Hell of Hackerz
Welcome to HELL OF HACKERZ

Login or Register for connect with us

Because many features only for registered users.

Now enjoy without verification....

Thanks

________________________________________
HELL OF HACKERZ
Administrator
Ady Blaze
www.twitter.com/LukistUnlucky

Hell of Hackerz

Learn hacking & cracking
 
HomeHell Of HackerzFAQSearchMemberlistUsergroupsRegisterLog inDownloadTop 10 database attacks 1510
ChatBox
Subscribe our youtube channel to be updated with latest technology and techniques. Subscribe button is given on the left and right side. Thank you
Latest topics
» onlineshopingshirt.com Fake Company
Top 10 database attacks I_icon_minitime06/03/18, 03:39 pm by Hacker iam

» Keygen, crack, serial
Top 10 database attacks I_icon_minitime29/05/15, 10:14 pm by Karl Marx

» Hello everyone
Top 10 database attacks I_icon_minitime19/04/15, 12:35 am by Hacker iam

» Keygen for Moneydance 2015
Top 10 database attacks I_icon_minitime23/01/15, 10:02 pm by iota

» key gen request for Basic Inventory Control Desktop
Top 10 database attacks I_icon_minitime19/01/15, 03:15 pm by dexterdidi

» Keygen request for paralog
Top 10 database attacks I_icon_minitime30/11/14, 01:42 am by MarkV

» Microkinetics Turnmaster Pro 2014
Top 10 database attacks I_icon_minitime07/10/14, 02:22 pm by Machine_Man

» Keygen for Forex Tester 2.9
Top 10 database attacks I_icon_minitime03/10/14, 01:29 am by ocean7

» Make your Internet Download Manager for lifetime
Top 10 database attacks I_icon_minitime24/08/14, 03:52 pm by Hacker iam

» Make your Internet Download Manager for lifetime
Top 10 database attacks I_icon_minitime24/08/14, 03:50 pm by Hacker iam

» HACK FACEBOOK ID OFFER BY IMRAN
Top 10 database attacks I_icon_minitime10/08/14, 03:11 pm by Hacker iam

» Ethical Hacking classes and many more courses
Top 10 database attacks I_icon_minitime08/08/14, 06:43 pm by Hacker iam

» Ethical Hacking classes Gonna Start
Top 10 database attacks I_icon_minitime08/08/14, 06:28 pm by Hacker iam

» Banned From Group On Facebook
Top 10 database attacks I_icon_minitime19/07/14, 08:22 pm by Hacker iam

» Winpass 12 keygen needed
Top 10 database attacks I_icon_minitime18/07/14, 01:34 am by lvilleda

» Simfatic Forms 4.0
Top 10 database attacks I_icon_minitime11/06/14, 01:15 pm by kachi4gud

» SA Techietools
Top 10 database attacks I_icon_minitime02/06/14, 10:34 pm by Hacker iam

» immo tool 3.2
Top 10 database attacks I_icon_minitime16/05/14, 03:16 pm by adisby

» urgent help need. Pls create the keygen for DewanEja Pro 8
Top 10 database attacks I_icon_minitime05/05/14, 03:34 am by hamizal

» Track my IMEI
Top 10 database attacks I_icon_minitime27/04/14, 08:28 pm by rajesh

» Advanced WIFI hacker
Top 10 database attacks I_icon_minitime20/03/14, 07:04 pm by wasam

» Enounce Myspeed windows Keygen Requires
Top 10 database attacks I_icon_minitime16/03/14, 12:03 pm by devkaagra

» Can anyone provide keygen for below software ?
Top 10 database attacks I_icon_minitime04/03/14, 12:04 pm by akmakm2005

» Flaming Cliffs 3 - Keygen request please
Top 10 database attacks I_icon_minitime17/02/14, 02:58 pm by moejo

» CalMAN 5 Keygen
Top 10 database attacks I_icon_minitime14/02/14, 12:22 pm by droid

» Clearscada license key request
Top 10 database attacks I_icon_minitime10/02/14, 07:52 pm by mahpayma

» Huawei unlocker
Top 10 database attacks I_icon_minitime04/01/14, 08:24 pm by dennis1990

» tack imei no. of mobile..
Top 10 database attacks I_icon_minitime09/11/13, 08:09 pm by lawendy

» tack imei no. of mobile..
Top 10 database attacks I_icon_minitime28/10/13, 04:47 pm by akki4all

» Alt-n Relayfax 7.0.6 keygen or activation patch
Top 10 database attacks I_icon_minitime08/10/13, 03:43 am by fuggin

Learn hacking & cracking


Share | 
 

 Top 10 database attacks

View previous topic View next topic Go down 
AuthorMessage
Hacker iam
Admin
Admin
Hacker iam

Posts : 272
Points : 2652
Reputation : 3
Join date : 2010-11-26
Age : 27
Location : Lucknow

Top 10 database attacks Empty
PostSubject: Top 10 database attacks   Top 10 database attacks I_icon_minitime30/05/11, 10:03 pm

Enterprise database infrastructures, which often contain the crown jewels of an organization, are subject to a wide range of attacks. Amichai Schulman, CTO, Imperva, lists the most critical of these, followed by recommendations for mitigating the risk of each.
1. Excessive privileges
When users (or applications) are granted database privileges that exceed the
requirements of their job function, these privileges may be used to gain access to confidential information. For example, a university administrator whose job requires read-only access to student records may take advantage of excessive update privileges to change grades. The solution to this problem (besides good hiring policies) is query-level access control. Query-level access control restricts privileges to minimum-required operations and data. Most native database security platforms offer some of these capabilities (triggers, RLS, and so on), but the manual design of these tools make them impractical in all but the most limited deployments.
2. Privilege abuse
Users may abuse legitimate data access privileges for unauthorized purposes. For example, a user with privileges to view individual patient records via a custom healthcare application client may abuse that privilege to retrieve all
patient records via a MS-Excel client.The solution is access control policies that apply not only to what data is accessible, but how data is accessed. By enforcing policies for time of day, location, and application client and volume of data retrieved, it is possible to identify users who are abusing access
privileges.
3. Unauthorized privilege elevation
Attackers may take advantage of vulnerabilities in database management software to convert low-level access privileges to high-level access privileges. For example, an attacker might take advantage of a database buffer overflow
vulnerability to gain administrative privileges. Privilege elevation exploits can be defeated with a combination of query-level access control and traditional intrusion prevention systems (IPS). Query-level access control can detect a user who suddenly uses an unusual SQL operation, while an IPS can identify a specific documented threat within the operation.
4. Platform vulnerabilities
Vulnerabilities in underlying operating systems may lead to unauthorized data access and corruption. For example, the Blaster worm took advantage of a Windows 2000 vulnerability to take down target servers. IPS tools are a good way to identify and/or block attacks designed to exploit known database platform vulnerabilities.
5. SQL injection
SQL injection attacks involve a user who takes advantage of vulnerabilities in front-end web applications and stored procedures to send unauthorized database queries, often with elevated privileges. Using SQL injection, attackers could even gain unrestricted access to an entire database. Query-level access control detects unauthorized queries injected via web applications and/or stored procedures.
6. Weak audit
Weak audit policy and technology represent risks in terms of compliance, deterrence, detection, forensics and recovery. Unfortunately, native database management system (DBMS) audit capabilities result in unacceptable performance degradation and are vulnerable to privilege-related attacks -- i.e. developers or database administrators (DBAs) can turn off auditing. Most DBMS audit solutions also lack necessary granularity. For example, DBMS products rarely log what application was used to access the database, the source IP addresses and failed queries. Network-based audit appliances are a good solution. Such appliances should have no impact on database performance, operate independently of all users and offer granular data collection.
7. Denial of service
Denial of service (DoS) may be invoked through many techniques. Common DoS techniques include buffer overflows, data corruption, network flooding and resource consumption. The latter is unique to the database environment and frequently overlooked. DoS prevention should occur at multiple layers including the network, applications and databases. Database-related recommendations include deploying an IPS and connection rate controls. By rapidly opening a large number of connections, connection rate controls can prevent individual users from consuming database server resources.
8. Database protocol vulnerabilities
Vulnerabilities in database protocols may allow unauthorized data access, corruption or availability. For example, the SQL Slammer worm took advantage of a Microsoft SQL Server protocol vulnerability to execute attack code on target database servers. Protocol attacks can be defeated by parsing and validating SQL communications to make sure they are not malformed.
9. Weak authentication
Weak authentication schemes allow attackers to assume the identity of legitimate database users. Specific attack strategies include brute force attacks, social engineering, and so on. Implementation of passwords or two-factor authentication is a must. For scalability and ease-of-use, authentication mechanisms should be integrated with enterprise directory/user management infrastructures.
10. Exposure of backup data
Some recent high profile attacks have involved theft of database backup tapes and hard disks. All backups should be encrypted. In fact, some vendors have suggested that future DBMS products may not support the creation of unencrypted backups. Encryption of online production database information is a poor substitute for granular privilege controls.
Back to top Go down
View user profile http://adyblaze.com
 

Top 10 database attacks

View previous topic View next topic Back to top 
Page 1 of 1

Permissions in this forum:You cannot reply to topics in this forum
Hell of Hackerz :: Tip and Tricks :: Web Server and Database Attacks-
ChatBox
Free forum | © phpBB | Free forum support | Contact | Report an abuse | Forumotion.com