What's going on with databases? Why so prone to attacks yet still used

  1. I'm taking a course this year called Databases. I've noticed in the past many news regarding breaches on corporate and government systems and in almost all of them something happened to a database. Microsoft, Apple, FBI, medical records across the country, government agencies, banks, etc. Have all at one point or another being hacked and gotten their databases stolen or something done to them. Most of the headlines with the words: "SQL Injection..."

    It appears to me this whole database subject is very security-hole prone yet it is still widely used across the world wide web and in most informational systems around the world.

    Why keep using such a way to store and manage data when it is obvious that there is something wrong with it since it gets hacked so frequently? What's going on here?

    (I realize the whole concept of relations and set theory make it easier to make different layers of abstraction and create a very structured way of storing and managing data and at the end offers simplicity and efficiency, but could this be the problem to begin with? That the math behind databases is so well defined that it makes it super easy to exploit? Or is the problem at the software implementations of databases?)
     
  2. jcsd
  3. jedishrfu

    Staff: Mentor

    The security hole isn't in the database interface, it's how the web application uses the database. A SQL injection attack is when someone inputs a SQL statement in a web application input field and the web application doesn't validate the field. As an example, if the web application asks for your name they should be limiting input to alphabetic or alphanumeric characters only. It should not allow quotes, back quotes, double quotes or any other kinds of punctuation.

    In the old days, scripting languages like Perl were used to process web input and they would simply take an input field and insert it into a SQL query statement. If the user carefully crafted the input they could insert SQL that could extract additional data from the database. They could even extract enough info to understand the database schema and from that get to all data stored.

    http://en.m.wikipedia.org/wiki/SQL_injection
     
    1 person likes this.
  4. FactChecker

    FactChecker 712
    Gold Member

    When Willie Sutton was asked why he robbed banks, his answer was "That's where the money is." Likewise, people hack databases because that's where the data is. You are pinning the blame on the wrong thing. Once a system is "hacked", information can be obtained no matter how the data is stored. The data can be encrypted, but that is a different subject.
     
  5. Oh, so in the end the security holes are introduced in the View Level. The one in charge to connect the data with the user. I had read about SQL injections before, but what doesn't ring correctly in my mind is how they keep getting hacked time after time. Why they keep failing to properly implement a secure View Level? Anyway I think this last question is not all really about databases, but about proper implementation of said level so I'm not really expecting an answer in this thread to it.

    Thanks for clearing that up.
     
  6. FactChecker

    FactChecker 712
    Gold Member

    The vulnerabilities are everywhere and at every level. Carnegie Mellon is working on a government study to classify the software vulnerabilities. There are many hundreds -- maybe thousands, and growing. Other companies market programs that scan code looking for vulnerabilities and warning programmers.
     
  7. Interesting.
     
  8. phinds

    phinds 8,533
    Gold Member

    Making things secure is expensive. Big companies HATE expenses. They are only now (some of them, not all) seeing that they have been doing short term gain for long term pain and they STILL aren't all doing much about it.
     
  9. jedishrfu

    Staff: Mentor

    Another hole in web applications is that sometimes the web programmer will make his web app server admin userid and password match the database admin userid and password. This is a very bad move as when one interface is breached the other is breached. Web applications shouldn't need database admin access to any database unless the apps are for database admins and on a closed network.
     
  10. AlephZero

    AlephZero 7,300
    Science Advisor
    Homework Helper

    They certainly do. Seen any adverts on the internet to scan your PC for malware/viruses/Windows Registry problems/out of date drivers/whatever recently? :devil:
     
  11. FactChecker

    FactChecker 712
    Gold Member

    Ha! Touche. I was actually thinking of static analysis tools like Polyspace, LDRA, Coverity, Parasoft and Fortify. I know there are a lot more, but I am not familiar with them.

    That brings up a good point though. As far as I know, the scanners for malware (Norton, etc.) only check for threats and do not check for vulnerabilities. Do they warn if you are using an old code version that has vulnerabilities? It seems like would be a good thing for them to do.
     
    Last edited: Sep 4, 2014
  12. phinds

    phinds 8,533
    Gold Member

    That's really more the responsibility of the vendor of the original software, not of a 3rd party testing app. THEY are the ones that know when their updates are ready.
     
  13. Borek

    Staff: Mentor

    Suggest something different, something that will be capable of replacing databases as such, yet it will offer better security.
     
  14. That's harsh... but correct. I don't know, I have to check my schedule. :wink:
    This is one amazing piece of information. I'm a little astonished to learn this. I would have never guessed. Very clever they have been.

    EDIT: I have to make a project for this class. A crowd-sourced database application. With a web interface. I want to make it right. Reduce hacking possibilities to almost none. And probably get some bonus points?
     
    Last edited: Sep 4, 2014
  15. While up to date penetration testing is probably best handled by accredited companies who do that for a living, there do exist ways that are quite good for the individual to at least do preliminary assessment. The Nessus Suite by Tenable still has a free version and the "Pro" version isn't prohibitive for a web app that is likely to be actually employed.

    There are also bootable systems, for use on CDs, DVDs, thumbdrives, etc., that are devoted to pentesting such as Kali. Many can be found here - http://www.livecdlist.com/
     
  16. phinds

    phinds 8,533
    Gold Member

    Yeah, but be aware, a lot of such programs are specifically out there to INTRODUCE malware into your system. Be sure to stick with reputable, known companies, or at least ones that get good reviews from independent reviewers. There are a lot of them.
     
  17. AlephZero

    AlephZero 7,300
    Science Advisor
    Homework Helper

    Absolutely. My post was meant to be ironic (hence the smiley). I'm not sure whether "This is one amazing piece of information...." was ironic or not!
     
  18. jedishrfu

    Staff: Mentor

    With respect to your project, you could consider Grails. You write groovy scripts (superset of java) and grails tools will generate the web pages (with the option to customize them) with protection from sql injection attacks as part of the underlying GORM framework. Other web attacks must be handled using third party plugins and custom code.

    https://grails.org/Security
     
  19. phinds

    phinds 8,533
    Gold Member

    Oh, I KNEW yours was, it was his I was worried about
     
  20. FactChecker

    FactChecker 712
    Gold Member

    I agree that the vendors are responsible for fixing their software, but there are a variety of reasons that software doesn't get updated. I think it would be a selling point if the code scanners included warnings. Not that it is their responsibility.
     
  21. Thanks.

    Mine wasn't. I was telling the truth.
     
Know someone interested in this topic? Share a link to this question via email, Google+, Twitter, or Facebook

Have something to add?

0
Draft saved Draft deleted