Database Attacks, How to protect the corporate assets Presented by: James Bleecker


Post on 08-Jun-2015


TRANSCRIPT

Page 1: Database Attacks, How to protect the corporate assets

Database Attacks, How to protect the corporate assets

Presented by: James Bleecker

Page 2

www.appsecinc.com

Agenda

- Introduction
- Landscape
- Database Vulnerabilities Are The New Front-Lines
- Attacking Where the Data Resides
- Planning an Attack
- Attacking Database Vulnerabilities
- How Do You Protect Your Database?
- What is Application Security's direction/vision?

Page 3

Old Data Processing Environment

(Diagram labels: Winchester, IMS, Array, Glass House, Halon Release Switch, CICS Controller, Big Iron, Hyperchannel, Halon)

Page 4

New Data Processing Requirement

(Diagram label: Stored Data)

- Increasingly focused attacks
  - Directly on applications (75%!)
  - Including insiders (80+%!)
  - As the perimeter crumbles
- Demand for pervasive access
  - By anyone
  - To any application
  - Increasingly direct
- Compliance requirements; the information is ultimately in DB apps:
  - Privacy / confidentiality
  - Integrity
- Compliance must be:
  - Repeatable
  - Demonstrable

Page 5

Typical Network Landscape

Page 6

Database Vulnerabilities

A decade ago, databases were:
- Physically secure
- Housed in central data centers, not distributed
- Reachable from outside only through an intermediary (external access mediated)
- Rarely the subject of reported security issues

Now, databases are externally accessible:
- Suppliers directly connected
- Customers directly connected
- Customers and partners directly sharing data

Page 7

Database Vulnerability Exploitation

A decade ago, attacks were:
- Broad based
- Launched by disaffected "hackers"
- Intended to disrupt, or to gain respect / notoriety in the community

Now, attacks are:
- Targeted against specific resources
- Launched by sophisticated professionals
- Intended to bring monetary gain to the attacker

Data is a valuable resource in your company:
- Its value increases with greater integration and aggregation
- But so does the threat of data theft, modification, or destruction

Page 8

Databases Are Under Attack

106 incidents in 2005.

Flurry of new data breaches disclosed: "More than 190 such incidents have been reported since February 2005" (Jaikumar Vijayan and Todd Weiss, Computerworld, June 19, 2006).

We're not winning!

Page 9

Recent Incidents

Company/Organization                             # of Affected Customers   Date of Initial Disclosure
Department of Energy's nuclear weapons           1,500                     22-May-06
Georgetown University                            41,000                    5-Mar-06
Misc retail debit card compromise (OfficeMax?)   200,000                   9-Feb-06
Dept of Agriculture                              350,000                   15-Feb-06
Card Systems                                     40,000,000                17-Jun-05
Citigroup                                        3,900,000                 6-Jun-05
DSW Shoe Warehouse                               1,400,000                 8-Mar-05
Bank of America                                  1,200,000                 25-Feb-05
LexisNexis                                       310,000                   9-Mar-05
Ameritrade                                       200,000                   19-Apr-05
ChoicePoint                                      145,000                   15-Feb-05
Etc, etc, etc.

Total # of customers affected: ~50,000,000+

Source: Privacy Rights Clearinghouse, http://www.privacyrights.org/ar/ChronDataBreaches.htm

Page 10

Top 5 Issues in Enterprise Security

1) Attackers have gone pro
   - They want personal data they can sell: personal data like credit card and social security numbers is relatively easy to monetize.
2) Attacks are moving to the source
   - Why pull a single credit card by compromising the network? It's relatively hard, with a meager payoff. Instead, take over the corporate database and get them ALL.
3) The perimeter provides little defense
   - Insiders don't go through the firewall, so perimeters provide no protection from this growing source of risk.
4) Inside the perimeter, enterprises have little-to-no protection
   - Beyond anti-virus, enterprises are only now starting to build a layered defense. For example, how does a largely signature-based security solution protect you from an insider who doesn't need to exploit a vulnerability on a system to get access? They've got plenty of privileges already ;-)
5) Everyone is watching
   - Everyone is very much clued in to the increased threats against personal data. Any mistakes are likely to be very public.

Page 11

How Do You Secure Apps?

Key Components of Enterprise Applications

Vulnerabilities exist within each of these components

Page 12

Database Vulnerabilities:

- Default & Weak Passwords
- Denial of Service (DoS) & Buffer Overflows
- Misconfigurations & Resource Privilege Management Issues

Page 13

Database Vulnerabilities: Default & Weak Passwords

Databases have their own user accounts and passwords.

(Diagram: Oracle, Microsoft SQL Server, Sybase, IBM DB2, MySQL; Default & Weak Passwords)

Page 14

Database Vulnerabilities: Default Passwords

Oracle defaults (over 200 of them):
- User Account: internal / Password: oracle
- User Account: system / Password: manager
- User Account: sys / Password: change_on_install
- User Account: dbsnmp / Password: dbsnmp

IBM DB2 defaults:
- User Account: db2admin / Password: db2admin
- User Account: db2as / Password: ibmdb2
- User Account: dlfm / Password: ibmdb2

Page 15

Database Vulnerabilities: Default Passwords

MySQL defaults:
- User Account: root / Password: null
- User Account: admin / Password: admin
- User Account: myusername / Password: mypassword

Sybase defaults:
- User Account: SA / Password: null

Microsoft SQL Server defaults:
- User Account: SA / Password: null

Page 16

Database Vulnerabilities: Weak Passwords

It is important that you have all of the proper safeguards against password crackers because:

- Most databases do not have account lockout
- Database login activity is seldom monitored
- Scripts and tools for exploiting weak identification control mechanisms and default passwords are widely available
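Because the deck notes that most databases lack account lockout and that login activity is seldom monitored, the gap has to be closed by watching the login audit trail. This added example (not from the deck or any database vendor) runs two checks over constructed audit lines: repeated failures for one account from one source inside a short window, and any successful login to one of the default accounts listed earlier in the deck. The log line format, the failure threshold and the window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Default accounts named in the deck; a successful login to one of these is
# worth an alert on its own, since they should be locked, expired or renamed.
DEFAULT_ACCOUNTS = {"internal", "system", "sys", "dbsnmp", "db2admin",
                    "db2as", "dlfm", "root", "admin", "sa"}

# Constructed line format (an assumption, not any vendor's audit format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOGIN (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$")

def parse(line):
    """Return a dict with ts/result/user/src, or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    return ev

def detect(lines, threshold=5, window=timedelta(minutes=2)):
    """Return alert strings for password guessing and default-account logins."""
    alerts = []
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAILED":
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) == threshold:                 # alert once per burst
                alerts.append("GUESSING %s from %s: %d failures within %s"
                              % (ev["user"], ev["src"], threshold, window))
        elif ev["user"].lower() in DEFAULT_ACCOUNTS:
            alerts.append("DEFAULT-ACCOUNT login %s from %s"
                          % (ev["user"], ev["src"]))
    return alerts

# Constructed sample audit lines: a burst of guesses at SYSTEM followed by a
# successful login, plus normal application traffic.
SAMPLE_LOG = """\
2006-06-19 10:00:01 LOGIN OK user=appuser from=10.1.1.20
2006-06-19 10:00:05 LOGIN FAILED user=SYSTEM from=10.1.1.99
2006-06-19 10:00:06 LOGIN FAILED user=SYSTEM from=10.1.1.99
2006-06-19 10:00:07 LOGIN FAILED user=SYSTEM from=10.1.1.99
2006-06-19 10:00:08 LOGIN FAILED user=SYSTEM from=10.1.1.99
2006-06-19 10:00:09 LOGIN FAILED user=SYSTEM from=10.1.1.99
2006-06-19 10:00:10 LOGIN FAILED user=SYSTEM from=10.1.1.99
2006-06-19 10:00:11 LOGIN OK user=SYSTEM from=10.1.1.99
2006-06-19 10:20:00 LOGIN FAILED user=appuser from=10.1.1.20
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The same two checks apply to the deck's later recommendation to monitor database activity log files; the vendor's own audit format would replace LINE_RE.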

Page 17

Database Vulnerabilities: Denial of Service (DoS) & Buffer Overflows

Databases have their own DoS and buffer overflow vulnerabilities.

(Diagram: Oracle, Microsoft SQL Server, Sybase, IBM DB2, MySQL; Default & Weak Passwords; Denial of Service & Buffer Overflows)

Page 18

Denial of Service: Databases Have Their Own Class of DoS Attacks

A category of attacks that could result in the database crashing or failing to respond to connect requests or SQL queries.

Significant database denial-of-service vulnerabilities:
- Oracle8i: NSPTCN data offset DoS, https://www.appsecinc.com/Policy/PolicyCheck31.html
- Oracle9i: SNMP DoS, https://www.appsecinc.com/Policy/PolicyCheck45.html
- Microsoft SQL Server: Resolution Service DoS, https://www.appsecinc.com/Policy/PolicyCheck2066.html
- IBM DB2: Date/Varchar DoS, https://www.appsecinc.com/Policy/PolicyCheck3014.html

Page 19

Buffer Overflows: Databases Have Their Own Buffer Overflows

A category of vulnerabilities that could result in an unauthorized user causing the application to perform an action it was not intended to perform.

Most dangerous are those that allow arbitrary commands to be executed by authenticated users:
- No matter how strongly you've set passwords and other authentication features.

Significant database buffer overflows:
- Oracle9i: TZ_OFFSET buffer overflow
- Microsoft: pwdencrypt buffer overflow / Resolution Service stack overflow
- Sybase: xp_freedll buffer overflow

Page 20

Database Vulnerabilities: Misconfigurations & Resource Privilege Management Issues

Misconfigurations can make a database vulnerable.

(Diagram: Oracle, Microsoft SQL Server, Sybase, IBM DB2, MySQL; Default & Weak Passwords; Denial of Service & Buffer Overflows; Misconfigurations & Resource Privilege Management)

Page 21

Misconfigurations & Resource Privileges: Misconfigurations Can Make a Database Vulnerable

Oracle
- External Procedure Service
- Default HTTP applications
- Privilege to execute UTL_FILE

Microsoft SQL Server
- Standard SQL Server authentication allowed
- Permissions granted on xp_cmdshell and xp_regread

Sybase
- Permission granted on xp_cmdshell

IBM DB2
- CREATE_NOT_FENCED privilege granted
  - This privilege allows logins to create stored procedures

MySQL
- Permissions on the user table (mysql.user)

Page 22

Database Vulnerabilities Wrap-up

(Diagram: Oracle, Microsoft SQL Server, Sybase, IBM DB2, MySQL; Misconfigurations & Resource Privilege Management; Denial of Service & Buffer Overflows; Default & Weak Passwords)

Page 23

Planning an Attack

- Create a map: what does the network look like?
- Reconnoiter: collect information about the layout of the target. What looks intere$ting?
- Probe, progress, plot: what can we do? Build the springboard for further activity. Plan the strike.
- Retreat and re-attack

Page 24

How are search engines used for attacks?

The first thing an attacker needs is information:
- Where to attack
- What a site is vulnerable to

A search engine is a large repository of information:
- Every web page in your application
- Every domain on the Internet

Search engines provide an attacker:
- The ability to search for attack points on the Internet
- The ability to search for an attack point in a specific website
- The ability to look for specific URLs or files

http://johnny.ihackstuff.com/index.php?module=prodreviews

Page 25

Example: looking for iSQL*Plus

Oracle HTTP Servers:
- Provide a way to run queries on the database using an HTTP form
- Accessed using the URL /isqlplus
- By default runs on any Oracle HTTP server installed with:
  - Oracle Applications Server
  - Oracle Database Server

A search can be performed on Google or Yahoo looking for Oracle HTTP servers, using the "allinurl" advanced search feature.

Page 26

Using Google Advanced Search

Page 27

Results of Google Advanced Search

Page 28

Yahoo! Advanced Search Works Too…..

Page 29

Connect with default username/password

Page 30

Attacker can execute any query

Page 31

Example: SQL Injection in demo applications

Oracle HTTP Servers provided default web applications:
- /demo/sql/jdbc/JDBCQuery.jsp
- /demo/sql/tag/sample2.jsp

These contain SQL injection. Google search value: "allinurl:JDBCQuery.jsp"

Page 32

Vulnerable Oracle HTTP Servers

Page 33

Oracle Example

X' UNION SELECT password FROM dba_users WHERE username='SYSTEM

Page 34

Password Hash Returned

Customer address: EED9B65CCECDB2E9

http://www.pentest.co.uk/sql/check_users.sql
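An added example (not from the deck and not Oracle's demo code) that reproduces the injection above against an in-memory SQLite stand-in: the demo-style lookup pastes the customer name into the SQL text, so the deck's payload turns the "Customer address" column into a row from a dba_users table, while the bind-parameter version treats the whole payload as a name and returns nothing. The table layout, the customer lookup and the hash value are constructed assumptions.

```python
import sqlite3

# Constructed stand-ins for the demo's customer lookup and for Oracle's
# DBA_USERS view; the table layout and the hash value are assumptions.
SAMPLE_HASH = "HASH_PLACEHOLDER_0000"

def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE customers(name TEXT, address TEXT);
        INSERT INTO customers VALUES ('Alice', '1 Main St');
        CREATE TABLE dba_users(username TEXT, password TEXT);
        INSERT INTO dba_users VALUES ('SYSTEM', '%s');
    """ % SAMPLE_HASH)
    return con

def lookup_vulnerable(con, name):
    # Demo-page style: the request parameter becomes part of the SQL text,
    # so a quote in the input ends the literal and the rest is parsed as SQL.
    sql = "SELECT address FROM customers WHERE name = '%s'" % name
    return [row[0] for row in con.execute(sql)]

def lookup_parameterized(con, name):
    # Hardened form: the value is bound as a parameter and never parsed as
    # SQL, so the quote and UNION in the payload are just characters in a name.
    sql = "SELECT address FROM customers WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]

# The payload from the deck; the original query text supplies the closing quote.
PAYLOAD = "X' UNION SELECT password FROM dba_users WHERE username='SYSTEM"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable   :", lookup_vulnerable(con, PAYLOAD))     # hash leaks
    print("parameterized:", lookup_parameterized(con, PAYLOAD))  # []
```

Bind parameters are only half of the fix: the account the demo pages connect as should have no SELECT privilege on dba_users at all, which is the least-privilege item from the Oracle checklist later in the deck.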

Page 35

(Screenshot: SQL injection 1)

Page 36

(Screenshot: SQL injection 1, URL path 7778/demo/sql/jdbc/JDBCQuery.jsp)

Page 37

(Screenshot: SQL injection 2, sys.database_name)

Page 38

(Screenshot: SQL injection 3)

Page 39

(Screenshot: SQL injection 4, sys.login_user)

Page 40

(Screenshot: SQL injection 5)

Page 41

(Screenshot: SQL injection 6, NUMTOYMINTERVAL)

Page 42

(Screenshot: SQL injection 7)

Page 43

Hackers Can Find Credit Cards

Recent posting to security newsgroups:
  To: [email protected]
  Subject: New google's top query?
Instructions on finding credit cards on the Internet.

Involves using numrange searches in Google: http://www.google.com/search?q=visa+4356000000000000..435699999999999

- Can focus in on a single domain
- Can focus in on a single person

"Numrange can be used to specify that results contain numbers in a range you set. You can conduct a numrange search by specifying two numbers, separated by two periods, with no spaces. Be sure to specify a unit of measure or some other indicator of what the number range represents."
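The numrange trick only works because card numbers published by mistake are sitting in indexable pages. This added example (not from the deck) is the check a site owner can run over their own content before a crawler does: it finds digit runs that pass the Luhn checksum and reports them masked, with their offsets, so the exposure can be pulled. The sample text and its numbers are constructed (4111111111111111 is a widely used test card number; 4356000000000002 is a constructed Luhn-valid value inside the deck's search range).

```python
import re

# 13 to 16 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (so order ids and timestamps are skipped).
CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,15}\d(?![\d-])")

def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2   # digit sum of the doubled value
        total += d
    return total % 10 == 0

def find_exposed_pans(text):
    """Return (masked_number, offset) for each Luhn-valid candidate in text."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            # Never echo the full number into a report or log; keep the last 4.
            hits.append(("*" * (len(digits) - 4) + digits[-4:], m.start()))
    return hits

# Constructed page fragment: one order id that merely looks like a card
# number, one well-known test card number, one constructed number in the
# 4356 range the deck's search URL covers.
SAMPLE_PAGE = (
    "Order 1234567890123456 shipped.\n"
    "Paid with visa 4111 1111 1111 1111.\n"
    "Backup row: 4356000000000002,Smith\n"
)

if __name__ == "__main__":
    for masked, offset in find_exposed_pans(SAMPLE_PAGE):
        print("possible card number %s at offset %d" % (masked, offset))
```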

Page 44

Google Advanced Search Page

Page 45

How Do You Address These Vulnerabilities?

- Stay patched: stay on top of all the security alerts and bulletins
- Defense in depth: multiple levels of security
- Regularly perform audits and penetration tests on your database
- Encryption of data-in-motion / data-at-rest / data-in-use
- Monitor database activity log files
- Implement application-layer intrusion detection, especially if you can't stay patched!

Page 46

How Do You Address These Vulnerabilities?

"I'm running auditing, vulnerability assessment, and IDS tools for the network/OS. Am I secure?" NO!!!!

- Databases are extremely complex beasts
- Databases store your most valuable assets
- Significantly more effort securing databases is necessary

"If your workstation gets hacked, that's bad. But if your database gets hacked, you're out of business."
http://www.devx.com/dbzone/Article/11961

Page 47

Best Practices Provided by Database Vendors & Notable Third Parties

- Oracle: Oracle9i Security Checklist
- SANS Institute (SysAdmin, Audit, Network, Security): Oracle Database Checklist
- Microsoft: 10 Steps to Secure SQL Server
- SQLSecurity.com: SQLSecurity Checklist

Page 48

Oracle9i Security Checklist: A Security Checklist for Oracle9i

- Install only what is required
- Lock and expire default user accounts
- Change default user passwords
- Enable data dictionary protection
- Practice the principle of least privilege
- Enforce access controls effectively
- Restrict network access
- Apply security patches and workarounds

http://otn.oracle.com/deploy/security/oracle9i/index.html

Page 49

10 Steps to Secure SQL Server 2000 (AppDetective Compliance Capabilities)

1) Install the most recent service pack

2) Assess your server's security with Microsoft Baseline Security Analyzer ((We'd suggest AppDetective!!))

3) Use Windows Authentication Mode

4) Isolate your server and back it up regularly

5) Assign a strong password

6) Limit privilege level of SQL Server Services

7) Disable SQL Server ports on your firewall

8) Use the most secure file system

9) Delete or secure old setup files

10) Audit connections to SQL Server

http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp

Page 50

Database Security Resources

- SQL Server Security: www.SQLSecurity.com; www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp
- Oracle Security: www.sans.org/score/checklists/Oracle_Database_Checklist.doc; otn.oracle.com/deploy/security/oracle9i/index.html
- Database Security alerts: www.appsecinc.com/resources/mailinglist.html
- Database Security Discussion Board: www.appsecinc.com/cgi-bin/ubb/ultimatebb.cgi

Page 51

How Do You Secure Apps?

Apply the vulnerability management lifecycle (diagram: Baseline/Discover, Prioritize, Shield and Mitigate, Monitor, then around again):

- Baseline/Discover: establish the "as is" position, identify vulnerabilities, develop the ideal baseline
- Prioritize: determine risk and prioritize based on vulnerability data, threat data, and asset classification
- Shield and Mitigate: high-priority vulnerabilities; establish controls and eliminate root causes
- Monitor: baseline compliance, vulnerabilities, threat environment; maintain

Page 52

Proactive Hardening: Complete Database Vulnerability Assessment

- Database discovery
- Penetration testing
- Security audit
- Reporting
- Remediation: fix scripts
- Keep current: ASAP updates protect against the latest threats

(Lifecycle diagram: Baseline/Discover, Prioritize, Shield and Mitigate, Monitor)

Page 53

Real-Time Monitor: Security Alerts + Focused, Granular Monitoring

Microsoft SQL Server, Oracle, Sybase, IBM DB2

(Lifecycle diagram: Baseline/Discover, Prioritize, Shield and Mitigate, Monitor)

Who, What and When

- Activity monitoring & alerting
  - All user activity and system changes
  - Complex attacks and threats
  - Misuse and malicious behavior
- Configurable detection
  - User-defined alert rules
  - User-defined threat signatures
- Regularly updated: ASAP Updates™

Page 54

Security Industry Direction

- More focused and complex attacks
- Blended attacks
- Increased audit and tracking requirements
- Mixed database vendors with fewer resources (Oracle, Microsoft SQL Server)

Page 55

(Lifecycle diagram: Baseline/Discover, Prioritize, Shield and Mitigate, Monitor)

AppSecInc Direction

- Products working closer together
- Vulnerability scan feeding IDS monitoring
- Reporting across functions for compliance issues
- Security change audit tracking

Page 56

Contact Info

Ben Brieger – Northwest Regional Manager 650-796-4919 [email protected] www.appsecinc.com

James Bleecker – Senior Systems Engineer 949-310-4639 [email protected] www.appsecinc.com