Interview: David Litchfield enters the realm of database forensics

Database security expert David Litchfield has arguably done more to further our understanding of the security limitations of Oracle and other databases than anyone else.

There cannot be many people who have put the fear of God into Oracle, but database security expert David Litchfield has arguably done more to further our understanding of the security limitations of Oracle and other databases than anyone else.

Litchfield founded NGS Software in 2001, having identified a niche in the IT security market. "I was researching buffer overflow attacks, but no one was looking at database security," he says.

This was around the time when Larry Ellison, the colourful chief executive officer of Oracle, was vying with Bill Gates as to who topped Fortune magazine's Rich List. Oracle had built a portfolio of products, which it planned to offer as Microsoft alternatives. Its flagship database was the pinnacle of Oracle's engineering excellence. In a deft marketing ploy, the company announced that its database was unbreakable.

Database flaw

However, Litchfield was about to dispel the myth - and become the thorn in Ellison's side. He demonstrated an inherent flaw in databases that could allow an intruder to take control of the database system.

Litchfield says, "Imagine an online book store where the user wants to search for a book by Charles Dickens." This produces SQL that looks something like: Select books where author is 'Charles Dickens'

Databases cannot easily differentiate between the search phrase, ie 'Charles Dickens', and SQL syntax. A SQL Injection attack simply involves replacing text in the search with SQL commands. So an intruder could simply ask the database to present (ie select) all passwords, or credit card numbers.

Identifying risks

Microsoft got caught out in a spectacular fashion on January 25 2003 with SQL Slammer, which infected over 75,000 computers in the first ten minutes of being released. Litchfield had predicted the vulnerability and demonstrated a proof of concept at the Black Hat security conference.

Microsoft released a patch, but users failed to update, assuming the database would be protected by corporate network security and the firewall. SQL Slammer demonstrated to the world that databases could be attacked. Litchfield says Microsoft learnt its lesson. "If you look at SQL Server 2005, it only had five bugs. SQL Server 2008 has zero," he says.

But what about Oracle? "Oracle failed to grasp the risk of database vulnerabilities," says Litchfield. "It has the farthest to go, but is it on the right track now?"

Errors will inevitably creep into commercial products, but database security risks can be minimised if web applications are written in a way that validates user input. Litchfield says, "Web applications must have more security and validate user input to ensure that if, for instance, the application is expecting numeric data, then only numbers are accepted from the user."

He recommends that application programmers also use host variables in their code. These act as placeholders in the database, to prevent rogue users from attempting to manipulate input data to take control of the application or database.
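To make the book-store illustration and the two recommendations concrete (input validation, and host variables as placeholders), here is an added example that is not part of the interview and not code from Litchfield or NGS Software. It uses Python's built-in sqlite3 module with a small constructed in-memory catalogue; the table, the book titles and the function names are all assumptions made for the demonstration. The unsafe function pastes the search phrase straight into the SQL, exactly the situation described above where the database cannot tell the phrase from SQL syntax; the safe function passes the phrase as a bound parameter, and the id lookup rejects anything that is not a number before it reaches the database.

```python
import re
import sqlite3


def build_store():
    # Constructed in-memory stand-in for the online book store's database.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, author TEXT)"
    )
    conn.executemany(
        "INSERT INTO books (title, author) VALUES (?, ?)",
        [
            ("Great Expectations", "Charles Dickens"),
            ("Bleak House", "Charles Dickens"),
            ("Middlemarch", "George Eliot"),
            ("Emma", "Jane Austen"),
        ],
    )
    return conn


def search_unsafe(conn, author):
    # The user's text is concatenated into the statement, so a quote
    # character in the search phrase ends the literal and whatever follows
    # is interpreted as SQL syntax rather than as part of the author name.
    sql = f"SELECT title FROM books WHERE author = '{author}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, author):
    # Host variable / bind parameter: the '?' is a placeholder in the
    # statement and the value travels separately, so the database always
    # treats it as data, never as SQL.
    sql = "SELECT title FROM books WHERE author = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (author,))]


_NUMERIC = re.compile(r"[0-9]+")


def book_by_id(conn, raw_id):
    # Input validation: this field expects numeric data, so only digits are
    # accepted from the user; anything else is rejected up front.
    if not _NUMERIC.fullmatch(raw_id):
        raise ValueError(f"rejected non-numeric book id: {raw_id!r}")
    row = conn.execute(
        "SELECT title FROM books WHERE id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_store()
    # A search phrase containing a quote, constructed to show the difference.
    crafted = "Charles Dickens' OR '1'='1"
    print("unsafe, honest input:", search_unsafe(conn, "Charles Dickens"))
    print("unsafe, crafted input:", search_unsafe(conn, crafted))
    print("safe,   crafted input:", search_safe(conn, crafted))
    print("valid id 3:", book_by_id(conn, "3"))
    try:
        book_by_id(conn, "3 OR 1=1")
    except ValueError as exc:
        print("validation:", exc)
```

With the crafted phrase, the concatenating version returns every title in the table because the condition is no longer about a single author, while the bound-parameter version returns nothing, since no author is literally named that. The same placeholder idea applies to the databases discussed in the interview: JDBC prepared statements use `?` and Oracle bind variables are written `:name`, but in each case the value is supplied separately from the statement text.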

Changes and challenges

NCC Group acquired NGS Software in 2008, leaving Litchfield free to move on to new areas of research. He says, "NGS Software had grown as large as it could. The sale has worked out well for everyone."

For Litchfield, this has meant an extended stay in Perth, and he is keen to make it permanent.

On the IT security front, SQL Injection and database security have run their course. Litchfield is now looking for a new challenge. He says, "There are hundreds of data breaches each year, but there is not a single product available that can forensically analyse a database that has suffered a data breach."

Litchfield has been developing such a product and will have a demo version available by the summer. Once the code is available Litchfield is planning to open it up for peer review.
