Open Source Databases Security


Open Source Databases Security.
at 2013 "Linux and Free/Open Source Solution" Paris Conference
by Serge Frezefond



  1. Open Source Databases Security
     Serge Frezefond, @sfrezefond, http://Serge.frezefond.com
     29 / 05 / 2013
     Serge Frezefond - Databases Security

  2. Companies are under permanent attack
     • Stealing valuable data
       - Customer base
     • Denial of Service
       - Make your database unresponsive
     • Corruption of data
       - Totally or partially
     • Doing transactions / money transfers on behalf of X
     Cost of attacks is in millions of $
     May 28th 2013, Serge Frezefond - Databases Security

  3. Recent attacks are not sophisticated: SQL injection
     On March 27, 2011, mysql.com, the official homepage for MySQL, was compromised by a hacker using SQL blind injection.
     On June 1, 2011, "hacktivists" of the group LulzSec were accused of using SQLI to steal coupons, download keys, and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users.
     In July 2012 a hacker group was reported to have stolen 450,000 login credentials from Yahoo!. The logins were stored in plain text and were allegedly taken from a Yahoo subdomain, Yahoo! Voices. The group breached Yahoo's security by using a "union-based SQL injection technique".

  4. Many companies have major gaps in security
     • Most use basic authentication: user / password
     • Database open to IP with no origin check (firewall)
     • No strong authentication
     • No data encryption
     • No traffic encryption (SSL)
     • No true auditing
       - Rarely database activity audit (too costly)
     • IDS rarely used
     • Many of them lack a security officer understanding the criticality of databases

  5. Some companies need to fulfil extra security obligations
     • PCI DSS
     • SOX
     • HIPAA / HITECH
     • EU Data Protection Directive (right to privacy)
     • Fulfilling these rules is not enough to be secure

  6. Inside vs outside is not a meaningful differentiation
     • Many subcontractors
     • Not always happy / honest employees
     • Network open to third parties to ease processes:
       - Partners, customers, suppliers
     • Most internal databases are very critical / valuable assets (even if not part of a web-exposed application)
     • BYOD policy introduces risk.

  7. Open source is a building block of secure architectures
     • OpenSSL / yaSSL
     • OpenSSH
     • Open RADIUS
     • OpenLDAP
     • PAM
     • PKI (EJBCA, OpenCA)
     • Key management (StrongAuth)
     • 2-factor authentication / OTP
     • IDS (Suricata)

  8. Database is a key part of an architecture
     • When data is destroyed or corrupted it is very difficult or impossible to restore.
     • The impact on image is important
       - Many companies prefer silence
     • Data needs anyway to be exposed: to be manipulated / shared / saved / tested / audited
     Financial impact of this kind of attack is huge

  9. All open source databases are vulnerable
     • PostgreSQL:
       - Has suffered major issues recently (April 2013)
     • MySQL:
       - Has suffered major issues recently
     • SQLite: no real security model as the target is embedded
       - Cipher solutions available
     • NoSQL database / Big Data: very weak security models

  10. MySQL Vulnerabilities
     • CVE-2012-5613 (a 0day exploit)
     • MySQL 5.5.19 and …, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator.
     Result: create a user with FULL ACCESS to the database

  11. MySQL Vulnerabilities
     • CVE-2012-5611
     • Stack-based buffer overflow in the acl_get function in Oracle MySQL 5.5.19 and other versions ... allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
     Result: execute any arbitrary code

  12. MySQL Vulnerabilities
     • CVE-2012-2122: a simple loop gives root access:
     • $ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
     • mysql>
     • Assumption that the memcmp() function would always return a value within the range -128 to 127
     Result: able to log in as root to the database
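The memcmp() assumption on this slide, modelled as an added example (constructed here, not MySQL source and not from the slides): the server re-hashes what it recovers from the client's mysql_native_password token and compares it with the stored hash, and the vulnerable check pushes memcmp()'s raw result through a one-byte my_bool. The wide-returning memcmp stand-in, the deterministic scrambles and the passwords are assumptions; the fixed check shows the one-line change that closes the hole.

```python
# CVE-2012-2122 comparison flaw, modelled (constructed, not MySQL source): the server
# re-hashes what it recovers from the mysql_native_password token and memcmp()s it with
# the stored hash; that raw int went through a one-byte my_bool, so non-zero multiples
# of 256 were truncated to 0 and read as a match.
import hashlib

def client_token(password: bytes, scramble: bytes) -> bytes:
    """Client side: SHA1(pw) XOR SHA1(scramble + SHA1(SHA1(pw)))."""
    stage1 = hashlib.sha1(password).digest()
    stage2 = hashlib.sha1(stage1).digest()
    mask = hashlib.sha1(scramble + stage2).digest()
    return bytes(a ^ b for a, b in zip(stage1, mask))

def recovered_stage2(token: bytes, scramble: bytes, stored_stage2: bytes) -> bytes:
    """Server side: strip the mask using the stored hash, then re-hash the result."""
    mask = hashlib.sha1(scramble + stored_stage2).digest()
    stage1 = bytes(a ^ b for a, b in zip(token, mask))
    return hashlib.sha1(stage1).digest()

def wide_memcmp(a: bytes, b: bytes) -> int:
    """Constructed stand-in for a memcmp that compares 32-bit words and returns the
    whole word difference, i.e. values routinely far outside -128..127."""
    for i in range(0, len(a), 4):
        wa = int.from_bytes(a[i:i + 4], "little")
        wb = int.from_bytes(b[i:i + 4], "little")
        if wa != wb:
            return wa - wb
    return 0

def check_scramble_vulnerable(token, scramble, stored_stage2) -> bool:
    """Buggy pattern: `return memcmp(...)` into my_bool keeps only the low byte."""
    raw = wide_memcmp(recovered_stage2(token, scramble, stored_stage2), stored_stage2)
    return (raw & 0xFF) == 0

def check_scramble_fixed(token, scramble, stored_stage2) -> bool:
    """Fix: reduce memcmp() to 0/1 before it is narrowed to a byte."""
    raw = wide_memcmp(recovered_stage2(token, scramble, stored_stage2), stored_stage2)
    return raw == 0

def accepts(real: bytes, tried: bytes, attempts: int) -> tuple:
    """Replay the slide's login loop offline: how many of `attempts` connections
    (each with its own scramble) each check would let in with password `tried`."""
    stored = hashlib.sha1(hashlib.sha1(real).digest()).digest()
    vuln = fixed = 0
    for i in range(attempts):
        scramble = i.to_bytes(20, "big")  # deterministic stand-in for the server nonce
        token = client_token(tried, scramble)
        vuln += check_scramble_vulnerable(token, scramble, stored)
        fixed += check_scramble_fixed(token, scramble, stored)
    return vuln, fixed
```

With the wide memcmp stand-in, the vulnerable check lets a wrong password in whenever the first byte of the recovered hash happens to match, roughly once in 256 connections, which is why a loop of a few hundred logins was enough; the fixed check never does.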
  13. PostgreSQL Major Vulnerability
     "Any system that allows unrestricted access to the PostgreSQL network port, such as users running PostgreSQL on a public cloud, is especially vulnerable"
     • PostgreSQL team locked down the repository
       - Fear that code work leads to a 0day exploit
     • All Linux distributions needed to release the patch simultaneously
     • Platform as a Service Heroku was exposed and received the patch before others:
       - Controversy regarding open source principles

  14. MySQL Vulnerabilities: What to do?
     • Follow them systematically in a timely manner
     • Patch your system / upgrade version
     • 0day exploits should trigger a major alert
     • Apply best practice
     • Most vulnerabilities do not apply in all cases
       - database not open to the network,
       - --secure-file-priv option

  15. Authentication
     • Standard authentication: user/password
     • Authentication plugin
       - SHA256 (5.6)
       - PAM
       - Windows
       - Multi-factor authentication / use hardware token
     • Do not expose passwords on the command line or in conf files (5.6)

  16. Data traffic encryption
     • SSL based
     • Keys & certificates for both server and client
     • OpenSSL or yaSSL as SSL library

  17. Stored Data Encryption
     • Encrypt column through function call
     • Encrypt at the file system level
       - zNcrypt
     • Specialized storage engine can do encryption
       - MyDiamo
     • No Transparent Data Encryption in MySQL
       - No declarative way to say that a column is encrypted
     • Data masking: keep your data secure for tests

  18. MySQL backup secured?
     • Backups are a vulnerable point
       - Very easy to reuse
     • They should be encrypted
     • Xtrabackup can encrypt backup with AES256
       - Key in keyfile
     • Symmetric key? Stored where? PvK / PbK

  19. Security model for developers
     • No grant to access the data through SELECT
     • Restrict access to:
       - Stored procedures
       - Triggers
       - Views

  20. Database Proxy / Firewall
     • Used to audit or implement policies at the client/server protocol level by being a true proxy or sniffing the protocol
       - MySQL Proxy
       - GreenSQL / closed source
       - Oracle Database Firewall
     • Useful to filter traffic
     • They can be bypassed ;-)

  21. Database auditing
     • A mandatory requirement for compliance
     • MySQL audit API available (improved by MariaDB)
     • Used by:
       - McAfee audit plugin
       - Oracle Audit plugin
       - MariaDB Audit Plugin (work in progress)
     • Associated with Database Activity Monitoring solutions

  22. Do not neglect SQL injections
     • The application is the weak point by allowing unpredicted queries to be run
     • F5 router hacking through embedded MySQL (now solved)
     • To avoid it:
       - Sanitizing the input
       - Use prepared statements

  23. MySQL & PHP: SQL injection
     $query = "SELECT * FROM customers WHERE username = '$name'";
     $name_bad = "' OR 1";
     $name_evil = "'; DELETE FROM customers WHERE 1 or username = '";
     Normal: SELECT * FROM customers WHERE username = 'timmy'
     Injection: SELECT * FROM customers WHERE username = '' OR 1
  24. Best practice
     • Have your architecture audited by a third party
       - Do not believe in self-evaluation
       - Do regular internal pen tests
     • Keep informed about vulnerabilities of all your components.
     • Train people, who remain the weakest point
     • Keep up to date with best practices (BYOD, …)

  25. Is your database more secure in the cloud?
     • AWS / HP Cloud / Azure / …
     • The same principles apply except:
       - You have no clear idea of how it is internally architected and operated
       - Quality of isolation is not clear
     • You have to have confidence in your cloud provider and/or be more careful:
       - Full encryption of filesystem and backup files
       - Key management outside the cloud

  26. If you detect a security breach
     • Take a snapshot of the whole system
       - Including key elements of the architecture
     • Be sure your logs are safe
     • When did it first start?
     • Who did it: do not lose evidence

  27. Thanks, Q&A
     Serge.Frezefond@skysql.com
     @sfrezefond
     http://Serge.frezefond.com
