A security expert is warning database administrators about a
persistent loophole in database client-server communication protocols
that would allow an attacker to bypass the server's access controls
and gain access to critical files.
In his presentation to attendees at the recent Black Hat DC
conference, Amichai Shulman, chief technology officer and founder
of database-monitoring vendor Imperva Inc., explained that the
client-server protocols, which carry data and commands between
client software and database servers over TCP/IP, are ripe for
attack.
The method can be used against nearly all major brands of database
server, including IBM's DB2, Oracle's database and Microsoft's SQL
Server. The loopholes allow an attacker to manipulate structured
information in the protocol messages and work below the radar of the
database's built-in mechanisms, Shulman said.
"Using very simple changes to network messages you can deliver
SQL queries to the database server bypassing any access control in
the database server," Shulman said.
Podcast: Amichai Shulman, Security Wire Weekly, Mar. 5, 2007: In
this special edition of Security Wire Weekly from the Black Hat DC
Conference, database security expert Amichai Shulman explains why
attackers are targeting communication protocols to gain access to
critical files. Shulman, chief technology officer and founder of
Imperva, calls the threat serious and also gives mitigation steps
to defend against it.
The protocol vulnerabilities that Shulman noted currently pose
only an internal network threat, but he added that researchers are
investigating ways to exploit the flaws remotely through SQL
injection.
"This is a new threat because we're only starting to look at
these protocols. For years, they were not scrutinized by
researchers," Shulman said.
The threat can be mitigated reactively by ensuring database
management systems have up-to-date patches, or by installing a
database security gateway, he said. While Shulman represents a
vendor that sells database security gateways, analysts agree that
the threat is serious enough to warrant additional security.
In his presentation, Shulman illustrated the flaw using Oracle's
database server, showing that an attacker can bypass access
controls with a simple text editor on a client machine. He said
Oracle has released a patch.
"People are finally becoming aware that you cannot rely on
built-in database mechanisms," he said. "You need a defense line in
front of your database server."
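The "defense line in front of your database server" that Shulman describes is a gateway that understands the client-server protocol itself, checks each message for consistency before the DBMS ever parses it, and applies its own policy to the query text, independent of the database's built-in access controls. The following Python is an added illustration of that idea and is not Imperva's, Oracle's or Microsoft's code, nor a reproduction of the bypass shown at Black Hat (the page does not describe the message change involved). It uses the publicly documented TDS framing of Microsoft SQL Server (8-byte packet header, SQL Batch payload of an ALL_HEADERS block followed by UTF-16LE SQL text, per MS-TDS 7.2 and later); the sample packets are constructed inline, and the `DENIED_OBJECTS` and `DENIED_PATTERNS` policy is a hypothetical placeholder for whatever rules a real gateway would carry.

```python
"""Illustrative protocol-level inspector for SQL Server's TDS wire format,
modelled on what a database security gateway does in front of the server.
Added example, not vendor code. Assumes TDS 7.2+ framing as documented in
MS-TDS; sample packets are constructed below; the policy is hypothetical."""
import re
import struct

TDS_SQL_BATCH = 0x01
TDS_RPC = 0x03
TDS_LOGIN7 = 0x10
TDS_PRELOGIN = 0x12
HEADER_LEN = 8  # Type(1) Status(1) Length(2 BE) SPID(2 BE) PacketID(1) Window(1)

# Hypothetical policy for an application login: objects it may never touch
# and procedures that should never appear in an application-generated batch.
DENIED_OBJECTS = {"dbo.salaries", "sys.syslogins"}
DENIED_PATTERNS = [re.compile(p, re.I) for p in (r"\bxp_cmdshell\b", r"\bsp_configure\b")]


def build_sql_batch(sql: str, spid: int = 0) -> bytes:
    """Encode one single-packet SQL Batch the way a client driver would."""
    text = sql.encode("utf-16-le")
    # ALL_HEADERS: TotalLength(4) then one Transaction Descriptor header:
    # HeaderLength(4)=18, HeaderType(2)=0x0002, TxnDescriptor(8), OutstandingRequestCount(4)
    txn_header = struct.pack("<IHQI", 18, 0x0002, 0, 1)
    all_headers = struct.pack("<I", 4 + len(txn_header)) + txn_header
    payload = all_headers + text
    header = struct.pack(">BBHHBB", TDS_SQL_BATCH, 0x01, HEADER_LEN + len(payload), spid, 1, 0)
    return header + payload


def with_declared_length(pkt: bytes, declared: int) -> bytes:
    """Return a copy of pkt whose header claims a different total length (tampering helper)."""
    return pkt[:2] + struct.pack(">H", declared) + pkt[4:]


def parse_packet(pkt: bytes) -> dict:
    """Decode the TDS header and, for a SQL Batch, the SQL text. Raises ValueError on framing errors."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short packet")
    ptype, status, length, spid, pkt_id, _window = struct.unpack(">BBHHBB", pkt[:HEADER_LEN])
    if length != len(pkt):
        raise ValueError(f"declared length {length} != bytes on the wire {len(pkt)}")
    info = {"type": ptype, "status": status, "spid": spid, "packet_id": pkt_id, "sql": None}
    if ptype == TDS_SQL_BATCH:
        payload = pkt[HEADER_LEN:]
        if len(payload) < 4:
            raise ValueError("batch payload too short for ALL_HEADERS")
        total = struct.unpack("<I", payload[:4])[0]
        if total > len(payload):
            raise ValueError("ALL_HEADERS length exceeds payload")
        info["sql"] = payload[total:].decode("utf-16-le")
    return info


def inspect(pkt: bytes) -> tuple:
    """Gateway verdict ('allow'|'drop', reason) for one client-to-server packet."""
    try:
        info = parse_packet(pkt)
    except (ValueError, UnicodeDecodeError) as exc:
        return "drop", f"malformed TDS: {exc}"  # never forward what we cannot parse
    if info["type"] not in (TDS_SQL_BATCH, TDS_RPC, TDS_LOGIN7, TDS_PRELOGIN):
        return "drop", f"unexpected client packet type 0x{info['type']:02x}"
    sql = info["sql"]
    if sql is None:
        return "allow", "no batch text to check"
    lowered = sql.lower()
    for obj in DENIED_OBJECTS:
        if obj in lowered:
            return "drop", f"batch references denied object {obj}"
    for pat in DENIED_PATTERNS:
        if pat.search(sql):
            return "drop", f"batch matches denied pattern {pat.pattern}"
    return "allow", "policy ok"


if __name__ == "__main__":
    good = build_sql_batch("SELECT name FROM dbo.products WHERE id = 7", spid=51)
    bad = build_sql_batch("SELECT * FROM dbo.salaries", spid=51)
    tampered = with_declared_length(good, len(good) + 20)  # constructed inconsistent header
    for label, pkt in (("good", good), ("bad", bad), ("tampered", tampered)):
        print(label, inspect(pkt))
```

The point of the length check is that a gateway does not trust the client's framing: a message whose declared length, header block or text encoding is inconsistent is dropped before it reaches the DBMS, rather than left for the server's own parser to interpret. The policy check then runs on the decoded statement, so it applies regardless of which database login or server-side privilege the client presents.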
Database security gateway market heats up
Noel Yuhanna, a senior industry analyst at Cambridge, Mass.-based
Forrester Research Inc., said enterprises are taking the threat very
seriously. The market for database security gateways has been
steadily growing, with a number of small startups selling the
products, he said.
In addition to Imperva, Waltham, Mass.-based Guardium Inc. sells
gateways and currently has more than 250 customers, Yuhanna said.
Maynard, Mass.-based Tizor Systems is another startup in the space.
There are signs that larger security and network vendors may follow,
Yuhanna said. Cisco Systems Inc. has a stake in Guardium, and
security giant Symantec Corp. got into the business last year.
"All private data in an organization is stored in a database and
even if that organization has the best firewall, it's not good
enough," Yuhanna said. "You need to do intelligent monitoring to
prevent attackers from breaking in."
Yuhanna estimates that about 75% of database intrusions are
internal, making database monitoring a logical priority. He said
automated tools that monitor database server queries are a good fit
for DBAs because they let them monitor employee database usage
without the task becoming burdensome.
"DBAs are spending less than 7% of their time on security,"
Yuhanna said. "They don't have the time; they're doing upgrades,
migrations and tuning, so security is a lower priority and that's
why there's a need for automated solutions."