WebApp Sec mailing list archives

Re: storing SSNs, CCNs, password in the DB

From: Alvin Oga <alvin.sec () Virtual Linux-Consulting com>
Date: Mon, 28 Feb 2005 01:07:33 -0800 (PST)


hi ya


What is the most secure way to store SSNs, CCNs, and passwords in the
DB?


the place where senstive info is stored should be using an encrypted fs
where data is encrypted/decrypted on the fly per inquiry

change keys often and that it only works from certain machines
and certain accts

Is this a good general policy?


assume that the cracker is watching everything, including your keystrokes
and protect your data accordingly ... and audit your hardware too

c ya
alvin

Current thread:

RE: ISA Server and SQL Injection, (continued)
- - - RE: ISA Server and SQL Injection Mark Curphey (Feb 21)
    - Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Feb 23)
    - Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] David (Feb 23)
    - Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Feb 28)
    - storing SSNs, CCNs, password in the DB Francesco (Feb 28)
    - Re: storing SSNs, CCNs, password in the DB Adam Shostack (Feb 28)
    - Re: storing SSNs, CCNs, password in the DB Francesco (Feb 28)
    - Re: storing SSNs, CCNs, password in the DB Andrew van der Stock (Mar 01)
    - Re: storing SSNs, CCNs, password in the DB Paul Johnston (Mar 01)
    - Re: storing SSNs, CCNs, password in the DB Joseph Miller (Mar 01)
    - Re: storing SSNs, CCNs, password in the DB Alvin Oga (Mar 01)
    - Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Feb 28)
    - Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
    - Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
    - Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeremiah Grossman (Mar 01)
    - Re: Solutions, Results, and Comments - Was [ISA Server and SQL Injection] Jeff Williams (Mar 01)
    - Re: ISA Server and SQL Injection Paul Johnston (Feb 23)
    - RE: ISA Server and SQL Injection Mark Curphey (Feb 23)
    - Re: ISA Server and SQL Injection Paul Johnston (Feb 23)
    - RE: ISA Server and SQL Injection Mark Curphey (Feb 23)
    - Re: ISA Server and SQL Injection Paul Johnston (Feb 28)

(Thread continues...)