Open Source Databases Security
0 likes2,004 views
Serge Frezefond discusses the vulnerabilities of open source databases, emphasizing the significant security threats they face, such as SQL injection attacks and poor authentication practices. He highlights the importance of encryption, stringent auditing, and best practices in database security to mitigate risks. The document calls for regular assessments, employee training, and adherence to compliance standards to ensure robust database protection.
Open Source Databases Security
- 1. Open Sources Databases Security Serge Frezefond @sfrezefond http://Serge.frezefond.com 29 / 05 / 2013 Serge Frezefond - Databases Security
- 2. Companies are under permanent attacks • Stealing valuable data - Customer base • Deny Of Service - Make your database unresponsive • Corrup;on of data - Totally or par;ally • Doing transac;ons / money transfers on behalf of X Cost of a@acks is in millions of $ May 28th 2013 2 Serge Frezefond - Databases Security
- 3. Recent attacks are not sophisticated SQL injection On March 27, 2011, mysql.com, the official homepage for MySQL, was compromised by a hacker using SQL blind injec;on On June 1, 2011, "hack;vists" of the group LulzSec were accused of using SQLI to steal coupons, download keys, and passwords that were stored in plaintext on Sony's website, accessing the personal informa;on of a million users. In July 2012 a hacker group was reported to have stolen 450,000 login creden;als from Yahoo!. The logins were stored in plain text and were allegedly taken from a Yahoo subdomain, Yahoo! Voices. The group breached Yahoo's security by using a "union-‐ based SQL injec;on technique". May 28th 2013 3 Serge Frezefond - Databases Security
- 4. Many companies have major lacks in security • Most use basic authen;ca;on : User / Password • Database open to IP with no origin check ( Firewall ) • No strong authen;fica;on • No data encryp;on • No traffic encryp;on SSL • No true audi;ng - Rarely database ac;vity audit (too costly) • IDS rarely used • Many of them lack a security officer understanding the cri;city of databases May 28th 2013 4 Serge Frezefond - Databases Security
- 5. Some companies need to fullfill extra security obligations • PCI DSS • SOX • HIPAA / HITECH • EU Data Protec;on Direc;ve ( Right to Privacy ) • -‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐-‐ • Fullfilling these rules is not enough to be secure May 28th 2013 5 Serge Frezefond - Databases Security
- 6. Inside vs Outside is not a meaningful differenciation • Many subcrontactors • Not always happy / honest employees • Network open to third par;es to ease processes : - Partners, Customers, Suppliers • Most internal databases are very cri;cal / valuable assets ( even if not part of a web exposed applica;on) • BYOD policy introduces risk. May 28th 2013 6 Serge Frezefond - Databases Security
- 7. Open source is a building block of Secure Architectures • Open SSL / YASSL • Open SSH • Open radius • Open LDAP • PAM • PKI (EJBCA, OPENCA) • Key management (StrongAuth) • 2 factors authen;ca;on / OTP • IDS (Suricata) May 28th 2013 7 Serge Frezefond - Databases Security
- 8. Database is a key part of an architecture • When Data is destroyed or corrupted it is very difficult or impossible to restore. • The impact on image is important - Many companies prefer silence • Data need anyway to be exposed : to be manipulated / shared / saved / tested / audited Financial impact of this kind of a;ack is huge May 28th 2013 8 Serge Frezefond - Databases Security
- 9. All Open Source Databases are vulnerable • PostgreSQL : - Has suffered major issues recently (April 2013) • MySQL : - Has suffered major issues recently • SQLite : no real security model as target is embeded - Cipher solu;ons availables • NoSQL database Big Data : very weak security models May 28th 2013 9 Serge Frezefond - Databases Security
- 10. MySQL Vulnerabilities • CVE 2012 5613 ( a 0day Exploit ) • MySQL 5.5.19 and …, when configured to assign the FILE privilege to users who should not have administra;ve privileges, allows remote authen;cated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator. create a user with FULL ACCESS to database May 28th 2013 10 Serge Frezefond - Databases Security
- 11. MySQL Vulnerabilities • CVE 2012 5611 • Stack-‐based buffer overflow in the acl_get func;on in Oracle MySQL 5.5.19 and other versions ... allows remote authen;cated users to execute arbitrary code via a long argument to the GRANT FILE command. Execute any arbitrary code May 28th 2013 11 Serge Frezefond - Databases Security
- 12. MySQL Vulnerabilities • CVE 2012 2122 a simple loop give root access : • $ for i in `seq 1 1000`; do mysql -‐u root -‐-‐password=bad -‐h 127.0.0.1 2>/dev/null; done • mysql> • assump;on that the memcmp() func;on would always return a value within the range -‐128 to 127 Able to login root to the database May 28th 2013 12 Serge Frezefond - Databases Security
- 13. PostgreSQL Major Vulnerability “Any system that allows unrestricted access to the PostgreSQL network port, such as users running PostgreSQL on a public cloud, is especially vulnerable” • PostgreSQL team Locked down the Repository - Fear that code work lead to 0day exploit • All linux distribu;ons need to released patch simultaneously • Plavorm As a ServiceS HEROKU was exposed and received patch before other : - Controversy regarding open source principles May 28th 2013 13 Serge Frezefond - Databases Security
- 14. MySQL Vulnerabilities : What to do ? • Follow them systema;cally in a ;mely manner • Patch your system / upgrade version • 0Days exploit should trigger major alert • Apply best prac;ce • Most vulnerabili;es do not apply in all cases - database not open to network , - -‐-‐secure-‐file-‐priv op;on May 28th 2013 14 Serge Frezefond - Databases Security
- 15. Authentication • Standard authen;ca;on : user/password • Authen;ca;on plugin - SHA256 (5.6) - PAM - Windows - Mul; factor authen;ca;on / use hardware token • Do not expose passwords on command line or in conf files (5.6) May 28th 2013 15 Serge Frezefond - Databases Security
- 16. Data traffic encryption • SSL based • keys & cer;ficates for both server and client • OpenSSL or yaSSL as SSL library May 28th 2013 16 Serge Frezefond - Databases Security
- 17. Stored Data Encryption • Encrypt Column through func;on call • Encrypt at the File system level - zNcrypt • Specialized storage Engine can do encryp;on - MyDiamo • No Transparent Data Encryp;on in MySQL - No declara;ve way to say that a column is encrypted • Data Masking : keep your data secure for tests May 28th 2013 17 Serge Frezefond - Databases Security
- 18. MySQL backup secured ? • Backups are a vulnerable point - Very easy to reuse • They should be crypted • Xtrabackup can encrypt backup with AES256 - Key in keyfile • Symetric key ? Stored where ? Pvk / PbK May 28th 2013 18 Serge Frezefond - Databases Security
- 19. Security model for developpers • No grant to access the data through select • Restrict Access to : - Stored proc - Triggers - Views May 28th 2013 19 Serge Frezefond - Databases Security
- 20. Database Proxy / Firewall • Used to audit or implement policies at the client/server protocol level by being true proxy or sniffing the protocol - MySQL proxy - GreenSQL / closed source - Oracle Database firewall • Usefull to filter traffic • They can be bypassed ;-‐) May 28th 2013 20 Serge Frezefond - Databases Security
- 21. Database auditing • A mandatory requirement for compliance • MySQL audit API available (improved by MariaDB) • Used by : - MacFee audit plugin - Oracle Audit plugin - MariaDB Audit Plugin ( work in progress ) • Associated with Database Ac;vity Monitoring Solu;ons May 28th 2013 21 Serge Frezefond - Databases Security
- 22. Do not neglect SQL injections • The applica;on is the weak point by allowing unpredicted queries to be run • F5 router hacking through embeded MySQL (now solved) • To avoid it : - Sane;zing the input - Use Prepared statements May 28th 2013 22 Serge Frezefond - Databases Security
- 23. MySQL & PHP : SQL injection $query = "SELECT * FROM customers WHERE username = '$name'"; $name_bad = "' OR 1'"; $name_evil = "'; DELETE FROM customers WHERE 1 or username = '"; Normal: SELECT * FROM customers WHERE username = ';mmy' Injec;on: SELECT * FROM customers WHERE username = '' OR 1'' May 28th 2013 23 Serge Frezefond - Databases Security
- 24. Best practice • Have you architecture audited by third party - Do not believe in self evalua;on - Do regular internal pen test • Keep informed about vulnerabili;es of all your components. • Train people that remain the weakest point • Keep up to date with best pra;ces (BYOD, …) May 28th 2013 24 Serge Frezefond - Databases Security
- 25. Is you database more secure in the cloud ? • AWS / HP CLOUD / AZURE / … • The same principle applies except : - You have no clear idea of how it is internally architectured and operated - Quality of isola;on is not clear • You have to have confidence in your cloud provider and/or be more carefull : - Full encryp;on of filesystem and backup files - Key management outside the cloud May 28th 2013 25 Serge Frezefond - Databases Security
- 26. If you detect a security breach • Take a snapshot of the whole system - Including key elements of the architecture • Be sure your logs are safe • When did it first started • Who did it : do not loose evidences May 28th 2013 26 Serge Frezefond - Databases Security
- 27. May 28th 2013 27 Serge Frezefond - Databases Security Thanks Q&A Serge.Frezefond@skysql.com @sfrezefond http://Serge.frezefond.com