Displaying posts with tag: Security
MySQL Role-Based Security, Data Masking and Auditing Presentation

Our September 2016 New York City MySQL Meetup featured a demonstration of how to implement role-based security in MySQL using Hexatier. Several other important security features were also demonstrated, including role-based dynamic data masking down to a per-column level and full statement auditing.

Thanks to Scott Unrick, Lead Database Administrator at Teladoc for the great presentation. Slides are available here.

Percona XtraDB Cluster 5.6.30-25.16.2 is now available (CVE-2016-6662 fix)

Percona announces the new release of Percona XtraDB Cluster 5.6 on September 15, 2016. Binaries are available from the downloads area or our software repositories.

Percona XtraDB Cluster 5.6.30-25.16.2 is now the current release, based on the following:

  • Percona Server 5.6.30-76.3
  • Galera Replication library 3.16
  • Codership wsrep API version 25

This release provides a …

About Oracle MySQL and CVE-2016-6662

The issue

On 12 September 2016 (three days ago) a MySQL security vulnerability was announced. The CVE id is CVE-2016-6662.

There are 3 claims:

  1. By setting malloc-lib in the configuration file access to an OS root shell can be gained.
  2. By using the general log a configuration file can be written in any place which is writable for the OS mysql user.
  3. By using SELECT...INTO DUMPFILE... it is possible to elevate privileges from a database user with the FILE privilege to any database account including root.

How it is supposed to be used

  1. Find an SQL Injection in a website or otherwise gain access to a MySQL account.
  2. Now create a …
Is Your Database Affected by CVE-2016-6662?

In this blog post, I will discuss the CVE-2016-6662 vulnerability, how to tell if it affects you, and how to prevent the vulnerability from affecting you if you have an older version of MySQL.

I’ll also list which MySQL versions include the vulnerability fixes.

As we announced in a previous post, there are certain scenarios in Percona Server (and MySQL) that can allow a remote root code execution (CVE-2016-6662).

Vulnerability approach

The website legalhackers.com contains the full, current explanation of the …

Get MySQL Passwords in Plain Text from .mylogin.cnf

This post will tell you how to get MySQL passwords in plain text using the .mylogin.cnf file.

Since MySQL 5.6.6, it became possible to store MySQL credentials in an encrypted login path file named .mylogin.cnf, using the mysql_config_editor tool. This is better than in plain text anyway.

What if I need to read this password in plain text?

Perhaps because I didn’t save it? It might be that I don’t need it for long (as I can reset it), but it’s important that I get it.

Unfortunately (or intentionally), mysql_config_editor doesn’t allow it.

[root@db01 ~]# cat /root/.mylogin.cnf
????uUd????ٞN??3k??ǘ);??Ѻ0
                         ?'?(??W.???Xܽ<'?C???ha?$
?? …
Take Percona’s One-Click Database Security Downtime Poll

Take Percona’s database security downtime poll.

As Peter Zaitsev mentioned recently in his blog post on database support, data breach costs can hit both your business reputation and your bottom line. Costs vary depending on company size and market, but recent studies estimate average direct costs ranging from $1.6M to $7.01M. Everyone agrees that leaving rising security risks and costs unchecked is a recipe for disaster.

Reducing security-based outages doesn’t have a simple answer, but can be a combination of internal and external monitoring, support contracts, enhanced security systems, and a better understanding of …

SQL Injection Detection and Alerting are Vital For Secure Data

The recent Mossack Fonseca “Panama Papers” hack is the latest security breach to drive home how much of an impact an SQL injection can have on modern-day organizations. Though that hack ultimately revealed massive professional fraud by companies and governments around the world, it involved the exposure of 11.5 million confidential documents. The 2.6 terabytes of data stolen were a powerful reminder that the history of web-based business has been riddled with instances of SQL injection. They remain common and potentially devastating to organizations.

Other high-profile examples of SQL injection include an instance when NASA sites were hacked in 2009, yielding site administrator info; when …

Configuring LDAP Authentication and Group Mapping With MariaDB

In this blog post, I will demonstrate how to configure MariaDB to use LDAP authentication and group mapping. I have previously written blog posts about configuring PAM authentication and user mapping with MariaDB and configuring PAM authentication and group mapping with MariaDB. If you’ve read those blog posts, a lot of this information will be familiar to you. However, a ...

MySQL 5.7: New Audit Log Filtering Feature – Part 1

Security auditing plays an important role in the process of securing a database system. Thanks to the MySQL Enterprise Audit extension, we can record all activities, such as client connections and execution of queries, into a single log file for later inspection.…

VividCortex's SQL Injection Detection

For data-driven applications, security is of absolute importance. Virtually all modern tech-driven organizations must treat the protection of sensitive information as an imperative. At VividCortex, we know that our customers value the premium we put on data security, along with the specific defenses we have in place that keep their data out of the wrong hands.

One such defense is VividCortex’s SQL injection detection. As all DBAs know, SQL injections are one of the most nefarious threats to a data system. For those less familiar, a SQL injection is an attack that exploits poorly validated or sanitized user inputs as they are used to construct database queries. An injection aims to gain access or destroy data by using those unsanitized inputs to alter the structure of an SQL query in ways unanticipated by its developer.

Of course, destroyed or …
