What's going on with databases? Why so prone to attacks yet still used

  • Thread starter Psinter
In summary, databases have been the subject of many security breaches in recent years, causing concern over their vulnerability. However, the issue lies not with the databases themselves, but with how they are used in web applications. SQL injections, where malicious code is inserted into a web application's input field, have been a common method of hacking databases. The responsibility for securing databases lies with proper implementation of the View Level, which connects the data with the user. However, ensuring security can be expensive and many companies prioritize short term gain over long term security. There are also vulnerabilities at every level of web applications, and third party tools are available to scan for these and warn programmers. It is ultimately up to the original software vendors to provide updates and address any
  • #1
Psinter
I'm taking a course this year called Databases. I've noticed in the past many news items regarding breaches on corporate and government systems, and in almost all of them something happened to a database. Microsoft, Apple, the FBI, medical records across the country, government agencies, banks, etc. have all at one point or another been hacked and gotten their databases stolen or something done to them. Most of the headlines contain the words "SQL Injection..."

It appears to me this whole database subject is very security-hole prone yet it is still widely used across the world wide web and in most informational systems around the world.

Why keep using such a way to store and manage data when it is obvious that there is something wrong with it since it gets hacked so frequently? What's going on here?

(I realize the whole concept of relations and set theory makes it easier to build different layers of abstraction and create a very structured way of storing and managing data, and in the end offers simplicity and efficiency, but could this be the problem to begin with? That the math behind databases is so well defined that it makes it super easy to exploit? Or is the problem in the software implementations of databases?)
 
  • #2
The security hole isn't in the database interface, it's how the web application uses the database. A SQL injection attack is when someone inputs a SQL statement in a web application input field and the web application doesn't validate the field. As an example, if the web application asks for your name they should be limiting input to alphabetic or alphanumeric characters only. It should not allow quotes, back quotes, double quotes or any other kinds of punctuation.

In the old days, scripting languages like Perl were used to process web input and they would simply take an input field and insert it into a SQL query statement. If the user carefully crafted the input they could insert SQL that could extract additional data from the database. They could even extract enough info to understand the database schema and from that get to all data stored.

http://en.m.wikipedia.org/wiki/SQL_injection
 
  • #3
When Willie Sutton was asked why he robbed banks, his answer was "That's where the money is." Likewise, people hack databases because that's where the data is. You are pinning the blame on the wrong thing. Once a system is "hacked", information can be obtained no matter how the data is stored. The data can be encrypted, but that is a different subject.
 
  • #4
jedishrfu said:
The security hole isn't in the database interface, it's how the web application uses the database.
Oh, so in the end the security holes are introduced in the View Level, the one in charge of connecting the data with the user. I had read about SQL injections before, but what doesn't ring correctly in my mind is how they keep getting hacked time after time. Why do they keep failing to properly implement a secure View Level? Anyway, I think this last question is not really about databases but about proper implementation of said level, so I'm not really expecting an answer to it in this thread.

Thanks for clearing that up.
 
  • #5
The vulnerabilities are everywhere and at every level. Carnegie Mellon is working on a government study to classify the software vulnerabilities. There are many hundreds -- maybe thousands, and growing. Other companies market programs that scan code looking for vulnerabilities and warning programmers.
 
  • #6
FactChecker said:
The vulnerabilities are everywhere and at every level. Carnegie Mellon is working on a government study to classify the software vulnerabilities. There are many hundreds -- maybe thousands, and growing. Other companies market programs that scan code looking for vulnerabilities and warning programmers.
Interesting.
 
  • #7
Making things secure is expensive. Big companies HATE expenses. They are only now (some of them, not all) seeing that they have been doing short term gain for long term pain and they STILL aren't all doing much about it.
 
  • #8
Another hole in web applications is that sometimes the web programmer will make his web app server admin userid and password match the database admin userid and password. This is a very bad move as when one interface is breached the other is breached. Web applications shouldn't need database admin access to any database unless the apps are for database admins and on a closed network.
 
  • #9
FactChecker said:
Other companies market programs that scan code looking for vulnerabilities and warning programmers.

They certainly do. Seen any adverts on the internet to scan your PC for malware/viruses/Windows Registry problems/out of date drivers/whatever recently? :devil:
 
  • #10
AlephZero said:
They certainly do. Seen any adverts on the internet to scan your PC for malware/viruses/Windows Registry problems/out of date drivers/whatever recently? :devil:

Ha! Touche. I was actually thinking of static analysis tools like Polyspace, LDRA, Coverity, Parasoft and Fortify. I know there are a lot more, but I am not familiar with them.

That brings up a good point though. As far as I know, the scanners for malware (Norton, etc.) only check for threats and do not check for vulnerabilities. Do they warn if you are using an old code version that has vulnerabilities? It seems like it would be a good thing for them to do.
 
  • #11
FactChecker said:
Do they warn if you are using an old code version that has vulnerabilities? It seems like it would be a good thing for them to do.

That's really more the responsibility of the vendor of the original software, not of a 3rd party testing app. THEY are the ones that know when their updates are ready.
 
  • #12
Psinter said:
Why keep using such a way to store and manage data when it is obvious that there is something wrong with it since it gets hacked so frequently?

Suggest something different, something that will be capable of replacing databases as such, yet it will offer better security.
 
  • #13
Borek said:
Suggest something different, something that will be capable of replacing databases as such, yet it will offer better security.
That's harsh... but correct. I don't know, I have to check my schedule. :wink:
AlephZero said:
They certainly do. Seen any adverts on the internet to scan your PC for malware/viruses/Windows Registry problems/out of date drivers/whatever recently? :devil:
This is one amazing piece of information. I'm a little astonished to learn this. I would have never guessed. Very clever they have been.

EDIT: I have to make a project for this class. A crowd-sourced database application. With a web interface. I want to make it right. Reduce hacking possibilities to almost none. And probably get some bonus points?
 
  • #14
While up to date penetration testing is probably best handled by accredited companies who do that for a living, there do exist ways that are quite good for the individual to at least do preliminary assessment. The Nessus Suite by Tenable still has a free version and the "Pro" version isn't prohibitive for a web app that is likely to be actually employed.

There are also bootable systems, for use on CDs, DVDs, thumbdrives, etc., that are devoted to pentesting such as Kali. Many can be found here - http://www.livecdlist.com/
 
  • #15
Psinter said:
This is one amazing piece of information. I'm a little astonished to learn this. I would have never guessed. Very clever they have been.

Yeah, but be aware, a lot of such programs are specifically out there to INTRODUCE malware into your system. Be sure to stick with reputable, known companies, or at least ones that get good reviews from independent reviewers. There are a lot of them.
 
  • #16
phinds said:
Yeah, but be aware, a lot of such programs are specifically out there to INTRODUCE malware into your system.

Absolutely. My post was meant to be ironic (hence the smiley). I'm not sure whether "This is one amazing piece of information..." was ironic or not!
 
  • #17
With respect to your project, you could consider Grails. You write Groovy scripts (a superset of Java) and the Grails tools will generate the web pages (with the option to customize them) with protection from SQL injection attacks as part of the underlying GORM framework. Other web attacks must be handled using third-party plugins and custom code.

https://grails.org/Security
 
  • #18
AlephZero said:
Absolutely. My post was meant to be ironic (hence the smiley). I'm not sure whether "This is one amazing piece of information..." was ironic or not!

Oh, I KNEW yours was, it was his I was worried about
 
  • #19
phinds said:
That's really more the responsibility of the vendor of the original software, not of a 3rd party testing app. THEY are the ones that know when their updates are ready.
I agree that the vendors are responsible for fixing their software, but there are a variety of reasons that software doesn't get updated. I think it would be a selling point if the code scanners included warnings. Not that it is their responsibility.
 
  • #20
jedishrfu said:
With respect to your project, you could consider Grails. You write Groovy scripts (a superset of Java) and the Grails tools will generate the web pages (with the option to customize them) with protection from SQL injection attacks as part of the underlying GORM framework. Other web attacks must be handled using third-party plugins and custom code.

https://grails.org/Security
Thanks.

phinds said:
Oh, I KNEW yours was, it was his I was worried about
Mine wasn't. I was telling the truth.
 
  • #21
Psinter said:
Mine wasn't. I was telling the truth.

Then it's good that I warned you about scams.
 
  • #22
SQL injection attacks can easily be prevented by programming correctly to prevent them. Companies continue to cut corners, and there is a stupid belief that hiring untrained self-taught programmers is as good as, or better than, hiring people who have studied computer science. No one should have made it through a database course in college without having learned to prevent SQL injection. That is not to say that self-taught programmers cannot also learn to prevent SQL injection attacks. But the managers who manage the programmers also often don't even know about these things, and they don't know to ask about them in job interviews. It's really quite amazing the level of database incompetence that is out there in corporations. I speak from direct experience (and I am largely self-taught about database technology specifically).

Computer security is hard, just like any security. But most break-ins are like people forgetting to lock the door. SQL injection attacks are like people forgetting to lock the door.

The first line of defense against injection is to use a stored procedure to process form data, rather than raw SQL. The stored procedure will take each piece of data submitted in the web form and validate it for sensible values, rejecting any that are not within expected ranges or of the correct type. It takes a few minutes longer to write a SP, and then in corporations, you have to get the database administrator to create/install the SP for you and set up its security, and not all of the admins even know how to do it. So to get around that, people just hack up SQL directly to handle web forms--probably 'cause they are in a hurry--and it's quite easy to attack a database using such web forms. Instead of filling out the form with real data, you fill it out with SQL code that, if it executes, will delete things. And the code handling the form includes the strings from the form right in a bunch of SQL that gets compiled and run on the spot, thus executing the malicious SQL code typed into the form. Dumbest and oldest trick in the book, and it still happens all the time. It's a teaching failure, and a coding culture failure, and a management failure.

Other companies, OTOH, go overboard with paranoia and start treating all databases like they are going to get attacked. I currently manage a bunch of biology data that no one is going to want to steal. It's all free anyway. There is no financial data, no personal identification information, anywhere on my servers. Nonetheless, the servers are getting the same kind of rigorous rules and audits applied to them that sensitive financial or military servers would get, thus making it nearly impossible to share data as needed for doing scientific research.

The unreasonableness of the workplace can be really astonishing, at times.
 
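The "door left unlocked" that posts #2 and #22 describe, shown side by side with the locked version, as an added example that is not code from the thread. It uses Python's built-in sqlite3 module with a constructed in-memory table; the alphanumeric allowlist follows post #2's advice, and binding the value as a parameter stands in for the validating stored procedure of post #22.

```python
import re
import sqlite3

# Constructed sample data: a tiny user directory, not taken from the thread.
SAMPLE_USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, name):
    # The pattern the thread warns about: the form field is pasted into the
    # SQL text, so whatever the user typed is compiled and run as SQL.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# Post #2's rule: a name field should accept only alphanumeric characters.
NAME_RE = re.compile(r"[A-Za-z0-9]{1,32}")


def lookup_safe(conn, name):
    # Two independent defences: reject anything outside the allowlist, and
    # bind the value as a parameter so the driver never treats it as SQL.
    if not NAME_RE.fullmatch(name):
        raise ValueError("invalid name")
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_param_only(conn, name):
    # Parameter binding alone, without the allowlist: the crafted string is
    # compared literally against the column and matches nothing.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input: closes the quote, adds a clause
    leaked = len(lookup_vulnerable(conn, crafted))  # every row comes back
    try:
        lookup_safe(conn, crafted)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected, lookup_param_only(conn, crafted), lookup_safe(conn, "alice")
```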

1. Why are databases prone to attacks?

There are several reasons why databases are prone to attacks. One of the main reasons is that databases often contain sensitive and valuable information, making them a target for hackers. Additionally, databases are usually connected to the internet and accessible from remote locations, making them vulnerable to cyber attacks. Moreover, databases can have vulnerabilities in their software or configuration, which can be exploited by attackers.

2. What types of attacks are databases susceptible to?

Databases can be targeted by various types of attacks, including SQL injection, cross-site scripting (XSS), denial of service (DoS), and data breaches. SQL injection attacks are the most common and involve inserting malicious code into a database through user input. XSS attacks exploit vulnerabilities in web applications that interact with databases, while DoS attacks flood a system with traffic, causing it to crash. Data breaches can occur when a database is hacked or accessed without authorization, resulting in the theft of sensitive information.

3. How can database attacks be prevented?

To prevent database attacks, it is crucial to have robust security measures in place. This includes implementing strong authentication and access control mechanisms, regularly updating and patching software, and using encryption to protect sensitive data. Regular vulnerability scans and penetration testing can also help identify and address any weaknesses in the database's security.

4. Why are databases still used despite their vulnerability to attacks?

Databases are an essential tool for storing, organizing, and retrieving data, making them a crucial component of many businesses and organizations. While databases may be vulnerable to attacks, proper security measures can significantly reduce the risk of a successful attack. Additionally, databases are continuously improving their security features, making them a more reliable and secure option for data storage.

5. What should be done in the event of a database attack?

In the event of a database attack, it is crucial to act quickly to mitigate the damage and prevent further attacks. This includes identifying the source of the attack, patching any vulnerabilities, and implementing stricter security measures. It is also essential to notify affected parties and take necessary steps to protect any compromised data. Additionally, organizations should have a contingency plan in place to restore data and resume operations in case of a successful attack.
