
Open Source Databases Security

Date post: 05-Dec-2014
Upload: serge-frezefond
Description:
Open Source Databases Security, presented at the 2013 "Linux and Free/Open Source Solution" Paris conference by Serge Frezefond
Transcript
Page 1: Open Source Databases Security

Open Source Databases Security
Serge Frezefond (@sfrezefond) http://Serge.frezefond.com 29 / 05 / 2013

Serge Frezefond - Databases Security

Page 2: Open Source Databases Security

Companies are under permanent attack

• Stealing valuable data - Customer base

• Denial of Service - Make your database unresponsive

• Corruption of data - Totally or partially

• Doing transactions / money transfers on behalf of X

Cost of attacks is in millions of $

May 28th 2013 2 Serge Frezefond - Databases Security

Page 3: Open Source Databases Security

Recent attacks are not sophisticated: SQL injection

On March 27, 2011, mysql.com, the official homepage for MySQL, was compromised by a hacker using blind SQL injection.

On June 1, 2011, "hacktivists" of the group LulzSec were accused of using SQLi to steal coupons, download keys, and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users.

In July 2012 a hacker group was reported to have stolen 450,000 login credentials from Yahoo!. The logins were stored in plain text and were allegedly taken from a Yahoo subdomain, Yahoo! Voices. The group breached Yahoo's security by using a "union-based SQL injection technique".


Page 4: Open Source Databases Security

Many companies have major gaps in security

• Most use basic authentication: user / password
• Database open to IP addresses with no origin check (firewall)
• No strong authentication
• No data encryption
• No traffic encryption (SSL)
• No true auditing - Rarely any database activity audit (too costly)
• IDS rarely used
• Many of them lack a security officer who understands the criticality of databases


Page 5: Open Source Databases Security

Some companies need to fulfil extra security obligations

• PCI DSS
• SOX
• HIPAA / HITECH
• EU Data Protection Directive (right to privacy)

• Fulfilling these rules is not enough to be secure


Page 6: Open Source Databases Security

Inside vs outside is not a meaningful distinction

• Many subcontractors
• Not always happy / honest employees
• Network open to third parties to ease processes: - Partners, customers, suppliers

• Most internal databases are very critical / valuable assets (even if not part of a web-exposed application)

• BYOD policy introduces risk.


Page 7: Open Source Databases Security

Open source is a building block of secure architectures

• OpenSSL / yaSSL
• OpenSSH
• Open RADIUS
• OpenLDAP
• PAM
• PKI (EJBCA, OpenCA)
• Key management (StrongAuth)
• 2-factor authentication / OTP
• IDS (Suricata)


Page 8: Open Source Databases Security

The database is a key part of an architecture

• When data is destroyed or corrupted it is very difficult or impossible to restore.
• The impact on image is important - Many companies prefer silence

• Data needs to be exposed anyway: to be manipulated / shared / saved / tested / audited

Financial impact of this kind of attack is huge


Page 9: Open Source Databases Security

All open source databases are vulnerable

• PostgreSQL: - Has suffered major issues recently (April 2013)

• MySQL: - Has suffered major issues recently

• SQLite: no real security model as the target is embedded - Cipher solutions available

• NoSQL / Big Data databases: very weak security models


Page 10: Open Source Databases Security

MySQL Vulnerabilities

• CVE-2012-5613 (a 0day exploit)
• MySQL 5.5.19 and …, when configured to assign the FILE privilege to users who should not have administrative privileges, allows remote authenticated users to gain privileges by leveraging the FILE privilege to create files as the MySQL administrator.

Consequence: create a user with FULL ACCESS to the database


Page 11: Open Source Databases Security

MySQL Vulnerabilities

• CVE-2012-5611
• Stack-based buffer overflow in the acl_get function in Oracle MySQL 5.5.19 and other versions ... allows remote authenticated users to execute arbitrary code via a long argument to the GRANT FILE command.

Consequence: execute arbitrary code


Page 12: Open Source Databases Security

MySQL Vulnerabilities

• CVE-2012-2122: a simple loop gives root access:

• $ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done

• mysql>
• Root cause: the assumption that the memcmp() function would always return a value within the range -128 to 127

Consequence: able to log in as root to the database


Page 13: Open Source Databases Security

PostgreSQL Major Vulnerability

"Any system that allows unrestricted access to the PostgreSQL network port, such as users running PostgreSQL on a public cloud, is especially vulnerable"

• The PostgreSQL team locked down the repository - Fear that the code work would lead to a 0day exploit

• All Linux distributions needed to release the patch simultaneously

• The Platform-as-a-Service provider Heroku was exposed and received the patch before others: - Controversy regarding open source principles


Page 14: Open Source Databases Security

MySQL vulnerabilities: what to do?

• Follow them systematically, in a timely manner
• Patch your system / upgrade the version
• 0day exploits should trigger a major alert
• Apply best practice
• Most vulnerabilities do not apply in all cases: - database not open to the network - --secure-file-priv option


Page 15: Open Source Databases Security

Authentication

• Standard authentication: user/password
• Authentication plugins - SHA256 (5.6) - PAM - Windows - Multi-factor authentication / use a hardware token

• Do not expose passwords on the command line or in conf files (5.6)


Page 16: Open Source Databases Security

Data traffic encryption

• SSL based
• Keys & certificates for both server and client
• OpenSSL or yaSSL as SSL library


Page 17: Open Source Databases Security

Stored Data Encryption

• Encrypt a column through a function call
• Encrypt at the file system level - zNcrypt

• A specialized storage engine can do encryption - MyDiamo

• No Transparent Data Encryption in MySQL - No declarative way to say that a column is encrypted

• Data masking: keep your data secure for tests


Page 18: Open Source Databases Security

Are MySQL backups secured?

• Backups are a vulnerable point - Very easy to reuse

• They should be encrypted
• Xtrabackup can encrypt backups with AES256 - Key in a keyfile

• Symmetric key? Stored where? Private key / public key (Pvk / PbK)


Page 19: Open Source Databases Security

Security model for developers

• No grant to access the data through SELECT
• Restrict access to: - Stored procedures - Triggers - Views
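As an added example (not from the slides), one way to build this model on MySQL: the developer account reads through a view and writes through a stored procedure, never the base table, and is also required to connect over SSL as the traffic-encryption slide recommends. The shop database, the customers table, the dev account and its host range are constructed for illustration.

```sql
CREATE DATABASE IF NOT EXISTS shop;
USE shop;

-- Constructed table; card_last4 and balance must stay out of developers' reach.
CREATE TABLE customers (
  id         INT PRIMARY KEY AUTO_INCREMENT,
  username   VARCHAR(64)   NOT NULL UNIQUE,
  email      VARCHAR(255)  NOT NULL,
  card_last4 CHAR(4)       NOT NULL,
  balance    DECIMAL(10,2) NOT NULL DEFAULT 0
);

-- 1. A view exposing only the columns the application layer needs.
CREATE SQL SECURITY DEFINER VIEW customers_public AS
  SELECT id, username, email FROM customers;

-- 2. The one write developers may perform, with the business rule enforced
--    inside the procedure rather than trusted to application code.
DELIMITER //
CREATE PROCEDURE credit_customer(IN p_id INT, IN p_amount DECIMAL(10,2))
SQL SECURITY DEFINER
BEGIN
  IF p_amount <= 0 THEN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'amount must be positive';
  END IF;
  UPDATE customers SET balance = balance + p_amount WHERE id = p_id;
END //
DELIMITER ;

-- 3. The developer account: SSL required, no grant on the base table.
--    'dev', the host range and the password are placeholders.
CREATE USER 'dev'@'10.0.0.%' IDENTIFIED BY 'CHANGE-ME';
GRANT USAGE ON *.* TO 'dev'@'10.0.0.%' REQUIRE SSL;
GRANT SELECT  ON shop.customers_public          TO 'dev'@'10.0.0.%';
GRANT EXECUTE ON PROCEDURE shop.credit_customer TO 'dev'@'10.0.0.%';

-- 4. Check: the grant list names the view and the procedure, never shop.customers.
SHOW GRANTS FOR 'dev'@'10.0.0.%';
-- Connected as dev, a direct read of the base table is denied:
-- SELECT card_last4 FROM shop.customers;
```

Triggers fit the same pattern: they run with the definer's rights, so a developer who can only INSERT into a staging table still cannot bypass the validation a trigger performs.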


Page 20: Open Source Databases Security

Database Proxy / Firewall

• Used to audit or implement policies at the client/server protocol level, by being a true proxy or by sniffing the protocol - MySQL Proxy - GreenSQL / closed source - Oracle Database Firewall

• Useful to filter traffic
• They can be bypassed ;-)


Page 21: Open Source Databases Security

Database auditing

• A mandatory requirement for compliance
• MySQL audit API available (improved by MariaDB)
• Used by: - McAfee audit plugin - Oracle Audit plugin - MariaDB Audit Plugin (work in progress)

• Associated with Database Activity Monitoring solutions


Page 22: Open Source Databases Security

Do not neglect SQL injections

• The application is the weak point, by allowing unpredicted queries to be run

• F5 router hacking through embedded MySQL (now solved)

• To avoid it: - Sanitize the input - Use prepared statements


Page 23: Open Source Databases Security

MySQL & PHP: SQL injection

$query = "SELECT * FROM customers WHERE username = '$name'";
$name_bad = "' OR 1'";
$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";

Normal: SELECT * FROM customers WHERE username = 'timmy'
Injection: SELECT * FROM customers WHERE username = '' OR 1''
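Added example (not from the slides): the slide's query as a MySQL server-side prepared statement, with the two values from the slide bound through a placeholder instead of being pasted into the SQL text; the table and its rows are constructed. The same principle applies on the PHP side, where mysqli or PDO prepared statements bind $name rather than interpolating it.

```sql
-- Constructed data for the demonstration.
CREATE TEMPORARY TABLE customers (id INT, username VARCHAR(64));
INSERT INTO customers VALUES (1, 'timmy'), (2, 'alice');

-- Safe form: the statement text is fixed at PREPARE time. Whatever arrives
-- through the placeholder is a value to compare, never SQL to parse.
PREPARE by_name FROM 'SELECT id, username FROM customers WHERE username = ?';

-- The slide's normal case: returns the timmy row.
SET @name = 'timmy';
EXECUTE by_name USING @name;

-- The slide's $name_bad value, bound the same way: the server looks for a
-- username that literally equals "' OR 1'", so no row matches and the
-- quote characters never reach the parser.
SET @name = '\' OR 1\'';
EXECUTE by_name USING @name;

-- The slide's $name_evil value: a placeholder cannot terminate the statement,
-- so the DELETE it carries is just part of a string that matches nothing.
SET @name = '\'; DELETE FROM customers WHERE 1 or username = \'';
EXECUTE by_name USING @name;

-- Check that the table is intact: both constructed rows are still there.
SELECT COUNT(*) AS remaining FROM customers;

DEALLOCATE PREPARE by_name;
```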


Page 24: Open Source Databases Security

Best practice

• Have your architecture audited by a third party - Do not believe in self-evaluation - Do regular internal pen tests

• Keep informed about vulnerabilities in all your components.

• Train people, who remain the weakest point
• Keep up to date with best practices (BYOD, …)


Page 25: Open Source Databases Security

Is your database more secure in the cloud?

• AWS / HP Cloud / Azure / …
• The same principles apply, except: - You have no clear idea of how it is internally architected and operated - Quality of isolation is not clear

• You have to have confidence in your cloud provider and/or be more careful: - Full encryption of filesystem and backup files - Key management outside the cloud


Page 26: Open Source Databases Security

If you detect a security breach

• Take a snapshot of the whole system - Including key elements of the architecture

• Be sure your logs are safe
• When did it first start?
• Who did it: do not lose evidence


Page 27: Open Source Databases Security


Thanks Q&A

[email protected] @sfrezefond

http://Serge.frezefond.com

