Presentation is loading. Please wait.

Presentation is loading. Please wait.

Effective Database Defense Hacking The Big 4 Databases Frank Grottola VP – North American Sales.

Published byAlondra Hockey Modified over 10 years ago

Similar presentations

Presentation on theme: "Effective Database Defense Hacking The Big 4 Databases Frank Grottola VP – North American Sales."— Presentation transcript:

1 Effective Database Defense Hacking The Big 4 Databases Frank Grottola VP – North American Sales

2 Application Security Inc. All rights reserved. Confidential2Agenda  Data, Databases, Data Theft  Database Attack Examples – Oracle: Stealth Password Cracking – SQL Server: Escalate a Database Owners Privileges to Sys Admin – Sybase: Escalate Any User’s Privileges to Sys Admin – DB2: Create Remote OS Admin Users  Database Security Top 10 Checklist  How to Protect Your Databases with DbProtect

3 Application Security Inc. All rights reserved. Confidential3 Data, Databases, Data Theft Over 90% of records stolen from databases (Verizon DBIR) Over 330,000,000 records stolen in 2011 (DataLossDB) Over 330,000,000 records stolen in 2011 (DataLossDB) Too many organizations have failed to take database security seriously.

4 Application Security Inc. All rights reserved. Confidential4 Did You Know?

5 Application Security Inc. All rights reserved. Confidential5 So….Is Anyone Actually Surprised?

6 Application Security Inc. All rights reserved. Confidential6 Default and Weak Passwords Not only DBMS have own default accounts, but applications install them too Default accounts are never good Just google “ password cracker” – dozens of them out there Names, places, dictionary words make poor passwords Rainbow tables make anything under 7 or 8 characters weak Weak passwords can be cracked If you’re not watching, an attacker can guess passwords all day Database login activity seldom monitored

7 Application Security Inc. All rights reserved. Confidential7 User/Password the Same: DBSNMP Default Account Examples User: sys / Password: change_on_install User: scott / Password: tiger User: SA / Password: null User: db2admin / Password: db2admin User: db2as / Password: ibmdb2 User: root / Password: null User: admin / Password: admin User: SA / Password: null User/Password the Same: DATABASE SECURITY NOT MY PROBLEM

8 Application Security Inc. All rights reserved. Confidential8 Attacking Oracle  Attack Target: – Oracle 11g Release 2  Privilege Level: – Any user on the network  Outcome: – Obtain any user’s password (login as SYS)  Vulnerabilities Exploited: – Oracle Stealth Password Cracking  Reported by: – Esteban Martinez Fayo - Team SHATTER - AppSecInc  Patched by Vendor: – Oct 2012 CPU

9 Application Security Inc. All rights reserved. Confidential9 Attacking Oracle: Failed Login + Packet Capture

10 Application Security Inc. All rights reserved. Confidential10 Attacking Oracle: Run Password Brute Force Tool

11 Application Security Inc. All rights reserved. Confidential11 Attacking Oracle: Login As SYS

12 Application Security Inc. All rights reserved. Confidential12 Attacking Oracle

13 Application Security Inc. All rights reserved. Confidential13 Attacking MS SQL Server: SQL Injection  Attack Target: – Microsoft SQL Server 2008  Privilege Level: – CREATE DATABASE  Outcome: – Full control of SQL Server (become SA)  Vulnerabilities Exploited: – Privilege escalation via SQL injection in RESTORE function  Reported By: – Martin Rakhmanov – Team SHATTER – AppSecInc  Patched By Vendor: – Unpatched

14 Application Security Inc. All rights reserved. Confidential14 Attacking Sybase  Attack Target: – Sybase ASE v15.5  Privilege Level: – Login only  Outcome: – Full control of Sybase server (become SA)  Vulnerabilities Exploited: – Privilege escalation via SQL injection in DBCC IMPORT_METADATA  Reported by: – Martin Rakhmanov - Team SHATTER - AppSecInc  Patched by Vendor: – Sybase ASE 15.7 ESD #2 (Sept 2012)

15 Application Security Inc. All rights reserved. Confidential15 Attacking DB2  Attack Target: – IBM DB2 LUW v9.7 (Windows only)  Privilege Level: – Login only  Outcome: – Full control of database and the server it runs on (become OS admin)  Vulnerabilities Exploited: – Arbitrary Code Execution in SQLJ.DB2_INSTALL_JAR  Reported by: – Martin Rakhmanov - Team SHATTER - AppSecInc  Patched by Vendor: – DB2 9.1 FixPack 12 – August 2012

16 Application Security Inc. All rights reserved. Confidential16 Database Security Top 10 Checklist 1: Inventory Databases2: Tag Critical Systems3: Change Default Passwords4: Implement Strong Password Controls5: Enact and Enforce Patch Management Policies6: Maintain and Enforce Configuration Standards7: Document and Enforce Least Privilege Controls8: Audit Privileged Access9: Monitor For and Respond To Attacks10: Encrypt Sensitive Data – At Rest and In Motion

17 Application Security Inc. All rights reserved. Confidential17 A Process To Secure Your Databases Precision Security DbProtect

18 Application Security Inc. All rights reserved. Confidential18 Team SHATTERSecurity Heuristics of Application Testing Technology for Enterprise Research http://www.teamshatter.com Top 10 Database Vulnerabilities http://www.teamshatter.com/topics/general/team-shatter- exclusive/top-10-database-vulnerabilities-and-misconfigurations/ BookPractical Oracle Security By Josh Shaul CTO, Application Security, Inc.References Josh Shaul Chief Technology Officer Application Security, Inc.

Download ppt "Effective Database Defense Hacking The Big 4 Databases Frank Grottola VP – North American Sales."

Similar presentations

PAM4Exchange Date Metalogix – Training Documentation.

PAM4Exchange Date Metalogix – Training Documentation.
Patch Management Patch Management in a Windows based environment

Patch Management Patch Management in a Windows based environment
Module XIV SQL Injection

Module XIV SQL Injection
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any.

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any.
Yahoo! In South America South America Interconnection LACNIC XIII 2010.

Yahoo! In South America South America Interconnection LACNIC XIII 2010.
© 2008 Security-Assessment.com 1 Time Based SQL Injection Presented by Muhaimin Dzulfakar.

© 2008 Security-Assessment.com 1 Time Based SQL Injection Presented by Muhaimin Dzulfakar.
© 2009 Virtual Computer Inc. – Company Confidential1 Maintaining a Desktop SLA.

© 2009 Virtual Computer Inc. – Company Confidential1 Maintaining a Desktop SLA.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
1 System Level Verification of OCP-IP based SoCs using OCP-IP eVC Himanshu Rawal eInfochips, Inc.,4655 Old Ironsides Drive, Suite 385,Santa Clara, CA 95054.

1 System Level Verification of OCP-IP based SoCs using OCP-IP eVC Himanshu Rawal eInfochips, Inc.,4655 Old Ironsides Drive, Suite 385,Santa Clara, CA
Data. Insight. Action. © 2011-2012 DataXu, Inc. Privileged & Confidential1.

Data. Insight. Action. © DataXu, Inc. Privileged & Confidential1.
ProQuest Confidential1 ProQuest Agricultural Journals Marika Janouskova Area Sales Manager.

ProQuest Confidential1 ProQuest Agricultural Journals Marika Janouskova Area Sales Manager.
CONFIDENTIAL1 Good Afternoon! Let's get started learning about COMPARING AND ORDERING DECIMALS Choose the letter of the point that corresponds to each.

CONFIDENTIAL1 Good Afternoon! Let's get started learning about COMPARING AND ORDERING DECIMALS Choose the letter of the point that corresponds to each.
Introducing ClientTrack 13 1Company Confidential WEBINAR SERIES | August 15, 2013 Presentation will be recorded Callers muted Written questions are welcome.

Introducing ClientTrack 13 1Company Confidential WEBINAR SERIES | August 15, 2013 Presentation will be recorded Callers muted Written questions are welcome.
13 Copyright © Oracle Corporation, 2001. All rights reserved. Controlling User Access.

13 Copyright © Oracle Corporation, All rights reserved. Controlling User Access.
An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.

An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.
Understand Database Security Concepts

Understand Database Security Concepts
SPEAKER BLITZ ERIC BROWN Senior Systems Engineer NICK JAVANOVIC DoD Regional Sales Manager.

SPEAKER BLITZ ERIC BROWN Senior Systems Engineer NICK JAVANOVIC DoD Regional Sales Manager.
Securing Oracle Databases CSS-DSG JTrumbo. Audit Recommendations -Make sure databases are current with patches. -Ensure all current default accounts &

Securing Oracle Databases CSS-DSG JTrumbo. Audit Recommendations -Make sure databases are current with patches. -Ensure all current default accounts &
Cryptography and Network Security Chapter 20 Intruders

Cryptography and Network Security Chapter 20 Intruders
Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Software Security Threats Threats have been an issue since computers began to be used widely by the general public.

Similar presentations

Ads by Google