Information Security Analytics Dr. Bhavani Thuraisingham The University of Texas at Dallas Attacks to Databases October 2011

Outline of the Unit 1. Brute-force (or not) cracking of weak or default usernames/passwords 2. Privilege escalation 3. Exploiting unused and unnecessary database services and functionality 4. Targeting unpatched database vulnerabilities 5. Stolen backup (unencrypted) tapes 6. SQL injection http://www.darkreading.com/security/encryption/211201064/index.ht ml

Brute-force (or not) cracking of weak or default usernames/passwords Older versions of Oracle and others database systems used well known default passwords New versions have changed this practice and don’t allow database systems to keep default passwords Even unique, non-default database passwords aren’t hacker-safe – with Bruce Force attacks and password cracking tools Steer clear of default passwords, and institute tight password management and regular change-ups.

Privilege Escalation There have been several insider attacks that came as a result of a malicious user possessing more system privileges than he or she should have had. Outside attackers sometimes have higher-level privileges by compromising the operating system. Privilege escalation usually has more to do with misconfiguration: A user is mistakenly granted more access and privileges on the database or related applications than he actually needs to do his job. Sometimes an inside attacker (or an outsider who has taken over a victim’s machine) can go from one application to the database, even if he doesn't have database credentials. Solution: Give users only the access and rights they need on the database, nothing more

Exploiting unused and unnecessary database services and functionality One of the first things an outside attacker will look for is whether his potential victim is running the Listener feature on its Oracle database. Listener seeks out and forwards network connections to the Oracle database, and thus can expose users and database links. Via Google, an attacker can search and find exposed Listener services on databases. Other features, such as hooks between operating systems and the database, can leave the database exposed to an attack. Such a hook can become a communications link to the database. Often, database administrators run too many services and services may be open up to vulnerabilities Solution: Install only the database features you need.

Targeting unpatched database vulnerabilities Oracle and other database vendors patch their vulnerabilities. However difficult for organizations to keep up with the patches Database vendors are careful not to disclose many details about the vulnerabilities and their patches fix so that attackers are not notified Some hacker sites post exploit scripts for known database vulnerabilities Solution: Organizations must be vigilant about installing patches in a timely manner.

Stolen backup (unencrypted) tapes If the database data on the stolen are not encrypted and the tapes get into the wrong hands then there is a huge problem But this type of attack is more likely to occur with an insider selling the media to an attacker. Solution: Encrypt the critical data. Use a safe for sensitive database tapes

SQL Injection SQL injection attacks occur where the fields available for user input let SQL statements through to query the database directly. Outside of the client, Web applications typically are the weakest link. In some cases, if the attacker gets a screen on the application for username and password, all he has to do is provide a SQL statement or database command and that goes directly to the database If the application does not examine the content of the logon. “The problem is that the authentication and authorization has been moved to the application server. Now instead of a user name, it is a SQL command put into a packet and sent by the application server to the database. The database reads the SQL command, and it could shut down a database altogether

SQL Injection Solution is to look at the content the user is providing. SQL injection attacks can occur both from the Web application to the database, and from within the database itself. There are some programming practices that help prevent SQL injection flaws in applications, such as using what are called “bind variables,” or parameters for queries. In languages such as Java, that means using question marks as placeholders in the SQL statement and binding the “received” values to those placeholders Another practice is to avoid displaying certain database error messages to avoid giving away potentially sensitive information to a would-be attacker

SQL Injection Conasier ing a very simple web application that processes customer orders. Suppose Acme Widgets has a simple page for existing customers where they simply enter their customer number to retrieve all of their current order information. The page itself might be a basic HTML form that contains a textbox called CustomerNumber and a submit button. When the form is submitted, the following SQL query is executed: SELECT * FROM Orders WHERE CustomerNumber = CustomerNumber The results of this query are then displayed on the results page. During a normal customer inquiry, this form works quite well.

SQL Injection Suppose John visits the page and enters his customer ID (14). The following query would retrieve his results: SELECT * FROM Orders WHERE CustomerNumber = 14 However, the same code can be a dangerous weapon in the hands of a malicious user. Imagine that Mal comes along and enters the following data in the CustomerNumber field: “14; DROP TABLE Orders”. This would cause the following query to execute: SELECT * FROM Orders WHERE CustomerNumber = 14; DROP TABLE Orders

SQL Injection Solutions: Implement parameter checking on all applications. For example, if you’re asking someone to enter a customer number, make sure the input is numeric before executing the query. You may wish to go a step further and perform additional checks to ensure the customer number is the proper length, valid, Limit the permissions of the account that executes SQL queries. The rule of least privilege applies. If the account used to execute the query doesn’t have permission to drop tables, the table dropping will not succeed! Use stored procedures (or similar techniques) to prevent users from directly interacting with SQL code. As with many security principles, an ounce of prevention is worth a pound of cure. Take the time to verify the code running on your servers

Analysis of Feldman et al Malicious software running on a single voting machine can steal votes with little if any risk of detection. The malicious software can modify all of the records, audit logs, and counters kept by the voting machine, so that even careful forensic examination of these records will find nothing amiss. The authors have constructed demonstration software that carries out this vote-stealing attack. Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software using a simple method that takes as little as one minute. In practice, poll workers and others often have unsupervised access to the machines.

Analysis of Feldman et al AccuVote-TS machines are susceptible to voting-machine viruses; computer viruses that can spread malicious software automatically and invisibly from machine to machine during normal pre- and post election activity. Authors have constructed a demonstration virus that spreads in this way, installing their demonstration vote-stealing program on every machine it infects. While some of these problems can be eliminated by improving Diebold’s software, others cannot be remedied without replacing the machines’ hardware. Changes to election procedures would also be required to ensure security.