On Monday, November 19, 2007, David Litchfield will be releasing the Database Exposure Survey for 2007 on his databasesecurity.com website. According to CIO.com, Litchfield estimates that there are roughly 500,000 database servers on the Internet that are openly accessible (with no firewall protection).

I believe many sysadmins overlook database security believing that “no one knows its there so how could be attacked?” It’s a foolish notion. I think other admins believe that database servers are no vulnerable to attack in the same way that other services are. We hear about worms and trojans targeting desktop users, IM clients, and web applications, but less often we hear about buffer overflows in server applications. However, vulnerabilities in RDBMS services do occur, and often enough to make you worry. Remote code execution is a potential problem for any services that you can connect to directly.

Even if your database server is patched-up you have to worry about accounts on the database server. Do all your database users accounts have passwords? I have seen poor password selection on database accounts far too often. It makes my skin crawl actually. It’s hard to explain to programmers sometimes why password choice is important or sometimes even why passwords are necessary at all.

Many people believe that database servers are “behind the scenes” and inaccessible to Internet. Litchfield’s survey demonstrates how often that assumption is wrong.

Defense-in-depth applies to database security as much as any other network service:

• You need a firewall configured to deny access to your database server except to the few people that really need to connect.
• Ever account on your database should have a non-empty password and it should be a strong password.
• Accounts should have limited access to database. Read-only access should be your default. No account should have access to all your database unless necassary.
• You should monitor database access. Do you have logs showing which users logged in and when and from where?
• When put together, “limiting account access” and “monitoring” mean you should be able to tell who accessed which database from what application. Each web application should use a different account to access your databases (at the very minimum).
• Finally, you should have a process for auditing data integrity. Would you be able to tell if data in a database had been inserted or if data was invalid or inconsistent?

A UCLA student was tasered by police after being asked to leave a library computer lab and creating a disturbance on his way out. Another student in the library took a video with a cameraphone and capture some shocking footage. The police tasered the man and then demanded he get up. Bystanders pleaded with the police to let the man rest since he had be tasered. The police then threatened the man saying he would be tasered again if he did not get up. They then tasered him. Bystanders asked for police identification but none was produced.

If you are running Mozilla, Firefox, or Netscape, you need to upgrade now due to the IDN URI Buffer Overflow. In short, internationalized domain name characters in URLs can be used to compromise your PC. While this vulnerability has been known for more than a week, exploit code has been made publicly available now so it just a matter of time before we start seeing attacks based on this vulnerability.

Don’t confuse that vulnerability with another new one that affects Unix only and also affects Thunderbird.

If you are running Firefox, Mozilla, or Thunderbird on Unix (Linux, OpenBSD, MacOS-X, Solaris) you need to upgrade now. According to The SANS Institute, “This vulnerability in Mozilla/FireFox browsers and Thunderbird email client can be exploited to execute arbitrary commands on UNIX systems.” More information is available at SecurityFocus.

Go to http://www.mozilla.org/ for information on how to download the latest versions.

A common problem in security is deciding how to scan PCs that are suspected to be infected with a computer virus. One approach is to use anti-virus software already installed on the PC, however mistrust of that anti-virus software may be wise considering that there exist a number of viruses that disable or alter anti-virus software. An alternative approach is to boot the computer from some other media (CDROM, Floppy Disk, USB Mass Storage, PXE) and run an anti-virus program from that media. This approach increases the trustworthiness of the the anti-virus software but brings up the question of how to ensure that the latest anti-virus definitions are available.

Knoppix is a bootable linux distribution that comes with Clam Anti-virus and support the downloading of anti-virus definitions to a ramdisk. Thus, you can boot from the CDROM which has a complete read-only operating system installed already and then run the included virus-scanner which will get the latest virus updates over the net. This provides you with a safe and easy method to initially respond to suspected infections.

Knoppix can be obtained by direct download from a number of mirror sites or via BitTorrent.

Wireless ethernet (WI-FI) makes Internet access convenient, easy, and more pervasive. However, the nature of WI-FI exposes users to dramatically increased security risk compared to traditional ethernet connections. Wireless connections can be intercepted and “sniffed” by any party within range of the signal. An attacker need not have physical access to a victim’s computer or LAN and could even be mobile (wardriving). One way to mitigate the risk associated with wireless Internet access is to encrypt the WI-FI connection. There are several commonly supported methods for WI-FI encryption. WPA2 (aka 802.11i) is the latest method but you must download and install special software to enable WPA2 support in Windows XP.

Prior to WPA2 there were WEP and WPA. WEP has many known weaknesses. WPA is improved but it is widely reported that WPA is only secure “if you do it right.” WPA2 is the latest standard and offers improvements over WPA that make it easier to “get it right.”

WPA2 support is available under Windows XP but only if you download an install special software from Microsoft. Microsoft Support has an article that explains the process. You will need to prove that your version of Windows XP is “genuine” before you are allowed to download the WPA2 software. And how do you prove that? You need the Microsoft Genuine Advantage thingy that they recently started forcing users to install in order to get updates.

When I tried to the download the WPA2 software I was asked to copy a code from a windows dialog box into the download page. It was not at all clear what that code meant or what generated it. The bizarre public-relations-speak wording on the download page made me guess that it had something to do with the recent “windows genuine advantage” campaign and the activex control that all Microsoft customers must have in order to get software updates.

After copying the code, I was able to download the WPA2 software and install it. The install went smoothly and after a reboot I was able to switch my laptop and Linksys WRT54G wireless access point over to using WPA2.

One question that comes to mind is: why isn’t the WPA2 software available through windows/microsoft update?! The genuine advantage software seems like a genuine disadvantage if I am going to be required to manually download all software updates myself.

One final note, beyond implementing WPA2 there are others steps you can take. You can enable MAC address filtering, disable SSID broadcasting, change your pre-shared key often, and run an encrypted VPN over your encrypted wireless connection.