Published on March 5, 2014
Osama Mustafa Senior Oracle DBA Gurus Solutions
Overview • Introduction • Why Database security is important ? • How Database Are hacked ? • How to Protect against Database Attack ? • Conclusion • Reference • Q&A
Who Am I ? • • • • • • Certified OCP,OCE,OCS 10g,11g Oracle ACE Certified Ethical hacker / LPT Sun / Linux Certified Author Of Oracle Penetration testing book Presenter & Contributor in Oracle Community . email@example.com @OsamaOracle http://osamamustafa.blogspot.com Osama Mustafa
GoogIe Search Without Oracle With Oracle
Introduction • 10 January 2014 Target data theft affected 70 million customers. • Data Theft is Becoming Major Threat. • Data Theft is Bank of gold. • 90% of companies say they've been hacked. • Most of the Target Data are Personal Stuff Such as Credit Card, Account Number, and Passwords.
Introduction Revising the Top 10 Data Loss Incidents list
Introduction “Your Personal Data is Worth Pretty Penny, But it All Depends On Who Wants it” TrendMicro Average for personal Data Between 0$-1200$ If you want to know how much your Personal Data Worth Check this Website : http://www.ft.com/cms/s/2/927ca86e-d29b-11e2-88ed00144feab7de.html#axzz2ukFAZIUF
Introduction • In 2012 Report from Verizon Data Indicate that 96% of Records breached are from database. • Less Than 5% of Security Spend on Data Center (WW Security Products ) . Data Center 5% 95%
Why Database Security Is Important • Database is the most important Data Banking : • Financial Data • Client/Customer Data • Corporate/organization Data. • If the database stop working the company will lose money. • If the database is getting hacked, imagine what happened to the company.
Why Database Security Is Important • Ensure the data is confidential, and prevent any outsourcing modification. • Secure database provide an additional benefit which is data management become more efficient and effective. • Access to database should be only restricted to authorized people only unless one thing it’s Public Database. • Secure Database leads to monitor activity and knows authorized people.
Laws about Security • SOX Sarbanes Oxley • “protect investors by improving reliability of corporate” • PCI Payment Card industry • Related to Credit card companies such as Visa, Master card. • GLBA Gramm Leach Bliley Act • companies that offer consumers financial products or services like loans. • DATA Data Accountability and Trust Act • security policies and procedures to protect data containing personal information
How Database are Hacked ?
How Database are Hacked ? • As Database Administrator you need to know Threats that can effect on your database. • Definition of threats : context of computer security, refers to anything that has the potential to cause serious harm to a computer system. A threat is something that may or may not happen, but has the potential to cause serious damage. Threats can lead to attacks on computer systems, networks and more. • Vulnerability: Existence of a weakness design or implementation error that Existence of a weakness, design, or implementation error that can lead to an unexpected and undesirable event compromising the security of the system
Elements Of Security • Confidentiality : • The concealment of information or resources. • Authenticity • The identification and assurance of the origin of information. • Integrity • The trustworthiness of data or resources in terms of preventing improper and unauthorized changes. • Availability • The ability to use the desired information or resource
Triangle of Security Decide Before Moving The Ball
What The Hacker Do ? • Gather Information • Active : Directly Such as social engineering • Passive : Google search, Social media • Scanning : • use some tools for scan vulnerabilities of the system. • Gaining Access: • Penetration Phase, continue attacking to explore deeper into the target network. • Maintaining Access • Downloading Phase • Clearing Tracks “The more the hacker learns about your internal operations means the more likely he will be intrude and exploit. So be Secure.”
Attack Oracle-Database Server • Database servers are usually hacked to get the critical information • Mistakes made by the web designers can reveal the databases of the server to the hacker • Finding an Oracle database server on network is done using TCP port scan • Once Oracle Database Server has been discovered, First Port of call is TNS Listener.
Top Threats Effect on Database Server • Unused Privileges:• When user are Granted Database access Privileges that exceed requirement of their job these Privileges can lead to major issue if the user was know what he is doing. • • • • • • • • REVOKE CREATE DATABASE LINK FROM connect; REVOKE EXECUTE ON utl_tcp FROM public; REVOKE EXECUTE ON utl_smtp FROM public; REVOKE EXECUTE ON utl_http FROM public; REVOKE EXECUTE ON utl_mail FROM public; REVOKE EXECUTE ON utl_inaddr FROM public; REVOKE EXECUTE ON utl_file FROM public; REVOKE EXECUTE ON dbms_java FROm public;
Top Threats Effect on Database Server • http://support.oracle.com • Review database user privileges • Note 1020286.6 - Script to Create View to Show All User Privs Note 1050267.6 - SCRIPT: Script to show table privileges for users and roles Note 1020176.6 - SCRIPT: Script to Generate object privilege GRANTS • Revoke privileges from PUBLIC where not necessary • Note 247093.1 - Be Cautious When Revoking Privileges Granted to PUBLIC Note 234551.1 - PUBLIC Is it a User, a Role, a User Group, a Privilege ? Note 390225.1 - Execute Privileges Are Reset For Public After Applying Patchset
Top Threats Effect on Database Server • Weak Authentication • Most common Default Password for Database Username Password Sys Manager Sys System Sys Oracle System Same as sys Apps Apps ( EBS User ) scott tiger Oracle Default Password List By Pete Finnigan http://www.petefinnigan.com/default/default_password_list.htm
Voyager Beta worm • On 20-december 2005 an anonymous poster (firstname.lastname@example.org ) posted an variant of the Oracle Voyager Worm. • Read more About this Worm : • http://www.red-database-security.com/advisory/oracle_worm_voyager.html • attacks Oracle servers using default accounts and password • It attempts a TCP connection to TCP Port 1521 Where oracle connection Service listens. • If Ok Then Tries Series of Username and password • System/manager, sys/change_on_install , dbsnmp/dbsnmp, scott/tiger. • Authenticate Ok , It will create table to transfer payload.
Top Threats Effect on Database Server • Denial of service (DoS) :• Common DoS techniques include buffer overflows, data corruption, network flooding, and resource consumption. • It is an attack through which a person can render a system unusable or significantly slow it down for system unusable, or significantly slow it down for legitimate users, by overloading its resources. • Attackers may: • Attempt to flood a network, thereby preventing legitimate network traffic. • Attempt to disrupt connections between two machines thereby Attempt to disrupt connections between two machines, thereby preventing access to a service. • Attempt to prevent a particular individual from accessing a service. • Attempt to disrupt service to a specific system or person.
Top Threats Effect on Database Server • The Impact:• Disabled network • Disabled organization • Financial loss • Loss of goodwill • DoS Attack Classification:• • • • • Smurf :- Generates a large amount of ICMP echo (ping) Buffer Overflow Attack :- The program writes more information into the buffer. Ping of death :- Send IP Packets larger than the 65,536 Bytes. Teardrop :- IP Requires that packet that is too large for next Router. SYN Attack :- Sends bogus TCP SYN requests to a victim server.
Top Threats Effect on Database Server • Examples DoS Attack Tools :• • • • • • • • • • • Jolt2 Bubonic.c Land and LaTierra Targa Blast20 Nemesy Panther2 Crazy Pinger Some Trouble UDP Flood FSMax
Top Threats Effect on Database Server • SQL Injection • type of security exploit in which the attacker "injects" Structured Query Language (SQL) code through a web form input box to gain Structured Query Language (SQL) code through a web form input box, to gain access to resources, or make changes to data • Programmer use sequential commands with user inputs making it easier for attackers to inject commands. • Attacker can do SQL Commands through web application. • For Example when a user logs onto a web page by using a user name and password for validation a SQL query is user name and password for validation, a SQL query is used. • What I Need Any Web Browser.
Top Threats Effect on Database Server • What Should I look For in SQL Injection ? • HTML method • POST you cannot see any parameters in browser. • GET • Check HTML Source Code. <Form action=search.asp method=post> <input type=hidden name=X value=Z> </Form> • Examples • http:// www.mywebsite.com /index.asp?id=10
Top Threats Effect on Database Server If you get this error, then the website is vulnerable to an SQL injection attack
Top Threats Effect on Database Server • But Wait How Can I Test SQL Injection !!! • Different Way, Different Tools • Easy Way to use Single Quote in the input • Examples : • • blah’ or 1=1— • Login:blah’ or 1=1— • • Password:blah’ or 1=1— http:// www.mywebsite.com /index.asp?id=10 Will be like this http:// www.mywebsite.com/index.asp?id=blah’ or 1=1--
Top Threats Effect on Database Server • Another examples for single quote usage in SQL Injection : • ‘ or 1=1— • “ or 1=1— • ‘ or ‘a’=‘a • “ or “a”=“a • ‘) or (‘a’=‘a) • The hacker breaks into the system by injecting malformed SQL into the query because the executed query is formed by the concatenation of a fixed string and values entered by the user: • string strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUser.Text + "' AND Password='" + txtPassword.Text + "'";
Top Threats Effect on Database Server • If the user enter valid username and password the query strQry will be changed Like this : SELECT Count(*) FROM Users WHERE UserName='Paul' AND Password='password‘ • But The Hacker will not leave weak code Alone and he will enter :' Or 1=1 – • The New Query Will be SELECT Count(*) FROM Users WHERE UserName='' Or 1=1 --' AND Password='' • 1=1 is always true for every row in the table, so assuming there is at least one row in the table this SQL always return nonzero count of records.
Top Threats Effect on Database Server • Weak Audit Trail
Top Threats Effect on Database Server Performance impacts. Determine what is important to be audited. Limited Resource. Which Mechanism Of Audit Trail I should Use ? No End-To-End Auditing
Top Threats Effect on Database Server
Top Threats Effect on Database Server • Whether database auditing is enabled or disabled, Oracle will always audit certain database actions into the OS audit trail. There is no way to change this behavior because it is a formal requirement of the security evaluation criteria. Documents Every DBA Should Read • • • • • NOTE:174340.1 - Audit SYS User Operations (How to Audit SYSDBA) NOTE:553225.1 - How To Set the AUDIT_SYSLOG_LEVEL Parameter? NOTE:1299033.1- Master Note For Oracle Database Auditing Note 174340.1 - Audit SYS User Operations note 1171314.1 Huge/Large/Excessive Number Of Audit Records Are Being Generated In The Database • Note 1509723.1 - Oracle Database Auditing Performance
Top Threats Effect on Database Server • Malware • is software designed to infiltrate or damage a computer system without the owner's informed consent The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. Report From Verizon Data:“69% breaches incorporated malware” http://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-DataBreach-Report-2012.pdf
Top Threats Effect on Database Server • Malware includes computer viruses, worms, trojan horses, spyware, adware, most rootkits, and other malicious programs. In law, malware is sometimes known as a computer contaminant, in various legal codes.
Top Threats Effect on Database Server Most Common Ports:Name Protocol Ports Back Office UDP 31337 Or 31338 Deep Throat UDP 2140 and 3150 Net Bus TCP 12345 and 12346 Whack-a-mole TCP 12361 and 12362 Net Bus 2 Pro TCP 20034 Girlfriend TCP 21544 Master Paradise TCP 3129, 40421, 40422, 40423 and 40426 Windows : netstat –an | findstr <port number> Linux : netstat –an | grep <port number>
Top Threats Effect on Database Server • Storage/Backup Media Exposure • When data is saved to tape, you want to be confident that data will be accessible decades from now, as well as tomorrow. • Backup database storage media is often completely unprotected from attack. As a result, several high profile security breaches have involved theft of database backup tapes and hard disks. • Always Remember Company Data Means Money to another Person.
Top Threats Effect on Database Server • Unpatched Database • Oracle Provide Something Called Critical Patch Updates. • Critical Patch Updates are collections of security fixes for Oracle products. • They are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are: • • • • • 17th day of January. 15 April 2014 15 July 2014 14 October 2014 20 January 2015 http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Top Threats Effect on Database Server
Top Threats Effect on Database Server • Another Thing should be follow and Monitored which is : • Security Alerts • Oracle will issue Security Alerts for vulnerability fixes deemed too critical to wait for distribution in the next Critical Patch Update
Top Threats Effect on Database Server • Unsecure Sensitive Data:• Who has access to company data ? • Dose the company meet requirement ? • What Will make the Hacker Rich ? • What Could damage the reputation of the organization ?
Top Threats Effect on Database Server • Limited Education/Trained end users:• Humans are the weakest link in the information security. • The errors committed by the human elements of an organization remain a major contributor to data loss incidents worldwide. • What do we want to accomplish by making users aware of security? • • • • Encourage safe usage habits and discourage unsafe behavior Change user perceptions of information security Inform users about how to recognize and react to potential threats Educate users about information security techniques they can use
Top Threats Effect on Database Server • Challenges:• • • • Delivering a desired message to the end-user. Motivating users to take a personal interest in information security. Giving end user security awareness a higher priority within organizations. No Budget in the company for Security Awareness.
How to Secure Database • What Should I Do to Secure Database ? • Set a good password policy • No password reuse. • Strong passwords • Keep up to date with security patches • Check Firewall level • Trusted Connection Only • Block Unused Ports • Encryption • network level • SSL • File Level Such as Backup. • Database Such As Sensitive Data. • Monitor Database • Periodically check for users with database administration privileges
How to Secure Database • audit your web applications • Misconfigurations. • Log as much as possible • Failed logins. • Permissions errors • Your Data is your money protect it. • Train IT staff on database security. • Always Ask For Professional Services.
Thanks For LAOUC email@example.com @OsamaOracle http://osamamustafa.blogspot.com Osama Mustafa
Webinar done by Osama Mustafa on March 2014 for LAOUC. ... Top Ten Oracle Database Threats by Osama Mustafa ... Oracle Database 11g XE ...
You Can Join me In LAOUC Webinar 5 March the Topic for the Webinar will be Top 10 Database Threats You can Register Here All Thanks Goes to Francisco Munoz ...
... covering essential tools for comparing and deploying Oracle database ... webinar, database development ... be a threat to database performance ...
Threat Read database password hashes from user$ ... Upcoming Webinars Oracle EBS Account Password Decryption Threat Explored Thursday, May 23rd, 2013
This is a webinar done by Arup Nanda for LAOUC and NZOUG back in 2010. ... Oracle Database Performance Tuning for Admins and Architects ...
Learn about the expansion of the Oracle Database Appliance portfolio and how Oracle can provide a pathway to the cloud. Watch the webcast. Modern Best ...
Database webinar 20100309 1. technology navigationMichigan Nonproﬁt Association for n on proﬁts 2. Website BasicsAndy Wolber andy@highwayt. org @ ...
Share Database webinar 20100309.