[The following is excerpted from "What Every Database Administrator Should Know About Security," a new report posted this week on Dark Reading's Database Security Tech Center.] To say that there is friction between security professionals and database administrators (DBAs) is putting it mildly. Database administrators are both the caretakers of database platforms and the managers of data. Very seldom are they also security experts. In many enterprises, the DBA and the security team find themselves at odds because the DBA is…
Category: MS SQL Server
TeamSHATTER keeps you up to date with the latest DBMS security patch levels to ensure you are protected with the latest security fixes. Last updated 3/21/2013

Oracle Edition                   | Latest Patch                        | Release Date      | Comments
Database 11g R2, 11g R1, 10g R2  | Critical Patch Update January 2013  | January 15th 2013 |
Database 10g R1                  | Critical Patch Update January 2012  | January 17th 2012 | Out of support. This was the final patch for 10gR1.
Database 9i                      | Critical Patch Update July 2010     | …                 |
I recently came upon a blog post by Adrian Lane of Securosis titled ‘Pain comes instantly – fixes come later’, in which he comments on yet another blog post ‘Pain comes instantly’ by Oracle’s CSO, Mary Ann Davidson. Anything ‘Oracle security’ always gets me curious, so I went ahead and worked my way through both articles. Let’s just say one of them is a rather lengthy read. The core point of Mary Ann Davidson’s post is an objection she has…
A mass-injection attack similar to the highly publicized LizaMoon attacks this past spring has infected more than 1 million ASP.NET Web pages, Armorize researchers said today. According to database security experts, the SQL injection technique used in this attack depends on the same sloppy misconfiguration of website servers and back-end databases that led to LizaMoon’s infiltration. “This is very similar to LizaMoon,” says Wayne Huang, CEO of Armorize, who, with his team, first reported an injected script dropped on ASP.NET…
Traditionally, Relational Database Management Systems (RDBMS) ship with an auditing tool that allows database administrators to monitor the database from a security perspective. The information provided includes which events occur (logon/logoff), which database objects are being accessed, what data is queried, and so on. The most common reason for using auditing is to determine when a database user executes some sort of SQL. The SQL statement is logged by the auditing subsystem in the form of a clear-text log file, an XML file,…
In this post I’ll discuss how SQL injection in stored procedures can be exploited in Microsoft SQL Server, Oracle and Sybase ASE databases. SQL injection is an attack that allows an unprivileged user to execute SQL code with elevated privileges, because user input is concatenated into dynamically executed SQL without proper sanitization. There are two types of SQL injection: A user having no access to the database may inject and execute SQL via some application. A user having access to…
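The elevated-privilege case described above, shown on SQL Server as an added example that is not code from the original post. The table name, procedure names and the `attacker` principal are assumed for illustration. The vulnerable procedure runs its dynamic SQL as the procedure owner (`EXECUTE AS OWNER`), so whatever the caller injects executes with dbo's rights; the hardened versions pass values as parameters to `sp_executesql` and quote identifiers with `QUOTENAME`.

```sql
-- Added example (not from the original post). Names below are assumed.

-- Vulnerable: EXECUTE AS OWNER makes the dynamic SQL run with the owner's (dbo's)
-- privileges, and @City is concatenated straight into the statement.
CREATE PROCEDURE dbo.usp_FindCustomers_Vulnerable @City nvarchar(100)
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = ''' + @City + N'''';
    EXEC (@sql);
END;
GO

-- A low-privileged caller closes the literal and appends statements that now run as dbo:
--   EXEC dbo.usp_FindCustomers_Vulnerable N'x''; ALTER ROLE db_owner ADD MEMBER [attacker]; --';
-- The string handed to EXEC becomes:
--   SELECT CustomerId, Name FROM dbo.Customers WHERE City = 'x'; ALTER ROLE db_owner ADD MEMBER [attacker]; --'

-- Hardened: the value travels as a parameter to sp_executesql, so it can never
-- terminate the literal; EXECUTE AS OWNER is dropped so the caller's own rights apply.
CREATE PROCEDURE dbo.usp_FindCustomers_Safe @City nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = @City';
    EXEC sys.sp_executesql @sql, N'@City nvarchar(100)', @City = @City;
END;
GO

-- When an identifier (table or column name) must be dynamic it cannot be a parameter:
-- validate it against the catalog and wrap it in QUOTENAME so it stays one identifier.
CREATE PROCEDURE dbo.usp_CountRows_Safe @TableName sysname
AS
BEGIN
    IF NOT EXISTS (SELECT 1 FROM sys.tables WHERE name = @TableName AND schema_id = SCHEMA_ID(N'dbo'))
    BEGIN
        RAISERROR(N'Unknown table', 16, 1);
        RETURN;
    END;
    DECLARE @sql nvarchar(max) = N'SELECT COUNT(*) FROM dbo.' + QUOTENAME(@TableName) + N';';
    EXEC sys.sp_executesql @sql;
END;
GO
```

Note that without `EXECUTE AS OWNER`, dynamic SQL inside a procedure runs in the caller's context (ownership chaining does not extend to `EXEC` / `sp_executesql`), so the injection in the first procedure would be limited to what the caller could already do; it is the combination of impersonation and string concatenation that turns a data-leak bug into privilege escalation.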
In this Q&A, Esteban talks about ERP application vulnerabilities and security issues and how they differ from those at the database level. How much of a target are ERP applications today compared with databases themselves? There are not many companies focused on ERP security and not many independent security researchers are dedicated to finding vulnerabilities in ERP software. Databases, on the other hand, have been the target of security researchers and security companies for several years now. It is important to note…
Today, we hosted a webinar to answer and clarify what the LizaMoon and Epsilon data breaches really mean to organizations and how to safeguard critical data from future threats.
While we agree Epsilon was a significant breach – we are finding more data and having conversations with folks that have actually been hit by LizaMoon – which is proving to potentially be more significant than realized.
Immediately after the webinar, my phone rang and it was a CISO telling me that his organization had been hit by LizaMoon. This CISO continued to tell me that his organization determined it was hit by LizaMoon on Friday. This CISO took snapshots and conducted analysis to confirm this attack. By Sunday, the attackers had come back and cleaned up all traces of the original attack. On Monday morning, when the CISO’s Webmaster came in and looked at his logs, he assumed this attack must have been a false positive, as there was no evidence of foul play.
In the past week, web security experts have been tracking a widespread SQL injection attack known as LizaMoon, named after the domain name of one of the various sites hosting a browser redirection payload. Most notably, content on iTunes was found to contain the injection link.
The LizaMoon attack infects web sites by injecting SQL that updates text columns in the backend database whose content is used to build the pages displayed by the web server. The injected content redirects visitors to a rogue AV vendor website that tries to install “scareware.” When redirected, visitors are presented with fake screens and prompted to purchase and download fake antivirus software.
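Both the ASP.NET mass-injection story above and the LizaMoon description come down to the same database-side symptom: string columns that now carry a foreign script reference. The following is an added example, not code from the original posts, that walks every text-like column in a SQL Server database looking for such a marker and then strips it from one column. The marker string, the `dbo.Pages` / `Body` column and the closing-tag length are constructed assumptions, not the real LizaMoon payload.

```sql
-- Added example (not from the original posts). The marker is a constructed
-- placeholder for the injected tag; table and column names are assumed.
DECLARE @marker nvarchar(200) = N'<script src=';
DECLARE @schema sysname, @table sysname, @column sysname, @sql nvarchar(max);

CREATE TABLE #hits (SchemaName sysname, TableName sysname, ColumnName sysname, RowsHit int);

-- Enumerate every column that could carry page content. This is the same catalog
-- walk a mass-injection script performs before issuing its UPDATEs.
DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
    SELECT s.name, t.name, c.name
    FROM sys.columns c
    JOIN sys.tables  t  ON t.object_id = c.object_id
    JOIN sys.schemas s  ON s.schema_id = t.schema_id
    JOIN sys.types   ty ON ty.user_type_id = c.user_type_id
    WHERE ty.name IN (N'varchar', N'nvarchar', N'text', N'ntext', N'char', N'nchar');

OPEN cols;
FETCH NEXT FROM cols INTO @schema, @table, @column;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Identifiers go through QUOTENAME and the marker is a real parameter,
    -- so the scanner cannot itself be turned into an injection vector.
    SET @sql = N'INSERT #hits SELECT @s, @t, @c, COUNT(*) FROM '
             + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE CAST(' + QUOTENAME(@column) + N' AS nvarchar(max)) LIKE N''%'' + @m + N''%'''
             + N' HAVING COUNT(*) > 0;';
    EXEC sys.sp_executesql @sql,
         N'@s sysname, @t sysname, @c sysname, @m nvarchar(200)',
         @s = @schema, @t = @table, @c = @column, @m = @marker;
    FETCH NEXT FROM cols INTO @schema, @table, @column;
END;
CLOSE cols; DEALLOCATE cols;

SELECT * FROM #hits ORDER BY RowsHit DESC;

-- Cleanup for one nvarchar(max) column, run only after reviewing #hits and taking a
-- backup: cut from the marker through the closing </script> tag (9 characters).
UPDATE dbo.Pages
SET Body = STUFF(Body,
                 CHARINDEX(@marker, Body),
                 CHARINDEX(N'</script>', Body, CHARINDEX(@marker, Body)) + 9 - CHARINDEX(@marker, Body),
                 N'')
WHERE Body LIKE N'%' + @marker + N'%'
  AND CHARINDEX(N'</script>', Body, CHARINDEX(@marker, Body)) > 0;

DROP TABLE #hits;
```

Run the scan against the snapshot taken at detection time as well as the live database: as the CISO story above shows, attackers may remove their own tags once the redirect has served its purpose, and the live copy can look clean by Monday. The cleanup statement only handles `nvarchar(max)`; legacy `text` / `ntext` columns need `UPDATETEXT` or a conversion first.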
One of the hardest problems in database security today is figuring out what privileges users actually have in a database. This problem is mostly an artifact of complicated security models such as role-based access, but it is compounded by the fact that many databases lack tools or queries to determine users’ effective privileges. Knowing users’ privileges in a database is important for maintaining regulatory compliance and lowering business risk. It allows you to assess whether or not users…
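The nested-role problem above, worked on SQL Server as an added example that is not code from the original post. A recursive CTE expands each user's role membership to any depth (including the implicit `public` role, which never appears in `sys.database_role_members`), then joins the explicit `GRANT` / `DENY` rows from `sys.database_permissions` for the user and every enclosing role. Only catalog views that exist in every supported SQL Server version are used; the depth cap of 32 is an assumed safety limit.

```sql
-- Added example (not from the original post): effective explicit permissions per user
-- after expanding nested database roles.
WITH membership AS (
    -- anchor: each user-like principal is "a member of itself" at depth 0 ...
    SELECT p.principal_id AS user_id, p.principal_id AS via_id, 0 AS depth
    FROM sys.database_principals p
    WHERE p.type IN ('S', 'U', 'G', 'E', 'X')   -- SQL user, Windows user/group, external user/group
    UNION ALL
    -- ... and of public, which the role-membership catalog does not record
    SELECT p.principal_id, DATABASE_PRINCIPAL_ID('public'), 1
    FROM sys.database_principals p
    WHERE p.type IN ('S', 'U', 'G', 'E', 'X')
    UNION ALL
    -- recurse: every role that a principal already in the chain belongs to
    SELECT m.user_id, rm.role_principal_id, m.depth + 1
    FROM membership m
    JOIN sys.database_role_members rm ON rm.member_principal_id = m.via_id
    WHERE m.depth < 32                       -- assumed cap against cyclic membership
)
SELECT u.name            AS user_name,
       v.name            AS granted_to,      -- the user itself or an enclosing role
       m.depth,
       perm.state_desc,                      -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
       perm.permission_name,
       CASE perm.class
            WHEN 0 THEN N'DATABASE'
            WHEN 1 THEN OBJECT_SCHEMA_NAME(perm.major_id) + N'.' + OBJECT_NAME(perm.major_id)
            WHEN 3 THEN N'SCHEMA::' + SCHEMA_NAME(perm.major_id)
            ELSE perm.class_desc
       END               AS securable
FROM membership m
JOIN sys.database_principals u    ON u.principal_id = m.user_id
JOIN sys.database_principals v    ON v.principal_id = m.via_id
JOIN sys.database_permissions perm ON perm.grantee_principal_id = m.via_id
ORDER BY u.name, m.depth, securable, perm.permission_name;

-- Spot-check one user against the engine's own view of effective permissions
-- (the user name is assumed):
EXECUTE AS USER = 'app_reader';
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
```

Two caveats a reviewer will want stated: a `DENY` anywhere in the chain overrides a `GRANT`, so the result set has to be read with `state_desc` in hand rather than counted; and membership in a fixed role such as `db_owner` or a server-level role confers rights that never appear as rows in `sys.database_permissions`, which is exactly why the `fn_my_permissions` cross-check is worth running for any account whose rows look too sparse.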