Open Source Databases Security
Serge Frezefond @sfrezefond http://Serge.frezefond.com
29 / 05 / 2013
Serge Frezefond - Databases Security
Companies are under permanent attack
• Stealing valuable data - Customer base
• Denial of Service - Make your database unresponsive
• Corruption of data - Totally or partially
• Doing transactions / money transfers on behalf of X
Cost of attacks is in millions of $
May 28th 2013 2 Serge Frezefond - Databases Security
Recent attacks are not sophisticated: SQL injection
On March 27, 2011, mysql.com, the official homepage for MySQL, was compromised by a hacker using blind SQL injection.
On June 1, 2011, "hacktivists" of the group LulzSec were accused of using SQLi to steal coupons, download keys, and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users.
In July 2012 a hacker group was reported to have stolen 450,000 login credentials from Yahoo!. The logins were stored in plain text and were allegedly taken from a Yahoo subdomain, Yahoo! Voices. The group breached Yahoo's security by using a "union-based SQL injection technique".
Many companies have major gaps in security
• Most use basic authentication: user / password
• Database open to IPs with no origin check (firewall)
• No strong authentication
• No data encryption
• No traffic encryption (SSL)
• No true auditing - Database activity is rarely audited (too costly)
• IDS rarely used
• Many of them lack a security officer who understands the criticality of databases
Some companies need to fulfil extra security obligations
• PCI DSS
• SOX
• HIPAA / HITECH
• EU Data Protection Directive (Right to Privacy)
• Fulfilling these rules is not enough to be secure
Inside vs Outside is not a meaningful differentiation
• Many subcontractors
• Not always happy / honest employees
• Network open to third parties to ease processes: - Partners, Customers, Suppliers
• Most internal databases are very critical / valuable assets (even if not part of a web-exposed application)
• BYOD policy introduces risk.
Open source is a building block of secure architectures
• OpenSSL / yaSSL
• OpenSSH
• OpenRADIUS
• OpenLDAP
• PAM
• PKI (EJBCA, OpenCA)
• Key management (StrongAuth)
• Two-factor authentication / OTP
• IDS (Suricata)
Database is a key part of an architecture
• When data is destroyed or corrupted it is very difficult or impossible to restore.
• The impact on reputation is significant - Many companies prefer silence
• Data must nevertheless be exposed: to be manipulated / shared / saved / tested / audited
Financial impact of this kind of attack is huge
All Open Source databases are vulnerable
• PostgreSQL: - Has suffered major issues recently (April 2013)
• MySQL: - Has suffered major issues recently
• SQLite: no real security model as the target is embedded - Cipher solutions available
• NoSQL / Big Data databases: very weak security models
MySQL Vulnerabilities
• CVE-2012-5613 (a 0day exploit)
• MySQL 5.5.19 and …, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator.
Impact: create a user with FULL ACCESS to the database
MySQL Vulnerabilities
• CVE-2012-5611
• Stack-based buffer overflow in the acl_get function in Oracle MySQL 5.5.19 and other versions ... allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.
Impact: execute arbitrary code
MySQL Vulnerabilities
• CVE-2012-2122: a simple loop gives root access:
• $ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
• mysql>
• Assumption that the memcmp() function would always return a value within the range -128 to 127
Impact: able to log in as root to the database
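The detection side of the pattern above, as an added example that is not part of the slides: the loop hammers one account from one host with hundreds of failed logins in a few seconds, which stands out clearly in the server's error log. The sample lines are constructed to imitate the "Access denied" warnings MySQL 5.5 writes to its error log when log_warnings is set to 2 (an assumption about the exact layout; check the regular expression against your own log before relying on it). The threshold and window are hypothetical tuning values.

```python
"""Flag accounts with a burst of failed logins in MySQL error-log lines.

Added example, not code from the slides.  SAMPLE_LOG is constructed to look
like a MySQL 5.5 error log with log_warnings=2 (assumed format).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one note, a burst against root, and two isolated failures.
SAMPLE_LOG = """\
130528 10:00:01 [Note] /usr/sbin/mysqld: ready for connections.
130528 10:00:05 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
130528 10:00:05 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
130528 10:00:05 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
130528 10:00:06 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
130528 10:00:06 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
130528 10:00:06 [Warning] Access denied for user 'root'@'127.0.0.1' (using password: YES)
130528 10:05:00 [Warning] Access denied for user 'app'@'10.0.0.7' (using password: YES)
130528 11:30:00 [Warning] Access denied for user 'app'@'10.0.0.7' (using password: YES)
"""

# "YYMMDD HH:MM:SS [Warning] Access denied for user 'u'@'h'" (assumed layout;
# single-digit hours are space padded, hence \s+ between date and time).
LINE_RE = re.compile(
    r"^(?P<date>\d{6})\s+(?P<time>\d{1,2}:\d{2}:\d{2}) \[Warning\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_failures(text):
    """Yield (timestamp, user, host) for every 'Access denied' warning."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["date"] + " " + m["time"], "%y%m%d %H:%M:%S")
        yield ts, m["user"], m["host"]


def find_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, host): peak count} for accounts with at least
    `threshold` failed logins inside any sliding `window`.

    A human mistyping a password produces a handful of failures minutes
    apart; a scripted loop produces many per second, so a small threshold
    over a short window separates the two with few false alerts.
    """
    per_key = defaultdict(list)
    for ts, user, host in parse_failures(text):
        per_key[(user, host)].append(ts)

    alerts = {}
    for key, stamps in per_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits inside `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


if __name__ == "__main__":
    for (user, host), n in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {n} failed logins for {user}@{host} within 60s")
```

Run as-is the script reports only the root burst; the two failures for app, 85 minutes apart, stay below the threshold unless the window is widened. Because logging failed logins is what makes this detection possible at all, the log_warnings setting (and shipping the error log off the host) matters as much as the script.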
PostgreSQL Major Vulnerability
“Any system that allows unrestricted access to the PostgreSQL network port, such as users running PostgreSQL on a public cloud, is especially vulnerable”
• PostgreSQL team locked down the repository - Fear that work on the code would lead to a 0day exploit
• All Linux distributions needed to release the patch simultaneously
• Platform as a Service: Heroku was exposed and received the patch before others - Controversy regarding open source principles
MySQL Vulnerabilities: What to do?
• Follow them systematically in a timely manner
• Patch your system / upgrade version
• 0day exploits should trigger a major alert
• Apply best practice
• Most vulnerabilities do not apply in all cases: - Database not open to the network - --secure-file-priv option
Authentication
• Standard authentication: user/password
• Authentication plugins: - SHA256 (5.6) - PAM - Windows - Multi-factor authentication / hardware token
• Do not expose passwords on the command line or in config files (5.6)
Data traffic encryption
• SSL based
• Keys & certificates for both server and client
• OpenSSL or yaSSL as SSL library
Stored Data Encryption
• Encrypt columns through function calls
• Encrypt at the file system level - zNcrypt
• Specialized storage engines can do encryption - MyDiamo
• No Transparent Data Encryption in MySQL - No declarative way to say that a column is encrypted
• Data masking: keep your data secure for tests
Are MySQL backups secured?
• Backups are a vulnerable point - Very easy to reuse
• They should be encrypted
• Xtrabackup can encrypt backups with AES256 - Key in a keyfile
• Symmetric key? Stored where? PvK / PbK (private / public key)
Security model for developers
• No grant to access the data through SELECT
• Restrict access to: - Stored procedures - Triggers - Views
Database Proxy / Firewall
• Used to audit or implement policies at the client/server protocol level, either as a true proxy or by sniffing the protocol: - MySQL Proxy - GreenSQL / closed source - Oracle Database Firewall
• Useful to filter traffic
• They can be bypassed ;-)
Database auditing
• A mandatory requirement for compliance
• MySQL audit API available (improved by MariaDB)
• Used by: - McAfee audit plugin - Oracle Audit plugin - MariaDB Audit Plugin (work in progress)
• Associated with Database Activity Monitoring solutions
Do not neglect SQL injections
• The application is the weak point, by allowing unintended queries to be run
• F5 router hacking through embedded MySQL (now solved)
• To avoid it: - Sanitize the input - Use prepared statements
MySQL & PHP: SQL injection
$query = "SELECT * FROM customers WHERE username = '$name'";
$name_bad = "' OR 1'";
$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";
Normal: SELECT * FROM customers WHERE username = 'timmy'
Injection: SELECT * FROM customers WHERE username = '' OR 1''
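The same string-splicing mistake next to its prepared-statement fix, run against a throwaway in-memory SQLite table so the effect can be observed directly. This is an added example, not code from the slides or from any PHP project: the table, the customer names and the tautology payload are constructed here, and the delete payload is the one shown above. SQLite is used only because it ships with Python; the placeholder mechanism works the same way with MySQL drivers (they use %s rather than ?).

```python
"""Vulnerable string-built query vs. parameterised query.

Added example, not from the slides.  Sample data is constructed.
"""
import sqlite3


def make_db():
    """Constructed sample data: three customers in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO customers (username) VALUES (?)",
                     [("timmy",), ("alice",), ("bob",)])
    return conn


def lookup_vulnerable(conn, name):
    """The PHP pattern from the slide: the user-supplied name is spliced into
    the SQL text, so a quote inside it changes the statement's structure."""
    query = f"SELECT username FROM customers WHERE username = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_prepared(conn, name):
    """Prepared statement: the name travels as a bound value, never as SQL.
    Whatever quotes or keywords it contains, it is only ever compared to the
    username column."""
    query = "SELECT username FROM customers WHERE username = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def customer_count(conn):
    """Row count, used to check that no payload altered the table."""
    return conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]


NAME_OK = "timmy"
# Constructed tautology payload: closes the literal, adds an always-true OR.
NAME_BAD = "' OR '1'='1"
# The delete payload from the slide.
NAME_EVIL = "'; DELETE FROM customers WHERE 1 or username = '"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, NAME_OK))    # ['timmy']
    print(lookup_vulnerable(db, NAME_BAD))   # every row: WHERE is now always true
    print(lookup_prepared(db, NAME_BAD))     # []: nobody is literally named that
    print(lookup_prepared(db, NAME_EVIL))    # []: the DELETE text is just a value
    print(customer_count(db))                # 3: table untouched
```

With the vulnerable function the built query becomes `... WHERE username = '' OR '1'='1'`, which returns the whole table; the prepared version compares the column against the literal string and returns nothing. Note that sqlite3's execute() refuses to run a second statement in one call, so the DELETE payload would fail there by accident of the driver; that is not a defence to rely on, since other drivers and APIs do allow multi-statement execution.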
Best practice
• Have your architecture audited by a third party - Do not believe in self-evaluation - Do regular internal pen tests
• Keep informed about vulnerabilities of all your components.
• Train people, who remain the weakest point
• Keep up to date with best practices (BYOD, …)
Is your database more secure in the cloud?
• AWS / HP Cloud / Azure / …
• The same principles apply, except: - You have no clear idea of how it is internally architected and operated - Quality of isolation is not clear
• You have to trust your cloud provider and/or be more careful: - Full encryption of filesystem and backup files - Key management outside the cloud
If you detect a security breach
• Take a snapshot of the whole system - Including key elements of the architecture
• Be sure your logs are safe
• When did it first start?
• Who did it? Do not lose evidence
Thanks Q&A
[email protected] @sfrezefond
http://Serge.frezefond.com