Open Source Databases Security
  1. Open Source Databases Security
     Serge Frezefond, @sfrezefond, http://Serge.frezefond.com
     29 / 05 / 2013
     Serge Frezefond - Databases Security
  2. Companies are under permanent attacks
     • Stealing valuable data
       - Customer base
     • Denial of Service
       - Make your database unresponsive
     • Corruption of data
       - Totally or partially
     • Doing transactions / money transfers on behalf of X
     Cost of attacks is in millions of $
     May 28th 2013 Serge Frezefond - Databases Security
  3. Recent attacks are not sophisticated: SQL injection
     On March 27, 2011, mysql.com, the official homepage for MySQL, was compromised by a hacker using SQL blind injection.
     On June 1, 2011, "hacktivists" of the group LulzSec were accused of using SQLI to steal coupons, download keys, and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users.
     In July 2012 a hacker group was reported to have stolen 450,000 login credentials from Yahoo!. The logins were stored in plain text and were allegedly taken from a Yahoo subdomain, Yahoo! Voices. The group breached Yahoo's security by using a "union-based SQL injection technique".
  4. Many companies have major gaps in security
     • Most use basic authentication: user / password
     • Database open to IPs with no origin check (firewall)
     • No strong authentication
     • No data encryption
     • No traffic encryption (SSL)
     • No true auditing
       - Rarely any database activity audit (too costly)
     • IDS rarely used
     • Many of them lack a security officer who understands the criticality of databases
  5. Some companies need to fulfil extra security obligations
     • PCI DSS
     • SOX
     • HIPAA / HITECH
     • EU Data Protection Directive (Right to Privacy)
     • Fulfilling these rules is not enough to be secure
  6. Inside vs Outside is not a meaningful differentiation
     • Many subcontractors
     • Not always happy / honest employees
     • Network open to third parties to ease processes:
       - Partners, Customers, Suppliers
     • Most internal databases are very critical / valuable assets (even if not part of a web-exposed application)
     • BYOD policy introduces risk.
  7. Open source is a building block of Secure Architectures
     • OpenSSL / yaSSL
     • OpenSSH
     • Open RADIUS
     • OpenLDAP
     • PAM
     • PKI (EJBCA, OpenCA)
     • Key management (StrongAuth)
     • 2-factor authentication / OTP
     • IDS (Suricata)
  8. Database is a key part of an architecture
     • When data is destroyed or corrupted it is very difficult or impossible to restore.
     • The impact on image is important
       - Many companies prefer silence
     • Data need anyway to be exposed: to be manipulated / shared / saved / tested / audited
     Financial impact of this kind of attack is huge
  9. All Open Source Databases are vulnerable
     • PostgreSQL:
       - Has suffered major issues recently (April 2013)
     • MySQL:
       - Has suffered major issues recently
     • SQLite: no real security model as the target is embedded
       - Cipher solutions available
     • NoSQL database / Big Data: very weak security models
  10. MySQL Vulnerabilities
     • CVE-2012-5613 (a 0day exploit)
     • MySQL 5.5.19 and …, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator.
     Create a user with FULL ACCESS to the database
  11. MySQL Vulnerabilities
     • CVE-2012-5611
     • Stack-based buffer overflow in the acl_get function in Oracle MySQL 5.5.19 and other versions ... allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
     Execute any arbitrary code
  12. MySQL Vulnerabilities
     • CVE-2012-2122: a simple loop gives root access:
     • $ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
     • mysql>
     • Assumption that the memcmp() function would always return a value within the range -128 to 127
     Able to log in as root to the database
  13. PostgreSQL Major Vulnerability
     "Any system that allows unrestricted access to the PostgreSQL network port, such as users running PostgreSQL on a public cloud, is especially vulnerable"
     • PostgreSQL team locked down the repository
       - Fear that work on the code would lead to a 0day exploit
     • All Linux distributions needed to release the patch simultaneously
     • Platform-as-a-Service Heroku was exposed and received the patch before others:
       - Controversy regarding open source principles
  14. MySQL Vulnerabilities: What to do?
     • Follow them systematically in a timely manner
     • Patch your system / upgrade version
     • 0day exploits should trigger a major alert
     • Apply best practice
     • Most vulnerabilities do not apply in all cases
       - database not open to the network,
       - --secure-file-priv option
  15. Authentication
     • Standard authentication: user/password
     • Authentication plugins
       - SHA256 (5.6)
       - PAM
       - Windows
       - Multi-factor authentication / use hardware token
     • Do not expose passwords on the command line or in conf files (5.6)
  16. Data traffic encryption
     • SSL based
     • keys & certificates for both server and client
     • OpenSSL or yaSSL as SSL library
  17. Stored Data Encryption
     • Encrypt column through function call
     • Encrypt at the file system level
       - zNcrypt
     • Specialized storage engine can do encryption
       - MyDiamo
     • No Transparent Data Encryption in MySQL
       - No declarative way to say that a column is encrypted
     • Data Masking: keep your data secure for tests
  18. MySQL backup secured?
     • Backups are a vulnerable point
       - Very easy to reuse
     • They should be encrypted
     • Xtrabackup can encrypt backup with AES256
       - Key in keyfile
     • Symmetric key? Stored where? Pvk / PbK
  19. Security model for developers
     • No grant to access the data through SELECT
     • Restrict access to:
       - Stored procedures
       - Triggers
       - Views
  20. Database Proxy / Firewall
     • Used to audit or implement policies at the client/server protocol level by being a true proxy or sniffing the protocol
       - MySQL Proxy
       - GreenSQL / closed source
       - Oracle Database Firewall
     • Useful to filter traffic
     • They can be bypassed ;-)
  21. Database auditing
     • A mandatory requirement for compliance
     • MySQL audit API available (improved by MariaDB)
     • Used by:
       - McAfee audit plugin
       - Oracle Audit plugin
       - MariaDB Audit Plugin (work in progress)
     • Associated with Database Activity Monitoring solutions
  22. Do not neglect SQL injections
     • The application is the weak point by allowing unpredicted queries to be run
     • F5 router hacking through embedded MySQL (now solved)
     • To avoid it:
       - Sanitizing the input
       - Use prepared statements
  23. MySQL & PHP: SQL injection
     $query = "SELECT * FROM customers WHERE username = '$name'";
     $name_bad = "' OR 1'";
     $name_evil = "'; DELETE FROM customers WHERE 1 or username = '";

     Normal:    SELECT * FROM customers WHERE username = 'timmy'
     Injection: SELECT * FROM customers WHERE username = '' OR 1''
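As an added example (not from the slides), the same string-built query beside its prepared-statement form, run against a constructed SQLite table so it works offline. The driver that executes several statements per call (the way mysqli::multi_query would) is an assumption, with sqlite3's executescript standing in for it.

```python
import sqlite3

# Constructed sample data (not from the slides): a customers table with three rows.
SAMPLE_CUSTOMERS = [("timmy", "timmy@example.com"),
                    ("alice", "alice@example.com"),
                    ("bob", "bob@example.com")]

# The two payloads shown on the slide.
NAME_BAD = "' OR 1'"
NAME_EVIL = "'; DELETE FROM customers WHERE 1 or username = '"


def fresh_db():
    """In-memory SQLite stand-in for the MySQL customers table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    con.commit()
    return con


def build_query(name):
    """Mirrors the slide's $query: the value is spliced into the SQL text."""
    return "SELECT * FROM customers WHERE username = '%s'" % name


def lookup_vulnerable(con, name):
    """String-built query sent to a driver assumed to run several statements per
    call (sqlite3.executescript plays that role). Returns the customers left."""
    con.executescript(build_query(name))
    con.commit()
    return con.execute("SELECT COUNT(*) FROM customers").fetchone()[0]


def lookup_safe(con, name):
    """Prepared statement: the value is a bound parameter, never SQL text.
    Returns (matching rows, customers left afterwards)."""
    rows = con.execute("SELECT * FROM customers WHERE username = ?", (name,)).fetchall()
    remaining = con.execute("SELECT COUNT(*) FROM customers").fetchone()[0]
    return rows, remaining


def demo():
    """Run the slide's $name_evil payload through both code paths."""
    left_after_vulnerable = lookup_vulnerable(fresh_db(), NAME_EVIL)  # 0: the DELETE ran
    rows, left_after_safe = lookup_safe(fresh_db(), NAME_EVIL)       # no match, 3 left
    return left_after_vulnerable, len(rows), left_after_safe


if __name__ == "__main__":
    print(build_query("timmy"))    # the slide's "Normal" query
    print(build_query(NAME_BAD))   # the slide's "Injection" query
    print(demo())
```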
  24. Best practice
     • Have your architecture audited by a third party
       - Do not believe in self-evaluation
       - Do regular internal pen tests
     • Keep informed about vulnerabilities of all your components.
     • Train people, who remain the weakest point
     • Keep up to date with best practices (BYOD, …)
  25. Is your database more secure in the cloud?
     • AWS / HP Cloud / Azure / …
     • The same principles apply, except:
       - You have no clear idea of how it is internally architected and operated
       - Quality of isolation is not clear
     • You have to have confidence in your cloud provider and/or be more careful:
       - Full encryption of filesystem and backup files
       - Key management outside the cloud
  26. If you detect a security breach
     • Take a snapshot of the whole system
       - Including key elements of the architecture
     • Be sure your logs are safe
     • When did it first start?
     • Who did it? Do not lose evidence
  27. Thanks, Q&A
     Serge.Frezefond@skysql.com, @sfrezefond, http://Serge.frezefond.com