Black Hat 2007: Researchers highlight new database attack method

Database insecurity has been a recurring theme at the annual Black Hat conference, and this year is no exception. Among this year's presentations, researchers from Core Security Technologies will demonstrate a new attack technique cyberthieves could exploit to steal credit card and Social Security numbers.

Damian Saura and Ariel Waissbein, two researchers from the penetration testing technology firm, are showing off a technique attackers could use to gain the access rights of legitimate users and steal confidential data without having to exploit a specific software flaw.

According to Core Security CTO Ivan Arce, digital miscreants could use a so-called timing attack to lift sensitive information from database tables. He described timing attacks as a technique typically used to break cipher system implementations and pinpoint inherent weaknesses in the indexing algorithms used by most commercial database management systems. Attackers can extract private data from a database by performing record insertion operations that are typically available to all database users, including anonymous users of front-end Web applications, he said.

"Because databases are so widely used to house confidential information, it is important for security-conscious organisations to proactively identify potential database threats and start planning for appropriate countermeasures," Arce said. "While this new attack method is still far from widespread use, our research showed that the threat is plausible. It's one more possible risk database administrators have to be aware of."

As part of the presentation, Saura and Waissbein will explain how they found the attack method and demonstrate its effectiveness both in theory and by describing their experiments implementing the attack against a default MySQL database installation. They will also talk about ways to detect or prevent attacks.

Asked about defensive measures, Arce said, "If you have confidential data, don't index it. Don't use confidential data as the index key." He also suggested monitoring the database for insertion attempts. "If you see a bunch of inserts into a table over a short period, something's up," he said.

In recent years, database-related news at Black Hat has been dominated by David Litchfield, managing director at NGS (Next Generation Security) Software. He has focused mostly on flaws in Oracle databases, though last year he focused instead on flaws in IBM's Informix family of database products.

"In my opinion, database security is riddled with holes and it's the biggest problem we face in IT today," he said during the Informix presentation last year.

Other security experts have made similar statements in the last two years, pointing to an epidemic of corporate data breaches as proof.

The biggest example so far this year is the data breach at TJX Companies, where at least 45.7 million credit and debit card holders were exposed to identity fraud.