Oracle Corporation

Transcription

1 Oracle Corporation

2 Hackers and Hacking. Demonstration 2. SQL Injection Hacks Stuart Sharp, Information Security Sales Consultant, Oracle Oracle Corporation Insert Information Protection Policy Classification from Slide 18

3 Demo Session 2 - Agenda SQL Injection Hacking. What is it? Example SQL Injection Hacks. Demonstration Questions A Real World Example. Heartland Payments. DB Firewall Architecture. DB Firewall Demonstration. Questions Oracle Corporation

4 SQL Injection - What is it? Relational Database Model based upon an independence of client connection to DB *. Broadly speaking 3 types of client connections. Custom built application connections. Packaged application connections. 3rd Party Tools. SQL Injection Hackers exploit application vulnerabilities to introduce rogue SQL for their own ends. * Not just Oracle! Oracle Corporation

5 SQL Injection - Why is it so important? If they get access to your corporate databases - Hackers win BIG! Credit Cards are Important - but what about IPR? Client side SQL checks are typically weak. Application Roles - are just within the application Connection Pooling Code generating SQL unknown to customers You don t know, what you don t know? Oracle Corporation

6 SQL Injection - Setting the Scene for the demo The demo you are about to see illustrates the problem To do this succinctly we have prepared some example SQL statements which will be injected via text fields on an example web form. These could also arise from within the other types of connections mentioned. Also could be rogue connections established by hacker clients who had written their own application Oracle Corporation

7 Demo Environment Web + Application Servers Application Web UI Database Server Oracle Corporation

8 SQL Injection Hacks Demonstration Oracle Corporation Insert Information Protection Policy Classification from Slide 18

9 4 Example SQL Injection Hacks 1. Personal information breached - bypassing application record security 2. Errors - Application database user revealed - incorrect number of result columns - incorrect data type 3. Excessive privileges - Database user credentials leaked - application user with dba or select_catalog_role 4. Data at risk - Payment card details stolen - union with sensitive table Oracle Corporation

10 SQL Injection. The Basic Principle 1. Exploit unfiltered user input - e.g. use (single quote) to close field 2. Manipulate SQL SELECT name FROM customers where id=234 becomes SELECT name FROM customers where id=234 OR 1=1 3. Return unauthorized records 1=1 is true for all records Oracle Corporation

11 SQL Injection Hack 1 1. Personal information breached - bypassing application record security select a.userid, a.firstname, a.lastname, where upper(a.department) = 'ENGINEERING and upper(a.lastname) like Smith%' becomes: select a.userid, a.firstname, a.lastname, where upper(a.department) = 'ENGINEERING and upper(a.lastname) like Smith ' OR 1=1 -- % ** RETURNS ALL RECORDS Oracle Corporation

12 SQL Injection Hack 2 2. Errors - Application Database User revealed - incorrect number of result columns java.sql.sqlexception: ORA-01789: query block has incorrect number of result columns - incorrect data type java.sql.sqlexception: Fail to convert to internal representation **ERROR MESSAGES TELL YOU WHAT IS WRONG Oracle Corporation

13 SQL Injection Hack 3 3. Excessive privileges. Database user credentials leaked The database user has dba or select_catalog_role roles ' UNION SELECT '1', osuser, username from v$session -- ** ACCESSING SYSTEM LEVEL INFORMATION Oracle Corporation

14 SQL Injection Hack 4 4. Data at risk - Payment card details stolen A union with a sensitive table ' UNION SELECT '1', name, cardnumber, from ORDERS -- ** BIG WIN! ALL CREDIT CARD NUMBERS RETURNED Oracle Corporation

15 SQL Injection Variants 1. Data Extraction 2. Blind Injection 3. Out-of-Browser (OOB) Applications 4. Heavy Queries 5. Privilege Escalation 6. OS Code Execution 7. PL/SQL Injection Oracle Corporation

16 SQL Injection Summary 1. Root causes: Incorrectly filtered escape characters Incorrect type handling Excessive privileges for application user 2. Hackers Win BIG! 25% of attacks, 89% of stolen records 3. What s at stake: Customer data Financial and business information Control of entire corporate network Oracle Corporation

17 Questions Oracle Corporation

18 Real World Example. Heartland Payment Systems Oracle Corporation Insert Information Protection Policy Classification from Slide 18

19 Real World Example Heartland Payment Systems 1. In the top 10 credit card payment processing companies worldwide 2. New Jersey-based Jan 2009, announced that it had been the victim of a security breach within its processing system in Attack went undetected for months 5. Stolen data included digital information encoded onto magnetic strip on credit/debit cards 6. Company was PCI-compliant at the time of the attack 7. Attack involved an American and several Russians, and lead to a US Federal court case Oracle Corporation

20 How 130M Credit Cards Were stolen 1. Attack via SQL Injection through bespoke webapplication 2. Attacker owns compromised database connected to corporate network 3. Undetectable malware commissioned and installed to sniff secure payment network 4. Malware collected card details packaged and regularly sent home 4 1 Corporate Perimeter Customer Facing Web-application Low Security Web App High Security Application Corporate Network 3 Internal Application Users Secure Card System Low Security Database Malware High Security Card Database Oracle Corporation

21 Oracle DB Firewall. Derrick Hodnett, Information Security Pre Sales Manager Oracle Corporation Insert Information Protection Policy Classification from Slide 18

22 SQL Injection - How do you fix the problem? You need a white list based approach. Profile your SQL traffic Gain a picture of normal usage This allows suspect SQL traffic to be highlighted You can then enforce correct policies You audit what is happening You review and revise your approach NO APPLICATION CODE CHANGES Oracle Corporation

23 Demo Environment Web + Application Servers Application Web UI Oracle Database Firewall Database Server Oracle Corporation

24 Oracle DB Firewall Architecture Oracle Corporation Insert Information Protection Policy Classification from Slide 18

25 Deployment Architecture Inbound SQL Traffic Applications In-Line Blocking and Monitoring Out-of-Band Monitoring HA Mode Management Server Policy Analyzer Network-based Monitoring and Enforcement Centralized Management and Reporting No changes to Applications or Databases required Software Appliance: Hardened Linux on Intel for security, flexibility, scalability Deployment Modes: In-Line, Out-of-Band, Proxy Oracle Corporation

26 Grammar-Based Clustering Accuracy and Understanding Use the same level of language power to detect SQL as to process it Performance Speed of lookup is constant in the number of SQL rules in the policy Security SQL injection and other dangerous SQL detected as anomalies Customer Example: Powerful Synopsis 450 million statements 450 rules auto-generated Oracle Corporation

27 Statement Substitution Log Applications Allow SELECT * FROM accounts Alert Becomes SELECT * FROM dual Substitutewhere 1=0 Block Application Database connection pools cannot be disconnected Unique graceful blocking achieved by substituting out-of-policy statement with predefined benign statement Database guaranteed protected from inappropriate statement whilst the network session remains open Oracle Corporation

28 Database Monitoring and Reporting Extensive built in Security and Compliance reports Can be modified and customized Database activity monitoring Blocked and alerted statements Supports demonstrating controls for PCI, SOX, HIPAA, etc. Logged SQL statements can be sanitized of sensitive PII data Oracle Corporation

29 Oracle DB Firewall Demonstration Oracle Corporation Insert Information Protection Policy Classification from Slide 18

30 4 Example SQL Injection Hacks - Revisited 1. Personal information breached - bypassing application record security 2. Errors - Application database user revealed - incorrect number of result columns - incorrect data type 3. Excessive privileges - Database user credentials leaked - application user with dba or select_catalog_role 4. Data at risk - Payment card details stolen - union with sensitive table Oracle Corporation

31 DB Firewall : Summary 1. Monitors SQL Traffic between Applications and Databases 2. Profile Normal Activity to Detect Suspicious Activity 3. Enforce Policy and Audit Behaviour Blocking SQL Injection Hacks Minimises Impact of Application Breaches 4. Auditing Privileged User Activity Access to Sensitive Data Independent of Application and Database Administrators Oracle Corporation

32 Questions Oracle Corporation

33 Oracle Corporation

34 Oracle Corporation

35 Oracle Corporation