Previous 30 Newer Entries Showing entries 61 to 90 of 243 Next 30 Older Entries

Displaying posts with tag: Security

How will IPv6 changes in 5.6.6 affect you?

As stated in the 5.6.6 release notes, the default value of --bind-address has changed from the IPv4-specific "0.0.0.0" to "*", the latter value allowing MySQL to bind to IPv6 interfaces by default.  There are a few implications to this change.

First, make sure you've hardened both your IPv4 and your IPv6 access points to your MySQL server.  If you are running IPv4 interfaces only, you can also change the --bind-address value back to the previous default value of "0.0.0.0".  Because MySQL now listens by default on both IPv4 and IPv6 interfaces, an installation that has only hardened IPv4 interfaces may

  [Read more...]
Useful modification to MySQL security feature in Percona Server
In cloud environments or other secure environments, you may want to lock your database down, allowing or disallowing certain grants or capabilities outside the database. One potential security issue is the use of LOAD DATA INFILE and SELECT INTO OUTFILE, depending on what files exist in directories the MySQL server has access to, or even if you have concerns with any database user ever having any access to the file system outside of the database. A few months ago, with version 5.5.25a-27.1, Percona extended this security feature so that you can disable LOAD DATA INFILE and SELECT INTO OUTFILE; it is simply called "secure-file-priv". This feature is extremely easy to use: simply specify it in your my.cnf. You can set it in a number of ways:

For instance, if you wanted to limit LOAD DATA INFILE or SELECT INTO OUTFILE to /var/tmp:

secure-file-priv = /var/tmp

Or if you wanted to

  [Read more...]
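The two posts above both come down to one question a DBA should be able to answer from my.cnf alone: what will mysqld actually listen on, and where can LOAD DATA INFILE / SELECT INTO OUTFILE reach? The following is an added example (not code from either post) that parses the [mysqld] section and reports both. The sample configs are constructed for the demo, the server version is passed in by the caller because the bind-address default only changed in 5.6.6, and the check does not model Percona's "disable entirely" value, only an unset, empty or directory-restricted secure-file-priv.

```python
import configparser
import io
import re

# Constructed sample configs (not from either post). The first one is what a
# stock 5.5 install typically ships; the second has both settings pinned.
DEFAULT_CNF = """
[client]
port = 3306

[mysqld]
port = 3306
datadir = /var/lib/mysql
skip-external-locking
"""

HARDENED_CNF = """
[mysqld]
bind-address = 0.0.0.0
secure_file_priv = /var/tmp
"""


def load_mysqld_options(cnf_text):
    """Parse the [mysqld] section. MySQL treats '-' and '_' in option names
    as interchangeable, so both spellings are normalised to '_'. Bare
    options such as skip-external-locking have no '=' and are allowed."""
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None, strict=False)
    parser.read_file(io.StringIO(cnf_text))
    opts = {}
    if parser.has_section("mysqld"):
        for key, value in parser.items("mysqld"):
            opts[key.replace("-", "_")] = (value or "").strip().strip('"')
    return opts


def version_tuple(version):
    # "5.6.6-log" -> (5, 6, 6)
    return tuple(int(n) for n in re.findall(r"\d+", version)[:3])


def effective_bind_address(opts, server_version):
    """What mysqld will bind to if bind-address is not set explicitly:
    0.0.0.0 (IPv4 only) before 5.6.6, '*' (IPv4 and IPv6) from 5.6.6 on."""
    if opts.get("bind_address"):
        return opts["bind_address"]
    return "*" if version_tuple(server_version) >= (5, 6, 6) else "0.0.0.0"


def audit(cnf_text, server_version):
    """Return a list of findings; an empty list means both settings are pinned."""
    opts = load_mysqld_options(cnf_text)
    findings = []
    bind = effective_bind_address(opts, server_version)
    if "bind_address" not in opts:
        findings.append("bind-address unset; effective default on %s is %r" % (server_version, bind))
    if bind in ("*", "::"):
        findings.append("listening on IPv6 as well as IPv4: harden ip6tables too, "
                        "or set bind-address=0.0.0.0 if the host is IPv4 only")
    if "secure_file_priv" not in opts:
        findings.append("secure-file-priv unset: LOAD DATA INFILE / SELECT ... INTO OUTFILE "
                        "can use any path the mysqld process can reach")
    elif opts["secure_file_priv"] == "":
        findings.append("secure-file-priv is empty, which imposes no directory restriction")
    return findings


if __name__ == "__main__":
    for version in ("5.5.28", "5.6.6"):
        print(version, audit(DEFAULT_CNF, version))
    print("hardened", audit(HARDENED_CNF, "5.6.6"))
```

The same config yields an IPv6 finding on 5.6.6 and none on 5.5.28, which is exactly the upgrade surprise the first post describes; the hardened file produces no findings at all.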
MySQL on S3: security and backups

I got a few questions like the ones below that I’d like to address to avoid further confusion.
How exactly secure is ClouSE for MySQL, the first secure database in the cloud? Am I protected against standard application level security attacks or even accidental admin mistakes?
With the help of ClouSE I get instantaneous backup for my database on the highly durable cloud storage. But how would I protect my data in case a malicious attack or an accident did occur?

Re: security

I’ve got a comment pointing out that data encryption on the storage level doesn’t protect from SQL injections.  Of course, data encryption does not protect from SQL injections (as long as there is SQL involved, there will be a risk of a SQL

  [Read more...]
Linus on Instantiation and Armadaification

I feel a sense of pride when I think that I was involved in the development and maintenance of what was probably the first piece of software accepted into Debian which then had and still has direct up-stream support from Microsoft. The world is a better place for having Microsoft in it. The first operating system I ever ran on an 8086-based CPU was MS-DOS 2.x. I remember how thrilled I was when we got to see how my friend’s 80286 system ran BBS software that would cause a modem to dial a local system and display the application as if it were running on a local machine. Totally sweet.

When we were living at 6162 NE Middle in the nine-eight 292, we got an 80386 which ran Doom. Yeah, the original one, not the fancy new one with the double barrel shotgun, but it would probably run that one, too.

  [Read more...]
Transparent encryption does not make your database secure
Transparently encrypted storage of *any* kind (storage engine based data encryption, truecrypt volume encryption, bitkeeper, etc) is *just as insecure* to most types of attack as non-encrypted data.  SQL injection or security escalation vulnerabilities, operating system vulnerabilities and cross site scripting attacks could give attackers access to the database data.  It doesn't matter if you encrypt the database's physical storage in the database itself (in the storage engine layer) or on disk (at the filesystem level) since either way the data is presented unencrypted through the SQL interface. 

Transparent encryption is great for protecting your laptop data from theft by stealing your laptop.  It is very unlikely someone will attack your server by stealing it.

It doesn't protect you from a malicious SQL injection which drops all your tables or reads

  [Read more...]
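The point made in this post and in the ClouSE reply above is that the SQL interface hands data back in the clear no matter what sits underneath it, so an injectable query leaks it just the same. Here is an added example (not code from either post) showing that: an in-memory SQLite table stands in for the MySQL table, with constructed sample rows; the "vulnerable" lookup pastes input into the SQL string, the hardened one binds it as a parameter. Nothing in the example depends on whether the file behind the table is encrypted.

```python
import sqlite3


def make_db():
    """Constructed sample table (an in-memory stand-in for a MySQL table)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)")
    db.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    return db


def lookup_vulnerable(db, email):
    # The application builds its SQL by pasting untrusted input into the string.
    sql = "SELECT email, card_last4 FROM customers WHERE email = '%s'" % email
    return db.execute(sql).fetchall()


def lookup_parameterized(db, email):
    # Same query with a bound parameter: the input is data, never SQL.
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


# Classic tautology payload. Pasted in, the WHERE clause becomes
#   email = '' OR '1'='1'
# which matches every row. Bound as a parameter it matches nothing.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:   ", lookup_vulnerable(db, PAYLOAD))     # every row, plaintext
    print("parameterized:", lookup_parameterized(db, PAYLOAD))  # []
```

The rows come back as plaintext because that is what the storage engine exists to do for the SQL layer; the fix lives in the application (parameter binding, least-privilege accounts), not in the encryption of the files on disk.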
MySQL with ClouSE is the first Secure Database in the Cloud

Want to learn how you can store your sensitive data in the cloud storage? Take a look at the thorough and honest security analysis of the approach you can take to deploy your existing MySQL workloads to cloud.

Keep reading in the August issue of Hakin9 security magazine.

The blog was down yesterday

The brief outage was due to a scheduled move of the servers to a separate rack and subnet dedicated to our work with the Center for Information Assurance & Cybersecurity (ciac) at the University of Washington Bothell (uwb), and a11y.com

I am currently exercising the new (to us) equipment and hope to winnow the less than awesome equipment over the next quarter. I spent the last six months finding the best in breed of the surplussed DL385 and DL380 chassis we (work) were going to have recycled. The team and I were able to find enough equipment to bring up one of each with eight and six gigs of memory, respectively. These will make excellent hypervisors for provisioning embedded instances of Slackware, Fedora, RHEL, CentOS, Debian, FreeBSD, OpenSolaris, OpenIndiana, FreeDOS, etc.

When I initially configured this xen paravirt environment, I failed to plan for integration with libvirt, so I am

  [Read more...]
Security fixes in MySQL & critical patch updates

This is the third time MySQL has made an entry into the Oracle Critical Patch Update Advisory service. The first time, we at Team MariaDB came up with an analysis: Oracle’s 27 MySQL security fixes and MariaDB.

Security is important to a DBA. Having vague explanations does no one any good. Even Oracle ACE Director Ronald Bradford chooses to ask some tough questions on this issue. Recently we found a bug in MySQL & MariaDB and did some

  [Read more...]
NIST::NVD::Store::SQLite3 1.00.00

It’s been released. Use this with NIST::NVD 1.00.00 and you will be able to perform immediate look-ups of CVE and CWE data given a CPE URN. For instance:

cjac@foxtrot:/usr/src/git/f5/NIST-NVD-Store-SQLite3$ perl Makefile.PL ; make ; make test
cjac@foxtrot:/usr/src/git/f5/NIST-NVD-Store-SQLite3$ perl -MNIST::NVD::Query -MData::Dumper -e '
$q = NIST::NVD::Query->new( store => q{SQLite3}, database => q{t/data/nvdcve-2.0.db} );
$cve_list = $q->cve_for_cpe( cpe => q{cpe:/a:microsoft:ie:7.0.5730.11} );
print Data::Dumper::Dumper { cve_list => $cve_list, first_cvss => $q->cve( cve_id => $cve_list->[0] )->{q{vuln:cvss}} }
'
$VAR1 = {
          'cve_list' => [
                          'CVE-2002-2435',
                          'CVE-2010-5071'
                        ],
          'first_cvss' => {
  [Read more...]
Encrypting your MySQL backups and more

Assuming you have a backup and recovery strategy in place, how secure is your data? Does a hacker need to obtain access to your production system bypassing all the appropriate security protection you have in place, or just the unencrypted data on the backup server?

Encryption with zNcrypt

The following steps demonstrate how I set up a mysqldump encrypted backup with zNcrypt, a product from Gazzang. You can request a free trial evaluation of the software from http://gazzang.com/request-a-trial. I asked for an AWS EC2 instance, and was able to provide my bootstrap instructions for OS and MySQL installation. Following installation and configuration, the first step is to verify the zNcrypt process is running:

$ sudo ezncrypt-service status
  ezncrypt |
  [Read more...]
One-way Password Crypting Flaws

I was talking with a client and the topic of password crypting came up. From my background as a C coder, I have a few criteria to regard a mechanism to be safe. In this case we’ll just discuss things from the perspective of secure storage, and validation in an application.

  • use a digital fingerprint algorithm, not a hash or CRC. A hash is by nature lossy (generates evenly distributed duplicates) and a CRC is intended to identify bit errors in transmitted data, not compare potentially different data.
  • Store/use all of the fingerprint, not just part (otherwise it’s lossy again).
  • SHA1 and its siblings are not ideal for this purpose, but ok. MD5 and that family of “message digests” has been proven flawed long ago, they can be “freaked” to create a
  [Read more...]
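The criteria above (keep the whole digest, don't use a CRC or a broken digest) are easiest to see next to code. This is an added example, not the author's mechanism: it contrasts an unsalted MD5 lookup with salted PBKDF2-HMAC-SHA256, storing the full digest together with its salt and cost, and verifying with a constant-time comparison. The iteration count is an assumption for the demo.

```python
import hashlib
import hmac
import os

# Assumed cost parameter for the demo; raise it as your hardware allows.
ITERATIONS = 100_000


def weak_hash(password):
    """What the post warns against: one unsalted, fast digest. Every user with
    the same password gets the same value, so one precomputed table cracks
    them all, and MD5 itself is the broken family the post names."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable record: algorithm, cost, per-user salt, FULL digest.
    Nothing is truncated, so nothing becomes 'lossy again'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and cost and compare the whole digest in
    constant time, so a mismatch does not leak how many leading bytes agreed."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print(weak_hash("hunter2") == weak_hash("hunter2"))          # True: identical, no salt
    record = hash_password("hunter2")
    print(record)
    print(verify_password("hunter2", record), verify_password("Hunter2", record))  # True False
```

Two users choosing the same password get two different records because each has its own salt, and an attacker who steals the table has to run the full PBKDF2 cost per guess per user.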
    NIST::NVD 1.00.00

    I’m leaving myself some room for bug fixes. It works for us in house. I would love to help others to give it a try, especially those who could benefit from making nearly immediately answered queries to NIST’s NVD database.

    The code in this release cannot by itself track the feed from the feds in real time. The nvd entry loader needs a little bit of love in the area of record merging before this starts working. It’s on my TODO list.

    I’m sorry for the outage of git.colliertech.org. I’ll get that back up here shortly. In the meantime, feel free to grab it from this location while the CPAN indexes and processes my submission.

    http://www.colliertech.org/federal/NIST/NIST-NVD-1.00.00.tar.bz2

    don’t forget to check the cryptographic signature:

      [Read more...]
    Monty Program & SkySQL: a statement on the serious security vulnerability that was found in MariaDB and MySQL

    Over the past few days extensive conversations around a new security vulnerability in MariaDB and MySQL have taken place.

    It all started as a chain reaction when Monty Program publicly disclosed information about the flaw they had found and about how to make sure your MariaDB and MySQL installations can be fixed. The initial information got assigned the security vulnerability identifier CVE-2012-2122 and the contents can be seen e.g. here http://seclists.org/oss-sec/2012/q2/493 .

    The bug was found two months ago on April 4th.

    read more

    A security flaw in MySQL authentication. Is your system vulnerable?

    A few days ago Sergei Golubchik of Monty Program sent an e-mail to the Open Source Security mailing list informing about a security vulnerability in the MySQL authentication system. Under certain circumstances a remote attacker may easily gain access to a MySQL database as any user, and all they need to know is a valid user name (e.g. the root user exists in nearly all installations). The problem has only been addressed in the most recent database versions.

    The full details are covered in Sergei’s post linked above. Not all MySQL releases are affected as the cause appears to be related to the build environment and the options used in the binary build process. For instance binaries distributed by Oracle appear to be safe as well as

      [Read more...]
    Why your pre-4.1 client won’t like MySQL 5.6

    I have to think that the “Client does not support authentication protocol” error message may be the single most common error ever encountered for MySQL. While it’s not exactly coming back in 5.6, those users who have implemented workarounds in support of older client libraries will find they need to add an additional step if they upgrade to 5.6. This is because in 5.6.5, a change was made to default the secure_auth option to ON. Here’s what the manual has to say about this:

    This option causes the server to block connections by clients that attempt to use accounts that have passwords stored in the old (pre-4.1) format. Use it to prevent all use of passwords employing the old format (and hence insecure

      [Read more...]
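Before upgrading to 5.6 it is worth knowing which accounts still carry a pre-4.1 hash, since those are the ones secure_auth=ON will refuse. The following is an added example (not from the post): it classifies the Password column of mysql.user by format, pre-4.1 hashes being 16 hex characters and 4.1+ hashes a '*' followed by 40 upper-case hex characters. The rows are constructed for the demo, standing in for the output of SELECT User, Host, Password FROM mysql.user.

```python
import re

# Hash formats found in mysql.user.Password:
#   pre-4.1: 16 hex characters            (secure_auth=ON refuses these accounts)
#   4.1+:    '*' plus 40 upper-case hex   (SHA1(SHA1(password)))
PRE_41 = re.compile(r"^[0-9a-fA-F]{16}$")
POST_41 = re.compile(r"^\*[0-9A-F]{40}$")


def password_hash_format(stored):
    """Classify one Password column value."""
    if stored == "":
        return "empty"
    if PRE_41.match(stored):
        return "pre-4.1"
    if POST_41.match(stored):
        return "4.1+"
    return "other"  # e.g. a plugin-specific authentication string


# Constructed rows standing in for:  SELECT User, Host, Password FROM mysql.user;
SAMPLE_USERS = [
    ("legacy_app", "%",         "5d2e19393cc5ef67"),
    ("root",       "localhost", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
    ("",           "localhost", ""),
]


def accounts_blocked_by_secure_auth(rows):
    """(User, Host) pairs that stop working once secure_auth defaults to ON."""
    return [(user, host) for user, host, pw in rows if password_hash_format(pw) == "pre-4.1"]


def report(rows):
    """Summary by format, handy for a pre-upgrade checklist."""
    summary = {}
    for _user, _host, pw in rows:
        kind = password_hash_format(pw)
        summary[kind] = summary.get(kind, 0) + 1
    return summary


if __name__ == "__main__":
    print(report(SAMPLE_USERS))                        # {'pre-4.1': 1, '4.1+': 1, 'empty': 1}
    print(accounts_blocked_by_secure_auth(SAMPLE_USERS))  # [('legacy_app', '%')]
```

Accounts in the pre-4.1 bucket need their password reset in the new format (and the clients that use them upgraded to a 4.1+ capable library) before secure_auth is left at its 5.6 default.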
    Scary Words – Apparently

    The US Department of Homeland Security (you know that fast growing entity that didn’t exist pre-2001, that no politician wants to be responsible for shrinking for fear of being blamed in case anything happens) has been forced to release their list of keywords they monitor. An article was published by the Daily Mail online: Hundreds of words to avoid using online if you don’t want the government spying on you

    Relevance for this blog? Near the bottom, in the category “Cyber Security”, we spotted a keyword “Mysql injection”. How exciting!

    Here’s a challenge for you: can you write an innocuous story containing as many words as possible from this list? You can post it as comment here. I will

      [Read more...]
    The cost of improved security on a MySQL server

    Security-Enhanced Linux or SELinux is a Linux kernel feature that provides a mechanism for supporting access control security policies. It enables a system administrator to create an extra set of rules that define allowed operations for programs even after the standard controls are checked. In other words, SELinux can help improve system security by restricting access of an application to only the few resources it actually needs, which makes it more difficult for an attacker to gain access to the entire system through exploiting any possible vulnerabilities in the application.

    However, as hardly anything in life is free, is there a price we have to pay to use SELinux on a MySQL server?

    I ran a simple MySQL benchmark first with database working in a system with SELinux enabled (SELINUX=enforcing), and then also with

      [Read more...]
    SQL Injections, Again…
    Last Friday the Dutch TV program Zembla aired part two of the "verzuimpolitie" series. The first part was mainly about how employers could access medical information about employees. There is a news article about the second part here (with google translate).

      [Read more...]
    MySQL DoS
    There is a nice demo of  MySQL Bug 13510739 on Eric Romang's blog

    I've published this blog to make this content available on planet.mysql.com.
    NIST::NVD CWE development – follow along

    I’m in the process of getting the tests passing for the 0.03 release of NIST::NVD::Store::SQLite3 wherein our hero imports the CWE data and cross-indexes it with CVEs and CPEs.

    Follow along and suggest some patches. I’m developing on Debian Wheezy, but I would very much like input from devs on other platforms.

    http://git.colliertech.org/?p=NIST-NVD-Store-SQLite3.git;a=summary

    cjac@foxtrot:/tmp$ time git clone http://git.colliertech.org/git/NIST-NVD-Store-SQLite3.git
    Cloning into 'NIST-NVD-Store-SQLite3'...
    
    real	0m32.757s
    user	0m0.200s
    sys	0m0.088s
    cjac@foxtrot:/tmp$ ls NIST-NVD-Store-SQLite3/t/data/
    cwec_v2.1.xml  nvdcve-2.0-test.xml
    

    Publish your patches and I’ll fetch them, or you can submit them in udiff format and I’ll review/apply. Thanks for playing

      [Read more...]
    MySQL Security Essentials Presentation

    Today at the RMOUG Training Days 2012 event I gave an introduction presentation on MySQL Security Essentials covering the following topics:

    • MySQL Security defaults
    • MySQL Security Improvements
    • OS Security
    • User Privileges
    • Data Integrity
    • Installation Practices
    • Auditing Options
    • Better Security
    • Further References

    Download slides for MySQL Security Essentials.

    NIST::NVD::Store::SQLite3

    I published an SQLite3 storage back-end to NIST::NVD on the CPAN. It’s pretty quick. About as fast as the DB_File one, but without the down side of being tied to DB_File. It shouldn’t be too difficult to re-factor this code to any DBI-based database. MariaDB anyone?

    I know it works on Debian. The nightly CPAN test results should come back shortly and I’ll find out how well it works on other platforms.

    Some guidelines for MySQL security
    Don’t share the root user password and mysql.user table access with anyone until you have full trust in them. Because that encrypted password is the real password in MySQL, so if anyone knows it they can easily log in as any user if they have access to that host. Check with the “mysql -uroot” command. If you …   [Read more...]
    MariaDB: Improve Security with Two-Step Verification

    In this primer I will show how to improve the security of your MariaDB installation by using two-step verification and how to use it from your Windows GUI client.

    Let’s suppose you have your data in MariaDB, installed, say, on Ubuntu. And your users connect to it to run ad hoc queries, using some sort of a Windows GUI client. You don’t want them to write the access password on post-it notes or have it auto-entered by the client. And you don’t want anyone to see the password when one of the salespersons connects to the mother ship from his laptop in the Internet café. So you decide to use two-step verification, just like Google does, to secure access to the data.

    If you don’t know what a “two-step verification” is, see, for example, this introductory

      [Read more...]
    Perl interface to processing / querying NIST’s NVD feed

    For a work project, I wrote a library in perl that can be used to query the NVD feed that NIST publishes here:

    http://nvd.nist.gov/download.cfm

    Here’s a snippet from the perldoc:

    use NIST::NVD::Query;
     
    # use convert_nvdcve to generate these files from the XML dumps at
    # http://nvd.nist.gov/download.cfm
     
    my( $path_to_db, $path_to_idx_cpe ) = @ARGV;
     
    my $q = NIST::NVD::Query->new( database => $path_to_db,
                                   idx_cpe  => $path_to_idx_cpe,
                                  );
     
    # Given a Common Platform Enumeration urn, returns a list of known
    # CVE IDs
     
    my $cve_id_list = $q->cve_for_cpe( cpe => 'cpe:/a:zaal:tgt:1.0.6' );
     
    my @entry;
     
    foreach my $cve_id ( @$cve_id_list ){
     
      # Given a CVE ID, returns a CVE
      [Read more...]
    pam modules for MySQL: What is wrong with these people?
    Percona just released their MySQL PAM Authentication insanity, just as Oracle did before, for MySQL 5.5 and MariaDB is no better.

    The Oracle module requires a module to be loaded into your client, which is done automatically if the module is present and the server supports PAM auth. The module is called ominously "mysql_clear_password" and does what it says on the tin: Your database server access password is henceforth sent from the client to the server in clear, not encrypted, hashed, salted or otherwise protected.

    I suppose the Percona module does the same, although it is not being



      [Read more...]
    OurSQL Episode 65: Security Blanket - The Missing Link

    This week we have a big announcement about Sarah, 3 hosts and an extra special guest.

    News
    Call for papers for Percona Live: MySQL Conference & Expo 2012 is open until Monday, December 5th. The MySQL Conference & Expo is Tuesday April 10 - Thursday, April 12, 2012 in Santa Clara, CA.

    To submit a paper, first register as a speaker at http://www.percona.com/live/mysql-conference-2012/user/register and then go to My Account -> Submit Proposal.

    Main content
    Previous podcasts about securing MySQL

    read more

    18 LAMP Security Tips for MySQL

    Linux, Apache, MySQL and PHP — altogether they mean LAMP. I’m not talking about watts and bulbs.

    And if your desire is for a comprehensive, robust server, your IT infrastructure has to include all of these systems.

    Monitis has put together a checklist of 101 actions you can take to maximize security around LAMP.  Hopefully we’re shedding a little light around this issue for you to give you some new ideas on how to make

      [Read more...]
    Better MySQL Security and Administration

    Download PDF Presentation

    With the recent cyber attacks and breaches with data from large organizations including Sony, is your MySQL data safe? What are the best practices for securing and administering your MySQL environment? In this presentation we will cover the essential steps for better MySQL security. We will also cover the different installation and administration tasks necessary to ensure your data is managed.

    Presenter: Ronald Bradford
    Schedule: Insight Out DB Showcase. October 2011 Tokyo, Japan

    OurSQL Episode 61: Security Blankets, Part 2

    We go over the open calls for papers, upcoming conferences, conversations with Oracle, and finish up our 2-part series on MySQL security.

    Calls for papers:
    Call for papers for Percona Live: MySQL Conference & Expo 2012 is open! They opened it on Friday, September 15th and the call will close on Monday, December 5th. The MySQL Conference & Expo is Tuesday April 10 - Thursday, April 12, 2012 in Santa Clara, CA.

    To submit a paper, first register as a speaker at http://www.percona.com/live/mysql-conference-2012/user/register and then go to My Account -> Submit Proposal.

    read more


    Planet MySQL © 1995, 2014, Oracle Corporation and/or its affiliates

    Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.