Usually when one says “SSL” or “TLS” it means not a specific protocol but a family of protocols. The Wikipedia article has the details, but in short — SSL 2.0 and SSL 3.0 are deprecated and should not be used anymore (the well-known POODLE vulnerability exploits the flaw in SSL 3.0). TLS 1.0 is sixteen years […]
Knowing which privileges a given account has is easy – just issue SHOW GRANTS FOR user@host. But what about when you need visibility into privileges from the other direction – which accounts can access specific data? If you’re a DBA – or perform DBA duties, regardless of your title – you may have been asked this question. It’s an important question to ask in an audit or compliance review – but it can be a difficult question to answer. This post will walk through how to assess this, but if you’re impatient and need answers to this question immediately, jump to the end – there’s a simple shortcut.
Things to consider
There are a few things you’ll want to consider about the implementation of the MySQL privilege system as you try to sort out who has access to certain data.
MySQL can restrict privileges based on operations – somebody who has …
There was some discussion a while back to maybe make MariaDB Server follow the Ubuntu release model, i.e. having a Long Term Release (LTS) and then having a few regular fast releases with a shorter support cycle.
However, it's good to note that the decision now going forward is to support each and every GA release for a period of five (5) years. However, regular releases will only happen for the latest three (3) GA releases, so at this moment, you are getting updates for MariaDB Server 5.5/10.0/10.1.
Practically, we’ve not seen an update for 5.1/5.2/5.3 since 30 Jan 2013 at the time of this writing. And it's clear MariaDB Server 5.5 will have an extended support policy, as it ships in Red Hat Enterprise Linux 7.
At this time it’s worth …
MySQL Connector/Java 5.1.38 was released earlier this week, and it includes a notable improvement related to secure connections. Here’s how the change log describes it:
When connecting to a MySQL server 5.7 instance that supports TLS, Connector/J now prefers a TLS over a plain TCP connection.
This mirrors changes made in 5.7 to the behavior of MySQL command-line clients and libmysql client library. Coupled with the streamlined/automatic generation of TLS key material to ensure TLS availability in MySQL Server 5.7 deployments, this is an important step towards providing secure communication in default deployments.
Secure communications is a core component of a robust security policy, and MySQL Server 5.7.10 – the first maintenance release of MySQL Server 5.7 – introduces needed improvements in this area. Support for TLS has been expanded from TLSv1.0 to include TLSv1.1 and TLSv1.2, default ciphers have been updated, and controls have been implemented allowing both server and client-side configuration of acceptable TLS protocol versions. This blog post will describe the changes, the context in which these changes were made, note important differences in capabilities between Community and Enterprise versions, and outline future plans.
SSL (Secure Sockets Layer) was superseded by TLS ( …
Hello dear readers and attendees,
This is the post that I will be/ will have been referencing during my presentation to the Seattle Central Community College’s Byte club on Thursday, December 10th at 1500-1630.
I will begin with a bit of an autobio and find out what kind of students we have in attendance. Please feel free to comment if you’d like to keep in touch before or after the presentation. I will discuss some of the bits and pieces of some industry standard platforms which I’ve developed, deployed, maintained, managed, co-operated, administered and replaced. We can discuss some of the patterns that work well in the industry, and some that are a bit harder to tame.
Once we have touched most of the areas of specialization represented at the meeting, I will dive in to an AngularJS demo I am developing in github here:
So this year the Percona Live conference has a new name — it is the “Data Performance Conference” (presumably for a much broader appeal and the fact that Percona is now in the MongoDB world as well). And the next new thing to note? You have to go through a process of “community voting”, i.e. the speaker has to promote their talks before via their own channels to see how many votes they can get (we tried this before at the MySQL & Friends Devroom at FOSDEM; in this case, please remember you also need to create a new account and actually vote while logged in).
I hope you vote for Sergei, Monty and my proposals!
- Using and Managing MariaDB – a tutorial, …
Among the many new features introduced by MySQL 5.7, we can notice a strong trend towards improving the server security by default. Two features stand out in this respect:
- A password-less root is no longer the default for new installations. Unless you say otherwise, the default installers mysqld --initialize and the deprecated mysql_install_db will generate a random password which the user needs to change.
- The anonymous accounts are no longer created by default. When you start MySQL, you only get the root user (and a new one: read on).
The above features are a great advance not only for security but also for usability. The anonymous users were a continuous source of mismatched connections, …
Symantec published a blog post yesterday regarding MySQL and the Trojan.Chikdos.A as can be seen here
The Symantec post gives detail into the behavior of the Trojan and its effects on the Windows system registry, yet gives little detail as to how the required first stage (namely a malicious UDF) is injected, citing:
“In the latest Chikdos campaign that we observed, the attackers likely used an automated scanner or possibly a worm to compromise MySQL servers and install the UDF.”
I’m going to give my thoughts on the pre-requisites to infection here.
- The MySQL server has poor network isolation (i.e. is likely accessible from everywhere e.g. …