February 08, 2010

Litchfield DBMS_JVM_EXP_PERMS 0-day on Oracle

At last week’s BlackHat D.C., David Litchfield revealed 0-day vulnerabilities in Aurora, the Java implementation built into Oracle.

Vulnerabilities in the following packages:

  • DBMS_JAVA
  • DBMS_JAVA_TEST
  • DBMS_JVM_EXP_PERMS

allow an attacker to escalate their privileges to sysdba and take complete control of the database. It was successfully demonstrated how a low privileged user can grant themselves sysdba privileges, access on every file on the Oracle host server and execute those files, including a shell. It was also shown how to load binary code into the Oracle process and execute it. Finally a way to bypass Oracle Label Security was demonstrated.

There is currently no fix available from Oracle, however Oracle’s access control features allow for a workaround. By default EXECUTE is granted to PUBLIC for the above mentioned packages.

In order to protect against these current threats, database administrators should revoke execution privileges on these packages from PUBLIC and any other user that does not require them. The AppDetective and DbProtect ‘Object privilege granted to PUBLIC’ Oracle Vulnerability Assessment checks can be used to help find and remediate these privileges.

Application Security has also made available for download a custom policy and check to specifically find these privileges and learn if your Oracle databases are vulnerable. With Application Security, Inc.’s User Rights Review (URR) platform, customers will also be able to determine which users can exploit the vulnerability as well as an explanation of how to fix the vulnerability.

Team SHATTER also suggests adhering to the following general security considerations to minimize the risk of new attacks like this:

  • Always stay up-to-date on the latest security patches
  • Minimize the attack surface by only installing and enabling functionality that is required for the business task
  • Remove all unused default components, accounts and databases
  • Assign only minimal privileges required
  • Assign privileges through roles, not directly to users

Related links:
SHATTER Security Bulletin

Posted by Alex Rothacker on February 08, 2010 at 12:37 PM in Current Affairs, Database Security (general), Oracle, Vulnerability Assessment | | Comments (0) | TrackBack (0)

|

January 19, 2010

How Do You Assess Your Vulnerability Management Profile?

hand_with_globeIt’s interesting today when you’re thumbing through analyst reports and the like to find what the hot trends in security and compliance are. Sometimes you feel as though you never really find what you are looking for, exactly.

Dark Reading recently created some Tech Centers that address very specific IT Security and Compliance components with news and analysis. Real analysis, it’s cool.

The freshly minted Vulnerability Management Tech Center published a report from InformationWeek Analytics that recommends a very straight-forward process by which organizations can address overall vulnerability management. (You have to register and its free)

What’s unique about this report is that it looks through a regulatory lens, keeping continuous compliance the goal. It’s also chock full ‘o survey data, we at AppSec love. But what is interesting about Richard  Dreger’s report is that you could pull this up and use it as a quick-reference guide to check your steps throughout an implementation process.

Here’s a few highlights:

· Of the 379 business professionals surveyed, 65% cited HIPAA as the most common regulatory requirement they are concerned with.

· 35% of organizations say they have 4+ regulations their companies are required to comply with.

· As far as compliance drivers, 59% say they fear legal ramifications being found in non-compliance. 38% fear negative audit results, 36% fear negative publicity. That’s a lot of fear, and it proves fear still makes companies do stuff.

· But you have to get down to the 36% who want to implement a comprehensive security program where you scratch your head. Why isn’t this the number one driver? Just speaks to how folks want to avoid interim strikes against them but have no intention of being proactive.

· As for recommendations, starting at the security level is good – and integrating operational guys, technical guys and management into the process is key – agreed.

· At this point I won’t give the whole thing away – but the recommended process is excellent, starting with knowing your goals, an initial configuration check, discovery, deep testing, pen testing your environment for proactive security and compliance – and finally reporting.

· The most telling figure is that only 23% of respondents said their info sec program is very secure and well-documented.

Check this report out and tell these guys they created a nice resource for our market.

Posted by Tom Bain on January 19, 2010 at 11:28 PM in Compliance (General), Database Security (general), HIPAA, Vulnerability Assessment | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , ,

|

January 14, 2010

How Do You Protect 27% of the World’s Wealth?

bankofamerica An interesting story broke today that is flying under the radar. It’s being reported that Swiss Banks are in conversations with the government on sharing sensitive data. Switzerland has been called out by France for the lack of a cohesive policy around how they share highly confidential customer information.

The bulk of this discussion centers around taxes, and how foreign tax authorities are requiring information – basically because Switzerland had to make some deals with the UK, US and France to stave off a blacklisting by the OECG as being a tax haven for evasion.

What’s interesting are the data security challenges associated with whatever mandate the Swiss government enacts. Why? Because 27% of the world’s privately vested offshore wealth resides in Swiss bank accounts. Not a small chunk of change. And likely a LOT of data.

Guess where the data at most of those Swiss banks probably lives? Oh yes, multiple databases. And guess where the most coveted information exists? You guessed it, in those databases.

But the million-dollar question is do all those banks have the right database controls and protection deployed so that they can ensure that confidential information remains confidential? And will the Swiss government require the right levels of protection to comply? And once they roll out the requirements (and its announced publicly) will the hacker community pounce on it, knowing some of the banks won’t implement what they need to during this equivalent of a patch gap? Probably.

This all speaks to the issue of continuous compliance in the database and the need for a methodology that should enable an organization to know what the audit result will be before that database is audited. And it speaks to the need for the right combination of scanning and monitoring functionality to avoid that ‘gap’ which can leave systems extremely vulnerable to attack.

Posted by Tom Bain on January 14, 2010 at 01:28 PM in Activity Monitoring, Compliance (General), Database Security (general) | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , , ,

|

December 28, 2009

Only As Strong As The Weakest Link

By now we have all heard about how hacker, Albert Gonzales, and a cohort of his victimized Heartland Payment Systems, Hannaford Brothers, 7-Eleven by stealing over 130 million credit and debit card numbers by exploiting SQL Injection vulnerabilities.  The same hacker is also accused of breaching TJX Companies, Dave & Busters, and the Boston Market chains.

Because of the enormous size of the breaches, there have been a number of lively responses by the security and compliance industry regarding the technical details of the breaches as well as renewed scrutiny of the industry PCI-DSS regulation.  Details are sketchy but one thing we know for certain is that it starts with an exposed application and a database.  The rest of the breach involves getting into the network and navigating around, which brings me to my point.  Security pundits have taken to heart long ago that your IT environment is only as strong as your weakest link.  In these cases, the entry point to the network was though the application and the database, but the anatomy of the attack certainly went well beyond that.  They got into the network, installed software, and presumably navigated around the corporate network performing reconnaissance, before digging for the payload, getting it out and covering their tracks.  Once a hacker gets in, they start to exploit found vulnerabilities to take on the credentials of privileged applications, and armed with what is pretty much a fake passport, digitally travel around the corporate network.

We work with many companies on their security & compliance programs and one thing everyone tries to do is to reduce the scope of what needs to be protected-- draw a circle around a defined set of systems and apply specific controls to them.  It's the practical thing to do because a company only has so many resources. This is done by identifying the systems and applications that house the most critical information-- usually systems that contain information that is regulated by SOX, PCI, HIPAA, FISMA, etc.  But one area that tends to be forgotten is that networks are connected, and the network is "only as strong as its weakest link." We always have to remain keenly aware that threats can start outside of the scoped network, and any vulnerabilities or misconfigurations, is fair game to a person with malicious intentions.  So remember to consider and keep connected networks just as secured.

It is certainly not hopeless.  Today's existing technology combined with security best practices are up to the task today.  Companies just need to apply it, and certainly most don't do enough today.Skd283367sdc

Posted by Richard Tsai on December 28, 2009 at 11:06 AM in Breaches, Database Security (general) | | Comments (0) | TrackBack (0)

|

December 23, 2009

$25.95 is all it takes…

Jet_fighter Let's get this straight – insurgents in Iraq made a monumental hack last week into our military’s communications system that powers the Predator drones. These drones are perhaps one of the more effective weapons used in modern warfare to monitor areas and movements of the enemy.

But now with SkyGrabber, a Russian-developed, offline satellite internet downloader, which can be purchased for the low, low price of $25.95, you can put yourself on the path toward intercepting messages and information that have traditionally given the U.S. the leading edge in intelligence and surveillance.

That’s right, the Russian-developed program is all it takes. But this is just the tip of the iceberg. It’s been reported this year that U.S. military systems are fending off close to 3 million probes on its systems every day.

This speaks to the fact that even sophisticated criminals, have demonstrated an unyielding thirst for information, whether they’re attacking corporate networks, storefront systems or military systems.

To quote Brian Krebs, who writes the Security Fix blog for the Washington Post, “I’ve said it before, and I’ll say it again: cyber gets no respect until people start dying because of vulnerabilities.” Maybe a hack like this will put things in perspective to wrap up a year that saw over 220 million records stolen because of vulnerable systems – someone out there is making a lot of money.

Posted by Tom Bain on December 23, 2009 at 11:53 AM in Current Affairs, Database Security (general) | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , ,

|

December 08, 2009

Is it possible we have hit the crisis point?

Our annual study with Enterprise Strategy Group usually generates a lot of buzz around what firms aren't doing to protect their most critical applications that house sensitive information - you guessed it, the database.

But what we've seen in our survey that we launched today isn't just a bunch of statistics – it’s a grim reminder that we are facing perhaps the worst of threats to our confidential data, and there are things we are either overlooking, don't understand...or, simply doing nothing about.

We polled 175 IT Security execs at large organizations, and based on some of the staggering numbers, it’s possible we may have a crisis on our hands...

The study reveals that 60% of organizations don’t feel their existing database controls adequately protect their organization’s confidential data. Coming from security executives, this doesn't inspire a lot of confidence.

In addition, the data reports that nearly 70% of organizations do not feel that their existing database controls are well-defined. Again, considering the source, if controls aren't spelled out and communicated appropriately, how can IT Security even do its job?

The survey reveals that despite the fact that over two-thirds of organizations are spending moderate to significant amounts of time writing custom scripts, remediating compliance issues, and engaging in associated tasks - which means costly manual processes are the norm. 

38% of organizations still failed database security audits, which tells us that while companies may be better this year in identifying database audits as important, they aren't taking a continuous approach to compliance. Therefore they may be passing one audit, but what happens in the next one a month or even a week later? 

The study further reveals the troubling statistic that less than 4% of IT budgets are spent protecting the data where it lives – in the database. Why is it troubling? Well, if companies looked at their overall IT Security spend and re-prioritized their misplaced spending, they'd be able to ground both their compliance initiatives and protections in the database.

 

Posted by Tom Bain on December 08, 2009 at 01:02 PM in Activity Monitoring, Breaches, Compliance (General), Database Security (general), General Security | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

|

December 01, 2009

IBM's Guardium acquisition

By acquiring Guardium at such a significant multiple, IBM has validated the database security, risk and compliance marketplace. However, this acquisition adds yet another point solution to their already disparate database tools portfolio, and such an "rfp check box" architecture approach will not satisfy the integrated platform requirements of serious customers seeking enterprise wide data governance.      

- John Ottman, President & CEO, Application Security, Inc.

Posted by John Ottman on December 01, 2009 at 03:59 PM in Current Affairs, Database Security (general) | | Comments (0) | TrackBack (0)

|

November 17, 2009

Stolen Customer Data Indicates Things Are Getting Worse

 The recent insider attack at T-Mobile where an employee stole personal details of thousands of mobile phone customers and was sold to its competitors is the biggest data breach of its kind, according to the Guardian.

This breach isn’t shocking given that the threat environment has seen a massive uptick in recent weeks. Malicious insiders are the root cause of approximately 75% of all breaches - especially in the still-dire economy, people are disgruntled and are looking to capitalize on the sensitive enterprise data that they may have access to.

What’s compelling is that the breach put T-Mobile’s customer information directly in the hands of their competitors in the UK. So now, their competitors know when customer contracts are expiring – so there is a major risk for loss of revenue.

What’s perhaps more scary, and it’s probably too early to tell, is that the customer info being leaked to competitors is bad, but the potential for fraudulent activity is likely very high. So now T-Mobile is going to have to undertake a massive effort at a massive cost to somehow curb the effect of this thing. 

Is there a silver bullet to stop data loss on such a large scale? Well, a few things have to be considered.  First, a thorough review of access controls on the database regularly is critical to maintaining a protected DBMS environment - and passing database audits.

Second, there is something to be said for knowing what those with access are up to. So database activity monitoring would have alerted administrators that inappropriate activity was happening, which would have in turn allowed administrators and management to take corrective action immediately.

IOUG also reported a 50% increase in breaches from 2007 to 2008, and that about 35% of organizations have their databases are configured securely. With only one in four databases protected, clearly, this is an enormous issue, possibly that contributed this breach, although it seems it was a number of factors.

Organizations really have to look at database security, risk and compliance as an ongoing, continuous and business-critical process that doesn't start when you are breached – it needs to be driven by the security organization with management.  We wish them luck and hope they call us to help!

Posted by Tom Bain on November 17, 2009 at 07:10 PM in Breaches, Database Security (general) | | Comments (0) | TrackBack (0)

Technorati Tags: , , , ,

|

November 16, 2009

Authorized Database Roles - Where do they go when someone leaves?

Laptop2 By now you know the drill - another data breach, more identity theft, more records potentially compromised. MassMutual experienced a database breach of employee information over the weekend through a contracted vendor database.

There's some information that's come to the surface already, and it appears they've been able to curb the damages and take the proactive steps to protect employees.

What this breach underscores is the fact that organizations are still not taking the right steps to protect sensitive, confidential information in a comprehensive way. What also persists to be a major issue is the lack of segregation of duties in the database.

As the unemployment rate hovers around 10% and organizations are still slashing headcount, roles and privileges to data still exist, possibly even if that employee has been let go, has moved on or has been reassigned. When those access controls still exist, organizations are at risk.

Databases contain sensitive information are large, enterprise organizations. 99% of enterprise data exists in some form inside a database. Yet with breach numbers up to 340,102,273 you'd think there would be a massive call to action for organizations who have are facing a radically scaled-up threat environment.

Posted by Tom Bain on November 16, 2009 at 02:15 PM in Activity Monitoring, Breaches, Database Security (general), General Security, Vulnerability Assessment | | Comments (0) | TrackBack (0)

Technorati Tags: , , , , , , ,

|

October 12, 2009

Now Showing...The Unprotected!

Its not everyday you see an enterprise software organization have this much fun...or be this creative...but that's just us! Today we launched a new, original dramatic Web film series entitled “The Unprotected.”   Echoing the gritty, fast-paced, dramatic style of "The Wire" and "24", the five-part "webisodic" series highlights real world database security, risk and compliance issues that enterprise organizations face every day.

“The Unprotected" is the first film project developed by Application Security, Inc. The trailer can be viewed immediately and the pilot episode will debut on October 19, with weekly releases of new “webisodes” through mid-November. I mean, we have to keep you in suspense...

The Unprotected" tells the story of Greencrest Financial, a financial services firm that must achieve compliance by the end of the quarter. Unfortunately, Greencrest is failing its audit and also realized they were hacked, compromising tens of thousands of sensitive customer records.

For more information on our exciting new film series, visit www.theunprotected.net yourself, and check out the press release.

Posted by Tom Bain on October 12, 2009 at 05:18 PM | | Comments (0) | TrackBack (0)

|

Oracle World begins

The show has started and our first session was jam packed." Know what you're up against" is our theme and world champion Byamba is here promoting the message. Stop by if you are in San Fran.
Jeff Coveney

Sent via wireless BlackBerry. Please excuse brevity or typos.

IMG00033-20091012-1040.jpg

Posted by Jeff Coveney on October 12, 2009 at 01:46 PM | | Comments (0) | TrackBack (0)

|

August 28, 2009

Are Financial Services Organizations Protecting Themselves Better?

Interesting article by Linda McGlasson of Bank Information Security tracking the biggest breaches of 2009. The Identity Theft Center is reporting 356 total data breaches in 2009, 46 or which occurred at financial services organizations.

Of the 46 financial services breaches, IDTC categorized them:

  • Insider theft: 12 breaches;
  • Skimming: 8;
  • Missing paper documents: 10 of the breaches
  • Exposure of data on the Internet: 4;
  • Accidental breaches: 2;
  • Stolen or missing hard drives/laptops: 5;
  • Outside network intrusions: 2;
  • Unknown cause: 3.

    So between IDTC reporting that fraud cost consumers $1.8 billion and the classification of breach method, doesn't it beg the fact that the thieves are scoring this data from somewhere?

    Wait, can you hear that? It sounds like a database being cracked open to steal that information that lead to all that theft. And isn't it more important to protect data where it resides as opposed to focusing on the conduits?

    • Posted by Tom Bain on August 28, 2009 at 04:05 PM in Breaches, Current Affairs, Database Security (general) | | Comments (1) | TrackBack (0)

    |

    Next »