Database Security

Yuli Stremovsky
 Agenda

• Database Security
• What is GreenSQL ?
• Management Console
• Demo
• GreenSQL Roadmap
 The need

There are business SQL Injection attacks are becoming

Hackers have models that increasingly sophisticated and
become professional finance them difficult to combat.

It uses stealth
techniques to go
unnoticed for as long Hackers create
as possible. much more SQL
Injection attacks
Pricelist
 Latest Victims
• Oct 2009 - One of NASA's was vulnerable to a SQL injection attacks.
All of this despite the fact that the agency’s IT budget in fiscal year
2009 was $1.6 billion, of which $15 million was dedicated to IT
security.

• Mar 2009 & Nov 2009 - SQL injection attack exposes sensitive
customer data on Symantec web server.

• Nov 2009 - Russian cyber gang uses SQL injection attack crack deep
inside the network of a giant U.S. debit and credit-card processor.

• Nov 2009 - An SQL injection flaw has been detected on the Yahoo!
Website. The vulnerability was on the Yahoo job section.

• Dec 2009 - Wall Street Journal website, Intel, Apple

 Who uses the Database ?
CMS E-commerce

Testing
Application
connections

Wiki Replication

Forums Reporting

Blog Backup
Financial data

Database
Private data Monitoring
connections

Customer data
User

High privileged
users Administrators

Casual users Application

Users
 Using Shared Hosting Services ?
You are under attack !!!

• Hundreds of websites are on the same

database server - hundreds of attack vectors

• If your neighbor's web site database is

vulnerable, then so are you, no matter how
carefully you've vetted your own code.
 What is SQL Injection?

• Legitimate Query:
SELECT * from users
WHERE username = ‘admin’ and
password = ‘123’

• Injected SQL code:

SELECT * from users where username = ‘admin’
and password = ‘XXX’ or ‘1’=‘1’
 SQL Injection after effect

• Bypass login page

• DOS - Deny of service
• Install web shell
• Iframe injection
• Access system files
• Install db backdoor
• Theft of sensitive information / credit cards
• Additional step of the attack:
– Attack computers on the LAN
 How iframe injection works

• Automated SQL Injection

• Injecting <iframe src=http://xxxxx.com>
• User visits infected site/page
• Trojan horse drive by installation
• Your PC is controlled by black hat hackers
– Send SPAM
– Records all login information
– Records all transactions with bank websites
– Online money transfer
Buzus Trojan
 GreenSQL History

• Open Source project

• Started at 2007
• Hosted at sourceforce
• More than 30,000 downloads
• Version 1.2 - 3k downloads in it’s first month
 What is GreenSQL

• GreenSQL is a database firewall solution

• Protects against SQL injections and other
known and unknown Database attacks
• Cool web based management interface
• MySQL / PostgreSQL built in support
Database Firewall
GreenSQL – High Level Architecture

Web Apps
Client/Server Apps
Web services/ SOAP
Legacy Apps
SQL Proxy

Risk Matrix
Calculation

SQL Queries
/WL/Policy

Good / Block/
Warn / Learn

Forward and
DB Server 1 DB Server 2 DB Server 3 DB Server N Integration
 How it works?

• Reverse Proxy
• Number of databases
• Number of backend DB servers
• Deployment options:
– Can be installed together with the DB server
– Can be installed on dedicated server / VPS
 Using the Database Securely
Ecommerce
CMS
Testing
Wiki

Replication
Application
connections

Forums
Reporting

Blog Backup

Database

Monitoring
connections
User

High privileged Administrators

users
Casual users
Application
Users
GreenSQL management console
Multiple Databases / Proxies
Alert Example
 GreenSQL Advantages

• Multiple modes
– IDS/IPS / learning / Firewall
• Easy to use
• Pattern Recognition (signatures)
• Heuristics (risk calculation)
• Open Source
 GreenSQL Advantages – Cont’

• Cross Platform (any Linux and Unix system)

• Rapid Deployment (pre built packages)
• Well established (30,000 downloads and counting)
• Web application independent
• The only free security solution for MySQL
• The only security solution for PostgreSQL
• User Friendly WEB GUI/Management tool
 GreenSQL IPS / IDS

• Sensitive tables
• Multiple queries ( ; / UNION )
• SQL comments
• Empty password
• SQL tautology - true statements (1=1)
• Administrative commands
• Information disclosure commands
 But, I’m a kick ass developer
So why should I use GreenSQL

• Legacy code
• Not only Web application and web
services use your database
• Protects the database console access
• 0 day database attacks prevention
• No direct access to the database machine
 GreenSQL: Demonstration

http://demo.greensql.net/

http://www.greensql.net/sql-injection-test
 Open Source Roadmap

• Native Joomla / Drupal / Wordpres plugins

• Integrated GreenSQL Console as CMS plugin
(you will use Joomla Admin to manage GreenSQL)
• Web user name / IP address reporting in
GreenSQL alerts
• Auditing
 GreenSQL Support Program

Installation GreenSQL
Support Optimization

E-mail
Submission
Consulting

Service
portal Software
Updates
Questions
 Thank You

• Yuli Stremovsky
• [email protected]

http://blog.greensql.com
http://twitter.com/greensql