Open Source Databases Security

Published on

Open Source Databases Security.
at 2013 "Linux and Free/Open Source Solution" Paris Conference
by Serge Frezefond

Published in: Technology, Education
  1. Open Source Databases Security
     Serge Frezefond, @sfrezefond, http://Serge.frezefond.com
     29 / 05 / 2013
     Serge Frezefond - Databases Security
  2. Companies are under permanent attack
     • Stealing valuable data
       - Customer base
     • Denial of Service
       - Make your database unresponsive
     • Corruption of data
       - Totally or partially
     • Doing transactions / money transfers on behalf of X
     Cost of attacks is in millions of $
     May 28th 2013 - Serge Frezefond - Databases Security
  3. Recent attacks are not sophisticated: SQL injection
     On March 27, 2011, mysql.com, the official homepage for MySQL, was compromised by a hacker using blind SQL injection.
     On June 1, 2011, "hacktivists" of the group LulzSec were accused of using SQLi to steal coupons, download keys, and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users.
     In July 2012 a hacker group was reported to have stolen 450,000 login credentials from Yahoo!. The logins were stored in plain text and were allegedly taken from a Yahoo subdomain, Yahoo! Voices. The group breached Yahoo's security by using a "union-based SQL injection technique".
  4. Many companies have major gaps in security
     • Most use basic authentication: user / password
     • Database open to any IP with no origin check (firewall)
     • No strong authentication
     • No data encryption
     • No traffic encryption (SSL)
     • No true auditing
       - Rarely any database activity audit (too costly)
     • IDS rarely used
     • Many of them lack a security officer who understands the criticality of databases
  5. Some companies need to fulfil extra security obligations
     • PCI DSS
     • SOX
     • HIPAA / HITECH
     • EU Data Protection Directive (Right to Privacy)
     ------------------------------------------------------
     • Fulfilling these rules is not enough to be secure
  6. Inside vs Outside is not a meaningful differentiation
     • Many subcontractors
     • Not always happy / honest employees
     • Network open to third parties to ease processes:
       - Partners, Customers, Suppliers
     • Most internal databases are very critical / valuable assets (even if not part of a web-exposed application)
     • BYOD policy introduces risk
  7. Open source is a building block of secure architectures
     • OpenSSL / yaSSL
     • OpenSSH
     • OpenRADIUS
     • OpenLDAP
     • PAM
     • PKI (EJBCA, OpenCA)
     • Key management (StrongAuth)
     • 2-factor authentication / OTP
     • IDS (Suricata)
  8. Database is a key part of an architecture
     • When data is destroyed or corrupted it is very difficult or impossible to restore
     • The impact on image is important
       - Many companies prefer silence
     • Data needs to be exposed anyway: to be manipulated / shared / saved / tested / audited
     Financial impact of this kind of attack is huge
  9. All Open Source Databases are vulnerable
     • PostgreSQL:
       - Has suffered major issues recently (April 2013)
     • MySQL:
       - Has suffered major issues recently
     • SQLite: no real security model as the target is embedded
       - Cipher solutions available
     • NoSQL databases / Big Data: very weak security models
  10. MySQL Vulnerabilities
     • CVE-2012-5613 (a 0day exploit)
     • MySQL 5.5.19 and …, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator.
     → Create a user with FULL ACCESS to the database
  11. MySQL Vulnerabilities
     • CVE-2012-5611
     • Stack-based buffer overflow in the acl_get function in Oracle MySQL 5.5.19 and other versions ... allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
     → Execute arbitrary code
  12. MySQL Vulnerabilities
     • CVE-2012-2122: a simple loop gives root access:
     • $ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
     • mysql>
     • Root cause: the assumption that the memcmp() function would always return a value within the range -128 to 127
     → Able to log in as root to the database
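A defender's counterpart to the CVE-2012-2122 loop above is to watch the server's error log for a burst of "Access denied" entries from one user/host pair. The script below is an added example (not from the slides or from MySQL): it assumes MySQL 5.5-style error-log lines as written with log_warnings=2, and the sample lines are constructed, not a real capture.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in MySQL 5.5 error-log style (log_warnings=2 assumed).
SAMPLE_LOG = """\
130528 10:12:01 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
130528 10:12:01 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
130528 10:12:02 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
130528 10:12:02 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
130528 10:12:03 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
130528 10:12:03 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
130528 10:15:40 [Warning] Access denied for user 'app'@'10.0.0.7' (using password: YES)
"""

# Timestamp is "YYMMDD HH:MM:SS"; the hour may be space-padded in this log format.
LINE_RE = re.compile(
    r"^(?P<ts>\d{6} [ \d]\d:\d\d:\d\d) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'")


def parse(line):
    """Return (timestamp, user, host) for an access-denied line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts").replace("  ", " 0"), "%y%m%d %H:%M:%S")
    return ts, m.group("user"), m.group("host")


def find_bursts(log_text, threshold=5, window_s=10):
    """Return sorted (user, host) pairs with >= threshold denials within window_s seconds."""
    recent = defaultdict(deque)   # (user, host) -> timestamps inside the sliding window
    flagged = set()
    for line in log_text.splitlines():
        parsed = parse(line)
        if parsed is None:
            continue
        ts, user, host = parsed
        q = recent[(user, host)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add((user, host))
    return sorted(flagged)


if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))   # [('root', '127.0.0.1')]
```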
  13. PostgreSQL Major Vulnerability
     "Any system that allows unrestricted access to the PostgreSQL network port, such as users running PostgreSQL on a public cloud, is especially vulnerable"
     • The PostgreSQL team locked down the repository
       - Fear that the visible code work would lead to a 0day exploit
     • All Linux distributions needed to release the patch simultaneously
     • The Platform-as-a-Service provider Heroku was exposed and received the patch before others:
       - Controversy regarding open source principles
  14. MySQL Vulnerabilities: What to do?
     • Follow them systematically and in a timely manner
     • Patch your system / upgrade version
     • 0day exploits should trigger a major alert
     • Apply best practices
     • Most vulnerabilities do not apply in all cases:
       - database not open to the network,
       - --secure-file-priv option
  15. Authentication
     • Standard authentication: user/password
     • Authentication plugins
       - SHA256 (5.6)
       - PAM
       - Windows
       - Multi-factor authentication / use a hardware token
     • Do not expose passwords on the command line or in conf files (5.6)
  16. Data traffic encryption
     • SSL based
     • Keys & certificates for both server and client
     • OpenSSL or yaSSL as SSL library
  17. Stored Data Encryption
     • Encrypt a column through a function call
     • Encrypt at the file system level
       - zNcrypt
     • A specialized storage engine can do encryption
       - MyDiamo
     • No Transparent Data Encryption in MySQL
       - No declarative way to say that a column is encrypted
     • Data Masking: keep your data secure for tests
  18. MySQL backups secured?
     • Backups are a vulnerable point
       - Very easy to reuse
     • They should be encrypted
     • Xtrabackup can encrypt backups with AES256
       - Key in keyfile
     • Symmetric key? Stored where? PvK / PbK
  19. Security model for developers
     • No grant to access the data directly through SELECT
     • Restrict access to:
       - Stored procedures
       - Triggers
       - Views
  20. Database Proxy / Firewall
     • Used to audit or implement policies at the client/server protocol level, by being a true proxy or by sniffing the protocol
       - MySQL Proxy
       - GreenSQL / closed source
       - Oracle Database Firewall
     • Useful to filter traffic
     • They can be bypassed ;-)
  21. Database auditing
     • A mandatory requirement for compliance
     • MySQL audit API available (improved by MariaDB)
     • Used by:
       - McAfee audit plugin
       - Oracle Audit plugin
       - MariaDB Audit Plugin (work in progress)
     • Associated with Database Activity Monitoring solutions
  22. Do not neglect SQL injections
     • The application is the weak point, by allowing unpredicted queries to be run
     • F5 router hacking through embedded MySQL (now solved)
     • To avoid it:
       - Sanitize the input
       - Use prepared statements
  23. MySQL & PHP: SQL injection
     The user-supplied $name is interpolated directly into the SQL text, so quotes in the input rewrite the query:

       $query = "SELECT * FROM customers WHERE username = '$name'";
       $name_bad = "' OR 1'";
       $name_evil = "'; DELETE FROM customers WHERE 1 or username = '";

       Normal:    SELECT * FROM customers WHERE username = 'timmy'
       Injection: SELECT * FROM customers WHERE username = '' OR 1''
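The same vulnerable string interpolation beside the prepared-statement fix from the previous slide, as an added example in Python over an in-memory SQLite table (not code from the slides or from PHP/MySQL). The table contents and the injected input `' OR 'a'='a` are constructed for the demonstration; the mechanism is the one the PHP snippet shows.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the slide's 'customers' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("timmy", "timmy@example.com"), ("alice", "alice@example.com")])
    return conn


def lookup_vulnerable(conn, name):
    # Same flaw as the PHP $query: the input becomes part of the SQL text,
    # so a quote in the input closes the literal and the rest is parsed as SQL.
    query = "SELECT username FROM customers WHERE username = '%s'" % name
    return [row[0] for row in conn.execute(query)]


def lookup_prepared(conn, name):
    # Prepared statement: the input is bound as a value and never parsed as SQL,
    # so the injected quote simply becomes part of the string being compared.
    query = "SELECT username FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(query, (name,))]


if __name__ == "__main__":
    conn = make_db()
    injected = "' OR 'a'='a"          # constructed input in the spirit of $name_bad
    print(lookup_vulnerable(conn, "timmy"))    # ['timmy']
    print(lookup_vulnerable(conn, injected))   # every row leaks
    print(lookup_prepared(conn, injected))     # []
```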
  24. Best practice
     • Have your architecture audited by a third party
       - Do not believe in self-evaluation
       - Do regular internal pen tests
     • Keep informed about vulnerabilities in all your components
     • Train people, who remain the weakest point
     • Keep up to date with best practices (BYOD, …)
  25. Is your database more secure in the cloud?
     • AWS / HP Cloud / Azure / …
     • The same principles apply, except:
       - You have no clear idea of how it is internally architected and operated
       - Quality of isolation is not clear
     • You have to have confidence in your cloud provider and/or be more careful:
       - Full encryption of filesystem and backup files
       - Key management outside the cloud
  26. If you detect a security breach
     • Take a snapshot of the whole system
       - Including key elements of the architecture
     • Be sure your logs are safe
     • When did it first start?
     • Who did it: do not lose evidence
  27. Thanks / Q&A
     Serge.Frezefond@skysql.com
     @sfrezefond
     http://Serge.frezefond.com