used in the extraction of the email addresses) and then, depending on the OS, the regularity of X's access to the DB server, the logs on the network, you could probably find out if X had at any time passed a file from the DB to the workstation and on by either email (email system? logging levels? gmail? hotmail?) or copied to USB: Windows stores records of USB drives, was the PC rebuilt or reverted since the date of last DB access? (what OS is on the PC), can it be proven that the file transferred from the server to the workstation was actually a list of email addresses and not a legitimate work file X wanted to work on at home?

    You seem to want a definite answer to a very vague question and possibly the best answer I can give without any more detail on the systems involved would be another question: how long is a piece of string?

    Are you the spamee in question here and you've been told that the incident is being investigated but you weren't given a timeframe and now you think the company was just fobbing you off and have no intention of ever getting back to you?

    Are you the company looking for some advice on how to differentiate between several quotes you just received because one quote was excellent but where all others promise a three week turnaround, these guys are saying 2 working days ?

    Or are you the DB thief wondering if the length of time is an indication of whether they found something or not because you know it started X days ago and surely they'd be finished by now if it was all clear ? :)

    Sorry for the circular and ultimately pointless post but honestly, you didn't give me much to go with to formulate a proper response.


  • Closed Accounts Posts: 365 ✭✭berrypendel


    LoLth wrote: »
    The problem with hypothetical situations in discussions like this is that the answers are always "depends":

    How long would it take to determine if X copied Y from the DB? depends on what level of logging is set on the DB itself and the system the DB is on, and the network connecting to the DB. Did X have access to the physical server the DB resides on? Was it done remotely? Does X know anyone else's password or the credentials for any DB specific accounts?

    One option would be to forensically examine X's workstation (assuming that the workstation was used in the extraction of the email addresses) and then, depending on the OS, the regularity of X's access to the DB server, the logs on the network, you could probably find out if X had at any time passed a file from the DB to the workstation and on by either email (email system? logging levels? gmail? hotmail?) or copied to USB: Windows stores records of USB drives, was the PC rebuilt or reverted since the date of last DB access? (what OS is on the PC), can it be proven that the file transferred from the server to the workstation was actually a list of email addresses and not a legitimate work file X wanted to work on at home?

    You seem to want a definite answer to a very vague question and possibly the best answer I can give without any more detail on the systems involved would be another question: how long is a piece of string?

    Are you the spamee in question here and you've been told that the incident is being investigated but you weren't given a timeframe and now you think the company was just fobbing you off and have no intention of ever getting back to you?

    Are you the company looking for some advice on how to differentiate between several quotes you just received because one quote was excellent but where all others promise a three week turnaround, these guys are saying 2 working days ?

    Or are you the DB thief wondering if the length of time is an indication of whether they found something or not because you know it started X days ago and surely they'd be finished by now if it was all clear ? :)

    Sorry for the circular and ultimately pointless post but honestly, you didn't give me much to go with to formulate a proper response.
    Thanks, your response is quite interesting. I cannot say much as this is a public forum. My friend is the spamee (nice word I invented today) and yes, wonders how long it should take. So I do not know what sort of database. Would it be negligent not having a fake address etc. as dilallio and beans posted?


  • Registered Users Posts: 1,456 ✭✭✭FSL


    berrypendel wrote: »
    Thanks. I did not really understand that one would not need to have full access to extract the email addresses. Assume Joe does not access the database but just copies the email addresses. How long would it take to determine if he had done this? Would there be a record of it anywhere in the system?

    You still don't seem to understand. If the email addresses are in the database then you have to have access to the database to extract them. What I am saying is if I have permission to access the email address on a customer record in order to do my job then unless the level of logging is very comprehensive it would be difficult to tell if I was accessing the email addresses for legitimate or nefarious reasons.


  • Closed Accounts Posts: 365 ✭✭berrypendel


    FSL wrote: »
    You still don't seem to understand. If the email addresses are in the database then you have to have access to the database to extract them. What I am saying is if I have permission to access the email address on a customer record in order to do my job then unless the level of logging is very comprehensive it would be difficult to tell if I was accessing the email addresses for legitimate or nefarious reasons.
    Sorry, I thought you or someone said you didn't need access to the DB to copy the addresses. Must have picked it up wrong. EDIT: Oh, I see you said you do not have to copy the DB but do have to access it. Got ya now.

    Thanks for the answers here guys, it gives me an idea of what it involves.

