What's going on with databases? Why so prone to attacks yet still used

Thread starter: Psinter

Discussion Overview

The discussion revolves around the security vulnerabilities associated with databases, particularly in the context of web applications. Participants explore the reasons behind frequent database breaches, the implications of SQL injection attacks, and the broader issues of software security and implementation practices.

Discussion Character

  • Debate/contested
  • Technical explanation
  • Exploratory

Main Points Raised

  • One participant notes the prevalence of database breaches in high-profile cases and questions why databases are still widely used despite their vulnerabilities.
  • Another argues that the security issues stem from how web applications interact with databases, particularly the lack of input validation that allows SQL injection attacks.
  • A participant compares hacking databases to robbing banks, suggesting that the focus should be on the value of the data rather than the database technology itself.
  • Concerns are raised about the implementation of security measures at the application level, with one participant expressing confusion over repeated failures to secure these interfaces.
  • Discussion includes the idea that vulnerabilities exist at multiple levels of software systems, with references to ongoing studies and tools for identifying these vulnerabilities.
  • Participants mention the cost of implementing security measures and the tendency of companies to prioritize short-term gains over long-term security investments.
  • There is a suggestion that web applications should not use the same credentials for database access as for web administration, highlighting a common security oversight.
  • One participant asks for alternatives to traditional databases that could offer better security, indicating a desire for innovative solutions.
  • There is mention of tools and methods for penetration testing, with some participants discussing the importance of using reputable software to avoid introducing malware.

Areas of Agreement / Disagreement

Participants express a range of views on the causes of database vulnerabilities and the effectiveness of current security practices. There is no consensus on a single solution or approach to addressing these issues, indicating ongoing debate and uncertainty.

Contextual Notes

Participants acknowledge the complexity of software security, with discussions touching on various levels of vulnerabilities and the responsibilities of software vendors versus third-party tools. Some points remain unresolved, particularly regarding the effectiveness of current security measures and the potential for alternative database solutions.

Who May Find This Useful

This discussion may be of interest to software developers, cybersecurity professionals, database administrators, and students studying database management and security practices.

Psinter
I'm taking a course this year called Databases. I've noticed in the past a lot of news regarding breaches of corporate and government systems, and in almost all of them something happened to a database. Microsoft, Apple, the FBI, medical records across the country, government agencies, banks, etc. have all at one point or another been hacked and had their databases stolen or something done to them. Most of the headlines contain the words "SQL Injection..."

It appears to me this whole database subject is very security-hole prone yet it is still widely used across the world wide web and in most informational systems around the world.

Why keep using such a way to store and manage data when it is obvious that there is something wrong with it since it gets hacked so frequently? What's going on here?

(I realize the whole concept of relations and set theory makes it easier to build different layers of abstraction and create a very structured way of storing and managing data, and in the end offers simplicity and efficiency, but could this be the problem to begin with? That the math behind databases is so well defined that it makes it super easy to exploit? Or is the problem in the software implementations of databases?)
 
The security hole isn't in the database interface, it's how the web application uses the database. A SQL injection attack is when someone inputs a SQL statement in a web application input field and the web application doesn't validate the field. As an example, if the web application asks for your name they should be limiting input to alphabetic or alphanumeric characters only. It should not allow quotes, back quotes, double quotes or any other kinds of punctuation.

In the old days, scripting languages like Perl were used to process web input and they would simply take an input field and insert it into a SQL query statement. If the user carefully crafted the input they could insert SQL that could extract additional data from the database. They could even extract enough info to understand the database schema and from that get to all data stored.

http://en.m.wikipedia.org/wiki/SQL_injection
 
When Willie Sutton was asked why he robbed banks, his answer was "That's where the money is." Likewise, people hack databases because that's where the data is. You are pinning the blame on the wrong thing. Once a system is "hacked", information can be obtained no matter how the data is stored. The data can be encrypted, but that is a different subject.
 
jedishrfu said:
The security hole isn't in the database interface, it's how the web application uses the database.
Oh, so in the end the security holes are introduced in the View Level, the one in charge of connecting the data with the user. I had read about SQL injections before, but what doesn't ring correctly in my mind is how they keep getting hacked time after time. Why do they keep failing to properly implement a secure View Level? Anyway, I think this last question is not really about databases at all, but about proper implementation of said level, so I'm not really expecting an answer to it in this thread.

Thanks for clearing that up.
 
The vulnerabilities are everywhere and at every level. Carnegie Mellon is working on a government study to classify the software vulnerabilities. There are many hundreds -- maybe thousands, and growing. Other companies market programs that scan code looking for vulnerabilities and warning programmers.
 
FactChecker said:
The vulnerabilities are everywhere and at every level. Carnegie Mellon is working on a government study to classify the software vulnerabilities. There are many hundreds -- maybe thousands, and growing. Other companies market programs that scan code looking for vulnerabilities and warning programmers.
Interesting.
 
Making things secure is expensive. Big companies HATE expenses. They are only now (some of them, not all) seeing that they have been doing short term gain for long term pain and they STILL aren't all doing much about it.
 
Another hole in web applications is that sometimes the web programmer will make his web app server admin userid and password match the database admin userid and password. This is a very bad move as when one interface is breached the other is breached. Web applications shouldn't need database admin access to any database unless the apps are for database admins and on a closed network.
 
FactChecker said:
Other companies market programs that scan code looking for vulnerabilities and warning programmers.

They certainly do. Seen any adverts on the internet to scan your PC for malware/viruses/Windows Registry problems/out of date drivers/whatever recently? :devil:
 
  • #10
AlephZero said:
They certainly do. Seen any adverts on the internet to scan your PC for malware/viruses/Windows Registry problems/out of date drivers/whatever recently? :devil:

Ha! Touché. I was actually thinking of static analysis tools like Polyspace, LDRA, Coverity, Parasoft and Fortify. I know there are a lot more, but I am not familiar with them.

That brings up a good point though. As far as I know, the scanners for malware (Norton, etc.) only check for threats and do not check for vulnerabilities. Do they warn if you are using an old code version that has vulnerabilities? It seems like it would be a good thing for them to do.
 
  • #11
FactChecker said:
Do they warn if you are using an old code version that has vulnerabilities? It seems like it would be a good thing for them to do.

That's really more the responsibility of the vendor of the original software, not of a 3rd party testing app. THEY are the ones that know when their updates are ready.
 
  • #12
Psinter said:
Why keep using such a way to store and manage data when it is obvious that there is something wrong with it since it gets hacked so frequently?

Suggest something different, something that will be capable of replacing databases as such, yet it will offer better security.
 
  • #13
Borek said:
Suggest something different, something that will be capable of replacing databases as such, yet it will offer better security.
That's harsh... but correct. I don't know, I have to check my schedule. :wink:
AlephZero said:
They certainly do. Seen any adverts on the internet to scan your PC for malware/viruses/Windows Registry problems/out of date drivers/whatever recently? :devil:
This is one amazing piece of information. I'm a little astonished to learn this. I would have never guessed. Very clever they have been.

EDIT: I have to make a project for this class. A crowd-sourced database application. With a web interface. I want to make it right. Reduce hacking possibilities to almost none. And probably get some bonus points?
 
  • #14
While up to date penetration testing is probably best handled by accredited companies who do that for a living, there do exist ways that are quite good for the individual to at least do preliminary assessment. The Nessus Suite by Tenable still has a free version and the "Pro" version isn't prohibitive for a web app that is likely to be actually employed.

There are also bootable systems, for use on CDs, DVDs, thumbdrives, etc., that are devoted to pentesting such as Kali. Many can be found here - http://www.livecdlist.com/
 
  • #15
Psinter said:
This is one amazing piece of information. I'm a little astonished to learn this. I would have never guessed. Very clever they have been.

Yeah, but be aware, a lot of such programs are specifically out there to INTRODUCE malware into your system. Be sure to stick with reputable, known companies, or at least ones that get good reviews from independent reviewers. There are a lot of them.
 
  • #16
phinds said:
Yeah, but be aware, a lot of such programs are specifically out there to INTRODUCE malware into your system.

Absolutely. My post was meant to be ironic (hence the smiley). I'm not sure whether "This is one amazing piece of information..." was ironic or not!
 
  • #17
With respect to your project, you could consider Grails. You write Groovy scripts (a superset of Java) and the Grails tools will generate the web pages (with the option to customize them) with protection from SQL injection attacks as part of the underlying GORM framework. Other web attacks must be handled using third-party plugins and custom code.

https://grails.org/Security
 
  • #18
AlephZero said:
Absolutely. My post was meant to be ironic (hence the smiley). I'm not sure whether "This is one amazing piece of information..." was ironic or not!

Oh, I KNEW yours was; it was his I was worried about.
 
  • #19
phinds said:
That's really more the responsibility of the vendor of the original software, not of a 3rd party testing app. THEY are the ones that know when their updates are ready.
I agree that the vendors are responsible for fixing their software, but there are a variety of reasons that software doesn't get updated. I think it would be a selling point if the code scanners included warnings. Not that it is their responsibility.
 
  • #20
jedishrfu said:
With respect to your project, you could consider Grails. You write Groovy scripts (a superset of Java) and the Grails tools will generate the web pages (with the option to customize them) with protection from SQL injection attacks as part of the underlying GORM framework. Other web attacks must be handled using third-party plugins and custom code.

https://grails.org/Security
Thanks.

phinds said:
Oh, I KNEW yours was; it was his I was worried about.
Mine wasn't. I was telling the truth.
 
  • #21
Psinter said:
Mine wasn't. I was telling the truth.

Then it's good that I warned you about scams.
 
  • #22
SQL injection attacks can easily be prevented by programming correctly to prevent them. Companies continue to cut corners, and there is a stupid belief that hiring untrained, self-taught programmers is as good as, or better than, hiring people who have studied computer science. No one should have made it through a database course in college without having learned to prevent SQL injection. That is not to say that self-taught programmers cannot also learn to prevent SQL injection attacks. But the managers who manage the programmers also often don't even know about these things, and they don't know to ask about them in job interviews. It's really quite amazing the level of database incompetence that is out there in corporations. I speak from direct experience (and I am largely self-taught about database technology specifically).

Computer security is hard, just like any security. But most break-ins are like people forgetting to lock the door. SQL injection attacks are like people forgetting to lock the door.

The first line of defense against injection is to use a stored procedure to process form data, rather than raw SQL. The stored procedure will take each piece of data submitted in the web form and validate it for sensible values, rejecting any that are not within expected ranges or of the correct type. It takes a few minutes longer to write a SP, and then in corporations, you have to get the database administrator to create/install the SP for you and set up its security, and not all of the admins even know how to do it. So to get around that, people just hack up SQL directly to handle web forms--probably 'cause they are in a hurry--and it's quite easy to attack a database using such web forms. Instead of filling out the form with real data, you fill it out with SQL code that, if it executes, will delete things. And the code handling the form includes the strings from the form right in a bunch of SQL that gets compiled and run on the spot, thus executing the malicious SQL code typed into the form. Dumbest and oldest trick in the book, and it still happens all the time. It's a teaching failure, and a coding culture failure, and a management failure.

Other companies, OTOH, go overboard with paranoia and start treating all databases like they are going to get attacked. I currently manage a bunch of biology data that no one is going to want to steal. It's all free anyway. There is no financial data, no personal identification information, anywhere on my servers. Nonetheless, the servers are getting the same kind of rigorous rules and audits applied to them that sensitive financial or military servers would get, thus making it nearly impossible to share data as needed for doing scientific research.

The unreasonableness of the workplace can be really astonishing, at times.
 
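Both jedishrfu's earlier post (an unvalidated name field spliced into a query) and this post's point about validating form data before any SQL is built come down to the same mechanism. As an added example that is not from this thread, the Python script below, assuming a constructed in-memory SQLite table, shows the concatenated query leaking every row, a parameterised query alone defeating the same input, and an alphanumeric allowlist rejecting it before it ever reaches the database.

```python
import re
import sqlite3

# Constructed sample data (not from the thread): a tiny in-memory users table.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

# Vulnerable: the form field is spliced into the SQL text, the old CGI/Perl pattern.
# Whatever the user typed is compiled and run as part of the statement.
def lookup_vulnerable(conn, name):
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

# Layer 1: a parameterised query. The driver passes the value separately from the
# statement text, so quotes inside the value can never change the query structure.
def lookup_parameterized(conn, name):
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

# Layer 2: the allowlist jedishrfu describes for a "name" field. Quotes, backticks
# and other punctuation fail the match, and fullmatch() also rejects trailing newlines.
NAME_RE = re.compile(r"[A-Za-z0-9]{1,32}")

def validate_name(name):
    return NAME_RE.fullmatch(name) is not None

# The form handler combines both layers. A rejected field never reaches the database,
# and the "rejected" status is what the caller should log so probing shows up in audits.
def handle_name_form(conn, name):
    if not validate_name(name):
        return "rejected", []
    return "ok", lookup_parameterized(conn, name)

if __name__ == "__main__":
    conn = setup_db()
    payload = "x' OR '1'='1"   # constructed injection string typed into the name field
    print(lookup_vulnerable(conn, payload))     # every row leaks
    print(lookup_parameterized(conn, payload))  # [] : nobody is literally named that
    print(handle_name_form(conn, payload))      # ('rejected', [])
    print(handle_name_form(conn, "alice"))      # ('ok', [('alice', 'alice@example.com')])
```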
