Open Source Databases Security

Open Source Databases Security.
at 2013 "Linux and Free/Open Source Solution" Paris Conference
by Serge Frezefond

Published in: Technology, Education

Open Source Databases Security

  1. Open Source Databases Security
     Serge Frezefond, @sfrezefond, http://Serge.frezefond.com
     29 / 05 / 2013
     Serge Frezefond - Databases Security
  2. Companies are under permanent attacks
     • Stealing valuable data
       - Customer base
     • Denial of Service
       - Make your database unresponsive
     • Corruption of data
       - Totally or partially
     • Doing transactions / money transfers on behalf of X
     Cost of attacks is in millions of $
     May 28th 2013 - Serge Frezefond - Databases Security
  3. Recent attacks are not sophisticated: SQL injection
     On March 27, 2011, mysql.com, the official homepage for MySQL, was compromised by a hacker using SQL blind injection.
     On June 1, 2011, "hacktivists" of the group LulzSec were accused of using SQLI to steal coupons, download keys, and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users.
     In July 2012 a hacker group was reported to have stolen 450,000 login credentials from Yahoo!. The logins were stored in plain text and were allegedly taken from a Yahoo subdomain, Yahoo! Voices. The group breached Yahoo's security by using a "union-based SQL injection technique".
  4. Many companies have major gaps in security
     • Most use basic authentication: user / password
     • Database open to IP with no origin check (firewall)
     • No strong authentication
     • No data encryption
     • No traffic encryption (SSL)
     • No true auditing
       - Rarely database activity audit (too costly)
     • IDS rarely used
     • Many of them lack a security officer understanding the criticality of databases
  5. Some companies need to fulfil extra security obligations
     • PCI DSS
     • SOX
     • HIPAA / HITECH
     • EU Data Protection Directive (right to privacy)
     --------------------------
     • Fulfilling these rules is not enough to be secure
  6. Inside vs Outside is not a meaningful differentiation
     • Many subcontractors
     • Not always happy / honest employees
     • Network open to third parties to ease processes:
       - Partners, customers, suppliers
     • Most internal databases are very critical / valuable assets (even if not part of a web exposed application)
     • BYOD policy introduces risk.
  7. Open source is a building block of secure architectures
     • OpenSSL / yaSSL
     • OpenSSH
     • OpenRADIUS
     • OpenLDAP
     • PAM
     • PKI (EJBCA, OpenCA)
     • Key management (StrongAuth)
     • 2-factor authentication / OTP
     • IDS (Suricata)
  8. Database is a key part of an architecture
     • When data is destroyed or corrupted it is very difficult or impossible to restore.
     • The impact on image is important
       - Many companies prefer silence
     • Data need anyway to be exposed: to be manipulated / shared / saved / tested / audited
     Financial impact of this kind of attack is huge
  9. All open source databases are vulnerable
     • PostgreSQL:
       - Has suffered major issues recently (April 2013)
     • MySQL:
       - Has suffered major issues recently
     • SQLite: no real security model as target is embedded
       - Cipher solutions available
     • NoSQL database, Big Data: very weak security models
  10. MySQL Vulnerabilities
     • CVE-2012-5613 (a 0day exploit)
     • MySQL 5.5.19 and …, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator.
     Create a user with FULL ACCESS to database
  11. MySQL Vulnerabilities
     • CVE-2012-5611
     • Stack-based buffer overflow in the acl_get function in Oracle MySQL 5.5.19 and other versions ... allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
     Execute any arbitrary code
  12. MySQL Vulnerabilities
     • CVE-2012-2122: a simple loop gives root access:
     • $ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
     • mysql>
     • assumption that the memcmp() function would always return a value within the range -128 to 127
     Able to log in as root to the database
  13. PostgreSQL Major Vulnerability
     "Any system that allows unrestricted access to the PostgreSQL network port, such as users running PostgreSQL on a public cloud, is especially vulnerable"
     • PostgreSQL team locked down the repository
       - Fear that code work leads to a 0day exploit
     • All Linux distributions need to release the patch simultaneously
     • Platform as a Service HEROKU was exposed and received the patch before others:
       - Controversy regarding open source principles
  14. MySQL Vulnerabilities: What to do?
     • Follow them systematically in a timely manner
     • Patch your system / upgrade version
     • 0day exploits should trigger a major alert
     • Apply best practice
     • Most vulnerabilities do not apply in all cases
       - database not open to network,
       - --secure-file-priv option
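The last bullet is the practical one: whether the three MySQL CVEs above matter on a given server depends on who holds the FILE privilege, whether the server is reachable from the network, and whether secure_file_priv is set. The following checks are an added example, not part of the slides; they assume MySQL 5.5/5.6 grant tables, a privileged session, and a hypothetical application account name in the final REVOKE.

```sql
-- Added example (not from the slides): checks a MySQL DBA can run to see whether the
-- conditions behind CVE-2012-5613 / 5611 / 2122 apply to this server.
-- Assumes MySQL 5.5/5.6 grant tables (mysql.user with File_priv / Password columns).

-- 1. Is secure_file_priv set? Empty or NULL means LOAD DATA INFILE and
--    SELECT ... INTO OUTFILE may write anywhere the mysqld OS user can.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 2. Who holds FILE, GRANT OPTION or SUPER? Only administrators should:
--    CVE-2012-5613 and CVE-2012-5611 are reached through authenticated users
--    who hold (or can grant) the FILE privilege.
SELECT user, host, File_priv, Grant_priv, Super_priv
FROM mysql.user
WHERE File_priv = 'Y' OR Grant_priv = 'Y' OR Super_priv = 'Y';

-- 3. Accounts reachable from any host (the "database open to the network" case).
SELECT user, host
FROM mysql.user
WHERE host IN ('%', '') OR host LIKE '%\%%';

-- 4. Anonymous or password-less accounts: the CVE-2012-2122 loop needs a reachable
--    login, and an empty password makes it unnecessary.
SELECT user, host
FROM mysql.user
WHERE user = '' OR Password = '';

-- 5. Is networking disabled or bound to one address?
SHOW VARIABLES WHERE Variable_name IN ('skip_networking', 'bind_address');

-- 6. Remediation for an application account found by check 2 (hypothetical name/host):
--    application accounts never need FILE.
REVOKE FILE ON *.* FROM 'app_user'@'10.0.0.%';
FLUSH PRIVILEGES;
```

Checks 1 and 5 read server settings, so they tell you whether the mitigations on the slide (secure-file-priv, not open to the network) are actually in place; checks 2 to 4 are the ones worth re-running after every schema release, since grants tend to accumulate.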
  15. Authentication
     • Standard authentication: user/password
     • Authentication plugin
       - SHA256 (5.6)
       - PAM
       - Windows
       - Multi-factor authentication / use hardware token
     • Do not expose passwords on command line or in conf files (5.6)
  16. Data traffic encryption
     • SSL based
     • keys & certificates for both server and client
     • OpenSSL or yaSSL as SSL library
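Slides 15 and 16 belong together in practice: the MySQL 5.6 sha256_password plugin needs an encrypted channel to send the password, and the per-account REQUIRE clause is what turns "SSL based" from an option into an enforced policy. The account set-up below is an added example, not from the slides; the account names, hosts, database name and certificate subject are hypothetical, and it assumes a 5.6 server whose [mysqld] section already points ssl-ca, ssl-cert and ssl-key at valid files.

```sql
-- Added example (not from the slides): MySQL 5.6 accounts with SHA-256 password
-- hashing and TLS enforced per account. Names, hosts and the subject are hypothetical.

-- Is SSL compiled in and enabled? Needs ssl-ca / ssl-cert / ssl-key in [mysqld].
SHOW VARIABLES LIKE 'have_ssl';        -- expect 'YES'

-- Application account: SHA-256 hashed (sha256_password) instead of the legacy
-- mysql_native_password, and refused outright when the client does not use TLS.
-- In 5.6 the password is set in a second step, with old_passwords=2 selecting the
-- sha256_password hash format for PASSWORD().
CREATE USER 'app_user'@'10.0.0.%' IDENTIFIED WITH sha256_password;
SET old_passwords = 2;
SET PASSWORD FOR 'app_user'@'10.0.0.%' = PASSWORD('change-me-before-use');
GRANT SELECT, INSERT, UPDATE ON shop.* TO 'app_user'@'10.0.0.%' REQUIRE SSL;

-- Administrative account: not just any TLS session but a client certificate issued by
-- our CA with a specific subject, i.e. "keys & certificates for both server and client".
CREATE USER 'dba'@'10.0.1.5' IDENTIFIED WITH sha256_password;
SET PASSWORD FOR 'dba'@'10.0.1.5' = PASSWORD('change-me-before-use');
GRANT ALL PRIVILEGES ON *.* TO 'dba'@'10.0.1.5'
  REQUIRE SUBJECT '/CN=dba-workstation/O=Example Corp';

-- Review what each account ended up with (plugin and REQUIRE clause are both shown).
SHOW GRANTS FOR 'app_user'@'10.0.0.%';
SELECT user, host, plugin, ssl_type, x509_subject FROM mysql.user
WHERE user IN ('app_user', 'dba');

-- From any client session: confirm the link is encrypted before sending anything
-- sensitive. An empty Ssl_cipher value means the connection is in clear text.
SHOW STATUS LIKE 'Ssl_cipher';
```

The last bullet of slide 15 is handled on the client side rather than in SQL: MySQL 5.6 ships mysql_config_editor, which stores login credentials in an obfuscated .mylogin.cnf so that neither the command line nor a plain-text my.cnf carries the password.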
  17. Stored Data Encryption
     • Encrypt column through function call
     • Encrypt at the file system level
       - zNcrypt
     • Specialized storage engine can do encryption
       - MyDiamo
     • No Transparent Data Encryption in MySQL
       - No declarative way to say that a column is encrypted
     • Data masking: keep your data secure for tests
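"Encrypt column through function call" in MySQL means AES_ENCRYPT()/AES_DECRYPT(), and the slide's point about the missing declarative option is best seen by using them. The following is an added example, not from the slides; the table, column, rows and key value are constructed for illustration.

```sql
-- Added example (not from the slides): column-level encryption with AES_ENCRYPT()/AES_DECRYPT(),
-- and the limits that follow from MySQL having no Transparent Data Encryption.
-- Table, rows and key are constructed for the example.

CREATE TABLE customer_secret (
  id       INT PRIMARY KEY,
  name     VARCHAR(100) NOT NULL,
  ssn_enc  VARBINARY(64) NOT NULL      -- ciphertext; the plaintext SSN is never stored
);

-- The key is supplied by the application, not stored in the database. A session variable
-- keeps it out of the table definition, but the statement text (key included) still reaches
-- the general log, the slow log and SHOW PROCESSLIST while it runs.
SET @k = 'constructed-demo-key-do-not-reuse';

INSERT INTO customer_secret VALUES (1, 'Alice', AES_ENCRYPT('123-45-6789', @k));
INSERT INTO customer_secret VALUES (2, 'Bob',   AES_ENCRYPT('987-65-4321', @k));

-- Reading back needs the key; without it the column is opaque bytes, which is all a
-- stolen dump or backup contains.
SELECT id, name, AES_DECRYPT(ssn_enc, @k) AS ssn FROM customer_secret;
SELECT id, name, HEX(ssn_enc)                    FROM customer_secret;

-- A wrong key returns NULL rather than an error: application code must treat NULL
-- from AES_DECRYPT as a failure, not as "no value".
SELECT id, AES_DECRYPT(ssn_enc, 'wrong-key') AS should_be_null FROM customer_secret;

-- Limits (the "no declarative way" bullet):
--  * nothing in the schema marks ssn_enc as encrypted; every INSERT and SELECT must
--    remember to call the function, and one forgotten call stores plaintext silently;
--  * no index helps a search on the ciphertext; equality lookup works only because the
--    default mode in 5.6 is deterministic (same plaintext, same key => same ciphertext),
--    which also means equal values are recognisable as equal without the key.
SELECT id FROM customer_secret WHERE ssn_enc = AES_ENCRYPT('123-45-6789', @k);
```

File-system encryption (zNcrypt) or an encrypting storage engine (MyDiamo), the other two bullets, remove the per-query burden but protect only data at rest: anyone who can log in and SELECT still reads plaintext, so they complement rather than replace the grant model of slide 19.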
  18. MySQL backup secured?
     • Backups are a vulnerable point
       - Very easy to reuse
     • They should be encrypted
     • Xtrabackup can encrypt backup with AES256
       - Key in keyfile
     • Symmetric key? Stored where? PvK / PbK
  19. Security model for developers
     • No grant to access the data through SELECT
     • Restrict access to:
       - Stored procedures
       - Triggers
       - Views
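The model on this slide is a least-privilege split: one account owns the tables and the code objects, the application account gets EXECUTE on procedures and SELECT on views, and nothing on the base tables. The schema below is an added example, not from the slides; database, table, account and procedure names are constructed.

```sql
-- Added example (not from the slides): a MySQL grant model where the application account
-- never touches base tables and works only through a view and a stored procedure owned
-- by a separate definer. All names are constructed.

CREATE DATABASE shop;
USE shop;

CREATE TABLE customers (
  id          INT AUTO_INCREMENT PRIMARY KEY,
  username    VARCHAR(50) NOT NULL UNIQUE,
  email       VARCHAR(100) NOT NULL,
  card_number VARCHAR(19) NOT NULL,           -- sensitive: never readable by the app account
  balance     DECIMAL(10,2) NOT NULL DEFAULT 0
);

-- Owner of the code objects: holds table rights, never used from the application tier.
CREATE USER 'shop_owner'@'localhost' IDENTIFIED BY 'change-me-before-use';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE VIEW, CREATE ROUTINE
  ON shop.* TO 'shop_owner'@'localhost';

-- A view exposes only the columns the application needs (column-level least privilege).
-- SQL SECURITY DEFINER: the view reads the table with shop_owner's rights.
CREATE DEFINER = 'shop_owner'@'localhost' SQL SECURITY DEFINER VIEW customer_public AS
  SELECT id, username, email FROM customers;

-- Writes go through a procedure that carries its own validation; the caller only needs EXECUTE.
DELIMITER //
CREATE DEFINER = 'shop_owner'@'localhost'
PROCEDURE adjust_balance(IN p_id INT, IN p_delta DECIMAL(10,2))
SQL SECURITY DEFINER
BEGIN
  IF ABS(p_delta) > 1000 THEN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'delta exceeds per-call limit';
  END IF;
  UPDATE customers SET balance = balance + p_delta WHERE id = p_id;
END //
DELIMITER ;

-- The application account: SELECT on the view, EXECUTE on the procedure, nothing else.
CREATE USER 'app_user'@'10.0.0.%' IDENTIFIED BY 'change-me-before-use';
GRANT SELECT ON shop.customer_public TO 'app_user'@'10.0.0.%';
GRANT EXECUTE ON PROCEDURE shop.adjust_balance TO 'app_user'@'10.0.0.%';

-- Connected as app_user, these succeed:
--   SELECT * FROM shop.customer_public;
--   CALL shop.adjust_balance(1, -25.00);
-- and these fail with ERROR 1142 (command denied), even when the application is injected:
--   SELECT card_number FROM shop.customers;
--   UPDATE shop.customers SET balance = 1000000;
```

Creating objects with a DEFINER other than the current user requires SUPER, so the script is meant to be run by the administrator once; afterwards the blast radius of a compromised application credential is bounded by what the view and the procedure expose, which is the whole point of the slide.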
  20. Database Proxy / Firewall
     • Used to audit or implement policies at the client/server protocol level by being a true proxy or sniffing the protocol
       - MySQL Proxy
       - GreenSQL / closed source
       - Oracle Database Firewall
     • Useful to filter traffic
     • They can be bypassed ;-)
  21. Database auditing
     • A mandatory requirement for compliance
     • MySQL audit API available (improved by MariaDB)
     • Used by:
       - McAfee audit plugin
       - Oracle Audit plugin
       - MariaDB Audit Plugin (work in progress)
     • Associated with Database Activity Monitoring solutions
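The MariaDB Audit Plugin that the slide lists as work in progress has since shipped as server_audit, and enabling it is a handful of statements. The following is an added example, not from the slides; it assumes a MariaDB server whose plugin directory contains server_audit.so, and the log path and excluded user name are hypothetical.

```sql
-- Added example (not from the slides): enabling the MariaDB Audit Plugin (server_audit).
-- Assumes server_audit.so is present in the server's plugin directory; the log path
-- and the excluded monitoring account are hypothetical.

INSTALL SONAME 'server_audit';

-- Where the trail goes. A local file is the simplest; 'syslog' sends it off the box,
-- which is what "be sure your logs are safe" requires once the database host itself
-- may be compromised.
SET GLOBAL server_audit_output_type = 'file';
SET GLOBAL server_audit_file_path   = '/var/log/mysql/server_audit.log';
SET GLOBAL server_audit_file_rotate_size = 1000000;

-- Which events. CONNECT plus every DDL and DCL statement catches logins, schema changes
-- and grant changes at low volume. Adding QUERY (or QUERY_DML) records every data access,
-- which compliance often asks for but is the "too costly" option of slide 4.
SET GLOBAL server_audit_events = 'CONNECT,QUERY_DDL,QUERY_DCL';

-- Keep a monitoring account's heartbeat queries out of the trail; everything else is logged.
SET GLOBAL server_audit_excl_users = 'monitor';

SET GLOBAL server_audit_logging = ON;

-- Verify: plugin active, settings as intended.
SELECT plugin_name, plugin_status
FROM information_schema.plugins
WHERE plugin_name = 'SERVER_AUDIT';
SHOW GLOBAL VARIABLES LIKE 'server_audit%';
```

SET GLOBAL values do not survive a restart, so the same settings belong in the server configuration file; MariaDB also accepts server_audit=FORCE_PLUS_PERMANENT there, which prevents the plugin from being uninstalled at runtime by a privileged but unwelcome session.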
  22. Do not neglect SQL injections
     • The application is the weak point by allowing unpredicted queries to be run
     • F5 router hacking through embedded MySQL (now solved)
     • To avoid it:
       - Sanitizing the input
       - Use prepared statements
  23. MySQL & PHP: SQL injection
     // Single quotes around $name and the trailing comment marker were lost in
     // the slide extraction and are restored here so the strings below parse.
     $query = "SELECT * FROM customers WHERE username = '$name'";
     $name_bad = "' OR 1 #";
     $name_evil = "'; DELETE FROM customers WHERE 1 or username = '";

     Normal:    SELECT * FROM customers WHERE username = 'timmy'
     Injection: SELECT * FROM customers WHERE username = '' OR 1 #'
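The same injection can be replayed entirely inside MySQL, which makes the contrast with the "use prepared statements" bullet of slide 22 concrete: with string concatenation the input becomes part of the statement text, with a placeholder it stays a value. The script below is an added example, not from the slides; the customers table and its rows are constructed.

```sql
-- Added example (not from the slides): the slide's injection replayed server-side,
-- first by string concatenation (what the PHP code above does), then through a
-- server-side prepared statement with a bound parameter. Table and rows are constructed.

CREATE TABLE customers (id INT PRIMARY KEY, username VARCHAR(50));
INSERT INTO customers VALUES (1, 'timmy'), (2, 'alice'), (3, 'bob');

-- The attacker-controlled input from the slide: a quote, OR 1, and a comment marker.
SET @name = '\' OR 1 #';

-- Vulnerable: the statement text is built by concatenation, exactly like "... = '$name'".
SET @sql = CONCAT('SELECT * FROM customers WHERE username = ''', @name, '''');
SELECT @sql;                 -- SELECT * FROM customers WHERE username = '' OR 1 #'
PREPARE bad FROM @sql;
EXECUTE bad;                 -- all 3 rows: the WHERE clause has been rewritten
DEALLOCATE PREPARE bad;

-- Safe: the statement text is fixed in advance; the input is bound to a placeholder
-- and compared as a plain string, whatever characters it contains.
PREPARE good FROM 'SELECT * FROM customers WHERE username = ?';
EXECUTE good USING @name;    -- 0 rows: no customer is literally named "' OR 1 #"
SET @name = 'timmy';
EXECUTE good USING @name;    -- 1 row: timmy
DEALLOCATE PREPARE good;
```

In PHP the second form corresponds to mysqli or PDO prepared statements with bound parameters; input sanitising (the slide's other remedy) still has its place for length and format checks, but it is the placeholder, not the filter, that removes the injection.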
  24. Best practice
     • Have your architecture audited by a third party
       - Do not believe in self evaluation
       - Do regular internal pen tests
     • Keep informed about vulnerabilities of all your components.
     • Train people, who remain the weakest point
     • Keep up to date with best practices (BYOD, …)
  25. Is your database more secure in the cloud?
     • AWS / HP CLOUD / AZURE / …
     • The same principle applies except:
       - You have no clear idea of how it is internally architected and operated
       - Quality of isolation is not clear
     • You have to have confidence in your cloud provider and/or be more careful:
       - Full encryption of filesystem and backup files
       - Key management outside the cloud
  26. If you detect a security breach
     • Take a snapshot of the whole system
       - Including key elements of the architecture
     • Be sure your logs are safe
     • When did it first start
     • Who did it: do not lose evidence
  27. Thanks, Q&A
     Serge.Frezefond@skysql.com, @sfrezefond, http://Serge.frezefond.com