Monday 27 July 2009

Let the Script-Kiddies Loose – One click database hacking

Should we panic? Researchers at Black Hat have just announced plans to package their hacking knowledge so that it can become part of a generic vulnerability exploit framework Metasploit. This will definitely lower the skill level needed to attack databases so that even a script-kiddie should be able to use it.

The reality is that ‘yes’ databases are very vulnerable and that system's owners from database administrators to network security professionals should be taking action. However, the deployment posture of databases changes their threat landscape – especially for external attack. Very few databases are directly connected to the outside world as they are nearly always connected via-applications. So in this situation the standard 'pre-packaged' exploits can have limited efficacy.

It is well known that the application layers are the worst offenders for holding exploitable bugs and security issues. As each application has been built to do a specific job, each application has its unique set of security issues. With some access to the application, it does not take much effort from an attacker to get at data they should not. Web sites are simply applications that provide access to everyone – including external attackers. Databases are also threatened by insiders often using their own login account. Sometimes data is accessed inappropriately simply out of curiosity rather than out of malice whilst highly privileged users make accidental mistakes resulting in corrupted data.

So back to my question at the top – “should we panic” about script kiddies attacking our databases? No – but we must not believe our databases are effectively secured. We must take calm and consistent measures to pro-actively defend our databases from poorly written applications, nosy internal users, and the bumbling error-prone high-privileged administrator.