Académique Documents
Professionnel Documents
Culture Documents
Database
Attack
James Bleecker Scott Campbell
Application Security, Inc. Application Security, Inc
Principal Systems Engineer Regional Sales Manager
June 9, 2011
Todays Agenda
2 www.appsecinc.com
Some Scary Stats
3 www.appsecinc.com
Growing Threat
Different Targets/Objectives
Financial Steal Credit Cards and Money
Government Steal State Secrets
Business Industrial Espionage
Military Cyber Warhead Attacks on Critical Defenses and
Infrastructure
4 www.appsecinc.com
Growing Threat
Private Sector
Seen a lot of Successful Attacks
TJX, Heartland, Epsilon, UCLA, etc
Three Of Four Energy Firms Had Data Breach In Last Year
Sony Online Entertainment
Government Sector
Seen a lot of Successful Attacks
Russias cyber attack on Georgia
Wikileaks
All US Government Agencies
All Branches of the US DoD
StuxNet
5 www.appsecinc.com
Growing Threat
1-800-FLOWERS, AbeBooks, Air Miles (Canada), Ameriprise Financial, Ann Taylor credit card ,
Barclay's Bank of Delaware, Beachbody, Bebe Stores, Best Buy, Benefit Cosmetics, Brookstone,
Capital One, Chase, Citigroup, City Market, College Board, Crucial, Dell, Dillons, Disney
Destinations, Eddie Bauer, Eileen Fisher, Ethan Allen, Eurosport (Soccer.com), Food 4 Less,
Fred Meyer, Fry's Electronics, Hilton Honors program, Home Depot, Home Shopping Network,
J. Crew, JPMorgan Chase, Kroger, Marks and Spencer, Marriott, McKinsey Quarterly, MoneyGram,
New York & Co., QFC, Ralph's, Red Roof Inns, Ritz-Carlton, Robert Half International, Scottrade, Smith Brands,
Target, Tastefully Simple, TD Ameritrade, The Limited , TIAA-CREF, TiVo, US Bank, Verizon, Walgreen's
6 www.appsecinc.com
Growing Threat
7 www.appsecinc.com
The Enemy/Tactics
Who is behind data breaches?
- Over 70% credentialed users
- 10% business partners
- 46% insiders
8 www.appsecinc.com
Overview: Data Breaches
10 www.appsecinc.com
To Make Matters Worse - Threats Are Very Real
Database Security: Recent Findings
Only 1 out of 4 databases are locked down against attacks.
Source: 2008 IOUG Data Security Report, Joe McKendrick, Research Analyst
11 www.appsecinc.com
Compliance is More Critical than Ever!
12 www.appsecinc.com
Database
Vulnerabilities
Common Database Threats
Database Vulnerabilities:
Default accounts and passwords
Easily guessed passwords
Missing Patches
Misconfigurations
Excessive Privileges
---------------------------------------------------------
External Threats:
Web application attacks (SQL-injection)
Insider mistakes
Weak or non-existent audit controls
Social engineering
14 www.appsecinc.com
Database Vulnerabilities
15 www.appsecinc.com
Database Vulnerabilities: Weak Passwords
16 www.appsecinc.com
Database Vulnerabilities: Weak Passwords
18 www.appsecinc.com
Database Vulnerabilities: Missing Patches
Privilege Escalation
Become a DBA or equivalent privileged user
Denial of Service Attacks
Result in the database crashing or failing to respond to
connect requests or SQL Queries.
Buffer Overflow Attacks
Result in an unauthorized user causing the application to
perform an action the application was not intended to perform.
Can allow arbitrary commands to be executed
No matter how strongly youve set passwords and other
authentication features.
19
19 www.appsecinc.com
Database Vulnerabilities: Misconfigurations
9 9 9 9 9
Default & Weak
Passwords
9 9 9 9 9
Denial of Services
& Buffer Overflows
9 9 9 9 9
Misconfigurations &
Excessive Privileges
20
20 www.appsecinc.com
Database Vulnerabilities: Misconfigurations
Misconfigurations Can Make Databases Vulnerable
Oracle
External Procedure Service
Privilege to grant Java permissions
Default HTTP Applications
Privilege to Execute UTL_FILE
Microsoft SQL Server
Standard SQL Server Authentication Allowed
Permissions granted on xp_cmdshell
Sybase
Permission granted on xp_cmdshell
IBM DB2
CREATE_NOT_FENCED privilege granted (allows logins to
create SPs)
MySQL
Permissions on User Table (mysql.user)
21
21 www.appsecinc.com
The Database Insider Threat
23 www.appsecinc.com
SPIDER WEB OF DATABASE USERS, GROUPS, ROLES, AND PERMISSIONS
Legend Roles Permissions
QUALITY
reorder related record
ASSURANCE
DATABASE
ADMIN
new import
delete
PUBLIC EVP/SVP
delete found
Database Attacks!
Attacking Oracle: Become SYSDBA
Attack Target:
Oracle 10g Release 2
Privilege Level: Anyone with a Login
Examples: SCOTT / TIGER or Guest Account
Outcome: Complete Administrative Control!
Attacker can run any SQL as SYSDBA
Vulnerabilities Exploited:
Privilege Escalation via SQL Injection in
SYS.LT.MERGEWORKSPACE
Patched by Database Vendor:
Oracle October 2008 CPU
26 www.appsecinc.com
27 www.appsecinc.com
28 www.appsecinc.com
29 www.appsecinc.com
2905eca56a830226
30 www.appsecinc.com
Attacking Oracle: Become SYSDBA
31 www.appsecinc.com
Attacking Oracle: Become SYSDBA
Vulnerabilities Exploited:
Privilege Escalation via SQL Injection in
SYS.LT.MERGEWORKSPACE
32 www.appsecinc.com
Attacking Oracle: View Any Data
Attack Target:
Oracle 11g
Privilege Level: Any Login with CREATE
PROCEDURE
Outcome: Access to all Database Data!
Attacker can run any SQL as WMSYS
Vulnerabilities Exploited:
Privilege Escalation via SQL Injection in
[WM]SYS.LT.ROLLBACKWORKSPACE
Patched by Database Vendor:
Oracle April 2009 CPU
33 www.appsecinc.com
34 www.appsecinc.com
35 www.appsecinc.com
Attacking Oracle: View Any Data
The Setup:
Created a user (user1)
Granted only the privilege to login
Established that we cant see sensitive data
36 www.appsecinc.com
Attacking Oracle: View Any Data
The Attack:
Use CREATE PROCEDURE privilege to create
a function called SQLI
SQLI has code to read from SCOTT.EMP and print output to
the screen
Inject a call to SQLI into the vulnerable
DBMS_WM.ROLLBACKWORKSPACE
Watch as the data from SCOTT.EMP prints to
the screen
37 www.appsecinc.com
38 www.appsecinc.com
39 www.appsecinc.com
Attacking Oracle: View Any Data
Vulnerabilities Exploited:
Privilege Escalation via SQL Injection in
[WM]SYS.LT.ROLLBACKWORKSPACE
40 www.appsecinc.com
Attacking Microsoft SQL Server: The DataBurglar
41 www.appsecinc.com
DataBurglars Plan
42 www.appsecinc.com
The DataBurglar Attack
DataBurglar knows that the SQL OLE DB Provider is
installed on the target database server.
This means he can use the OPENROWSET function to send
data to his remote SQL Server database.
43 www.appsecinc.com
The Attack in Detail
44 www.appsecinc.com
starts
small
45 www.appsecinc.com
then
grows
46 www.appsecinc.com
and grows,
and grows
48 www.appsecinc.com
Database Security Best
Practices
Database Security Life Cycle
50 www.appsecinc.com
Addressing Database Vulnerabilities
Start with a Secure Configuration
Stay Patched
Stay on top of all the security alerts and bulletins
Regularly Review User Rights and Privileges
Revoke any unnecessary access
Defense in Depth / Multiple Levels of Security
Regularly scan your databases for vulnerabilities
Fix the problems reported!
Implement database activity monitoring
and database intrusion detection
Especially if you cant stay patched!
Encryption of data-in-motion / data-at-rest
51 www.appsecinc.com
Resources
Oracle
Oracle Project Lockdown
www.oracle.com/technology/pub/articles/project_lockdown/index.html
Oracle Security Checklist
www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db
_database.pdf
SANS Institute (SysAdmin, Audit, Network, Security)
Oracle Database Checklist
www.sans.org/score/checklists/Oracle_Database_Checklist.doc
Microsoft
SQL Server 2005 Security Best Practices
www.microsoft.com/technet/prodtechnol/sql/2005/sql2005secbestpract.ms
px
SQLSecurity.com
SQLSecurity Checklist
My Book!
Practical Oracle Security
52 www.appsecinc.com
Database Security Info from AppSecInc
White Papers
http://www.appsecinc.com/techdocs/whitepapers/research.shtml
SQL Server Forensics
Database Activity Monitoring
Search Engines Used to Attack Databases
Introduction to Database and Application Worms
Hunting Flaws in Microsoft SQL Server
Presentations
http://www.appsecinc.com/techdocs/presentations.shtml
Protecting Databases
Hack-Proofing MySQL, IBM DB2, Oracle9iAS
Writing Secure Code in Oracle
Addressing the Insider Threat to Database Security
Security alerts
www.appsecinc.com/resources/mailinglist.html
53 www.appsecinc.com
Thank You
Questions?
Vulnerabilities?
Locking down the
database?
Email our security
experts at:
asktheexpert@appsecinc.com
Scott Campbell
214-435-2772
scampbell@appsecinc.com
54 www.appsecinc.com