Hell of Hackerz
Welcome to HELL OF HACKERZ

Login or Register for connect with us

Because many features only for registered users.

Now enjoy without verification....

Thanks

________________________________________
HELL OF HACKERZ
Administrator
Ady Blaze
www.twitter.com/LukistUnlucky

Hell of Hackerz

Learn hacking & cracking
 
HomeHell Of HackerzFAQSearchMemberlistUsergroupsRegisterLog inDownload
ChatBox
Subscribe our youtube channel to be updated with latest technology and techniques. Subscribe button is given on the left and right side. Thank you
Latest topics
» Keygen, crack, serial
29/05/15, 10:14 pm by Karl Marx

» Hello everyone
19/04/15, 12:35 am by Hacker iam

» Keygen for Moneydance 2015
23/01/15, 10:02 pm by iota

» key gen request for Basic Inventory Control Desktop
19/01/15, 03:15 pm by dexterdidi

» Keygen request for paralog
30/11/14, 01:42 am by MarkV

» Microkinetics Turnmaster Pro 2014
07/10/14, 02:22 pm by Machine_Man

» Keygen for Forex Tester 2.9
03/10/14, 01:29 am by ocean7

» Make your Internet Download Manager for lifetime
24/08/14, 03:52 pm by Hacker iam

» Make your Internet Download Manager for lifetime
24/08/14, 03:50 pm by Hacker iam

» HACK FACEBOOK ID OFFER BY IMRAN
10/08/14, 03:11 pm by Hacker iam

» Ethical Hacking classes and many more courses
08/08/14, 06:43 pm by Hacker iam

» Ethical Hacking classes Gonna Start
08/08/14, 06:28 pm by Hacker iam

» Banned From Group On Facebook
19/07/14, 08:22 pm by Hacker iam

» Winpass 12 keygen needed
18/07/14, 01:34 am by lvilleda

» Simfatic Forms 4.0
11/06/14, 01:15 pm by kachi4gud

» SA Techietools
02/06/14, 10:34 pm by Hacker iam

» immo tool 3.2
16/05/14, 03:16 pm by adisby

» urgent help need. Pls create the keygen for DewanEja Pro 8
05/05/14, 03:34 am by hamizal

» Track my IMEI
27/04/14, 08:28 pm by rajesh

» Advanced WIFI hacker
20/03/14, 07:04 pm by wasam

» Enounce Myspeed windows Keygen Requires
16/03/14, 12:03 pm by devkaagra

» Can anyone provide keygen for below software ?
04/03/14, 12:04 pm by akmakm2005

» Flaming Cliffs 3 - Keygen request please
17/02/14, 02:58 pm by moejo

» CalMAN 5 Keygen
14/02/14, 12:22 pm by droid

» Clearscada license key request
10/02/14, 07:52 pm by mahpayma

» Huawei unlocker
04/01/14, 08:24 pm by dennis1990

» tack imei no. of mobile..
09/11/13, 08:09 pm by lawendy

» tack imei no. of mobile..
28/10/13, 04:47 pm by akki4all

» Alt-n Relayfax 7.0.6 keygen or activation patch
08/10/13, 03:43 am by fuggin

» SQL injection manually
04/10/13, 11:52 am by Ardilla

Learn hacking & cracking


Share | 
 

 Top 10 database attacks

View previous topic View next topic Go down 
AuthorMessage
Hacker iam
Admin
Admin
avatar

Posts : 271
Points : 2649
Reputation : 3
Join date : 2010-11-26
Age : 25
Location : Lucknow

PostSubject: Top 10 database attacks   30/05/11, 10:03 pm

Enterprise database infrastructures, which often contain the crown jewels of an organization, are subject to a wide range of attacks. Amichai Schulman, CTO, Imperva, lists the most critical of these, followed by recommendations for mitigating the risk of each.
1. Excessive privileges
When users (or applications) are granted database privileges that exceed the
requirements of their job function, these privileges may be used to gain access to confidential information. For example, a university administrator whose job requires read-only access to student records may take advantage of excessive update privileges to change grades. The solution to this problem (besides good hiring policies) is query-level access control. Query-level access control restricts privileges to minimum-required operations and data. Most native database security platforms offer some of these capabilities (triggers, RLS, and so on), but the manual design of these tools make them impractical in all but the most limited deployments.
2. Privilege abuse
Users may abuse legitimate data access privileges for unauthorized purposes. For example, a user with privileges to view individual patient records via a custom healthcare application client may abuse that privilege to retrieve all
patient records via a MS-Excel client.The solution is access control policies that apply not only to what data is accessible, but how data is accessed. By enforcing policies for time of day, location, and application client and volume of data retrieved, it is possible to identify users who are abusing access
privileges.
3. Unauthorized privilege elevation
Attackers may take advantage of vulnerabilities in database management software to convert low-level access privileges to high-level access privileges. For example, an attacker might take advantage of a database buffer overflow
vulnerability to gain administrative privileges. Privilege elevation exploits can be defeated with a combination of query-level access control and traditional intrusion prevention systems (IPS). Query-level access control can detect a user who suddenly uses an unusual SQL operation, while an IPS can identify a specific documented threat within the operation.
4. Platform vulnerabilities
Vulnerabilities in underlying operating systems may lead to unauthorized data access and corruption. For example, the Blaster worm took advantage of a Windows 2000 vulnerability to take down target servers. IPS tools are a good way to identify and/or block attacks designed to exploit known database platform vulnerabilities.
5. SQL injection
SQL injection attacks involve a user who takes advantage of vulnerabilities in front-end web applications and stored procedures to send unauthorized database queries, often with elevated privileges. Using SQL injection, attackers could even gain unrestricted access to an entire database. Query-level access control detects unauthorized queries injected via web applications and/or stored procedures.
6. Weak audit
Weak audit policy and technology represent risks in terms of compliance, deterrence, detection, forensics and recovery. Unfortunately, native database management system (DBMS) audit capabilities result in unacceptable performance degradation and are vulnerable to privilege-related attacks -- i.e. developers or database administrators (DBAs) can turn off auditing. Most DBMS audit solutions also lack necessary granularity. For example, DBMS products rarely log what application was used to access the database, the source IP addresses and failed queries. Network-based audit appliances are a good solution. Such appliances should have no impact on database performance, operate independently of all users and offer granular data collection.
7. Denial of service
Denial of service (DoS) may be invoked through many techniques. Common DoS techniques include buffer overflows, data corruption, network flooding and resource consumption. The latter is unique to the database environment and frequently overlooked. DoS prevention should occur at multiple layers including the network, applications and databases. Database-related recommendations include deploying an IPS and connection rate controls. By rapidly opening a large number of connections, connection rate controls can prevent individual users from consuming database server resources.
8. Database protocol vulnerabilities
Vulnerabilities in database protocols may allow unauthorized data access, corruption or availability. For example, the SQL Slammer worm took advantage of a Microsoft SQL Server protocol vulnerability to execute attack code on target database servers. Protocol attacks can be defeated by parsing and validating SQL communications to make sure they are not malformed.
9. Weak authentication
Weak authentication schemes allow attackers to assume the identity of legitimate database users. Specific attack strategies include brute force attacks, social engineering, and so on. Implementation of passwords or two-factor authentication is a must. For scalability and ease-of-use, authentication mechanisms should be integrated with enterprise directory/user management infrastructures.
10. Exposure of backup data
Some recent high profile attacks have involved theft of database backup tapes and hard disks. All backups should be encrypted. In fact, some vendors have suggested that future DBMS products may not support the creation of unencrypted backups. Encryption of online production database information is a poor substitute for granular privilege controls.
Back to top Go down
View user profile http://adyblaze.com
 

Top 10 database attacks

View previous topic View next topic Back to top 

 Similar topics

-
» selenium with database testing
» How can i store all the commandsused by rc in a database??
» Lexapro, Xanax and Anxiety attacks
» Gang Tag Database
» Windows 10 ESD Database Update Log
Page 1 of 1

Permissions in this forum:You cannot reply to topics in this forum
Hell of Hackerz :: Tip and Tricks :: Web Server and Database Attacks-

Similar topics

+
ChatBox
Free forum | © phpBB | Free forum support | Contact | Report an abuse | Free forum