Database security issues PETRA BILIĆ ALEXANDER SPARBER



Introduction
Database security is one aspect of computer security. It uses different information security controls to protect databases.
Information security controls appropriate to databases:
- Access control
- Auditing
- Authentication
- Encryption
- Integrity controls
- Backups
- Application security

Database security threats:
- privilege abuse
- database platform vulnerabilities
- SQL injection
- weak audit trail
- denial of service
- weak authentication
- backup data exposure
- database communication protocol vulnerabilities
- SQL rootkits

Privilege Abuse
Idea: access control
- Restrict users to the minimum required SQL operations and data
- Define access control mechanisms for each user (ACL)
Issues:
- Excessive privilege abuse
- Legitimate privilege abuse
- Privilege elevation

Excessive Privilege Abuse
It is impossible to keep the access control list up to date:
- lack of time
- lack of information
Result: large groups of users are granted generic default access privileges that far exceed their specific job requirements. These privileges may be abused for malicious purposes.

Excessive Privilege Abuse
ACL semantics are too limited:
select * from AdminUsers where username='john' and password='secret'
vs
select username, password from AdminUsers
A table-level ACL grants both queries the same SELECT privilege, so it cannot tell the single-user lookup apart from a dump of every credential in the table.

Prevention: Query-Level Access Control
Query-level access control:
select * from AdminUsers where username = ? and password = ?
Normal usage:
select * from AdminUsers where username = 'john' and password = 'smith'
Detected abuse:
select username, password from AdminUsers
select * from AdminUsers where username = 'john' and password = 'idontknow' or 1=1
Use an automated tool.

Legitimate Privilege Abuse
Abuse of legitimate database privileges for unauthorized purposes, e.g. copying a large amount of information from the database:
- to trade the data for money
- to have easier access (the copy is then vulnerable to Trojans, laptop theft, etc.)

Prevention: Context-Based Database Access
Augment access control with the context of the query. Take into consideration usage attributes:
- Client location (IP address, GPS location)
- Client type (application)
- Additional identity attributes (operating system, OS username)
- Time of day
Take into consideration the consequence:
- Size of the result set
- Query-level access control
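Added example (not part of the original slides) that combines the query-level whitelist from the previous slide with the context attributes listed here: a query is reduced to its parameterised template before comparison, then checked against a per-account policy for client network, time of day and result-set size. The account name, network range, hours and row limit are constructed assumptions.

```python
import ipaddress
import re

# Replace quoted strings and bare numbers with "?" so a concrete query can be
# compared with the parameterised template the application is allowed to run.
_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+\b")

def template_of(sql: str) -> str:
    normalized = _LITERAL.sub("?", sql)
    return " ".join(normalized.split()).lower()

# Per-account whitelist of query templates (constructed for the AdminUsers example).
ALLOWED = {
    "webapp": {"select * from adminusers where username = ? and password = ?"},
}

# Context policy: where, when and how much (constructed values).
POLICY = {
    "webapp": {
        "source_net": ipaddress.ip_network("10.0.1.0/24"),
        "hours": range(7, 20),   # 07:00 to 19:59 local time
        "max_rows": 1,           # a login lookup never needs more than one row
    },
}

def check_query(account: str, sql: str, client_ip: str, hour: int, result_rows: int) -> str:
    """Return 'allow' or a short reason the query was flagged."""
    tpl = template_of(sql)
    if tpl not in ALLOWED.get(account, set()):
        return "flag: query shape not in whitelist"
    pol = POLICY[account]
    if ipaddress.ip_address(client_ip) not in pol["source_net"]:
        return "flag: unexpected client location"
    if hour not in pol["hours"]:
        return "flag: outside permitted hours"
    if result_rows > pol["max_rows"]:
        return "flag: result set too large"
    return "allow"

if __name__ == "__main__":
    login = "select * from AdminUsers where username = 'john' and password = 'smith'"
    print(check_query("webapp", login, "10.0.1.5", 10, 1))
    print(check_query("webapp", "select username, password from AdminUsers", "10.0.1.5", 10, 1))
    print(check_query("webapp", login + " or 1=1", "10.0.1.5", 10, 1))
```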

Privilege Elevation
Database platform software vulnerabilities: stored procedures, built-in functions, protocol implementations, and even SQL statements.
Get administrator access privileges:
- find out the password
- convert access privileges from those of an ordinary user
Prevention:
- Use strong authentication
- Keep software up to date
- Use query-level access control

Inference
When users are able to piece together information at one security level to determine a fact from a higher security level.
No good solution:
- Polyinstantiation
- Live with inference

Flight ID  Cargo Hold  Contents     Classification
1254       A           Boots        Unclassified
1254       B           Guns         Unclassified
1254       C           Atomic Bomb  Top Secret
1254       D           Butter       Unclassified
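Added example (not part of the original slides) showing the cargo table above as a multilevel relation and what polyinstantiation changes: the same (flight, hold) key may exist once per classification level, so a low-cleared reader sees a cover row for hold C instead of a gap. The cover value "Medical supplies" is constructed.

```python
import sqlite3

LEVELS = {"Unclassified": 0, "Top Secret": 1}

def build_db() -> sqlite3.Connection:
    """The cargo table from the slide, keyed so one (flight, hold) may exist per level."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE cargo (flight_id INTEGER, hold TEXT, contents TEXT, "
        "classification TEXT, PRIMARY KEY (flight_id, hold, classification))"
    )
    con.executemany("INSERT INTO cargo VALUES (?, ?, ?, ?)", [
        (1254, "A", "Boots", "Unclassified"),
        (1254, "B", "Guns", "Unclassified"),
        (1254, "C", "Atomic Bomb", "Top Secret"),
        (1254, "D", "Butter", "Unclassified"),
    ])
    return con

def add_cover_row(con, flight_id: int, hold: str, cover: str) -> None:
    """Polyinstantiation: a second tuple for the same key at the lower level."""
    con.execute("INSERT INTO cargo VALUES (?, ?, ?, 'Unclassified')",
                (flight_id, hold, cover))

def view_as(con, clearance: str, flight_id: int) -> dict:
    """Per hold, the contents at the highest level the subject is cleared for."""
    rows = con.execute(
        "SELECT hold, contents, classification FROM cargo WHERE flight_id = ?",
        (flight_id,)).fetchall()
    best = {}
    for hold, contents, cls in rows:
        if LEVELS[cls] <= LEVELS[clearance] and (
                hold not in best or LEVELS[cls] > LEVELS[best[hold][1]]):
            best[hold] = (contents, cls)
    return {hold: contents for hold, (contents, _) in sorted(best.items())}

if __name__ == "__main__":
    con = build_db()
    # Hold C is simply missing from the low view: the gap itself is the inference.
    print("Unclassified, no cover row:", view_as(con, "Unclassified", 1254))
    add_cover_row(con, 1254, "C", "Medical supplies")   # constructed cover value
    print("Unclassified, with cover  :", view_as(con, "Unclassified", 1254))
    print("Top Secret                :", view_as(con, "Top Secret", 1254))
```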

SQL Rootkit (Database Rootkit)
Operating systems and databases are quite similar in architecture. Both of them have:
- Users
- Processes
- Executables
- Jobs
- Symbolic links

Rootkits are stealthy tools used by hackers to control operating systems. Completely unknown to the user, a hacker may install a rootkit by exploiting a vulnerability or cracking a password. The rootkit may then be used to hide processes, redirect application I/O, alter specific application programming interfaces or simply take over the user's operating system.

Installing a simple database rootkit is a very easy task, and once it is installed it can be very difficult to uncover. It can be used for capturing passwords, stealing data, tampering with user accounts, or performing similar nefarious activities. A SQL Server rootkit can take many disguises, but in its simplest form it can be a function whose logic has been subtly altered to return different results.

There are several ways to implement SQL rootkits:
- Modify the (database) object itself
- Change the execution path
- Change the SQL statement via VPD
- PL/SQL native

Detecting rootkits
- Generate a baseline of the repository, or get the baseline from the vendor
- Compare the repository against the baseline
- Check the results of the comparison
Checksums must be calculated externally, because the database's internal MD5 checksum could itself have been tampered with.
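Added example (not part of the original slides) of the baseline-and-compare procedure above: object definitions are read from the catalog and hashed with an external SHA-256, so no checksum computed inside the database is trusted. The schema, the altered view and the extra table are constructed to show what a comparison report looks like; sqlite_master stands in for a real server's data dictionary.

```python
import hashlib
import sqlite3

def fetch_definitions(con) -> dict:
    """Every named object definition in the catalog (sqlite_master here)."""
    rows = con.execute(
        "SELECT type, name, sql FROM sqlite_master WHERE sql IS NOT NULL").fetchall()
    return {f"{kind}:{name}": sql for kind, name, sql in rows}

def baseline(con) -> dict:
    """object -> SHA-256 of its definition, computed outside the database."""
    return {key: hashlib.sha256(text.encode()).hexdigest()
            for key, text in fetch_definitions(con).items()}

def compare(con, saved: dict) -> dict:
    """Changed, added and removed objects relative to a saved baseline."""
    current = baseline(con)
    return {
        "changed": sorted(k for k in saved if k in current and current[k] != saved[k]),
        "added": sorted(set(current) - set(saved)),
        "removed": sorted(set(saved) - set(current)),
    }

def demo() -> dict:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    con.execute("CREATE VIEW admins AS SELECT name FROM users WHERE is_admin = 1")
    saved = baseline(con)          # in practice: stored off the database host
    # Simulated tampering in the style of the slides: the view now hides one
    # account from the admin listing, and an object appears that was never baselined.
    con.execute("DROP VIEW admins")
    con.execute("CREATE VIEW admins AS SELECT name FROM users "
                "WHERE is_admin = 1 AND name <> 'shadow'")
    con.execute("CREATE TABLE scratch (note TEXT)")
    return compare(con, saved)

if __name__ == "__main__":
    print(demo())
```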

SQL
Standard language for relational database management systems. It consists of two main parts: DML and DDL.
Differences in syntax:
Description    ORACLE  MS SQL Server
String length  LENGTH  DATALENGTH

SQL Injection
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. It is a very common and very popular attack because of its simplicity. With SQL injection the attacker tries to insert malicious SQL code into a database and force it to execute the given command. The average web application is attacked at least four times per month by SQL injection techniques.

Point of attack
The attacker may input specifically crafted SQL commands with the intent of bypassing the login form barrier and seeing what lies behind it.

SQL injection attack
Two main steps:
a) Discovering how the application handles bad inputs
b) Starting the real attack
Assuming:
SELECT field FROM table WHERE email = '$email';

Discovering how the application handles bad inputs
SELECT field FROM table WHERE email = 'hacker@database.com';
If the attacker submits that, there are two possibilities:
1. The application will first sanitize the input
2. The application will take the input from the attacker and immediately run it as part of the SQL

Start the real attack
SELECT field FROM table WHERE field = 'something' OR 'x'='x';
The attacker thereby gets proof that he is able to manipulate the query to his own ends.

SELECT field FROM table WHERE field = 'x' AND email IS NULL; --';
The purpose of this query was to use a proposed field name (email) in the constructed query and find out whether the SQL is valid or not. If the attacker gets any kind of valid response, like "email is not recognized", it means that he guessed the name of the field correctly.

SELECT email, password, userid, name FROM table WHERE email = 'x' AND 1=(SELECT COUNT(*) FROM tabname); --';
The purpose of this query is to find out whether the name of the table is valid. This involves a lot of guessing.

SELECT email, password, userid, name FROM users WHERE email = 'x' AND users.email IS NULL; --';
This query is executed in order to confirm that the table users is the table used in the query. It only works for tables that are actually part of this query, not for any table that exists in the database.

The attacker can try to find some users:
SELECT email, password, userid, name FROM users WHERE email = 'x' OR name LIKE '%Bob%';
or drop the entire table:
SELECT email, password, userid, name FROM users WHERE email = 'x'; DROP TABLE users; --';

SQL injection prevention
- Access the database using an account with the least privileges necessary
- Install the database using an account with the least privileges necessary
- Ensure that data is valid
- Do a code review to check for the possibility of second-order attacks
- Use parameterised queries
- Use stored procedures
- Ensure that error messages give nothing away about the internal architecture of the application or the database
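Added example (not part of the original slides) putting the "use parameterised queries" bullet next to the vulnerable pattern the attack slides assume: the same users lookup is written once by pasting $email into the SQL text and once with a bound parameter, then both are run against a constructed in-memory table using the 'x'='x' value from the slides.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed users table matching the columns used on the slides."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (email TEXT, password TEXT, userid INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        ("alice@example.com", "s3cret", 1, "Alice"),
        ("bob@example.com", "hunter2", 2, "Bob"),
    ])
    return con

def lookup_vulnerable(con, email: str) -> list:
    """The slides' query with $email pasted straight into the SQL text."""
    sql = f"SELECT email, password, userid, name FROM users WHERE email = '{email}';"
    return con.execute(sql).fetchall()

def lookup_parameterised(con, email: str) -> list:
    """The same query with a bound parameter: the input stays data, never SQL."""
    sql = "SELECT email, password, userid, name FROM users WHERE email = ?;"
    return con.execute(sql, (email,)).fetchall()

PAYLOAD = "x' OR 'x'='x"   # the value from the slides, as typed into the form field

if __name__ == "__main__":
    con = make_db()
    print("vulnerable   :", len(lookup_vulnerable(con, PAYLOAD)), "rows")     # every user
    print("parameterised:", len(lookup_parameterised(con, PAYLOAD)), "rows")  # none
    print("parameterised:", lookup_parameterised(con, "bob@example.com"))
```

The sqlite3 driver refuses stacked statements, so the `; DROP TABLE` variant from the slides raises an error here instead of running; other drivers and servers do execute batches, which is why the bound parameter, not the driver, is the defence.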