database attacks, how to protect the corporate assets
TRANSCRIPT
Database Attacks,
How to protect the corporate assets
Presented by: James Bleecker
www.appsecinc.com
Agenda
- Introduction
- Landscape: Database Vulnerabilities Are The New Front-Lines
- Attacking Where the Data Resides: Planning an Attack; Attacking Database Vulnerabilities
- How Do You Protect Your Database?
- What is Application Security's direction/vision?
Old Data Processing Environment
[Diagram of the old "glass house" data center; labels: Winchester, IMS, Array, Halon Release Switch, CICS Controller, BIG IRON, Hyperchannel, Halon, Stored Data]
New Data Processing Requirement
- Increasingly focused attacks: directly on applications (75%!), including insiders (80+%!), as the perimeter crumbles
- Demand for pervasive access: by anyone, to any application, increasingly direct
- Compliance requirements: the information ultimately sits in database applications, so privacy / confidentiality and integrity must be protected, and compliance must be repeatable and demonstrable
Typical Network Landscape
Database Vulnerabilities
A decade ago, databases were:
- Physically secure
- Housed in central data centers, not distributed
- External access mediated
- Security issues rarely reported
Now, databases are externally accessible:
- Suppliers directly connected
- Customers directly connected
- Customers and partners directly sharing data
Database Vulnerability Exploitation
A decade ago, attacks were:
- Broad based
- Launched by disaffected "hackers"
- Intended to disrupt, gain respect / notoriety in the community
Now, attacks are:
- Targeted against specific resources
- Launched by sophisticated professionals
- Intended to bring monetary gain to the attacker
Data is a valuable resource in your company: its value increases with greater integration and aggregation, but so does the threat of data theft, modification, or destruction.
Databases Are Under Attack
106 incidents in 2005
"Flurry of new data breaches disclosed: More than 190 such incidents have been reported since February 2005" (Jaikumar Vijayan and Todd Weiss, Computerworld, June 19, 2006)
We're not winning!
Recent Incidents
Company/Organization                             # of Affected Customers   Date of Initial Disclosure
Department of Energy's nuclear weapons           1500                      22-May-06
Georgetown University                            41,000                    5-Mar-06
Misc retail debit card compromise (OfficeMax?)   200,000                   9-Feb-06
Dept of Agriculture                              350,000                   15-Feb-06
Card Systems                                     40,000,000                17-Jun-05
Citigroup                                        3,900,000                 6-Jun-05
DSW Shoe Warehouse                               1,400,000                 8-Mar-05
Bank of America                                  1,200,000                 25-Feb-05
LexisNexis                                       310,000                   9-Mar-05
Ameritrade                                       200,000                   19-Apr-05
ChoicePoint                                      145,000                   15-Feb-05
Etc, etc, etc.
Total # of customers affected: ~50,000,000+
Source: Privacy Rights Clearinghouse, http://www.privacyrights.org/ar/ChronDataBreaches.htm
Top 5 Issues in Enterprise Security
1) Attackers have gone pro: they want personal data they can sell. Personal data like credit card and social security numbers are relatively easy to monetize.
2) Attacks are moving to the source: why pull a single credit card via compromising the network? It's relatively hard with a meager pay off. Instead, take over the corporate database and get them ALL.
3) The perimeter provides little defense: insiders don't go through the firewall, thus perimeters provide no protection from this growing source of risk.
4) Inside the perimeter, enterprises have little-to-no protection: beyond anti-virus, enterprises are only just now getting started building a layered defense. For example, how does a largely signature-based security solution protect you from an insider that doesn't need to run a vulnerability against a system to get access? They've got plenty of privileges already ;-)
5) Everyone is watching: everyone is very much clued in to the increased threats against personal data. Any mistakes are likely to be very public.
How Do You Secure Apps?
Key Components of Enterprise Applications
Vulnerabilities exist within each of these components
Database Vulnerabilities:
Default & Weak Passwords
Denial of Services (DoS) & Buffer Overflows
Misconfigurations & Resource Privilege Management Issues
Database Vulnerabilities: Default & Weak Passwords
Databases have their own user accounts and passwords
[Diagram: Oracle, Microsoft SQL Server, Sybase, IBM DB2, MySQL; layer: Default & Weak Passwords]
Database Vulnerabilities: Default Passwords
Oracle Defaults (over 200 of them)
- User Account: internal / Password: oracle
- User Account: system / Password: manager
- User Account: sys / Password: change_on_install
- User Account: dbsnmp / Password: dbsnmp
IBM DB2 Defaults
- User Account: db2admin / Password: db2admin
- User Account: db2as / Password: ibmdb2
- User Account: dlfm / Password: ibmdb2
Database Vulnerabilities: Default Passwords
MySQL Defaults
- User Account: root / Password: null
- User Account: admin / Password: admin
- User Account: myusername / Password: mypassword
Sybase Defaults
- User Account: SA / Password: null
Microsoft SQL Server Defaults
- User Account: SA / Password: null
Database Vulnerabilities: Weak Passwords
It is important that you have all of the proper safeguards against password crackers because:
- Most databases do not have account lockout
- Database login activity is seldom monitored
- Scripts and tools for exploiting weak identification control mechanisms and default passwords are widely available
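When the engine offers no account lockout and nobody reads the login audit, the audit trail is still the one place guessing shows up. The following is an added example, not code from the presentation or from any AppSecInc product: a sliding-window detector over database login-audit records that flags repeated failures on one account, a later success on an account that was being guessed, and one source sweeping many accounts (the shape of a default-account sweep). The audit line format, the threshold and the sample records are constructed for the example; a real deployment would map its own engine's login-audit output onto the same (timestamp, account, source, result) tuple.

```python
"""Added example, not from the presentation: threshold detection of password guessing
against database accounts for the case the slide describes (no account lockout, so
the only signal is the login audit trail). The line format below is constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, database account, client address, login result.
SAMPLE_LOG = """\
2006-06-19T09:00:01 sa 10.1.1.20 FAILED
2006-06-19T09:00:02 sa 10.1.1.20 FAILED
2006-06-19T09:00:02 sa 10.1.1.20 FAILED
2006-06-19T09:00:03 sa 10.1.1.20 FAILED
2006-06-19T09:00:03 sa 10.1.1.20 FAILED
2006-06-19T09:00:04 sa 10.1.1.20 SUCCESS
2006-06-19T09:05:00 appuser 10.1.1.30 FAILED
2006-06-19T09:20:00 appuser 10.1.1.30 SUCCESS
2006-06-19T10:00:00 system 10.1.1.40 FAILED
2006-06-19T10:00:00 sys 10.1.1.40 FAILED
2006-06-19T10:00:01 dbsnmp 10.1.1.40 FAILED
2006-06-19T10:00:01 internal 10.1.1.40 FAILED
2006-06-19T10:00:02 scott 10.1.1.40 FAILED
"""


def parse_line(line):
    """Constructed format: ISO timestamp, account, source address, FAILED/SUCCESS."""
    ts, account, source, result = line.split()
    return datetime.fromisoformat(ts), account, source, result


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Three alert kinds:
    guessing - one source fails `threshold` times on one account inside `window`
    guessed  - a login succeeds on an account/source pair already flagged as guessing
    spray    - one source fails on `threshold` distinct accounts inside `window`
    Each pair or source is reported once, so a long run does not flood the console."""
    fails = defaultdict(deque)      # (account, source) -> failure timestamps
    by_source = defaultdict(deque)  # source -> (timestamp, account) of failures
    flagged = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, account, source, result = parse_line(line)
        key = (account, source)
        if result != "FAILED":
            # A success after a flagged burst is the high-severity case: the guess worked.
            if key in flagged:
                alerts.append({"kind": "guessed", "account": account, "source": source, "at": ts})
            continue
        q = fails[key]
        q.append(ts)
        while ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({"kind": "guessing", "account": account, "source": source, "at": ts})
        s = by_source[source]
        s.append((ts, account))
        while ts - s[0][0] > window:
            s.popleft()
        if len({a for _, a in s}) >= threshold and ("spray", source) not in flagged:
            flagged.add(("spray", source))
            alerts.append({"kind": "spray", "account": None, "source": source, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this reports a guessing burst on sa from 10.1.1.20, the success that followed it, and an account sweep from 10.1.1.40; the single appuser failure is ignored. The two windows are independent on purpose: a sweep of default accounts never trips the per-account threshold, which is why the per-source view is needed.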
Database Vulnerabilities: Denial of Services (DoS) & Buffer Overflows
Databases have their own DoS's & buffer overflows
[Diagram: Oracle, Microsoft SQL Server, Sybase, IBM DB2, MySQL; layers: Default & Weak Passwords; Denial of Services & Buffer Overflows]
Denial of Services: Databases Have Their Own Class of DoS Attacks
Category of attacks that could result in the database crashing or failing to respond to connect requests or SQL queries.
Significant database denial of services:
- Oracle8i: NSPTCN data offset DoS: https://www.appsecinc.com/Policy/PolicyCheck31.html
- Oracle9i: SNMP DoS: https://www.appsecinc.com/Policy/PolicyCheck45.html
- Microsoft SQL Server: Resolution Service DoS: https://www.appsecinc.com/Policy/PolicyCheck2066.html
- IBM DB2: Date/Varchar DoS: https://www.appsecinc.com/Policy/PolicyCheck3014.html
Buffer Overflows: Databases Have Their Own Buffer Overflows
Category of vulnerabilities that could result in an unauthorized user causing the application to perform an action the application was not intended to perform.
Most dangerous are those that allow arbitrary commands to be executed by authenticated users, no matter how strongly you've set passwords and other authentication features.
Significant database buffer overflows:
- Oracle9i: TZ_OFFSET buffer overflow
- Microsoft: pwdencrypt buffer overflow / Resolution Stack Overflow
- Sybase: xp_freedll buffer overflow
Database Vulnerabilities: Misconfigurations & Resource Privilege Management Issues
Misconfigurations can make a database vulnerable
[Diagram: Oracle, Microsoft SQL Server, Sybase, IBM DB2, MySQL; layers: Default & Weak Passwords; Denial of Services & Buffer Overflows; Misconfigurations & Resource Privilege Management]
Misconfigurations & Resource Privileges: Misconfigurations Can Make a Database Vulnerable
Oracle
• External Procedure Service
• Default HTTP Applications
• Privilege to Execute UTL_FILE
Microsoft SQL Server
• Standard SQL Server Authentication Allowed
• Permissions granted on xp_cmdshell and xp_regread
Sybase
• Permission granted on xp_cmdshell
IBM DB2
• CREATE_NOT_FENCED privilege granted (this privilege allows logins to create stored procedures)
MySQL
• Permissions on User Table (mysql.user)
Database Vulnerabilities Wrap-up
[Diagram: Oracle, Microsoft SQL Server, Sybase, IBM DB2, MySQL; layers: Default & Weak Passwords; Denial of Services & Buffer Overflows; Misconfigurations & Resource Privilege Management]
Planning an Attack
- Create a map: what does the network look like?
- Reconnoiter: collect information about the layout of the target; what looks intere$ting?
- Probe, progress, plot: what can we do? Build the springboard for further activity; plan the strike
- Retreat and re-attack
How are search engines used for attacks?
- The first thing an attacker needs is information: where to attack, and what a site is vulnerable to
- A search engine is a large repository of information: every web page in your application, every domain on the Internet
- Search engines provide an attacker: the ability to search for attack points on the Internet; the ability to search for an attack point in a specific website; the ability to look for specific URLs or files
http://johnny.ihackstuff.com/index.php?module=prodreviews
Example: looking for iSQL*Plus
Oracle HTTP Servers provide a way to run queries on a database using an HTTP form
- Accessed using the URL /isqlplus
- By default runs on any Oracle HTTP server installed with Oracle Applications Server or Oracle Database Server
- A search can be performed on Google or Yahoo looking for Oracle HTTP servers, using the "allinurl" advanced search feature
[Screenshots: Using Google Advanced Search; Results of Google Advanced Search; Yahoo! Advanced Search works too; Connect with default username/password; Attacker can execute any query]
Example: SQL Injection in demo applications
Oracle HTTP Servers provided default web applications: /demo/sql/jdbc/JDBCQuery.jsp and /demo/sql/tag/sample2.jsp
These contain SQL injection; Google search value of "allinurl:JDBCQuery.jsp"
[Screenshot: Vulnerable Oracle HTTP Servers]
Oracle Example
Injected input: X' UNION SELECT password FROM dba_users WHERE username='SYSTEM
Password Hash Returned
Customer address: EED9B65CCECDB2E9
http://www.pentest.co.uk/sql/check_users.sql
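The demo page fails because the customer name is pasted into the SQL text, so the quote in the injected value closes the literal and the UNION that follows becomes part of the query. The following is an added example, not code from the presentation, from Oracle's demo application or from AppSecInc: the slide's injected value run against a query built by string concatenation, next to the same lookup with a bound parameter. The in-memory schema is constructed; dba_users here is a two-column table standing in for Oracle's view, seeded with the hash value shown on the slide.

```python
"""Added example (not from the presentation or Oracle's demo app): the slide's
injected value against a concatenated query and against a parameterized one.
Schema and rows are constructed; dba_users stands in for Oracle's real view."""
import sqlite3

# The injected input from the slide; the application appends the closing quote.
SLIDE_PAYLOAD = "X' UNION SELECT password FROM dba_users WHERE username='SYSTEM"


def build_db():
    """Constructed in-memory schema: the table the app is meant to query and the
    account table it was never meant to expose."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customers (name TEXT, address TEXT);
        INSERT INTO customers VALUES ('Alice', '1 Main St');
        INSERT INTO customers VALUES ('Bob', '2 High St');
        CREATE TABLE dba_users (username TEXT, password TEXT);
        -- hash value as shown on the slide
        INSERT INTO dba_users VALUES ('SYSTEM', 'EED9B65CCECDB2E9');
        """
    )
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: user input becomes SQL text, so a quote in the input ends the
    literal and everything after it is executed as part of the statement."""
    sql = "SELECT address FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Hardened: the input travels as a bound parameter and is only ever compared as
    a value; the quote and the UNION are data, not SQL."""
    sql = "SELECT address FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    conn = build_db()
    print("concatenated:  ", lookup_vulnerable(conn, SLIDE_PAYLOAD))  # leaks the hash
    print("parameterized: ", lookup_safe(conn, SLIDE_PAYLOAD))        # no rows
```

Parameterization removes the injection; the least-privilege item on the Oracle checklist later in the deck is the second layer, since an application account that cannot read dba_users at all has nothing to leak even if a concatenated query survives somewhere.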
[Screenshots SQLINJECTION1 through SQLINJECTION7: the injection issued against port 7778, /demo/sql/jdbc/JDBCQuery.jsp, with responses showing sys.database_name, sys.login_user and NUMTOYMINTERVAL]
Hackers Can Find Credit Cards
Recent posting to security newsgroups: To: [email protected]; Subject: New google's top query? Instructions on finding credit cards on the Internet
Involves using numrange searches in Google: http://www.google.com/search?q=visa+4356000000000000..435699999999999
Can focus in on a single domain; can focus in on a single person
"Numrange can be used to specify that results contain numbers in a range you set. You can conduct a numrange search by specifying two numbers, separated by two periods, with no spaces. Be sure to specify a unit of measure or some other indicator of what the number range represents."
Google Advanced Search Page
How Do You Address These Vulnerabilities?
- Stay patched: stay on top of all the security alerts and bulletins
- Defense in depth: multiple levels of security
- Regularly perform audits and penetration tests on your database
- Encryption of data-in-motion / data-at-rest / data-in-use
- Monitor database activity log files
- Implement application layer intrusion detection, especially if you can't stay patched!
How Do You Address These Vulnerabilities?
"I'm running auditing, vulnerability assessment, and IDS tools for the network/OS. Am I secure?" NO!!!!
- Databases are extremely complex beasts
- Databases store your most valuable assets
- Significantly more effort securing databases is necessary
"If your workstation gets hacked, that's bad. But if your database gets hacked, you're out of business." http://www.devx.com/dbzone/Article/11961
Best Practices Provided by Database Vendors & Notable Third Parties
- Oracle: Oracle9i Security Checklist
- SANS Institute (SysAdmin, Audit, Network, Security): Oracle Database Checklist
- Microsoft: 10 Steps to Secure SQL Server
- SQLSecurity.com: SQLSecurity Checklist
Oracle9i Security Checklist: A Security Checklist for Oracle9i
- Install Only What is Required
- Lock and Expire Default User Accounts
- Change Default User Passwords
- Enable Data Dictionary Protection
- Practice Principle of Least Privilege
- Enforce Access Controls Effectively
- Restrict Network Access
- Apply Security Patches and Workarounds
http://otn.oracle.com/deploy/security/oracle9i/index.html
10 Steps to Secure SQL Server 2000 (AppDetective Compliance Capabilities)
1) Install the most recent service pack
2) Assess your server’s security with Microsoft Baseline Security Analyzer
((We’d suggest AppDetective!!))
3) Use Windows Authentication Mode
4) Isolate your server and back it up regularly
5) Assign a strong password
6) Limit privilege level of SQL Server Services
7) Disable SQL Server ports on your firewall
8) Use the most secure file system
9) Delete or secure old setup files
10) Audit connections to SQL Server
http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp
Database Security Resources
- SQL Server Security: www.SQLSecurity.com; www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp
- Oracle Security: www.sans.org/score/checklists/Oracle_Database_Checklist.doc; otn.oracle.com/deploy/security/oracle9i/index.html
- Database Security alerts: www.appsecinc.com/resources/mailinglist.html
- Database Security Discussion Board: www.appsecinc.com/cgi-bin/ubb/ultimatebb.cgi
How Do You Secure Apps?
Apply the vulnerability management lifecycle: Baseline/Discover -> Prioritize -> Shield and Mitigate -> Monitor -> Maintain
- Baseline/Discover: establish the "as is" position, identify vulnerabilities, develop the ideal baseline (inputs: baseline compliance, vulnerabilities, threat environment)
- Prioritize: determine risk and prioritize based on vulnerability data, threat data and asset classification
- Shield and Mitigate: for high-priority vulnerabilities, establish controls and eliminate root causes
- Monitor and Maintain
Proactive Hardening: Complete Database Vulnerability Assessment
- Database Discovery
- Penetration Testing
- Security Audit
- Reporting
- Remediation: Fix Scripts
- Keep current: ASAP updates protect against latest threats
Real-Time Monitor: Security Alerts + Focused, Granular Monitoring
Microsoft SQL Server, Oracle, Sybase, IBM DB2
Who, What and When
- Activity Monitoring & Alerting: all user activity and system changes; complex attacks and threats; misuse and malicious behavior
- Configurable Detection: user defined alert rules; user defined threat signatures
- Regularly Updated: ASAP Updates™
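A user-defined alert rule is, at bottom, a predicate over an audit event plus a name and a severity; a threat signature is a rule whose predicate is a pattern match on the statement text. The following is an added example, not code from the presentation or from any AppSecInc product: a minimal rule engine of that shape, run over constructed database audit events. The event format, the rule set, the account names, the business-hours window and the table name cardholders are all assumptions made for the example; the procedure names in the signature (xp_cmdshell, xp_regread, UTL_FILE) are the ones the misconfiguration slide lists.

```python
"""Added example, not part of the presentation or of any AppSecInc product: a small
user-defined alert-rule engine over constructed database audit events.
Event format, rules, accounts and table names are assumptions for the example."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Tuple


@dataclass
class Event:
    at: datetime
    user: str
    client: str
    statement: str


@dataclass
class Rule:
    name: str
    severity: str
    matches: Callable[[Event], bool]


# Accounts treated as administrative for the after-hours rule (assumption).
DBA_ACCOUNTS = {"sa", "sys", "system", "dba1"}
BUSINESS_HOURS = range(8, 18)

# Signatures: privilege changes, and the OS-interaction procedures named on the
# misconfiguration slide. Unfiltered reads of a constructed sensitive table.
PRIV_CHANGE = re.compile(r"^\s*(GRANT|REVOKE|ALTER\s+USER|CREATE\s+USER)\b", re.I)
OS_PROCS = re.compile(r"\b(xp_cmdshell|xp_regread|UTL_FILE)\b", re.I)
SENSITIVE_TABLE = re.compile(r"\bFROM\s+cardholders\b", re.I)
HAS_WHERE = re.compile(r"\bWHERE\b", re.I)

RULES = [
    Rule("privilege-change", "high",
         lambda e: bool(PRIV_CHANGE.search(e.statement))),
    Rule("os-interaction-procedure", "critical",
         lambda e: bool(OS_PROCS.search(e.statement))),
    Rule("after-hours-dba-activity", "medium",
         lambda e: e.user in DBA_ACCOUNTS and e.at.hour not in BUSINESS_HOURS),
    Rule("unfiltered-read-of-sensitive-table", "high",
         lambda e: bool(SENSITIVE_TABLE.search(e.statement)) and not HAS_WHERE.search(e.statement)),
]


def parse_event(line: str) -> Event:
    """Constructed format: ISO timestamp, user, client address, then the statement."""
    ts, user, client, statement = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), user, client, statement)


def evaluate(lines, rules=RULES) -> List[Tuple[str, str, str]]:
    """Return (rule name, severity, user) for every rule each event trips; an event
    can trip several rules, which is what makes a GRANT at 02:10 stand out."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in rules:
            if rule.matches(ev):
                alerts.append((rule.name, rule.severity, ev.user))
    return alerts


# Constructed sample audit events.
SAMPLE_EVENTS = """\
2006-06-19T09:15:00 appuser 10.1.1.30 SELECT address FROM customers WHERE id = 42
2006-06-19T09:16:00 appuser 10.1.1.30 EXEC master..xp_cmdshell 'dir'
2006-06-19T02:10:00 dba1 10.1.1.50 GRANT DBA TO scott
2006-06-19T14:00:00 reportsvc 10.1.1.60 SELECT pan, expiry FROM cardholders
2006-06-19T14:01:00 dba1 10.1.1.50 SELECT name FROM customers WHERE id = 1
"""

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Rules are plain data, so a site adds its own by appending a Rule with a name, a severity and a predicate; the signature rules are the part that needs regular updates as new procedures and attack patterns appear, which is the "regularly updated" item on the slide.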
Security Industry Direction
- More focused and complex attacks
- Blended attacks
- Increased audit and tracking requirements
- Mixed database vendors with fewer resources (Oracle, Microsoft SQL Server)
AppSecInc Direction
- Products working closer together
- Vulnerability scan feeding IDS monitoring
- Reporting across functions for compliance issues
- Security change audit tracking
Contact Info
Ben Brieger – Northwest Regional Manager 650-796-4919 [email protected] www.appsecinc.com
James Bleecker – Senior Systems Engineer 949-310-4639 [email protected] www.appsecinc.com