2. Companies are under permanent attacks
• Stealing valuable data
  - Customer base
• Denial of Service
  - Make your database unresponsive
• Corruption of data
  - Totally or partially
• Doing transactions / money transfers on behalf of X
Cost of attacks is in millions of $
May 28th 2013 2
Serge Frezefond - Databases
Security
3. Recent attacks are not sophisticated SQL injection
On March 27, 2011, mysql.com, the official homepage for MySQL, was compromised by a hacker using SQL blind injection.
On June 1, 2011, "hacktivists" of the group LulzSec were accused of using SQLI to steal coupons, download keys, and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users.
In July 2012 a hacker group was reported to have stolen 450,000 login credentials from Yahoo!. The logins were stored in plain text and were allegedly taken from a Yahoo subdomain, Yahoo! Voices. The group breached Yahoo's security by using a "union-based SQL injection technique".
4. Many companies have major gaps in security
• Most use basic authentication: User / Password
• Database open to IP with no origin check (Firewall)
• No strong authentication
• No data encryption
• No traffic encryption (SSL)
• No true auditing
  - Rarely any database activity audit (too costly)
• IDS rarely used
• Many of them lack a security officer who understands the criticality of databases
5. Some companies need to fulfill extra security obligations
• PCI DSS
• SOX
• HIPAA / HITECH
• EU Data Protection Directive (Right to Privacy)
• Fulfilling these rules is not enough to be secure
6. Inside vs Outside is not a meaningful differentiation
• Many subcontractors
• Not always happy / honest employees
• Network open to third parties to ease processes:
  - Partners, Customers, Suppliers
• Most internal databases are very critical / valuable assets (even if not part of a web exposed application)
• BYOD policy introduces risk.
7. Open source is a building block of Secure Architectures
• OpenSSL / yaSSL
• OpenSSH
• OpenRADIUS
• OpenLDAP
• PAM
• PKI (EJBCA, OpenCA)
• Key management (StrongAuth)
• 2 factor authentication / OTP
• IDS (Suricata)
8. Database is a key part of an architecture
• When data is destroyed or corrupted it is very difficult or impossible to restore.
• The impact on image is important
  - Many companies prefer silence
• Data needs to be exposed anyway: to be manipulated / shared / saved / tested / audited
Financial impact of this kind of attack is huge
9. All Open Source Databases are vulnerable
• PostgreSQL:
  - Has suffered major issues recently (April 2013)
• MySQL:
  - Has suffered major issues recently
• SQLite: no real security model as the target is embedded
  - Cipher solutions available
• NoSQL database / Big Data: very weak security models
10. MySQL Vulnerabilities
• CVE-2012-5613 (a 0day Exploit)
• MySQL 5.5.19 and …, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator.
Create a user with FULL ACCESS to database
11. MySQL Vulnerabilities
• CVE-2012-5611
• Stack-based buffer overflow in the acl_get function in Oracle MySQL 5.5.19 and other versions ... allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
Execute any arbitrary code
12. MySQL Vulnerabilities
• CVE-2012-2122: a simple loop gives root access:
• $ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
• mysql>
• Assumption that the memcmp() function would always return a value within the range -128 to 127
Able to log in as root to the database
13. PostgreSQL Major Vulnerability
“Any system that allows unrestricted access to the PostgreSQL network port, such as users running PostgreSQL on a public cloud, is especially vulnerable”
• PostgreSQL team locked down the repository
  - Fear that code work would lead to a 0day exploit
• All Linux distributions need to release the patch simultaneously
• Platform As a Service HEROKU was exposed and received the patch before others:
  - Controversy regarding open source principles
14. MySQL Vulnerabilities: What to do?
• Follow them systematically in a timely manner
• Patch your system / upgrade version
• 0Day exploits should trigger a major alert
• Apply best practice
• Most vulnerabilities do not apply in all cases
  - database not open to the network
  - --secure-file-priv option
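An added example (not from the slides) of how a DBA can verify the two mitigations above, plus the FILE privilege behind CVE-2012-5613, from a MySQL session; the account name 'app'@'%' and the directory path are placeholders:

```sql
-- Which accounts hold FILE (the privilege behind CVE-2012-5613) or SUPER
-- on the whole server? Application accounts should appear in neither list.
SELECT user, host, File_priv, Super_priv
FROM mysql.user
WHERE File_priv = 'Y' OR Super_priv = 'Y';

-- Take FILE away from an application account that does not need it
-- (hypothetical account name; GRANT/REVOKE take effect immediately).
REVOKE FILE ON *.* FROM 'app'@'%';

-- Is LOAD DATA / SELECT ... INTO OUTFILE confined to one directory?
-- An empty value means the server reads and writes files anywhere the
-- mysqld process can. Set it in my.cnf under [mysqld], for example:
--   secure-file-priv=/var/lib/mysql-files
SHOW VARIABLES LIKE 'secure_file_priv';

-- "Database not open to the network": is TCP networking off, or is the
-- server bound to a single address rather than all interfaces?
SHOW VARIABLES WHERE Variable_name IN ('skip_networking', 'bind_address');

-- Accounts reachable from any host are the ones slide 4's firewall point is about.
SELECT user, host FROM mysql.user WHERE host = '%';
```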
15. Authentication
• Standard authentication: user/password
• Authentication plugin
  - SHA256 (5.6)
  - PAM
  - Windows
  - Multi factor authentication / use hardware token
• Do not expose passwords on command line or in conf files (5.6)
16. Data traffic encryption
• SSL based
• keys & certificates for both server and client
• OpenSSL or yaSSL as SSL library
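An added example (not from the slides) that combines the slide 15 and slide 16 points into one MySQL 5.6 account: a sha256_password hash, a restricted source subnet and a mandatory SSL connection. Account names, the subnet, the certificate paths and the password are placeholders.

```sql
-- Account hashed with the sha256_password plugin (slide 15, "SHA256 (5.6)")
-- and limited to the application subnet instead of '%'.
-- 5.6 syntax: pick the plugin, then set the password with old_passwords = 2
-- (5.7 and later accept CREATE USER ... IDENTIFIED WITH sha256_password BY '...').
CREATE USER 'app'@'10.0.1.%' IDENTIFIED WITH sha256_password;
SET old_passwords = 2;
SET PASSWORD FOR 'app'@'10.0.1.%' = PASSWORD('REPLACE-WITH-A-GENERATED-SECRET');

-- REQUIRE SSL rejects any clear-text connection for this account (slide 16).
-- REQUIRE X509 would additionally demand a client certificate signed by the
-- same CA: the "keys & certificates for both server and client" case.
GRANT SELECT, INSERT, UPDATE ON shop.* TO 'app'@'10.0.1.%' REQUIRE SSL;

-- PAM-backed DBA account (slide 15), MySQL Enterprise plugin; 'mysql' is the
-- PAM service name. MariaDB's plugin is spelled IDENTIFIED VIA pam USING 'mysql'.
CREATE USER 'dba'@'localhost' IDENTIFIED WITH authentication_pam AS 'mysql';

-- Server side (my.cnf, [mysqld]) needs the certificate triple; paths are placeholders:
--   ssl-ca=/etc/mysql/ca.pem
--   ssl-cert=/etc/mysql/server-cert.pem
--   ssl-key=/etc/mysql/server-key.pem
-- Checks: have_ssl must be YES, and in a client session Ssl_cipher must be
-- non-empty; an empty Ssl_cipher means that session is in clear text.
SHOW VARIABLES LIKE 'have_ssl';
SHOW STATUS LIKE 'Ssl_cipher';
```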
17. Stored Data Encryption
• Encrypt column through function call
• Encrypt at the file system level
  - zNcrypt
• Specialized storage engine can do encryption
  - MyDiamo
• No Transparent Data Encryption in MySQL
  - No declarative way to say that a column is encrypted
• Data Masking: keep your data secure for tests
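An added example (not from the slides) of the first bullet, column encryption through a function call with MySQL's built-in AES_ENCRYPT/AES_DECRYPT, together with the caveats that explain why the slide counts this as no Transparent Data Encryption. The table name, the key and the sample value are constructed.

```sql
-- Ciphertext column: VARBINARY, not CHAR, because AES output is raw bytes
-- (AES_ENCRYPT pads up to a 16-byte block, so size the column for that).
CREATE TABLE shop.card_tokens (
  customer_id INT PRIMARY KEY,
  secret_enc  VARBINARY(64) NOT NULL
);

-- The key is supplied by the application per session (ideally fetched from a
-- key manager, see slide 18) and is never stored in the schema. Placeholder here.
SET @k = 'REPLACE-WITH-KEY-FROM-KEY-MANAGEMENT';

INSERT INTO shop.card_tokens VALUES (1, AES_ENCRYPT('constructed sample secret', @k));

-- Reading it back, and the only search that still works: an exact match on
-- the ciphertext. LIKE, ranges and indexes on the plaintext are gone.
SELECT customer_id, AES_DECRYPT(secret_enc, @k) AS secret
FROM shop.card_tokens
WHERE secret_enc = AES_ENCRYPT('constructed sample secret', @k);

-- Caveats a DBA has to live with:
--  * nothing in the schema records that secret_enc is encrypted; every query,
--    restore and report has to know, which is the slide's "no declarative way";
--  * AES_ENCRYPT uses AES-128 in ECB mode unless block_encryption_mode
--    (5.6.17 and later) says otherwise: equal plaintexts give equal
--    ciphertexts, so low-entropy columns still leak patterns;
--  * the key travels inside statement text, so the general log, the slow log
--    and (with statement-based replication) the binary log can contain it and
--    must be protected as tightly as the key itself.
```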
18. MySQL backup secured?
• Backups are a vulnerable point
  - Very easy to reuse
• They should be encrypted
• Xtrabackup can encrypt backup with AES256
  - Key in keyfile
• Symmetric key? Stored where? Pvk / PbK
19. Security model for developers
• No grant to access the data through select
• Restrict access to:
  - Stored proc
  - Triggers
  - Views
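An added example (not from the slides) of this model in MySQL: the developer account gets a view and a stored procedure, a trigger protects one column on every path, and there is no grant on the base table itself. Schema, table, column and account names are hypothetical.

```sql
-- Base table holding something developers must never read directly.
CREATE TABLE shop.customers (
  id        INT PRIMARY KEY,
  username  VARCHAR(64)  NOT NULL UNIQUE,
  email     VARCHAR(255) NOT NULL,
  card_hash CHAR(64)     NOT NULL
);

-- View: only the columns the application layer needs. SQL SECURITY DEFINER
-- means it is evaluated with the creator's rights, not the caller's.
CREATE SQL SECURITY DEFINER VIEW shop.customers_public AS
  SELECT id, username FROM shop.customers;

-- Stored procedure: one well-defined write, again running as the definer,
-- so the caller needs no privilege on the base table at all.
DELIMITER //
CREATE PROCEDURE shop.update_email(IN p_id INT, IN p_email VARCHAR(255))
SQL SECURITY DEFINER
BEGIN
  UPDATE shop.customers SET email = p_email WHERE id = p_id;
END //
DELIMITER ;

-- Trigger: whatever path an UPDATE takes, card_hash cannot be changed.
CREATE TRIGGER shop.customers_keep_hash BEFORE UPDATE ON shop.customers
FOR EACH ROW SET NEW.card_hash = OLD.card_hash;

-- The developer account gets the view and the procedure, and nothing else:
-- there is deliberately no GRANT on shop.customers, so a direct
-- SELECT * FROM shop.customers is refused for this account.
CREATE USER 'dev'@'10.0.2.%' IDENTIFIED BY 'REPLACE-WITH-A-GENERATED-SECRET';
GRANT SELECT  ON shop.customers_public       TO 'dev'@'10.0.2.%';
GRANT EXECUTE ON PROCEDURE shop.update_email TO 'dev'@'10.0.2.%';

-- Periodic check: has anyone been granted rights on the base table directly?
SELECT grantee, privilege_type
FROM information_schema.TABLE_PRIVILEGES
WHERE table_schema = 'shop' AND table_name = 'customers';
```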
20. Database Proxy / Firewall
• Used to audit or implement policies at the client/server protocol level by being a true proxy or by sniffing the protocol
  - MySQL proxy
  - GreenSQL / closed source
  - Oracle Database firewall
• Useful to filter traffic
• They can be bypassed ;-)
21. Database auditing
• A mandatory requirement for compliance
• MySQL audit API available (improved by MariaDB)
• Used by:
  - McAfee audit plugin
  - Oracle Audit plugin
  - MariaDB Audit Plugin (work in progress)
• Associated with Database Activity Monitoring Solutions
22. Do not neglect SQL injections
• The application is the weak point by allowing unpredicted queries to be run
• F5 router hacking through embedded MySQL (now solved)
• To avoid it:
  - Sanitizing the input
  - Use prepared statements
23. MySQL & PHP: SQL injection
$query = "SELECT * FROM customers WHERE username = '$name'";
$name_bad = "' OR 1'";
$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";
Normal: SELECT * FROM customers WHERE username = 'timmy'
Injection: SELECT * FROM customers WHERE username = '' OR 1''
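An added example (not from the slides) that runs the same lookup as a MySQL server-side prepared statement, the mechanism slide 22 recommends, so the slide's $name_bad and $name_evil are handled as values rather than as SQL. The table and its rows are constructed for the demonstration.

```sql
-- Constructed table and rows for the demonstration.
CREATE TABLE customers (username VARCHAR(64) PRIMARY KEY);
INSERT INTO customers VALUES ('timmy'), ('alice');

-- The two inputs from the slide, held in session variables
-- ($name_bad = ' OR 1'  and  $name_evil = '; DELETE ... username = ').
SET @name_bad  = '\' OR 1\'';
SET @name_evil = '\'; DELETE FROM customers WHERE 1 or username = \'';

-- What the PHP on the slide does: glue the input into the statement text.
-- The leading quote in the input closes the literal and everything after it
-- is parsed as SQL, which is the "Injection:" line on the slide.
SET @built = CONCAT('SELECT * FROM customers WHERE username = \'', @name_bad, '\'');

-- The fix: the statement text is parsed once, before any input exists, and
-- the ? placeholder is filled with a value the parser never sees as SQL.
PREPARE lookup FROM 'SELECT * FROM customers WHERE username = ?';

SET @name_ok = 'timmy';
EXECUTE lookup USING @name_ok;     -- finds the row whose username is timmy
EXECUTE lookup USING @name_bad;    -- compares the whole string ' OR 1' as one value
EXECUTE lookup USING @name_evil;   -- same: the DELETE text stays inside the value
DEALLOCATE PREPARE lookup;

-- Both rows are still present: no statement other than the SELECT ever ran.
SELECT COUNT(*) FROM customers;
```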
24. Best practice
• Have your architecture audited by a third party
  - Do not believe in self evaluation
  - Do regular internal pen tests
• Keep informed about vulnerabilities of all your components.
• Train people, who remain the weakest point
• Keep up to date with best practices (BYOD, …)
25. Is your database more secure in the cloud?
• AWS / HP CLOUD / AZURE / …
• The same principles apply except:
  - You have no clear idea of how it is internally architected and operated
  - Quality of isolation is not clear
• You have to have confidence in your cloud provider and/or be more careful:
  - Full encryption of filesystem and backup files
  - Key management outside the cloud
26. If you detect a security breach
• Take a snapshot of the whole system
  - Including key elements of the architecture
• Be sure your logs are safe
• When did it first start
• Who did it: do not lose evidence