Lately there has been quite some talk about security on MySQL, and I've decided to GPL a package I wrote, implementing Roles on MySQL. This technology has been available on other databases for quite some time, but hasn't quite yet made it to MySQL's feature list and apart from this tool, the only solution I know of is Google's patches for MySQL 5.0.
Lenz Grimmer recently wrote two blogs about password security on MySQL. Both are worth reading in detail. You’ll find them in Basic MySQL Security: Providing passwords on the command line and More on MySQL password security.
Although I wrote a comment on the latter one, there is one point I thought was worth its own blog.
GRANT … IDENTIFIED BY PASSWORD…
You can work around having to specify the password in the open by following these steps:
- Use a local or non-public instance (for example using MySQL Sandbox) to define the user / password combination you need:
CREATE USER 'name'@'host' IDENTIFIED BY 'secret';
- Use SHOW GRANTS to …
My last post about Basic MySQL Security generated a number of interesting comments, thanks for all your feedback! I'd like to address a few points that were mentioned there:
While the problem seems to be a non-issue on Linux, Keith Murphy stated that the password might still be visible on other Unix operating systems (e.g. Solaris), as described in Bug#11952 in our bug database. According to the bug report, it depends on the implementation of "ps" — there seems to be a BSD variant (/usr/ucb/ps) as well as a SysV implementation (/usr/bin/ps).
…
Reading through the comments in Ronald's second post about More Basic MySQL Security, I noticed that there seems to be a misunderstanding about the implications of providing passwords to the mysql command line client via the "-p" option:
What’s more insecure is passing password as an argument to MySQL, like you’ve written (-p[password]), since that can really be seen by anyone.
While Linux security is often considered good, an astonishing weakness is “ps aux”, where every user can see …
Augusto Bott and I had a wonderful time at April’s MySQL Conference in Santa Clara, California, and also at the coinciding MySQL Camp and Percona Performance Conference.
We presented two sessions at the conference, and we wanted to share the slides with you. The first one is called Proactive Operational Measures.
The second one is called 8 Simple Rules to Design Secure Applications.
Augusto and I promised that we would make the slides available online, so we’re sorry for the slight delay in getting them published. Enjoy!
Thanks to Expandrive. You can now use Subversion (SVN) on websites hosted at Mosso. The idea of mounting a directory you’d normally ftp/sftp to, and then using SVN on it, at first seemed oddly implausible to me. But, I tried it recently, and got exactly the results I wanted. I even had the repository hosted at Unfuddle. I think this post is fairly obvious, but if you have any questions feel free to ask in the comments.
Simple password authentication schemes are usually guarding against one of two evils – either leaked password tables, or sniffed network traffic. In 4.1 MySQL introduced a challenge-response scheme that guards against both, just not both at the same time. How does one obtain the token required to log into the server? There are a few methods:
- Use gdb, dtrace or any other deep-inspection method to grab ‘buf’ in check_scramble()
- Grab the mysql.user table, sniff network traffic, calculate the hash_stage1 value out of public_seed (initial server packet), the client’s reply and the actual password hash
- Intercept the password client-side at libmysqlclient level (again, gdb, dtrace, etc ;-)
- Mix ethyl alcohol with the carbohydrate-based bipedal DBA, until it becomes quadrupedal and tells the password (might not be able to tell anything else at that moment).
…
Grab your calendars and mark the following dates:
- T-Dose 2009 will be held on 3 and 4 October in Eindhoven again.
Last year we had a nice Drupal track, some great MySQL talks, a great unplanned Cloud talk, and various other interesting talks, so this year promises to be very interesting as well.
(PS. Drupal Themers.. you might want to propose a new theme for the T-Dose site, who knows, you might even win something)
- For the first time, 2009 will be the year that Belgium has its own Security Conference. BruCon has just announced Christofer Hoff as a KeyNote speaker. BruCon will take place on 18 and 19 September... obviously in Brussels ;)
- While we mention VirtSec …
How To Add Two-Factor Authentication To phpBB
This document describes how to add WiKID two-factor authentication to phpBB through Apache using mod_auth_xradius. Given the recent attack against phpBB and the exposure of its users' passwords, we thought two-factor authentication might be timely.
Introduction
Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function (credit: Wikipedia).
Clickjacking is hard to combat. From a technical standpoint, the attack is executed using a combination of CSS and iframes, which are both harmless web technologies, and relies mostly on tricking users by means of social engineering. Additionally, the only server-side technique against …