Ever realized how delicate and important your website’s databases are? From banking websites to online dating websites, hacked databases in the wrong hands can prove to be costly. Just ask Ashley Madison, an online dating websites whose databases of more than 25GB were breached a few months ago and their user’s information were left open for the world to see. So, to avoid getting there yourself, it’s about time you seriously gave it a thought.
Hacking is a growing threat for every business both large and small. Unfortunately, security exploits towards servers have increased tremendously. In a world driven by computers, most companies rely on systems that are entirely built around databases. You should understand the importance of database servers if you own or run a website which rely on databases. It is the primary target for any attacker, as it holds the most important information about your website or business. Losing full control, or even partial control, could bring any business down. Databases generally hold sensitive information such as personal customer details, payment transaction statements, credit card data – among many other things. So attacks on database servers like MySQL, MariaDB, Microsoft SQL server etc can be expected. Our focus here is on the MySQL database server – the various attacks, exploits, vulnerabilities and their prevention methods.
Is MySQL breakable?
Owing to great performance and compatibility, MySQL server is one of the most successful open source products. However, it is also plagued with security challenges, just as any other open source database solution. Utmost care needs to be taken to configure MySQL in order to strengthen its security. Because of its immense popularity, MySQL has been a regular target for malicious users or hackers wanting to exploit and steal data. This type of exploit can be serious; it can include putting malicious software on your web server and using the website to host malware. SQL injection constituted 29% of attack vectors against Web Applications in Q1 of the year 2015 as per Akamai. SQLi/SQL injection is an attack where user content is passed to an SQL statement without proper validation. It is necessary to consider fully protecting the entire server host (and not just the MySQL server) against all types of applicable attacks. Let’s discuss about some serious attacks that exploit a MySQL server.
Network eavesdropping to compromise connection
Eavesdropping on database communication is relatively easy if your server belongs to an untrusted network because database communications are mostly in clear text or close enough to clear text. The default connection to the MySQL server is not encrypted (for most hosting companies), which could be a problem if you are sending sensitive data to the MySQL server. Using simple utilities and free tools, a hacker can listen in and steal information.
Brute force attacks to your MySQL server
If your website involves user authentication then you are a good target for this kind of attack. MySQL commonly asks for authentication if someone needs to log in to the server and access sensitive data. By default, the MySQL database accepts user logins as root with no passwords. An attacker can use tools to test network blocks to identify MySQL instances that accept a blank root password which makes it much simpler for the attacker to access the database server. Similarly, are you using phpMyAdmin to remotely connect to the database? If Yes, then your server is again susceptible to brute force attacks. Some CMS’s such as WordPress provide phpMyAdmin plugins, and using it without properly implementing security measures is more likely to be noticed by hackers. PhpMyAdmin being a web-based tool, it can be easily accessed via https://yourwebsite.com/phpMyAdmin if no authentication control has been set during phpMyAdmin installation. In most cases, MySQL server administrators fail to impose any limits to the number of login attempts, so this again is a good vector for exploiting weak passwords. An attacker would systematically try every possible combination until he discovers the correct one.
During Q1 2015, Akamai observed that SQLi attacks accounted for 29.16% of web application attacks. 40% of all SQLi attacks target retail web sites. SQL injection is an attack where user content is passed to an SQL statement without proper validation. This attack is not a pure database attack, but in fact a combination of database and web application vulnerability. It’s a very well known type, in which an attacker uses webpages to plant the attack. It takes advantage of flawed coding of the web application which allows attackers to inject SQL statements into, predefined back-end SQL statements such as those used in a website login form. This in turn may allow the attacker to gain access to the data stored within your database among other potential malicious actions. Goal of SQL injection would be to attempt Information leakage, disclose and manipulate stored data, by-pass authorization and client-side SQL injection.
DDoS, or Distributed Denial of Service Attacks
Databases are the most vulnerable to application layer DDoS attacks. Using GET requests is probably the most convenient way to execute queries stored in the database and/or retrieve contents from it via a web browser. DDoS attackers exploit databases by issuing a flood of complex GET requests that require the database to return an extremely large amount of data. For example, if a site’s home page generates a large number of database queries, in a DDoS attack that action could crash the database and expose the entire site to the threat.
Broken authentication and session management attacks
Each user’s requests are tracked using sessions in a web application. In a retail site which has a list of products a user wants to purchase, without session management implemented, a user will have to login after each request. Let’s say, when a user logins into the site, he/she will have to login to search for a product first, once again login to add the item to his shopping cart and check out, then yet again login to supply payment details and complete the payment. With session management, user needs to supply this login information only once and the web application will remember this when the user adds items to the shopping cart until he makes the payment and logs out. Web development frameworks such as ASP.NET, PHP, J2EE have inbuilt session management features that are widely used and implemented. However, there are a number of vulnerabilities and weaknesses associated with this. Such as Session IDs must be stored securely so that they are protected against local or remote accidental disclosure or unauthorized access. Similarly, attackers can compromise passwords, keys, session tokens or other implemented flaws to assume other legitimate user’s identity.
Like any intangible assets such as patents, trademark, copyrights etc., valuable information regarding Corporate, customer, financial data, stored in database servers are probably the most precious data assets of a company. Malicious insiders and hackers can easily steal these data if the server is not patched for vulnerabilities and if there still exists accounts in the system with default passwords and administrative rights.
The loss any business will have to endure after such an attack on database servers can be categorized as:
- Availability: When a database or data disappear, business stops. Assuming you have working backups, you can restore from, this is the least of all concerns. However, there is something that the company will have to lose until the data is restored, if its a retail site, all prospective customers purchases are lost.
- Confidentiality: Your secrets, private information of your customers , Credit Card details and anything else that you decided not to make publicly available may be leaked, sold or will be used to blackmail for ransom in exchange.
- Privacy: Personal information which, under certain laws, you may be legally liable for, may be stolen and used for malicious purpose such as identity theft or impersonation.
- Integrity: Without your knowledge, data may be modified to serve someone else’s purpose. Altering the content of web pages stored in a database will be difficult to identify. Here, the attacker can accomplish this with the write privileges of a stolen account.
The consequence of MySQL or any other database server being attacked is not limited to those stated above and the level at which a company’s finance and credibility gets affected can vary. How you value the information provided and are protective about them should be in proportion to the security measures you must take. MySQL security requirements should touch all networking layers, and hence needs careful design and implementation. The correct way to secure a database server starts with hardening the OS on which it is installed.
About the Author: