Showing entries 31 to 40 of 353
Displaying posts with tag: Security
SQL Injection Detection and Alerting are Vital For Secure Data

The recent Mossack Fonseca “Panama Papers” hack is the latest security breach to drive home how much of an impact an SQL injection can have on modern-day organizations. Though that hack ultimately revealed massive professional fraud by companies and governments around the world, it involved the exposure of 11.5 million confidential documents. The 2.6 terabytes of data stolen were a powerful reminder that the history of web-based business has been riddled with instances of SQL injection. Such attacks remain common and potentially devastating to organizations.

Other high-profile examples of SQL injection include an instance when NASA sites were hacked in 2009, yielding site administrator info; when …

Configuring LDAP Authentication and Group Mapping With MariaDB

In this blog post, I will demonstrate how to configure MariaDB to use LDAP authentication and group mapping. I have previously written blog posts about configuring PAM authentication and user mapping with MariaDB and configuring PAM authentication and group mapping with MariaDB. If you’ve read those blog posts, a lot of this information will be familiar to you. However, a ...

MySQL 5.7: New Audit Log Filtering Feature – Part 1

Security auditing plays an important role in the process of securing a database system. Thanks to the MySQL Enterprise Audit extension, we can record all activities, such as client connections and execution of queries, into a single log file for later inspection.…

VividCortex's SQL Injection Detection

For data-driven applications, security is of absolute importance. Virtually all modern tech-driven organizations must treat the protection of sensitive information as an imperative. At VividCortex, we know that our customers value the premium we put on data security, along with the specific defenses we have in place that keep their data out of the wrong hands.

One such defense is VividCortex’s SQL injection detection. As all DBAs know, SQL injection is one of the most nefarious threats to a data system. For those less familiar, a SQL injection is an attack that exploits poorly validated or unsanitized user input that is used to construct database queries. An injection aims to gain access to or destroy data by using that unsanitized input to alter the structure of an SQL query in ways its developer did not anticipate.

Of course, destroyed or …

Keyring framework

Security these days is a bigger concern than ever. This statement needs no proof. It seems to be getting easier and easier to gain access to ‘secure data’. As a system grows, it becomes really hard to secure all of its endpoints. This is why encrypting data is now the hot topic in the database world.…

Properly removing users in MySQL

Removing users in MySQL is an easy task, but there are some drawbacks to check carefully before dropping a user. Not taking these possible issues into consideration can render your application unusable.

First, it is important to understand the concept of a user in MySQL. A user has three main functions: authentication, privileges and resources. This is different from other databases: in MySQL, users don’t own objects. An object belongs to a database, and there is no direct relationship between objects and users. This simplifies the process of deleting a user, because no objects will be erased.

But users, as I wrote before, have an associated set of privileges that define what database sessions can do, and those privileges also apply to the execution of stored programs and views.

At the same time, procedures, functions, triggers, and views have two possible security contexts: invoker and definer. If they are created using the invoker …

MariaDB AWS Key Management Service (KMS) Encryption Plugin

MariaDB 10.1 introduced Data at Rest Encryption. By default we provide a file_key_management plugin. This is a basic plugin that stores keys in a file, which can itself be encrypted. This file can come from a USB stick that is removed once the keys have been loaded into memory. But this remains a basic solution not suitable for security [...]

Data Encryption at Rest in Oracle MySQL 5.7


I’ve previously evaluated MariaDB’s 10.1 implementation of data encryption at rest (https://www.pythian.com/blog/data-encryption-rest), and recently did the same for Oracle’s implementation (https://dev.mysql.com/doc/refman/5.7/en/innodb-tablespace-encryption.html) in their MySQL 5.7.


First, here’s a walkthrough of enabling encryption for MySQL 5.7:

1. Install the keyring plugin.

1a. Add the following to the [mysqld] section of /etc/my.cnf:


1b. Restart the server:

...
service mysqld restart

1c. Verify:

... …
New MySQL Online Training

Oracle University recently unveiled a new online training offering – the MySQL Learning Subscription. The combination of freely-accessible and compelling paid content makes this an exciting development to me, and should prove valuable to the community and customer base alike. This post will briefly explore this new MySQL educational resource.

Organization

The subscription content is organized into topical “channels”. Current top-level channels are:

  • Getting Started
  • Development
  • Administration
  • Security

These channels have sub-channels as well – for example, the Getting Started channel includes Getting Started With MySQL New Features and MySQL For Beginners, …

SQL Injection with MySQL SLEEP()

Recently we received an alert from one of our clients that the number of running threads was high on one of their servers. Once we logged in, we noticed that all the selects were waiting for a table-level read lock. We scrolled through the process list and found the selects which were causing the problems. After killing them, everything went back to normal.
At first we couldn’t understand why the query took so long, as it looked like all the others. Then we noticed that one of the WHERE clauses was strange. There, we found a SLEEP(3) attached with OR to the query. Obviously, this server was the victim of a SQL injection attack.

What is SQL injection?

I think most of us know what SQL injection is, but as a refresher: SQL injection is when someone provides malicious input into a WHERE clause in order to run their own statements as well.
Typically this occurs when you ask a user for input, like a username, but instead of a real name they give you a …
