Database Attacks, How to protect the corporate assets
Upcoming SlideShare
Loading in...5
×
 

Database Attacks, How to protect the corporate assets

on

  • 5,826 views

 

Statistics

Views

Total Views
5,826
Views on SlideShare
5,826
Embed Views
0

Actions

Likes
0
Downloads
48
Comments
1

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
  • how to install ??
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Data security used to be simple. (click) A Large Mainframe stored in a glass house manipulated data stored in a Winchester array. If someone tried to steal that data, you saw them through the window, (click) pulled the Halon fire supression lever, and watched them pass out.
  • It’s gotten a lot more complicated. (click) The demand for pervasive Access (read slide) has lead to (clock) increasingly focused attacks (read slide) (click) which in turn has created a whole new set of compliance needs.
  • A couple of preliminaries. This is a network we’ll use throughout this talk. Please note we’ve got firewalls, and web proxies, and encrypted channels, and all the good stuff to NETWORK security. Today we’re going to talk about APPLICATION security. We will show how the two are complimentary, but different.
  • As the environment evolved so has the threat.
  • This is Jack’s FUD slide. Data is a valuable resource in your company. You, of course, are the most valuable resource. And People want to steal that data. If you believe attacks are coming only from 18 year olds sitting up all night sucking down Red Bull, you’re sadly vulnerable. Those kids have grown up. But they’ve now got spouses and kids of their own. They need to earn a living. For the most part, we won’t hire them because they’re disaffected. Those that didn’t become ethical hackers, revert to what they did in college, and we make it easy for them.
  • Here’s a little evidence that the bad guys have moved up the stack. Scarcely a week goes by that were not reading about a personal privacy breach. Here are ten of the biggest we’ve seen, just since the beginning of the year. Nearly 50 million customers privacy invaded. So what? Choicepoint’s stock tumbled 15% the day after their breach was disclosed and hasn’t recovered. Card Systems went out of business as Visa and MasterCard will no longer do business with them.
  • So let’s summarize the top 5 issues with Application level security. (Read bullet points)
  • Second, is a depiction typical web enabled enterprise application. Web Front End; Application Specific middle ware; and a database back end. The database has the good stuff. We’ll talk about how this this application can be attacked at each of the component levels.
  • Databases, actually, any complex software is riddled with vulnerabilities. Software makers are under pressure to make their products easy to use. Ease of use and security are somewhat opposed concepts. Let’s look at a very simple vulnerability Default and Weak Passwords. Databases have their own user accounts and passwords.
  • Databases, actually, any complex software is riddled with vulnerabilities. Software makers are under pressure to make their products easy to use. Ease of use and security are somewhat opposed concepts. Let’s look at a very simple vulnerability Default and Weak Passwords. Databases have their own user accounts and passwords.
  • Like any software, databases ship with a default user name and password. Oracle uses a little obfuscation by having over 200 different defaults for different versions, but that doesn’t really cause the bad guy much of a problem. Here’s a list a some of the defaults…everyone knows them.
  • Notice the Microsoft default. SA BLANK! Remember that MSDE is a Microsoft SQL server. MSDE has this same default. So any application, like a Blackberry Mail Server, or a Cisco Network Manager, that uses MSDE has this same default user….until you change it.
  • Without account lockout, I can just try every password I can think of, or run a script. We’ll look at this a little later.
  • Let’s talk for a minute about Denial of Service and Buffer overflow attacks
  • So what’s a denial of service? We know what that is in a network. Applications have the same issues. READ THE SLIDE Here are common DOS vulnerabilities in these popular databases.
  • And Buffer Overflows. READ the Slide We’ll talk more about the RESOLUTION STACK buffer overflow later. They all have them.
  • A third tranche of vulnerabilities deal with misconfigurations. Databases are complex beasts. You know you can’t just fire them up and let ‘em rip.
  • These are some common problem areas in databases. We’ll look at how to get in through a default HTTP server in an Oracle database later. How many of you know Oracle has a built in web server? Check your port 7777. IBM DB2 CREATE_NOT_FENCED privilege granted This privilege allows logins to create stored procedures that run in the address space of the database. These stored procedures can execute malicious code under the privileges of the database manager. MySQL Permissions on User Table (mysql.user) This table contains password hashes as well as a list of privileges for a user.
  • A third tranche of vulnerabilities deal with misconfigurations. Databases are complex beasts. You know you can’t just fire them up and let ‘em rip.
  • So let’s get inside the head of one of those folks looking to take something from you. How do they plan an attack? It’s much like a Special Operations mission. [REVIEW the Slide] What types of issues will we look to exploit?
  • We simply start writing our own extended SQL commands using a UNION to inject the valid command that we’re using for malicious purposes. In this example, here we select passwords out of the DBA User’s Table. In this specific example we will pull out the hashed password for “SYSTEM” in an Oracle database.
  • When we hit “Submit”, and it returns the Password Hash as the Customer Address. And to answer the earlier rhetorical question, we only need refer to any or a number of publicly available hash dictionaries to back into the cleartext password.
  • Here we have an Oracle HTTP Server running on port 7778 – somebody could have created a web application using the Oracle HTTP Server which can exist on an any port even on port 80. The things to be aware of are the following: This application which comes standard with the installation of the Oracle HTTP Server can be used as a way into the database, and eventually into the host operating system or other trusted systems. The hackers can attack the database using a SQL Injection exploit.
  • This is the demo application that ships with the server. It is susceptible to SQL Injection: demo/sql/jdbc/JDBCQuery.jsp The first step in using SQL Injection to see where we can penetrate. We use the “connStr” command to connect to target any Oracle database in the network.
  • Here we Union the command to ask for the database name using SQL Injection.
  • And that command conveniently displays the database name within the browser.
  • Let’s try another command. The Sys.login should return the user name the web server uses to login to the database. As an aside, how often is this ever changed in your networks?
  • … and here are the results showing that the web server uses “Scott” to login to the database.
  • Here we are going to use an existing buffer overflow in Oracle in our SQL Injection attack for whatever we’d like to do. There’s exploit code taking advantage of this buffer overflow on the Internet available for you to look up and see all of the various exploits. http://www.appsecinc.com/Policy/PolicyCheck81.html http://www.securityfocus.com/bid/9587/info/ A buffer overflow exists in the built-in function NUMTOYMINTERVAL. This buffer overflow may allow an attacker to overwrite the stack and execute arbitrary code under the security context of the database server. NUMTOYMINTERVAL is a built-in function and as such permissions to execute this function are granted to all database users.
  • Here we inject the buffer overflow attack and it crashed the database.
  • Here’s a simple one.
  • I wonder what this search might return?
  • So what do you do about this stuff? Diligence to the application is required. Security is an ongoing process. [READ Slide]
  • Hackers want to steal from you. Your valuable assets are in your databases. Doesn’t it just make sense to protect them?
  • Use the industry best practices.
  • Note we modified #2. Seriously, MBSA is ok for O/S level attacks but at the application layer you probably want an independent third party looking at the app.
  • AppDetective performs 4 basic functions: Application Discovery Penetration Testing Security Auditing Advanced Reporting A mature product, AppDetective includes many enterprise-class features…

Database Attacks, How to protect the corporate assets Database Attacks, How to protect the corporate assets Presentation Transcript

  • Database Attacks, How to protect the corporate assets Presented by: James Bleecker
  • Agenda
    • Introduction
      • Landscape
      • Database Vulnerabilities Are The New Front-Lines
    • Attacking Where the Data Resides
      • Planning an Attack
      • Attacking Database Vulnerabilities
    • How Do You Protect Your Database?
    • What is Application Security direction/Vision?
  • Old Data Processing Environment Winchester IMS Array Glass House Halon Release Switch CICS Controller BIG IRON Hyperchannel Halon
  • New Data Processing Requirement
    • Increasingly Focused Attacks
    • Directly on applications (75%!)
    • Including insiders (80+%!)
    • As perimeter crumbles
    • Demand for Pervasive Access
    • By anyone
    • To any application
    • Increasingly direct
    • Compliance Requirements
    • Info ultimately in Db apps:
      • Privacy / confidentiality
      • Integrity
    • Compliance must be:
      • Repeatable
      • Demonstrable
    Stored Data
  • Typical Network Landscape
  • Database Vulnerabilities
    • A decade ago, databases were
      • Physically secure
      • Housed in central data centers – not distributed
      • External access mediated
      • Security issues rarely reported
    • Now, databases are externally accessible
      • Suppliers directly connected
      • Customers directly connected
      • Customers and partners directly sharing data
  • Database Vulnerability Exploitation
    • A decade ago, attacks were
      • Broad based
      • Launched by disaffected “Hackers”
      • Intended to disrupt, gain respect / notoriety in the community
    • Now, attacks are
      • Targeted against specific resources
      • Launched by sophisticated professionals
      • Intended to bring monetary gain to the attacker
    • Data is a valuable resource in your company
      • Value increases with greater integration and aggregation
      • But so does the threat of data theft, modification, or destruction
  • Databases Are Under Attack
    • 106 Incidents in 2005
    • Flurry of new data breaches disclosed : More than 190 such incidents have been reported since February 2005, Jaikumar Vijayan and Todd Weiss; June 19, 2006 (Computerworld)
    • We’re not Winning!
  • Recent Incidents 22-May-06 1500 Department of Energy’s nuclear weapons 15-Feb-06 350,000 Dept of Agriculture 5-Mar-06 41,000 Georgetown University 9-Feb-06 200,000 Misc retail debit card compromise (OfficeMax?) Source: Privacy Rights Clearinghouse, http://www.privacyrights.org/ar/ChronDataBreaches.htm ~50,000,000+ # of customers affected Etc, etc, etc . 15-Feb-05 145,000 ChoicePoint 19-Apr-05 200,000 Ameritrade 9-Mar-05 310,000 LexisNexis 25-Feb-05 1,200,000 Bank of America 8-Mar-05 1,400,000 DSW Shoe Warehouse 6-Jun-05 3,900,000 Citigroup 17-Jun-05 40,000,000 Card Systems Date of Initial Disclosure # of Affected Customers Company/Organization
  • Top 5 Issues in Enterprise Security
    • Attackers have gone pro
      • Want personal data they can sell – Personal data like credit card and social security numbers are relatively easy to monetize
    • Attacks are moving to the source
      • Why pull a single credit card via compromising the network? It's relatively hard with a meager pay off. Instead, take over the corporate database and get them ALL
    • The perimeter provides little defense
      • Insiders don't go through the firewall thus perimeters provide no protection from this growing source of risk
    • Inside the perimeter, enterprises have little-to-no protection
      • Beyond anti-virus, enterprises are only just now getting started to build a layered defense. For example, how does a largely signature-based security solution protect you from an insider that doesn't need to run a vulnerability against a system to get access? They've got plenty of privileges already ;-)
    • Everyone is watching
      • Everyone is very-much clued in to the increased threats against personal data. Any mistakes are likely to be very public
  • How Do You Secure Apps? Key Components of Enterprise Applications Vulnerabilities exist within each of these components
  • Database Vulnerabilities:
    • Default & Weak Passwords
    • Denial of Services (DoS) & Buffer Overflows
    • Misconfigurations & Resource Privilege Management Issues
  • Database Vulnerabilities: Default & Weak Passwords
    • Databases have their own user accounts and passwords
    Oracle Microsoft SQL Server Sybase Default & Weak Passwords MySQL IBM DB2     
  • Database Vulnerabilities Default Passwords
    • Oracle Defaults (Over 200 of them)
        • User Account: internal / Password: oracle
        • User Account: system / Password: manager
        • User Account: sys / Password: change_on_install
        • User Account: dbsnmp / Password: dbsnmp
    • IBM DB2 Defaults
        • User Account: db2admin / Password: db2admin
        • User Account: db2as / Password: ibmdb2
        • User Account: dlfm / Password: ibmdb2
  • Database Vulnerabilities Default Passwords
    • MySQL Defaults
        • User Account: root / Password: null
        • User Account: admin / Password: admin
        • User Account: myusername / Password: mypassword
    • Sybase Defaults
        • User Account: SA / Password: null
    • Microsoft SQL Server Defaults
        • User Account: SA / Password: null
  • Database Vulnerabilities Weak Passwords
    • It is important that you have all of the proper safeguards against password crackers because:
        • Most databases do not have Account Lockout
        • Database Login activity is seldom monitored
        • Scripts and Tools for exploiting weak identification control mechanisms and default passwords are widely available
  • Database Vulnerabilities: Denial of Services (DoS) & Buffer Overflows
    • Databases have their own DoS’s & Buffer Overflows
    Oracle Microsoft SQL Server Sybase Denial of Services & Buffer Overflows Default & Weak Passwords MySQL IBM DB2          
  • Denial of Services Databases Have Their Own Class of DoS Attacks
    • Category of attacks that could result in the database crashing or failing to respond to connect requests or SQL Queries.
    • Significant Database Denial of Services:
      • Oracle8i: NSPTCN data offset DoS
      • https://www.appsecinc.com/Policy/PolicyCheck31.html
      • Oracle9i: SNMP DoS
      • https://www.appsecinc.com/Policy/PolicyCheck45.html
      • Microsoft SQL Server: Resolution Service DoS
      • https://www.appsecinc.com/Policy/PolicyCheck2066.html
      • IBM DB2: Date/Varchar DoS
      • https://www.appsecinc.com/Policy/PolicyCheck3014.html
  • Buffer Overflows Databases Have Their Own Buffer Overflows
    • Category of vulnerabilities that could result in an unauthorized user causing the application to perform an action the application was not intended to perform.
    • Most dangerous are those that allow arbitrary commands to be executed by authenticated users.
        • No matter how strongly you’ve set passwords and other authentication features.
      • Significant Database Buffer Overflows:
        • Oracle9i: TZ_OFFSET buffer overflow
        • Microsoft: pwdencrypt buffer overflow / Resolution Stack Overflow
        • Sybase: xp_freedll buffer overflow
  • Database Vulnerabilities Misconfigurations & Resource Privilege Management Issues
    • Misconfigurations can make a database vulnerable
    Oracle Microsoft SQL Server Sybase Misconfigurations & Resource Privilege Management Denial of Services & Buffer Overflows Default & Weak Passwords MySQL IBM DB2               
  • Misconfigurations & Resource Privileges Misconfigurations Can Make a Database Vulnerable
    • Oracle
      • External Procedure Service
      • Default HTTP Applications
      • Privilege to Execute UTL_FILE
    • Microsoft SQL Server
      • Standard SQL Server Authentication Allowed
      • Permissions granted on xp_cmdshell and xp_regread
    • Sybase
      • Permission granted on xp_cmdshell
    • IBM DB2
      • CREATE_NOT_FENCED privilege granted
        • This privilege allows logins to create stored procedures
    • MySQL
      • Permissions on User Table (mysql.user)
  • Database Vulnerabilities Wrap-up Oracle Microsoft SQL Server Sybase Misconfigurations & Resource Privilege Management Denial of Services & Buffer Overflows Default & Weak Passwords MySQL IBM DB2               
  • Planning an Attack
    • Create a Map
      • What does the network look like?
    • Reconnoiter
      • Collect information about the layout of the target
      • What looks intere$ting?
    • Probe, Progress, Plot
      • What can we do?
      • Build the springboard for further activity
      • Plan the strike
    • Retreat and Re-attack
  • How are search engines used for attacks?
    • First thing an attacker needs is information
      • Where to attack
      • What a site is vulnerable to
    • Search engine is a large repository of information
      • Every web page in your application
      • Every domain on the Internet
    • Search engines provide an attacker:
      • Ability to search for attack points on the Internet
      • Ability to search for an attack point in a specific website
      • Ability to look for specific URLs or files
    • http://johnny.ihackstuff.com/index.php?module=prodreviews
  • Example – looking for iSQL*Plus
    • Oracle HTTP Servers
      • Provides a way to run queries on database using an HTTP form
      • Accessed using the URL /isqlplus
      • By default runs on any Oracle HTTP server installed with:
        • Oracle Applications Server
        • Oracle Database Server
    • Search can be performed on Google or Yahoo
      • looking for Oracle HTTP servers
      • Using the “allinurl” advanced search feature
  • Using Google Advanced Search
  • Results of Google Advanced Search
  • Yahoo! Advanced Search Works Too…..
  • Connect with default username/password
  • Attacker can execute any query
  • Example – SQL Injection in demo applications
    • Oracle HTTP Servers
      • Provided default web applications
      • /demo/sql/jdbc/JDBCQuery.jsp
      • /demo/sql/tag/sample2.jsp
    • Contains SQL Injection
      • Google search value of “allinurl:JDBCQuery.jsp”
  • Vulnerable Oracle HTTP Servers
    • Oracle
    X’ UNION SELECT password FROM dba_users WHERE username=‘SYSTEM Oracle Example
  • Password Hash Returned Customer address: EED9B65CCECDB2E9 http://www.pentest.co.uk/sql/check_users.sql
  • SQLINJECTION1
  • SQLINJECTION1
    • 7778/demo/sql/jdbc/JDBCQuery.jsp
  • SQLINJECTION2 sys.database_name
  • SQLINJECTION3
  • SQLINJECTION4 sys.login_user
  • SQLINJECTION5
  • SQLINJECTION6 NUMTOYMINTERVAL
  • SQLINJECTION7
  • Hackers Can Find Credit Cards
    • Recent posting to security newsgroups
      • To: [email_address] Subject: New google's top query?
      • Instructions on finding credit cards on the Internet
        • Involves using Numrange searches in Google
          • http://www.google.com/search?q=visa+4356000000000000..435699999999999
        • Can focus in on a single domain
        • Can focus in on a single person
        • “ Numrange can be used to specify that results contain numbers in a range you set. You can conduct a numrange search by specifying two numbers, separated by two periods, with no spaces. Be sure to specify a unit of measure or some other indicator of what the number range represents.”
  • Google Advanced Search Page
  • How Do You Address These Vulnerabilities?
    • Stay Patched
      • Stay on top of all the security alerts and bulletins
    • Defense in Depth
    • Multiple Levels of Security
      • Regularly perform audits and penetration tests on your database
      • Encryption of data-in-motion / data-at-rest / data-in-use
      • Monitor database activity log files
      • Implement application layer intrusion detection
        • Especially if you can’t stay patched!
  • How Do You Address These Vulnerabilities?
    • “I’m running auditing, vulnerability assessment, and IDS tools for the network/OS. Am I secure?”
      • NO!!!!
    • Databases are extremely complex beasts
    • Databases store your most valuable assets
    • Significantly more effort securing databases is necessary
      • “If your workstation gets hacked, that’s bad. But if your database gets hacked, you’re out of business.”
          • http://www.devx.com/dbzone/Article/11961
  • Best Practices Provided by Database Vendors & Notable Third Parties
    • Oracle
      • Oracl9i Security Checklist
    • SANS Institute (SysAdmin, Audit, Network, Security)
      • Oracle Database Checklist
    • Microsoft
      • 10 Steps to Secure SQL Server
    • SQLSecurity.com
      • SQLSecurity Checklist
  • Oracle9i Security Checklist A Security Checklist for Oracle9i
    • Install Only What is Required
    • Lock and Expire Default User Accounts
    • Change Default User Passwords
    • Enable Data Dictionary Protection
    • Practice Principle of Least Privilege
    • Enforce Access Controls Effectively
    • Restrict Network Access
    • Apply Security Patches and Workarounds
    http://otn.oracle.com/deploy/security/oracle9i/index.html
  • 10 Steps to Secure SQL Server 2000 AppDetective Compliance Capabilities http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp 10) Audit connections to SQL Server 9) Delete or secure old setup files 8) Use the most secure file system 7) Disable SQL Server ports on your firewall 6) Limit privilege level of SQL Server Services 5) Assign a strong password 4) Isolate your server and back it up regularly 3) Use Windows Authentication Mode 2) Assess your server’s security with Microsoft Baseline Security Analyzer ((We’d suggest AppDetective!!)) 1) Install the most recent service pack
  • Database Security Resources
    • SQL Server Security
      • www.SQLSecurity.com
      • www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp
    • Oracle Security
      • www.sans.org/score/checklists/Oracle_Database_Checklist.doc
      • otn.oracle.com/deploy/security/oracle9i/index.html
    • Database Security alerts
      • www.appsecinc.com/resources/mailinglist.html
    • Database Security Discussion Board
      • www.appsecinc.com/cgi-bin/ubb/ultimatebb.cgi
  • How Do You Secure Apps? Apply the vulnerability management lifecycle...
    • Determine risk and prioritize based on vulnerability data, threat data, asset classification
    • High-priority vulnerabilities
    • Establish controls and eliminate root causes
    • Baseline compliance
    • Vulnerabilities
    • Threat environment
    • Establish “as is” position
    • Identify vulnerabilities
    • Develop ideal baseline
    Maintain Baseline/ Discover Prioritize Shield and Mitigate Monitor
  • Proactive Hardening Complete Database Vulnerability Assessment
    • Database Discovery
    • Penetration Testing
    • Security Audit
    • Reporting
    • Remediation: Fix Scripts
    • Keep current: ASAP updates protect against latest threats
    Baseline/ Discover Prioritize Shield and Mitigate Monitor
  • Real-Time Monitor Security Alerts + Focused, Granular Monitoring
    • Who, What and When
    • Activity Monitoring & Alerting
      • All User Activity and System Changes
      • Complex Attacks and Threats
      • Misuse and Malicious Behavior
    • Configurable Detection
      • User Defined Alert Rules
      • User Defined Threat Signatures
    • Regularly Updated
      • ASAP Updates™
    • Microsoft SQL Server
    • Oracle
    • Sybase
    • IBM DB2
    Baseline/ Discover Prioritize Shield and Mitigate Monitor
  • Last Line of Defense - Shield Usable Crypto for Production Databases
    • Column-level Encryption
      • Selective protection
    • Built in Key Management
      • Control Administrator rights
    • Easy to Implement
      • Clustering / Mirroring
      • Back up / Disaster Recovery
    • Easy to Use
      • Application Transparency
      • User Invisibility
    • Cryptographically Strong
      • Broad set of algorithms
    Baseline/ Discover Prioritize Shield and Mitigate Monitor
  • Security Industry Direction
      • More focused and complex attacks
      • Blended attacks
      • Increased audit and tracking requirements
      • Mixed Database vendors with less resources
    • Oracle
    • Microsoft SQL Server
  • AppSecInc Direction
      • Product working closer to together
      • Vulnerability scan feeding IDS monitoring
      • Reporting across functions for compliance issues
      • Security Change Audit tracking
    Baseline/ Discover Prioritize Shield and Mitigate Monitor
  • Contact Info
    • Ben Brieger – Northwest Regional Manager
      • 650-796-4919
      • [email_address]
      • www.appsecinc.com
    • James Bleecker – Senior Systems Engineer
      • 949-310-4639
      • jbleecker @appsecinc.com
      • www.appsecinc.com