Open Source Databases Security
Serge Frezefond
@sfrezefond
http://Serge.frezefond.com
29 / 05 / 2013
Serge Frezefond - Databases Security
Companies are under permanent attacks
• Stealing valuable data
  - Customer base
• Denial of Service
  - Make your database unresponsive
• Corruption of data
  - Totally or partially
• Doing transactions / money transfers on behalf of X
Cost of attacks is in millions of $
May 28th 2013 2
Recent attacks are not sophisticated: SQL injection
On March 27, 2011, mysql.com, the official homepage for MySQL, was compromised by a hacker using SQL blind injection.
On June 1, 2011, "hacktivists" of the group LulzSec were accused of using SQLI to steal coupons, download keys, and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users.
In July 2012 a hacker group was reported to have stolen 450,000 login credentials from Yahoo!. The logins were stored in plain text and were allegedly taken from a Yahoo subdomain, Yahoo! Voices. The group breached Yahoo's security by using a "union-based SQL injection technique".
Many companies have major gaps in security
• Most use basic authentication: user / password
• Database open to any IP with no origin check (firewall)
• No strong authentication
• No data encryption
• No traffic encryption (SSL)
• No true auditing
  - Rarely any database activity audit (too costly)
• IDS rarely used
• Many of them lack a security officer who understands the criticality of databases
Some companies need to fulfill extra security obligations
• PCI DSS
• SOX
• HIPAA / HITECH
• EU Data Protection Directive (Right to Privacy)
• …
• Fulfilling these rules is not enough to be secure
Inside vs Outside is not a meaningful differentiation
• Many subcontractors
• Not always happy / honest employees
• Network open to third parties to ease processes:
  - Partners, Customers, Suppliers
• Most internal databases are very critical / valuable assets (even if not part of a web-exposed application)
• BYOD policy introduces risk.
Open source is a building block of Secure Architectures
• OpenSSL / yaSSL
• OpenSSH
• Open radius
• OpenLDAP
• PAM
• PKI (EJBCA, OpenCA)
• Key management (StrongAuth)
• 2-factor authentication / OTP
• IDS (Suricata)
Database is a key part of an architecture
• When data is destroyed or corrupted it is very difficult or impossible to restore.
• The impact on image is important
  - Many companies prefer silence
• Data needs anyway to be exposed: to be manipulated / shared / saved / tested / audited
Financial impact of this kind of attack is huge
All Open Source Databases are vulnerable
• PostgreSQL:
  - Has suffered major issues recently (April 2013)
• MySQL:
  - Has suffered major issues recently
• SQLite: no real security model as the target is embedded
  - Cipher solutions available
• NoSQL / Big Data databases: very weak security models
MySQL Vulnerabilities
• CVE-2012-5613 (a 0day exploit)
• MySQL 5.5.19 and …, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator.
Create a user with FULL ACCESS to the database
MySQL Vulnerabilities
• CVE-2012-5611
• Stack-based buffer overflow in the acl_get function in Oracle MySQL 5.5.19 and other versions ... allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
Execute any arbitrary code
MySQL Vulnerabilities
• CVE-2012-2122: a simple loop gives root access:
• $ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
• mysql>
• Assumption that the memcmp() function would always return a value within the range -128 to 127
Able to log in as root to the database
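The memcmp() truncation behind CVE-2012-2122 modelled in Python, as an added example that is not part of the original deck: wide_memcmp() is a constructed stand-in for a memcmp() that returns values outside -128..127, and the hardened form shows the full-width, constant-time comparison that fixes the logic.

```python
# Added example (not code from the slides): a Python model of the CVE-2012-2122
# root cause named on the slide, and of the hardened comparison that fixes it.
# MySQL's check_scramble() returned memcmp()'s int result through a one-byte
# (char) return type; the caller only tested "is it zero?", so any memcmp result
# whose low 8 bits are zero was taken as a password match. wide_memcmp() below
# is a constructed stand-in for a memcmp() that is not limited to -128..127.
import ctypes
import hashlib
import hmac
import random

HASH_LEN = 20  # SHA1_HASH_SIZE, the length MySQL's check_scramble() compares


def wide_memcmp(a: bytes, b: bytes) -> int:
    """Constructed model of a word-at-a-time memcmp(): returns the numeric
    difference of the first differing 32-bit little-endian word, which can be
    far outside -128..127 (e.g. -256 when only the second byte differs)."""
    for i in range(0, len(a), 4):
        wa = int.from_bytes(a[i:i + 4], "little")
        wb = int.from_bytes(b[i:i + 4], "little")
        if wa != wb:
            return wa - wb
    return 0


def truncate_to_char(value: int) -> int:
    """The implicit int -> char conversion of 'return memcmp(...)' in a
    function declared to return a one-byte type."""
    return ctypes.c_int8(value & 0xFF).value


def check_scramble_buggy(expected: bytes, received: bytes) -> bool:
    """Buggy logic: 'match' iff the truncated comparison result is 0."""
    return truncate_to_char(wide_memcmp(expected, received)) == 0


def check_scramble_fixed(expected: bytes, received: bytes) -> bool:
    """Hardened logic: full-width, constant-time comparison of the hashes."""
    return hmac.compare_digest(expected, received)


def false_accept_rate(trials: int, seed: int = 1234) -> float:
    """Fraction of random wrong hashes the buggy check accepts (about 1/256:
    the low byte of the first differing word is zero with that probability).
    The fixed check accepts none of them."""
    rng = random.Random(seed)
    expected = hashlib.sha1(b"correct-password-scramble").digest()
    accepted = 0
    for _ in range(trials):
        wrong = bytes(rng.getrandbits(8) for _ in range(HASH_LEN))
        if wrong == expected:
            continue
        assert not check_scramble_fixed(expected, wrong)
        if check_scramble_buggy(expected, wrong):
            accepted += 1
    return accepted / trials


if __name__ == "__main__":
    print(f"buggy check false-accept rate: {false_accept_rate(20000):.4f}")
```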
PostgreSQL Major Vulnerability
“Any system that allows unrestricted access to the PostgreSQL network port, such as users running PostgreSQL on a public cloud, is especially vulnerable”
• PostgreSQL team locked down the repository
  - Fear that the code work would lead to a 0day exploit
• All Linux distributions needed to release the patch simultaneously
• Platform-as-a-Service provider Heroku was exposed and received the patch before others:
  - Controversy regarding open source principles
MySQL Vulnerabilities: What to do?
• Follow them systematically in a timely manner
• Patch your system / upgrade version
• 0day exploits should trigger a major alert
• Apply best practice
• Most vulnerabilities do not apply in all cases
  - database not open to the network,
  - --secure-file-priv option
Authentication
• Standard authentication: user/password
• Authentication plugins
  - SHA256 (5.6)
  - PAM
  - Windows
  - Multi-factor authentication / use hardware token
• Do not expose passwords on the command line or in conf files (5.6)
Data traffic encryption
• SSL based
• Keys & certificates for both server and client
• OpenSSL or yaSSL as SSL library
Stored Data Encryption
• Encrypt column through function call
• Encrypt at the file system level
  - zNcrypt
• Specialized storage engine can do encryption
  - MyDiamo
• No Transparent Data Encryption in MySQL
  - No declarative way to say that a column is encrypted
• Data Masking: keep your data secure for tests
MySQL backup secured?
• Backups are a vulnerable point
  - Very easy to reuse
• They should be encrypted
• Xtrabackup can encrypt backups with AES256
  - Key in keyfile
• Symmetric key? Stored where? Pvk / PbK
Security model for developers
• No grant to access the data through select
• Restrict access to:
  - Stored procedures
  - Triggers
  - Views
Database Proxy / Firewall
• Used to audit or implement policies at the client/server protocol level, by acting as a true proxy or by sniffing the protocol
  - MySQL proxy
  - GreenSQL / closed source
  - Oracle Database Firewall
• Useful to filter traffic
• They can be bypassed ;-)
Database auditing
• A mandatory requirement for compliance
• MySQL audit API available (improved by MariaDB)
• Used by:
  - McAfee audit plugin
  - Oracle Audit plugin
  - MariaDB Audit Plugin (work in progress)
• Associated with Database Activity Monitoring solutions
Do not neglect SQL injections
• The application is the weak point by allowing unpredicted queries to be run
• F5 router hacking through embedded MySQL (now solved)
• To avoid it:
  - Sanitize the input
  - Use prepared statements
MySQL & PHP: SQL injection
$query = "SELECT * FROM customers WHERE username = '$name'";

$name_bad = "' OR 1'";
$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";

Normal: SELECT * FROM customers WHERE username = 'timmy'
Injection: SELECT * FROM customers WHERE username = '' OR 1''
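The slide's query-building pattern beside the prepared-statement fix recommended on the previous slide, as an added example that is not from the original deck; it assumes the standard-library sqlite3 module as a stand-in for MySQL, a constructed customers table and a constructed payload in the spirit of $name_bad.

```python
# Added example (not code from the slides): the slide's PHP query-building
# pattern reproduced in Python, beside the prepared-statement form. The
# standard-library sqlite3 module stands in for MySQL (constructed data, runs
# offline); parameter binding works the same way with a MySQL driver.
import sqlite3

# Constructed payload in the spirit of the slide's $name_bad: closes the quoted
# string and appends an always-true condition.
INJECTION = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a three-row customers table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("timmy", "timmy@example.com"),
         ("alice", "alice@example.com"),
         ("bob", "bob@example.com")],
    )
    return conn


def lookup_interpolated(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the same string building as the slide's $query line.
    The user input becomes part of the SQL grammar, so the payload turns
    WHERE username = '...' into WHERE username = '' OR '1'='1'."""
    query = f"SELECT username FROM customers WHERE username = '{name}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: a prepared statement with a bound parameter. The input is
    always treated as a value, never as SQL, so the payload matches no row."""
    query = "SELECT username FROM customers WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (name,)))


if __name__ == "__main__":
    db = make_db()
    print("normal, interpolated:  ", lookup_interpolated(db, "timmy"))
    print("injected, interpolated:", lookup_interpolated(db, INJECTION))
    print("injected, prepared:    ", lookup_prepared(db, INJECTION))
```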
Best practice
• Have your architecture audited by a third party
  - Do not believe in self evaluation
  - Do regular internal pen tests
• Keep informed about vulnerabilities of all your components.
• Train people, who remain the weakest point
• Keep up to date with best practices (BYOD, …)
Is your database more secure in the cloud?
• AWS / HP CLOUD / AZURE / …
• The same principles apply except:
  - You have no clear idea of how it is internally architected and operated
  - Quality of isolation is not clear
• You have to have confidence in your cloud provider and/or be more careful:
  - Full encryption of filesystem and backup files
  - Key management outside the cloud
If you detect a security breach
• Take a snapshot of the whole system
  - Including key elements of the architecture
• Be sure your logs are safe
• When did it first start?
• Who did it: do not lose evidence
Thanks
Q&A
Serge.Frezefond@skysql.com
@sfrezefond
http://Serge.frezefond.com

Design pattern talk by Kaya Weers - 2024 (v2)
 
Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer Experience
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 

Open Source Databases Security

  • 1. Open Sources Databases Security Serge Frezefond @sfrezefond http://Serge.frezefond.com 29 / 05 / 2013 Serge Frezefond - Databases Security
  • 2. Companies are under permanent attacks
    •  Stealing valuable data
       -  Customer base
    •  Denial of Service
       -  Make your database unresponsive
    •  Corruption of data
       -  Totally or partially
    •  Doing transactions / money transfers on behalf of X
    Cost of attacks is in millions of $
    May 28th 2013 2 Serge Frezefond - Databases Security
  • 3. Recent attacks are not sophisticated: SQL injection
    On March 27, 2011, mysql.com, the official homepage for MySQL, was compromised by a hacker using SQL blind injection.
    On June 1, 2011, "hacktivists" of the group LulzSec were accused of using SQLI to steal coupons, download keys, and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users.
    In July 2012 a hacker group was reported to have stolen 450,000 login credentials from Yahoo!. The logins were stored in plain text and were allegedly taken from a Yahoo subdomain, Yahoo! Voices. The group breached Yahoo's security by using a "union-based SQL injection technique".
  • 4. Many companies have major gaps in security
    •  Most use basic authentication: user / password
    •  Database open to IP with no origin check (firewall)
    •  No strong authentication
    •  No data encryption
    •  No traffic encryption (SSL)
    •  No true auditing
       -  Rarely any database activity audit (too costly)
    •  IDS rarely used
    •  Many of them lack a security officer who understands the criticality of databases
  • 5. Some companies need to fulfill extra security obligations
    •  PCI DSS
    •  SOX
    •  HIPAA / HITECH
    •  EU Data Protection Directive (Right to Privacy)
    •  Fulfilling these rules is not enough to be secure
  • 6. Inside vs outside is not a meaningful differentiation
    •  Many subcontractors
    •  Not always happy / honest employees
    •  Network open to third parties to ease processes:
       -  Partners, customers, suppliers
    •  Most internal databases are very critical / valuable assets (even if not part of a web-exposed application)
    •  BYOD policy introduces risk.
  • 7. Open source is a building block of secure architectures
    •  OpenSSL / yaSSL
    •  OpenSSH
    •  Open radius
    •  OpenLDAP
    •  PAM
    •  PKI (EJBCA, OpenCA)
    •  Key management (StrongAuth)
    •  2-factor authentication / OTP
    •  IDS (Suricata)
  • 8. Database is a key part of an architecture
    •  When data is destroyed or corrupted it is very difficult or impossible to restore.
    •  The impact on image is important
       -  Many companies prefer silence
    •  Data needs to be exposed anyway: to be manipulated / shared / saved / tested / audited
    Financial impact of this kind of attack is huge
  • 9. All open source databases are vulnerable
    •  PostgreSQL:
       -  Has suffered major issues recently (April 2013)
    •  MySQL:
       -  Has suffered major issues recently
    •  SQLite: no real security model as the target is embedded
       -  Cipher solutions available
    •  NoSQL database / Big Data: very weak security models
  • 10. MySQL Vulnerabilities
    •  CVE-2012-5613 (a 0day exploit)
    •  MySQL 5.5.19 and …, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator.
    Outcome: create a user with full access to the database
  • 11. MySQL Vulnerabilities
    •  CVE-2012-5611
    •  Stack-based buffer overflow in the acl_get function in Oracle MySQL 5.5.19 and other versions ... allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
    Outcome: execute arbitrary code
  • 12. MySQL Vulnerabilities
    •  CVE-2012-2122: a simple loop gives root access:
    •  $ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
    •  mysql>
    •  Root cause: the assumption that the memcmp() function would always return a value within the range -128 to 127
    Outcome: able to log in as root to the database
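    The failure this slide describes, as an added example that is not part of the deck: a Python model of the mysql_native_password challenge-response (the server stores SHA1(SHA1(password)); the client returns SHA1(password) XOR SHA1(scramble || stored hash); the server recovers SHA1(password), hashes it again and compares with the stored hash), with that final comparison done two ways. `model_memcmp`, `to_signed_char`, `DEMO_PASSWORD` and the fixed 20-byte `DEMO_SCRAMBLE` are constructed for this illustration: the memcmp model returns the arithmetic difference of the first mismatching 32-bit words, standing in for an optimized memcmp whose result is not confined to -128..127; returning that through a one-byte `my_bool` keeps only the low byte, so a wrong password is accepted whenever that byte happens to be zero, about 1 time in 256, which is why the 1000-iteration loop on the slide almost always gets in. The fixed check is a full-length constant-time comparison that cannot be truncated.

```python
import hashlib
import hmac

SHA1_HASH_SIZE = 20

# Constructed demo values: a fixed scramble makes the run deterministic.
DEMO_PASSWORD = "correct horse battery"
DEMO_SCRAMBLE = bytes(range(SHA1_HASH_SIZE))


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stored_password_hash(password: str) -> bytes:
    """mysql_native_password stores SHA1(SHA1(password)) in mysql.user."""
    return sha1(sha1(password.encode()))


def client_response(password: str, scramble: bytes) -> bytes:
    """Token sent by the client: SHA1(pw) XOR SHA1(scramble || SHA1(SHA1(pw)))."""
    stage1 = sha1(password.encode())
    return xor_bytes(stage1, sha1(scramble + sha1(stage1)))


def reassure_stage2(stored_hash: bytes, scramble: bytes, response: bytes) -> bytes:
    """Server side: recover SHA1(pw) from the token and hash it once more; the
    result must equal the stored hash (this is what check_scramble() verifies)."""
    stage1 = xor_bytes(response, sha1(scramble + stored_hash))
    return sha1(stage1)


def model_memcmp(a: bytes, b: bytes) -> int:
    """Constructed model of an optimized memcmp: compares 32-bit words and returns
    their arithmetic difference, which is not confined to -128..127."""
    for i in range(0, len(a), 4):
        wa = int.from_bytes(a[i:i + 4], "big")
        wb = int.from_bytes(b[i:i + 4], "big")
        if wa != wb:
            return wa - wb
    return 0


def to_signed_char(value: int) -> int:
    """Storing an int into a C `char` (MySQL's my_bool) keeps only the low 8 bits."""
    return ((value & 0xFF) ^ 0x80) - 0x80


def check_scramble_vulnerable(stored_hash: bytes, scramble: bytes, response: bytes) -> bool:
    """Pre-fix logic: the memcmp result travels through a one-byte type and the
    caller treats 0 as "passwords match"."""
    reassured = reassure_stage2(stored_hash, scramble, response)
    return to_signed_char(model_memcmp(stored_hash, reassured)) == 0


def check_scramble_fixed(stored_hash: bytes, scramble: bytes, response: bytes) -> bool:
    """Fixed logic: full-length, constant-time equality test, no truncation."""
    reassured = reassure_stage2(stored_hash, scramble, response)
    return hmac.compare_digest(stored_hash, reassured)


def first_wrong_password_accepted(stored_hash, scramble, check, max_attempts=5000):
    """Replay the slide's retry loop with wrong passwords "wrong-0", "wrong-1", ...
    and return the attempt index at which `check` accepted one, or None."""
    for i in range(max_attempts):
        if check(stored_hash, scramble, client_response(f"wrong-{i}", scramble)):
            return i
    return None


if __name__ == "__main__":
    stored = stored_password_hash(DEMO_PASSWORD)
    print("vulnerable check accepted a wrong password at attempt:",
          first_wrong_password_accepted(stored, DEMO_SCRAMBLE, check_scramble_vulnerable))
    print("fixed check accepted a wrong password at attempt:",
          first_wrong_password_accepted(stored, DEMO_SCRAMBLE, check_scramble_fixed))
```

    The lesson for code review is the second `check_scramble_*` pair: a comparison result must be turned into a boolean (`!= 0`, or a constant-time equality test) before it is stored in a narrow type, and authentication code should never depend on the exact numeric value a library comparison returns.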
  • 13. PostgreSQL Major Vulnerability
    "Any system that allows unrestricted access to the PostgreSQL network port, such as users running PostgreSQL on a public cloud, is especially vulnerable"
    •  PostgreSQL team locked down the repository
       -  Fear that the code work would lead to a 0day exploit
    •  All Linux distributions needed to release the patch simultaneously
    •  Platform as a Service HEROKU was exposed and received the patch before others:
       -  Controversy regarding open source principles
  • 14. MySQL Vulnerabilities: What to do?
    •  Follow them systematically in a timely manner
    •  Patch your system / upgrade version
    •  0day exploits should trigger a major alert
    •  Apply best practice
    •  Most vulnerabilities do not apply in all cases
       -  database not open to the network,
       -  --secure-file-priv option
  • 15. Authentication
    •  Standard authentication: user/password
    •  Authentication plugin
       -  SHA256 (5.6)
       -  PAM
       -  Windows
       -  Multi-factor authentication / use hardware token
    •  Do not expose passwords on the command line or in conf files (5.6)
  • 16. Data traffic encryption
    •  SSL based
    •  keys & certificates for both server and client
    •  OpenSSL or yaSSL as SSL library
  • 17. Stored Data Encryption
    •  Encrypt column through function call
    •  Encrypt at the file system level
       -  zNcrypt
    •  Specialized storage engine can do encryption
       -  MyDiamo
    •  No Transparent Data Encryption in MySQL
       -  No declarative way to say that a column is encrypted
    •  Data Masking: keep your data secure for tests
  • 18. MySQL backup secured?
    •  Backups are a vulnerable point
       -  Very easy to reuse
    •  They should be encrypted
    •  Xtrabackup can encrypt backup with AES256
       -  Key in keyfile
    •  Symmetric key? Stored where? PvK / PbK
  • 19. Security model for developers
    •  No grant to access the data through select
    •  Restrict access to:
       -  Stored proc
       -  Triggers
       -  Views
  • 20. Database Proxy / Firewall
    •  Used to audit or implement policies at the client/server protocol level by being a true proxy or sniffing the protocol
       -  MySQL proxy
       -  GreenSQL / closed source
       -  Oracle Database firewall
    •  Useful to filter traffic
    •  They can be bypassed ;-)
  • 21. Database auditing
    •  A mandatory requirement for compliance
    •  MySQL audit API available (improved by MariaDB)
    •  Used by:
       -  McAfee audit plugin
       -  Oracle Audit plugin
       -  MariaDB Audit Plugin (work in progress)
    •  Associated with Database Activity Monitoring solutions
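    A defender's counterpart to the retry loop on slide 12, added here as an example of what auditing the server's own logs can catch (this code is not part of the deck): a small detector run over constructed error-log lines in the 5.5-era layout, `YYMMDD HH:MM:SS [Warning] Access denied for user 'u'@'h' (using password: YES)`, which the server writes for failed connection attempts when log_warnings is greater than 1. The sample log, the 60-second window and the threshold of 50 failures are assumptions of this example; the audit plugins named on the slide produce richer records, but the sliding-window count per user@host is the same.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the access-denied warning MySQL 5.5 writes to its error log.
LINE_RE = re.compile(
    r"^(\d{6} \d{2}:\d{2}:\d{2}) \[Warning\] Access denied for user '([^']*)'@'([^']*)'"
)
TIMESTAMP_FMT = "%y%m%d %H:%M:%S"


def build_sample_log() -> list:
    """Constructed sample: 300 denials for root from 127.0.0.1 within three seconds
    (the shape of the slide-12 loop) plus two isolated failures for an app user."""
    lines = ["130528 10:15:00 [Note] /usr/sbin/mysqld: ready for connections."]
    base = datetime(2013, 5, 28, 10, 15, 1)
    for i in range(300):
        stamp = (base + timedelta(milliseconds=10 * i)).strftime(TIMESTAMP_FMT)
        lines.append(f"{stamp} [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)")
    lines.append("130528 10:20:30 [Warning] Access denied for user 'app'@'10.0.0.5' (using password: YES)")
    lines.append("130528 10:20:35 [Warning] Access denied for user 'app'@'10.0.0.5' (using password: YES)")
    return lines


def parse_denials(lines) -> dict:
    """Group denial timestamps by (user, host); non-matching lines are ignored."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events[(m.group(2), m.group(3))].append(datetime.strptime(m.group(1), TIMESTAMP_FMT))
    return events


def find_auth_bursts(lines, threshold=50, window=timedelta(seconds=60)) -> dict:
    """Return {(user, host): peak_count} for principals whose denials reach
    `threshold` inside any `window`-long sliding interval."""
    bursts = {}
    for key, times in parse_denials(lines).items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward past old events
            count = end - start + 1
            if count >= threshold:
                bursts[key] = max(bursts.get(key, 0), count)
    return bursts


if __name__ == "__main__":
    for (user, host), count in find_auth_bursts(build_sample_log()).items():
        print(f"auth burst: {count} denials for '{user}'@'{host}' within 60s")
```

    Run against a real error log the threshold needs tuning to the environment (a misconfigured batch job can produce a steady trickle of failures), and the alert should carry the source host so the firewall rule from slide 4 can be checked at the same time.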
  • 22. Do not neglect SQL injections
    •  The application is the weak point by allowing unpredicted queries to be run
    •  F5 router hacking through embedded MySQL (now solved)
    •  To avoid it:
       -  Sanitizing the input
       -  Use prepared statements
  • 23. MySQL & PHP: SQL injection
    $query = "SELECT * FROM customers WHERE username = '$name'";
    $name_bad = "' OR 1'";
    $name_evil = "'; DELETE FROM customers WHERE 1 or username = '";

    Normal:    SELECT * FROM customers WHERE username = 'timmy'
    Injection: SELECT * FROM customers WHERE username = '' OR 1''
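    The slide's vulnerable query beside the prepared-statement form from slide 22, as an added example that is not part of the deck. It uses Python's built-in sqlite3 module so it runs offline; the `customers` rows, `NAME_BAD` (a tautology variant of the slide's `$name_bad` that parses cleanly) and the helper names are constructed for this illustration, while `NAME_EVIL` is the slide's own second payload.

```python
import sqlite3

# Constructed sample rows standing in for the slide's `customers` table.
CUSTOMERS = [
    ("timmy", "timmy@example.com"),
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

NAME_NORMAL = "timmy"
NAME_BAD = "' OR '1'='1"                                          # tautology variant of $name_bad
NAME_EVIL = "'; DELETE FROM customers WHERE 1 or username = '"    # the slide's $name_evil


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Same construction as the slide: user input is pasted into the SQL text,
    # so quote characters inside `name` become part of the statement.
    query = f"SELECT * FROM customers WHERE username = '{name}'"
    return conn.execute(query).fetchall()


def lookup_prepared(conn: sqlite3.Connection, name: str) -> list:
    # Prepared statement: the value is bound as data and never parsed as SQL.
    return conn.execute("SELECT * FROM customers WHERE username = ?", (name,)).fetchall()


def row_counts() -> dict:
    """Rows returned by each variant for the normal and the tautology input."""
    conn = make_db()
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, NAME_NORMAL)),
        "vulnerable_bad": len(lookup_vulnerable(conn, NAME_BAD)),
        "prepared_normal": len(lookup_prepared(conn, NAME_NORMAL)),
        "prepared_bad": len(lookup_prepared(conn, NAME_BAD)),
    }


def stacked_statement_outcome() -> tuple:
    """The slide's DELETE payload only works if the driver runs two statements in
    one call. sqlite3's execute() refuses the second statement, and MySQL drivers
    refuse too unless multi-statements are enabled; that is a driver setting, not
    a defence to rely on. Returns (outcome, rows left in the table)."""
    conn = make_db()
    try:
        lookup_vulnerable(conn, NAME_EVIL)
        outcome = "executed"
    except Exception:   # sqlite3.Warning on older Pythons, ProgrammingError on newer
        outcome = "refused"
    remaining = conn.execute("SELECT count(*) FROM customers").fetchone()[0]
    return outcome, remaining


if __name__ == "__main__":
    print(row_counts())
    print(stacked_statement_outcome())
```

    The count for `vulnerable_bad` is the whole table: the tautology turns the lookup into a dump, while the prepared form returns nothing because no customer is literally named `' OR '1'='1`. Input sanitizing (the slide's first remedy) is a second layer; binding parameters is the one that removes the bug class.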
  • 24. Best practice
    •  Have your architecture audited by a third party
       -  Do not believe in self evaluation
       -  Do regular internal pen tests
    •  Keep informed about vulnerabilities of all your components.
    •  Train people, who remain the weakest point
    •  Keep up to date with best practices (BYOD, …)
  • 25. Is your database more secure in the cloud?
    •  AWS / HP CLOUD / AZURE / …
    •  The same principles apply except:
       -  You have no clear idea of how it is internally architected and operated
       -  Quality of isolation is not clear
    •  You have to have confidence in your cloud provider and/or be more careful:
       -  Full encryption of filesystem and backup files
       -  Key management outside the cloud
  • 26. If you detect a security breach
    •  Take a snapshot of the whole system
       -  Including key elements of the architecture
    •  Be sure your logs are safe
    •  When did it first start?
    •  Who did it? Do not lose evidence
  • 27. Thanks. Q&A. Serge.Frezefond@skysql.com @sfrezefond http://Serge.frezefond.com