Our data on the Internet

This is what happens if the system administrator makes a little mistake.

Blogger JSZP, who blogs at http://jezusszive.crpl.hu/a-fantasztikus-neptun-es-uzemeltetoi/, brought to light a data leak in the University of Pannonia college systems. This case seems to be a perfect example of how not to run your IT security.

1. The system administrator prepares to save a database. Afterwards, they upload it into a library which is publicly available and which Google can access. This is by no means unique; just try with the Google keyword "phpMyAdmin SQL Dump" inurl:sql site:hu. This is the easiest way to get hold of information. There is no hacking involved.

2. Passwords are not encoded in the database. This is typical sloppy programming: instead of MD5 hash, unencoded passwords are entered into the database. This is so common that we need to be aware of it: if you enter a password into the portal, it is as though you have shown it to everyone. You can be really sure of this if, after registration, the service provider sends the password back to you in an email.

3. The way our personal data is handled really makes you think. Could those people affected to anything about the fact that data stored legally in Neptun was transferred to the college system? Without the right data process regulations, I really cannot say, but it is worth taking a look at.

All-in-all, it is an excellent example of what happens to the information we provide on a daily basis. Over the last couple of days, it has come to light that the data for 21 million German citizens is up for sale (http://www.hirszerzo.hu/cikk.rovidhir_adatvedelmi_riado_nemetorszagban.89912.html). So how many Hungarian citizens might me affected by similar data leaks?

Csaba Krasznay

Information security expert, kancellár.hu