Friday, May 30, 2008

How to remove the "Orkut is banned" virus

A few months ago, while surfing the net and trying to open Orkut, I got a strange message on my computer screen which said “Orkut is banned you fool, The administrators didnt write this program guess who did?? MUHAHAHA!!” and the browser closed. I didn't think it was a virus, as I had AVG installed on my system and I had faith in it. I tried it on different machines which were part of the Local Area Network, and each gave the same message while opening Orkut and YouTube. Each machine had AVG or Norton installed. I ran an antivirus scan and it also didn't detect any virus or spyware. I decided to search on the net for this problem, and that's when I discovered that my computer was infected with the W32.USBWorm virus, which displayed such messages while opening Orkut and YouTube. Here are a few simple steps which you can follow to remove this virus if it has infected your system too.

* Open the Task Manager by pressing Ctrl + Alt + Del and go to the Processes tab.
* Locate svchost.exe under Image Name. There will be many processes by that name, but look for the ones which have your username under User Name. Kill these processes by pressing the Del key. Only kill those which have your username under User Name and leave the rest.
* Open the Run command, type C:\heap41a and press Enter. This is a hidden folder. Delete all the contents of this folder.
* Open the registry by typing regedit in the Run box.
* Search for heap41a in the registry using the Find command.
* You will get something like this: “[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt”. Just delete the entries by pressing the Del key.
* Close the Registry Editor.

Now the virus will be gone. The virus mainly spreads through USB disks, so be sure to delete the Autorun.inf file and any folder which has a .exe extension in the pen drive you use. Avast and NOD32 are able to detect it. Even AVG, Norton and McAfee failed to detect it.

The above-mentioned steps are not guaranteed to work every time. On one of my machines, the virus disabled the Task Manager and Registry Editor too, so I was unable to perform the above steps. In such cases, try doing a full system scan with Avast in boot mode and delete all files which are infected. If a lot of system files get infected, then you would have to format your computer to remove it successfully. The virus also spreads quickly through flash drives and the Local Area Network, so always scan flash disks in such cases.

With so many viruses being discovered every day, it becomes difficult to protect your PC completely. The best you can do to prevent such things is to use an antivirus and keep it updated. Have you ever been infected by this virus? What measures do you use to protect your PC from such malware?

copied from http://www.whoismadhur.com/2007/11/16/how-to-remove-orkut-is-banned-virus/

How to remove Virus from USB Drives

One of the ways by which a virus can infect your PC is through USB/pen drives. Common viruses such as ‘Ravmon’, ‘New Folder.exe’, ‘Orkut is banned’ etc. are spreading through USB drives. Most antivirus programs are unable to detect them, and even if they do, in most cases they are unable to delete the file, only quarantine it. Here are the things which you can do if you want to remove such viruses from your USB drives.

Whenever you plug a USB drive into your system, an autorun window will appear!

Don’t click on OK; just choose ‘Cancel’. Open the Command Prompt by typing ‘cmd’ in the Run box. In the command prompt, type the drive letter followed by a colon and press Enter. Now type dir /w/a and press Enter.

This will display a list of the files in the pen drive. Check whether the following files are there:

* Autorun.inf
* Ravmon.exe
* New Folder.exe
* svchost.exe
* Heap41a
* or any other .exe file which may be suspicious.

If any of the above files are there, then the USB drive is probably infected. In the command prompt type attrib -r -a -s -h *.* and press Enter. This will remove the Read Only, Archive, System and Hidden file attributes from all the files. Now just delete the files using the command del filename, for example del Ravmon.exe. Delete all the files that are suspicious. To be on the safer side, scan the USB drive with an antivirus program to check whether it is free of viruses. Now remove the drive and plug it in again. In most cases, the real culprit turns out to be the “Autorun.inf” file, which gets executed when someone clicks OK in the dialog window that appears above. That is how the infection spreads.
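A scripted version of the check above (look at the drive root, flag the listed names and any stray .exe, and read what Autorun.inf would launch), added here as an example; it is not code from the original post. It builds a constructed pen-drive layout in a temporary directory so it can be run safely offline, and the hidden/system attribute check only has data to work with on Windows.

```python
"""Inspect the root of a removable drive for the USB-worm indicators the post lists.

Added example (not from the original post). The drive layout it builds is
constructed for the demo; nothing written here is a real executable.
"""
import configparser
import shutil
import stat
import tempfile
from pathlib import Path

# File names the post calls out on an infected pen drive (compared case-insensitively).
KNOWN_BAD_NAMES = {"autorun.inf", "ravmon.exe", "new folder.exe", "svchost.exe", "heap41a"}
# autorun.inf keys that make Windows run something when the drive is opened or
# when the user clicks OK in the AutoPlay dialog.
EXEC_KEYS = {"open", "shellexecute"}


def parse_autorun(text):
    """Return the targets an autorun.inf would launch (open=, shellexecute=, shell\\<verb>\\command=)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:          # not even INI-shaped: nothing would be launched
        return []
    launched = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):   # ConfigParser lower-cases keys for us
            if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
                launched.append(value.strip())
    return launched


def inspect_drive(root):
    """Non-recursive look at the drive root, like `dir /w/a`, returning (kind, detail) findings."""
    findings = []
    for entry in sorted(Path(root).iterdir()):
        name = entry.name.lower()
        # Hidden+system attributes (what `attrib -s -h` clears); only populated on Windows.
        attrs = getattr(entry.stat(), "st_file_attributes", 0)
        if attrs & stat.FILE_ATTRIBUTE_HIDDEN and attrs & stat.FILE_ATTRIBUTE_SYSTEM:
            findings.append(("hidden-system", entry.name))
        if name in KNOWN_BAD_NAMES:
            findings.append(("known-indicator", entry.name))
        elif entry.is_file() and name.endswith(".exe"):
            findings.append(("executable-in-root", entry.name))
        if name == "autorun.inf" and entry.is_file():
            for target in parse_autorun(entry.read_text(errors="replace")):
                findings.append(("autorun-launches", target))
    return findings


def build_sample_drive():
    """Constructed pen-drive layout mirroring the indicators in the post; returns its path."""
    root = Path(tempfile.mkdtemp(prefix="usb_demo_"))
    (root / "Autorun.inf").write_text(
        "[autorun]\n"
        "open=Ravmon.exe\n"
        "shellexecute=Ravmon.exe\n"
        "shell\\open\\Command=Ravmon.exe\n"
        "label=Photos\n"
    )
    (root / "Ravmon.exe").write_bytes(b"placeholder, not a real executable")
    (root / "New Folder.exe").write_bytes(b"placeholder, not a real executable")
    (root / "Photos").mkdir()
    (root / "notes.txt").write_text("harmless document")
    return root


if __name__ == "__main__":
    drive = build_sample_drive()
    try:
        for kind, detail in inspect_drive(drive):
            print(f"{kind:20s} {detail}")
    finally:
        shutil.rmtree(drive)
```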

Security Tip

Disable the Autoplay feature of USB drives. If you disable Autoplay for USB drives, there is less chance of the virus spreading. A tool which can perform such a function is Tweak UI. Download it from here and install it.

(Screenshot: Tweak UI)

Run the program. Now you can disable the Autoplay feature of the removable drives as shown above. By following the above steps, you can keep your USB drives clean. If there are any other methods which you use, then share them with me through the comments.

Sunday, April 27, 2008

Prevent your Orkut account from Hacking

Here are some points you need to take care of to prevent your Orkut account from being hacked!


JavaScript: You must have seen the circulating scraps that ask you to paste some code in your address bar and see what happens! Well, sometimes they also leak your information. Check the code, and if you are unsure of what it does, I recommend not using it.


Community links: Many times you are provided with a link to a community in a scrap. Read the link carefully; it may be something like http://www.okrut.com/Community.aspx?cmm=22910233 (OKRUT, not ORKUT). Clicking on this link will take you to a fake login page, and there you lose your password.


Phishing attacks are the most popular way of stealing other people's passwords. Known as a "fake login" among those who know of it: users land on a page where they are asked for their login information, and they enter their username and password thinking it is the real page, but actually it is the other way round. It submits all the details entered to the programmer or the coder.


Orkut new features: I have come across a page that looks like it is giving the user a choice of selecting new features for Orkut, with your ID and password, of course! When the user submits the page, his ID and password are mailed to the coder.


Primary mail address: If by some means a hacker comes to know the password of your Yahoo Mail or Gmail account, which users normally keep as the primary mail address in their Orkut account, then the hacker can hack the Orkut account simply by entering the user ID and clicking on 'Forgot password'. This way Google will send a link to change the password of the Orkut account to the already hacked primary email ID. Hence the email hacker will change your Orkut account's password, and your Orkut account is hacked too.



So a better thing would be to keep a relatively unknown or unused email ID of yours as the primary email ID, so that if the hacker clicks on 'Forgot password', the password-changing link goes to an email ID not known to the hacker.
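As an added example (not from the original post), a small checker for the lookalike-link problem described above: it parses a scrap URL, compares its domain with orkut.com using an edit distance that counts the okrut/orkut letter swap as one change, and also catches a trusted name buried inside a longer host or hidden behind a user@ prefix. The trusted set and every URL other than the one quoted above are assumptions made for the demo.

```python
"""Classify a link from a scrap as trusted, a lookalike of a trusted domain, or unrelated.

Added example (not from the original post). The trusted set holds only orkut.com,
the site the post is about; the other URLs below are constructed for the demo.
"""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"orkut.com"}
LOOKALIKE_THRESHOLD = 2   # max edit/transposition distance to still call it a lookalike


def registrable_domain(host):
    """Last two labels of a host name (fine for .com-style names; not a full public-suffix lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps,
    so 'okrut' vs 'orkut' costs 1 rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_link(url):
    """Return (verdict, registrable_domain, distance_to_nearest_trusted_label)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""          # .hostname drops any user@ prefix and :port
    if not host:
        return ("invalid", "", None)
    domain = registrable_domain(host)
    if parts.username is not None:       # http://www.orkut.com@other.example/ style disguise
        return ("lookalike", domain, None)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain, 0)
    own_label = domain.split(".")[0]
    host_labels = set(host.lower().split("."))
    trusted_labels = [t.split(".")[0] for t in TRUSTED_DOMAINS]
    distance = min(osa_distance(own_label, t) for t in trusted_labels)
    # A trusted name used as a sub-label (www.orkut.com.example.net) is also a disguise.
    if distance <= LOOKALIKE_THRESHOLD or any(t in host_labels for t in trusted_labels):
        return ("lookalike", domain, distance)
    return ("unrelated", domain, distance)


if __name__ == "__main__":
    for link in [
        "http://www.orkut.com/Community.aspx?cmm=22910233",
        "http://www.okrut.com/Community.aspx?cmm=22910233",   # the link quoted in the post
        "http://www.orkut.com.example.net/Login.aspx",        # constructed
        "http://www.example.org/",                            # constructed
    ]:
        print(link, "->", classify_link(link))
```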

Restoring System against common attacks !

Registry editing has been disabled



If you have ever encountered the above error, i.e. "Registry editing has been disabled by your administrator", on Windows XP or any other Windows NT operating system, this may help you.

I encountered the above error while patching the registry. Even running "regedit" manually was not working.

Here is a simple solution.

Click "Start >> Run" or press [Windows key + R] and type this command exactly as given below (or you can copy-paste it):


REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f





Folder Options Disabled



Go to Run.

Type "control folders".

If it doesn't work, try:



Solution 1:


-> Run -> type gpedit.msc

Then: -> User Configuration -> Administrative Templates -> Windows Components -> Windows Explorer -> Removes the Folder Options menu item from the Tools menu.

Right-click -> Properties -> Disabled -> Apply -> then set it back to Not Configured.




Solution 2:


Go to Start menu -> Run, enter regedit there and press OK to launch the Registry Editor.

On the left you'll see a tree-like structure of folder-like keys.

Navigate to the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer; on the right side you'll see many values.

Among these values, look for one named “NoFolderOptions”. Double-click it; if the value box shows 1, change it to 0 and press Enter. Exit the Registry Editor, close any open folder and open it again to see the settings take effect.

If you want to disable Folder Options, set the value of “NoFolderOptions” to 1 (and to get it back, change it to 0).





Orkut is banned u fool..MUHAHAHA...



How to fix the Orkut is banned you fool! Virus


The message read “Orkut is banned you fool, The administrators didnt write this program guess who did?? MUHAHAHA!!!”, with the title ORKUT IS BANNED.

Well, a similar message was displayed for YouTube also.


Solution given here:


1. Press CTRL+ALT+DEL and go to the Processes tab.

2. Look for svchost.exe under Image Name. There will be many, but look for the ones which have your username under User Name.

3. Press DEL to kill these processes. It will give you a warning; press Yes.

4. Repeat for any other svchost.exe processes running under your username. Do not kill svchost.exe processes running as SYSTEM, LOCAL SERVICE or NETWORK SERVICE!

5. Now open My Computer.

6. In the address bar, type C:\heap41a and press Enter. It is a hidden folder and is not visible by default.

7. Delete all the files here.

8. Now go to Start --> Run and type Regedit.

9. Go to the menu Edit --> Find.

10. Type "heap41a" here and press Enter. You will get something like this: "[winlogon] C:\heap41a\svchost.exe C:\heap(some number)\std.txt"

11. Select that and press DEL. It will ask "Are you sure you want to delete this value"; click Yes.

12. Now close the Registry Editor.


Now the virus is gone. But be sure to delete the autorun.inf file and any folder whose name ends with .exe in the pen drive.


UPDATE


It seems that they have named this malware W32.USBWorm and, according to my friend, Avast is able to detect and remove it. I hope the other antivirus software will also be able to remove it soon.





Remove the ntde1ect.com virus / fix the "show hidden files" problem



First method


1) Open up Task Manager (Ctrl-Alt-Del)


2) If wscript.exe is running, end it.


3) If explorer.exe is running, end it.
4) Open up “File | New Task (Run)” in the Task manager


5) Run cmd


6) Run the following command on all your drives, replacing c:\ with each other drive letter in turn


del c:\autorun.* /f /a /s /q


7) Go to your Windows\System32 directory by typing cd c:\windows\system32


8) Type dir /a avp*.*


9) If you see any files named avp0.dll, avpo.exe or avp0.exe, use the following commands to delete each of them:


attrib -r -s -h avpo.exe


del avpo.exe


10) Use the Task Manager’s Run command to fire up regedit


11) Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


12) If there are any entries for avpo.exe, delete them.


13) Do a complete search of your registry for ntde1ect.com and delete any entries you find.


14) Restart your computer.





Second method


Run >> type "regedit" (without quotes) and press Enter, then go to

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\

Now you can see two values, CheckedValue and DefaultValue.

Double-click CheckedValue and change its value from 0 to 1.

Double-click DefaultValue and change its value from 1 to 2.

Now exit and check.

Saturday, April 26, 2008

The science of computer forensics

This week, I am introducing some tools used in computer forensics and investigations. This will probably be so much “ho-hum” to those of you already in the trade, but I thought this would be of interest to other TechRepublic members.

As usual, I have linked to specific products that I’m familiar with. Some readers have previously expressed concern that it represents unfair advertising. All I can say is that I don’t get paid for linking to anyone, but have personally found that I learn faster when pointed to actual products with specifications and prices to refer to.

Feel free to suggest other such products in the comments section.

HotPlug

The HotPlug device basically allows a running computer to be seized and brought back to a computer forensic lab for further study — without having to first shut it off.

Assuming a suspect could be caught by surprise when using his terminal, it is a means to effectively circumvent any disk encryption as well as login passwords or biometric schemes that might be in place.

Used together with a fully-charged UPS, the connectors are slipped into place when the system is still running. When main power is switched off, the power load will be transparently switched over to the UPS. The entire system — with the UPS, can then be loaded onto a trolley to be carted off.

Extrication from a power strip is literally a plug-and-switch event. For systems plugged directly into a wall socket, some dismantling of the face plate is required. Check out the demonstration video at the top for the power strip method, or click here for the advanced method — it’s quite fascinating, really.

Write protection devices

As their name suggests, write protection devices actively prevent the writing of data onto the attached hard disk. It works on the hardware level by directly blocking write commands — be it while duplicating the data or performing a forensic analysis.

You can also use it as a way to protect your portable hard disk when transferring files to an unknown or hostile environment.

The DriveLock line supports data protection and enables blocking hard drives of various kinds such as IDE, laptop drives, Serial ATA and flash cards connected through a computer’s P-ATA interface, PCI Card, USB, and FireWire ports.

ICS sells a whole bunch of write-protect devices for various hard disk interfaces. This ranges from SATA to IDE and even compact flash readers. You can check it out here.

Mouse Jiggler

This nifty little device represents yet another reason why screen saver passwords are a flimsy deterrent at best. When plugged into a USB port, it emulates a mouse, albeit one that moves autonomously.

The movement effectively prevents a system from automatically switching to a screen saver, or from going into suspend mode.

Wiebetech sells two versions, including a “Slow Jiggler” in which the mouse movement is barely perceptible. With it, an investigator is able to continue working simultaneously from a real mouse. There is also a “Fast Jiggler,” whose only use is as part of a practical joke.

The Mouse Jiggler was originally designed to be used in tandem with the HotPlug to seize computers.

Network Taps

As the name suggests, a network tap allows an investigator to sample all traffic on a network while remaining undetected. These phantom devices are not addressable and are designed with the sole role of replicating transmission streams out via a monitoring port. Physical access to the actual cables is required, though. Network taps are generally available for both copper and fiber solutions and for networks of varying speeds.

Do note that some higher-end network switches come with a “monitoring port” that can be used to the same effect.

Catch this at http://blogs.techrepublic.com.com/security/?p=437&tag=rbxccnbtr1

Friday, November 16, 2007

Database Security (Common-sense Principles)

Lately, database security issues have been flooding the media and Internet news-wires. First with the Slammer worm and most recently criminals accessing over 8 million credit card numbers.

So I sit back and say to myself, "Did the sysadmins fall asleep behind the wheel?" As the internet has boomed and we've increased our reliance on the convenience and relative low cost of web-enabled information systems, we have become lazy in our implementation of basic security practices.

Now part of this problem is the pressure placed on today's system admins by the upper crust of corporate America. The first question to every sysadmin is, "How soon can this be up?" and not "How much of a security risk is this?" In light of current events it has become painfully obvious we need to readjust our thinking.

So, let me begin this article with a brief synopsis of how security policies should be implemented and then move into actual system configuration.

Basic Security Structure
Through my travels as a Network Security Specialist I have consistently come across companies with a single focus in mind, "Software Security". They place so much emphasis on this single portion of security that they lose sight of the big picture. The big picture is, of course, "Without a structured security hierarchy any basic security policy will fail!"

Too often system administrators are left to their own devices, managing the security of their systems with little or no oversight by a higher security administrator. This raises the following questions:

* Who ensures system administrators are following security guide-lines?
* How does an organization ensure all system administrators are applying the latest patches?
* What organization ensures that the latest patches have been tested to ensure they do not cause additional system faults?
* Who performs security audits on the corporation as a whole?

Without a proper structure you begin to get chaos, and when it comes to such an important topic as security, chaos could be cataclysmic. For example:

Jim of the East Coast Office has all of his patches up to date, but he has an insecure link with Bill on the west-coast, who has failed to properly configure his firewall. This situation would allow for a full system compromise.

To ensure a situation such as this does not occur, someone, or a group of people, should be looking at the big picture.

Now that I have gotten that basic security organization rant out of my system, let me begin a technical look at database security.

Database Vulnerabilities (The many fronts of the security war!)

Basically database security can be broken down into the following key points of interest.

* Server Security
* Database Connections
* Table Access Control
* Restricting Database Access

Server Security
Server security is the process of limiting actual access to the database server itself, and in my humble opinion it is the most important angle of security and should be carefully planned.

The basic idea is this, "You can't access what you can't see". Why in the name of the Almighty (or whoever else you believe in, or if you are an Atheist, substitute your own name here) would you let your database server be visible to the world? This is not a web server here; there should be no such thing as an anonymous connection. Now some people would say, "Well, what if your database server is supplying information to dynamic web pages?", well I'll turn that around and say, "Your database back end should never be on the same machine as your web server, not just for security, but for performance!" If your database server is supplying information to a web server then it should be configured to allow connections only from that web server. Now that brings me to the next point of discussion:
(Figure caption: Here, trusted IP access has limited the database server to answering information requests only from the known IP of the web server.)



Trusted IP addresses
Every server should be configured to only allow trusted IP addresses. You don't allow just anyone to come into your house and talk to your children. In the same respect you should know exactly who should be allowed to "talk" to your database server.

If it's a back end for a web server, then only that web server's address should be allowed to access that database server. If the database server is supplying information to a homegrown application that is running on the internal network, then it should only answer to addresses from within the internal network.

Also, please, none of this cheap mentality of hosting your web databases on the same server that houses internal database information. Why would you have internal information out in the DMZ? It's not called the DMZ for nothing.

Database Connections
These days, with the number of dynamic applications, it becomes tempting to allow immediate unauthenticated updates to a database. I say, "Nay!" to such laziness. If you are going to allow users to make updates to a database via a web page, ensure that you validate all updates to ensure that they are warranted and safe. For example, ensure that you are removing any possible SQL code from user-supplied input. If a normal user should never be inputting it, don't allow the data to ever be submitted.

If you are one of those administrators who feels the need to use ODBC connections, ensure that every connection uses its own unique user to access the shared data. It personally makes my skin crawl when I see the user account "sa" used for every connection and data source on the server. Does every employee in your company have keys to every room in the building? I'll let you address that problem quietly if they do.
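An added example, not from the article, tying together the two points above (trusted IP addresses, and per-connection accounts with validated input): a small gateway in front of an in-memory SQLite database that admits only the web server's address, refuses the shared "sa" account, and shows the spliced-SQL lookup the article warns about beside a validated, parameterised one (binding the value as a parameter is how "removing SQL code from the input" is done in practice). The addresses (RFC 5737 test networks), account names and users table are constructed for the demo.

```python
"""A small gateway in front of a database applying two rules from the article:
only trusted client addresses get in, no shared 'sa'-style account, and queries
never splice user input into SQL.

Added example (not from the original article). Addresses, account names and the
users table are constructed; the database is an in-memory SQLite one.
"""
import ipaddress
import sqlite3

# Only the web server may talk to the database (constructed RFC 5737 test address).
TRUSTED_CLIENTS = [ipaddress.ip_network("203.0.113.10/32")]
# Accounts that must never be handed to an application connection ("sa" is the one the article names).
SHARED_ADMIN_ACCOUNTS = {"sa"}


class DatabaseGateway:
    def __init__(self, conn, trusted_clients):
        self.conn = conn
        self.trusted_clients = trusted_clients
        self.audit_log = []          # (client_ip, account, outcome), for the security audit

    def admit(self, client_ip, account):
        """Return None when the connection may proceed, otherwise the reason it was refused."""
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in net for net in self.trusted_clients):
            reason = f"denied: {client_ip} is not a trusted client address"
        elif account.lower() in SHARED_ADMIN_ACCOUNTS:
            reason = f"denied: shared account '{account}' may not be used by applications"
        else:
            reason = None
        self.audit_log.append((client_ip, account, reason or "allowed"))
        return reason

    def lookup_user_unsafe(self, username):
        """The lazy version the article warns about: user input spliced straight into SQL."""
        return self.conn.execute(
            f"SELECT name FROM users WHERE name = '{username}'").fetchall()

    def lookup_user(self, username):
        """Validate the input, then bind it as a parameter so it can only ever be data."""
        if not (username.isalnum() and len(username) <= 32):
            raise ValueError("username must be 1-32 alphanumeric characters")
        return self.conn.execute(
            "SELECT name FROM users WHERE name = ?", (username,)).fetchall()


def build_demo():
    """In-memory database with two constructed users, wrapped in the gateway."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return DatabaseGateway(conn, TRUSTED_CLIENTS)


if __name__ == "__main__":
    gw = build_demo()
    print(gw.admit("203.0.113.10", "webapp"))        # None: the web server, using its own account
    print(gw.admit("198.51.100.7", "webapp"))        # denied: address not on the trusted list
    print(gw.admit("203.0.113.10", "sa"))            # denied: shared admin account
    tainted = "' OR '1'='1"
    print(gw.lookup_user_unsafe(tainted))            # every row comes back: the input became SQL
    try:
        gw.lookup_user(tainted)
    except ValueError as err:
        print("rejected:", err)                      # validation stops it before any SQL runs
    print(gw.lookup_user("alice"))                   # [('alice',)]
```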

Table Access Control
Table access control is probably one of the most overlooked forms of database security because of the inherent difficulty in applying it. Properly using table access control will require the collaboration of both system administrator and database developer, and we all know that "collaboration" is a foreign word in the IT industry.

An example would be allowing the public read access to user-input information. If a user just input the information, why would they have to look at it within the same session? Or, if a table is just used for system reference, why should it have any other permissions besides read available?


Unfortunately table structure and proper relational database structure and development is a little out of the scope of this article. But, keep a look out for it in my upcoming articles.

Restricting Database Access
Now that we have completed a basic overview of database security, I want to dive a little further into the specifics of server security, mainly into the network access of the system, specifically targeting Internet-based databases, since they have been the most recent targets of attacks. All web-enabled applications have ports that they listen on (I know this is pretty basic to most of you, but it needs to be said for the beginners!).

Most cyber criminals (I always refrain from the media-sensationalized terms "Hackers" or "Crackers") are going to do a simple "port scan" to look for open ports that popular database systems use by default. Now I say by default because you can change the ports a service listens on, which I personally feel is a great way to throw off a criminal.

First they will attempt to determine if a machine is even at a specific address. They will do this by pinging the system. (If you don't know what ping is, quietly close this article; you need to do some studying first!) This is done by simply opening up a command line and typing "ping".

C:\> ping 127.0.0.1

or

root@localhost:~$ ping 127.0.0.1

The response should look like this:

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

(Figure caption: an example of the ping command being used on a Windows box.)

The criminal now knows there is a system answering at this address. First thing to prevent this is to disable any ICMP packets. This will prevent ping requests from being replied to.

There are many ways to prevent open access from the Internet, and each database system has its own set of unique features, as does each OS. So I am merely going to touch on a few methods.

* Trusted IP addresses - UNIX servers are configured to answer only pings from a list of trusted hosts. In UNIX, this is accomplished by configuring the rhosts file, which restricts server access to a list of specific users.
* Server account disabling - If you suspend the server ID after three password attempts, attackers are thwarted. Without user ID suspension, an attacker can run a program that generates millions of passwords until it guesses the user ID and password combination.
* Special tools - Products such as RealSecure by ISS send an alert when an external server is attempting to breach your system's security.

Oracle has a wealth of authentication methods:

* Kerberos security - This popular "ticket"-based authentication system sidesteps several security risks.
* Virtual private databases - VPD technology can restrict access to selected rows of tables.
* Role-based security - Object privileges can be grouped into roles, which can then be assigned to specific users.
* Grant-execute security - Execution privileges on procedures can be tightly coupled to users. When a user executes the procedures, they gain database access, but only within the scope of the procedure.
* Authentication servers - Secure authentication servers provide positive identification for external users.
* Port access security - All Oracle applications are directed to listen at a specific port number on the server. Like any standard HTTP server, the Oracle Web Listener can be configured to restrict access.

I hope that I have broadened your view of database security, and quite possibly helped eliminate or at least lower the threat of criminals looking for the "easy kill". (I know that is a little egotistical of me)

Database Security (Common-sense Principles)

Lately, database security issues have been flooding the media and Internet news-wires. First with the Slammer worm and most recently criminals accessing over 8 million credit card numbers.

So I sit back and say to myself, "Did the sysadmins fall asleep behind the wheel?" As the internet has boomed and we've increased our reliance on the convenience and relative low cost of web-enabled information systems, we have become lazy in our implementation of basic security practices.

Now part of this problem is the pressure placed on today's system admin's by the upper-crust of corporate America. The first question to every sysadmin is, "How soon can this be up?" and not "How much of a security risk is this?". In light of current events it has become painfully obvious we need to re-adjust our thinking.

So, let me begin this article with a brief synopsis of how security policies should be implemented and then move into actual system configuration.

Basic Security Structure
Through my travels as a Network Security Specialist I have consistently come across companies with a single focus in mind, "Software Security". They place so much emphasis on this single portion of security that they loose sight of the big picture. The big picture is of course, "Without a structured security hierarchy any basic security policy will fail!"

To often system administrators are left to their own accord, managing the security of their systems with little or no oversight by a higher security administrator. This raises the following questions:

* Who ensures system administrators are following security guide-lines?
* How does an organization ensure all system administrators are applying the latest patches?
* What organization ensures that the latest patches have been tested to ensure they do not cause additional system faults
* Who performs security audits on the corporation as a whole?

An example of a good clean
and effective network security
organization.



Without a proper structure you begin to get chaos when it comes to such an important topic as security, chaos could be cataclismic. For example:

Jim of the East Coast Office has all of his patches up to date, but he has an insecure link with Bill on the west-coast, who has failed to properly configure his firewall. This situation would allow for a full system compromise.

To ensure a situation such as this does not occur someone or a group of someone's should be looking at the big picture.

Now that I have gotten that basic security organization rant out of my system, let me begin a technical look at database security.

Database Vulnerabilities (The many fronts of the security war!)

Basically database security can be broken down into the following key points of interest.

* Server Security
* Database Connections
* Table Access Control
* Restricting Database Access

Server Security
Server security is the process of limiting actual access to the database server itself, and in my humble opinion it is the most important angle of security and should be carefully planned.

The basic idea is this, "You can't access what you can't see". Why in the name of the Almighty (or whoever else you believe in, or if you are an Atheist, substitute your own name here) would you let your database server be visible to the world. This is not a web server here, there should be no such thing as an anonymous connection. Now some people would say, "Well, what if your database server is supplying information to dynamic web pages?", well I'll turn that around and say, "Your database back end should never be on the same machine as your web server, not just for security, but for performance!" If your database server is supplying information to a web server then it should be configure to allow connections only from that web server. Now that bring mes to the next point of discussion:
Here Trusted IP Access has
limited the database server
to only answering information
requests from the known IP of
the web server.



Trusted IP addresses
Every server, should be configured to only allow trusted IP addresses. You don't allow just anyone to come into your house and talk to your children. In the same respect you should know exactly who should be allowed to "talk" to your database server.

If it's a back end for a web server., then only that web server's address should be allowed to access that database server. If the database server is supplying information to a homegrown application that is running on the internal network, then it should only answer to addresses from within the internal network.

Also please none of this cheap mentality of hosting your web databases on the same server that houses internal database information. Why would you have internal information out in the DMZ, its not called the DMZ for nothing.

Database Connections
These days with the number of Dynamic Applications it becomes tempting to allow immediate unauthenticated updates to a database. I say, "Ney!" to such laziness. If you are going to allow users to make updates to a database via a web page, ensure that you validate all updates to ensure that all updates are warranted and safe. For example ensure that you are removing any possible SQL code from a user supplied input. If a normal user should never be inputting it don't allow the data to ever be submitted.

If you are one of those administrators that feels the need to use ODBC connections ensure that every connection uses it's own unique user to access the shared data. It personally makes my skin crawl when I see the user account "sa" used for every connection and data source on the server. Does every employee in your company have keys to every room in the building? I'll let you address that problem quietly if they do.

Table Access Control
Table access control is probably one of the most overlooked forms of database security because of the inherent difficult in applying it. Properly using Table access control will require the collaboration of both system administrator and database developer, and we all know that "collaboration" is a foreign word in the IT industry.

An example would be allowing the public read access to user-inputted information. If a user just inputted the information, why would they have to look at it within the same session? Or, if a table is just used for system reference, why should it have any permission besides read available?

Unfortunately, table structure and proper relational database structure and development are a little outside the scope of this article. But keep a look out for them in my upcoming articles.

Restricting Database Access
Now that we have completed a basic overview of database security, I want to dive a little further into the specifics of server security, mainly the network access of the system, specifically targeting Internet-based databases, since they have been the most recent targets of attacks. All web-enabled applications have ports that they listen on (I know this is pretty basic to most of you, but it needs to be said for the beginners!).

Most cyber criminals (I always refrain from the media-sensationalized terms "Hackers" or "Crackers") are going to do a simple "port scan" to look for open ports that popular database systems use by default. I say by default because you can change the ports a service listens on, which I personally feel is a great way to throw off a criminal.

First they will attempt to determine whether a machine is even at a specific address. They will do this by pinging the system. (If you don't know what ping is, quietly close this article; you need to do some studying first!) This is done by simply opening a command line and typing "ping".

C:\ ping 127.0.0.1

or

root@localhost: ~$: ping 127.0.0.1

The response should look like this:

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
An example of the ping command being used on a Windows box.

The criminal now knows there is a system answering at this address. The first thing to do to prevent this is to block ICMP packets, which will stop ping requests from being replied to.

There are many ways to prevent open access from the Internet, and each database system has its own set of unique features, as does each OS. So I am merely going to touch on a few methods.

* Trusted IP addresses - UNIX servers are configured to answer only pings from a list of trusted hosts. In UNIX, this is accomplished by configuring the rhosts file, which restricts server access to a list of specific users.
* Server account disabling - If you suspend the server ID after three password attempts, attackers are thwarted. Without user ID suspension, an attacker can run a program that generates millions of passwords until it guesses the user ID and password combination.
* Special tools - Products such as RealSecure by ISS send an alert when an external server is attempting to breach your system's security.
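An added example, not from the original article, that combines the trusted-address rule from the start of this section with the three-attempt suspension just described: a login gate that refuses connections from outside an allowlist of networks and suspends an account ID after three consecutive failed passwords. The networks, the account name, the password and the three-attempt threshold are constructed values for this example.

```python
import hashlib
import hmac
import ipaddress
import os

MAX_FAILED_ATTEMPTS = 3   # the "three password attempts" threshold from the text

# Constructed allowlist: the web server's address and the internal network only.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "10.0.0.0/8")]


def source_is_trusted(client_ip: str) -> bool:
    """Only addresses inside a trusted network are allowed to talk to the server."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountGate:
    """Counts consecutive failed logins per ID and suspends the ID at the threshold."""
    def __init__(self) -> None:
        self.accounts = {}      # name -> (salt, password hash)
        self.failures = {}      # name -> consecutive failed attempts
        self.suspended = set()

    def add_account(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[name] = (salt, hash_password(password, salt))

    def login(self, client_ip: str, name: str, password: str) -> str:
        if not source_is_trusted(client_ip):
            return "rejected: untrusted source"
        if name in self.suspended:
            return "rejected: account suspended"
        record = self.accounts.get(name)
        if record is None:
            return "rejected: bad credentials"   # same reply as a wrong password
        salt, stored = record
        if hmac.compare_digest(stored, hash_password(password, salt)):
            self.failures[name] = 0             # a success resets the counter
            return "ok"
        self.failures[name] = self.failures.get(name, 0) + 1
        if self.failures[name] >= MAX_FAILED_ATTEMPTS:
            self.suspended.add(name)
            return "rejected: account suspended"
        return "rejected: bad credentials"
```

Once suspended, even the correct password is refused until an administrator clears the ID, which is the behaviour the list item above relies on to defeat password guessing.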

Oracle has a wealth of authentication methods:

* Kerberos security - This popular "ticket"-based authentication system sidesteps several security risks.
* Virtual private databases - VPD technology can restrict access to selected rows of tables.
* Role-based security - Object privileges can be grouped into roles, which can then be assigned to specific users.
* Grant-execute security - Execution privileges on procedures can be tightly coupled to users. When a user executes the procedures, they gain database access, but only within the scope of the procedure.
* Authentication servers - Secure authentication servers provide positive identification for external users.
* Port access security - All Oracle applications are directed to listen at a specific port number on the server. Like any standard HTTP server, the Oracle Web Listener can be configured to restrict access.

I hope that I have broadened your view of database security, and quite possibly helped eliminate or at least lower the threat of criminals looking for the "easy kill". (I know that is a little egotistical of me)