Transparently encrypted storage of *any* kind (storage engine
based data encryption, truecrypt volume encryption, bitkeeper,
etc) is *just as insecure* to most types of attack as
non-encrypted data. SQL injection or security escalation
vulnerabilities, operating system vulnerabilities and cross site
scripting attacks could give attackers access to the database
data. It doesn't matter if you encrypt the database's
physical storage in the database itself (in the storage engine
layer) or on disk (at the filesystem level) since either way the
data is presented unencrypted through the SQL
interface.
Transparent encryption is great for protecting your laptop data
from theft by stealing your laptop. It is very unlikely
someone will attack your server by stealing it.
It doesn't protect you from a malicious SQL injection which drops
all your tables or reads all your data.
If you are …
Transparently encrypted storage of *any* kind (storage engine
based data encryption, truecrypt volume encryption, bitkeeper,
etc) is *just as insecure* to most types of attack as
non-encrypted data. SQL injection or security escalation
vulnerabilities, operating system vulnerabilities and cross site
scripting attacks could give attackers access to the database
data. It doesn't matter if you encrypt the database's
physical storage in the database itself (in the storage engine
layer) or on disk (at the filesystem level) since either way the
data is presented unencrypted through the SQL
interface.
Transparent encryption is great for protecting your laptop data
from theft by stealing your laptop. It is very unlikely
someone will attack your server by stealing it.
It doesn't protect you from a malicious SQL injection which drops
all your tables or reads all your data.
If you are …
Want to learn how you can store your sensitive data in the cloud storage? Take a look at the thorough and honest security analysis of the approach you can take to deploy your existing MySQL workloads to cloud.
keep reading in August issue of Hackin9 security magazine.
The brief outage was due to a scheduled move of the servers to a separate rack and subnet dedicated to our work with the Center for Information Assurance & Cybersecurity (ciac) at the University of Washington Bothell (uwb), and a11y.com
I am currently exercising the new (to us) equipment and hope to winnow the less than awesome equipment over the next quarter. I spent the last six months finding the best in breed of the surplussed DL385 and DL380 chassis we (work) were going to have recycled. The team and I were able to find enough equipment to bring up one of each with eight and six gigs of memory, respectively. These will make excellent hypervisors for provisioning embedded instances of Slackware, Fedora, RHEL, CentOS, Debian, FreeBSD, OpenSolaris, OpenIndiana, FreeDOS, etc.
When I initially configured this xen paravirt environment, I failed to plan for integration with libvirt, so I am now re-jiggering the software bridges so …
[Read more]This is the third time MySQL has made an entry into the Oracle Critical Patch Update Advisory service. The first time, we at Team MariaDB came up with an analysis: Oracle’s 27 MySQL security fixes and MariaDB.
Security is important to a DBA. Having vague explanations does no one any good. Even Oracle ACE Director Ronald Bradford chooses to ask some tough questions on this issue. Recently we found a bug in MySQL & MariaDB and did some …
[Read more]It’s been released. Use this with NIST::NVD 1.00.00 and you will be able to perform immediate look-ups of CVE and CWE data given a CPE URN. For instance:
cjac@foxtrot:/usr/src/git/f5/NIST-NVD-Store-SQLite3$ perl Makefile.PL ; make ; make test ; cjac@foxtrot:/usr/src/git/f5/NIST-NVD-Store-SQLite3$ perl -MNIST::NVD::Query -MData::Dumper -e '
$q = NIST::NVD::Query->new(store => q{SQLite3},database => q{t/data/nvdcve-2.0.db});
$cve_list = $q->cve_for_cpe( cpe => q{cpe:/a:microsoft:ie:7.0.5730.11} );
print Data::Dumper::Dumper { cve_list => $cve_list, first_cvss => $q->cve( cve_id => $cve_list->[0] )->{q{vuln:cvss}} }
'
$VAR1 = {
'cve_list' => [
'CVE-2002-2435',
'CVE-2010-5071'
],
'first_cvss' => {
'cvss:base_metrics' => { …[Read more]
Assuming you have a backup and recovery strategy in place, how secure is your data? Does a hacker need to obtain access to your production system bypassing all the appropriate security protection you have in place, or just the unencrypted data on the backup server?
Encryption with zNcrypt
The following steps demonstrate how I setup a mysqldump encrypted backup with zNcrypt, a product from Gazzang. You can request a free trial evaluation of the software from http://gazzang.com/request-a-trial. I asked for a AWS EC2 instance, and was able to provide my bootstrap instructions for OS and MySQL installation. Following installation and configuration, the first step is to verify the zNcrypt process is running:
$ sudo ezncrypt-service status ezncrypt | Checking system dependencies ** ezncrypt system is UP and …[Read more]
I was talking with a client and the topic of password crypting came up. From my background as a C coder, I have a few criteria to regard a mechanism to be safe. In this case we’ll just discuss things from the perspective of secure storage, and validation in an application.
- use a digital fingerprint algorithm, not a hash or CRC. A hash is by nature lossy (generates evenly distributed duplicates) and a CRC is intended to identify bit errors in transmitted data, not compare potentially different data.
- Store/use all of the fingerprint, not just part (otherwise it’s lossy again).
- SHA1 and its siblings are not ideal for this purpose, but ok. MD5 and that family of “message digests” has been proven flawed long ago, they can be “freaked” to create a desired outcome. Thus, it is possible to …
I’m leaving myself some room for bug fixes. It works for us in house. I would love to help others to give it a try. especially those who could benefit from making nearly immediately answered queries to the NIST’s NVD database.
The code in this release cannot by itself track the feed from the feds in real time. The nvd entry loader needs a little bit of love in the area of record merging before this starts working. It’s on my TODO list.
I’m sorry for the outage of git.colliertech.org. I’ll get that back up here shortly. In the meantime, feel free to grab it from this location while the CPAN indexes and processes my submission.
http://www.colliertech.org/federal/NIST/NIST-NVD-1.00.00.tar.bz2
don’t forget to check the cryptographic signature:
…
[Read more]Over the past few days extensive conversations around a new security vulnerability in MariaDB and MySQL have taken place.
It all started as a chain reaction when Monty Program publicly disclosed information about the flaw they had found and about how to make sure your MariaDB and MySQL installations can be fixed. The initial information got assigned the security vulnerabitlity identifier CVE-2012-2122 and the contents can be seen e.g. here http://seclists.org/oss-sec/2012/q2/493 .
The bug was found two months ago on April 4th.