My last post about Basic MySQL Security generated a number of interesting comments, thanks for all your feedback! I'd like to address a few points that were mentioned there:

While the problem seems to be a non-issue on Linux, Keith Murphy stated that the password might still be visible on other Unix operating systems (e.g. Solaris), as described in Bug#11952 in our bug database. According to the bug report, it depends on the implementation of "ps" — there seems to be a BSD variant (/usr/ucb/ps) as well as a SysV implementation (/usr/bin/ps).

…

Reading through the comments in Ronald's second post about More Basic MySQL Security, I noticed that there seems to be a misunderstanding about the implications of providing passwords to the mysql command line client via the "-p" option:

Jaka Jančar wrote:

What’s more insecure is passing password as an argument to MySQL, like you’ve written (-p[password]), since that can really be seen by anyone.

Shlomi Noach wrote:

While Linux security is often considered good, an astonishing weakness is “ps aux”, where every user can see …

Augusto Bott and myself had a wonderful time at April’s MySQL Conference in Santa Clara, California, and also at the coinciding MySQL Camp and Percona Performance Conference.

We presented two sessions at the conference, and we wanted to share the slides with you. The first one is called Proactive Operational Measures.

The second one is called 8 Simple Rules to Design Secure Applications.

Augusto and I promised that we would make the slides available online, so we’re sorry for the slight delay in getting them published. Enjoy!

Thanks to Expandrive . You can now use Subversion (SVN) on websites hosted at Mosso . The idea of mounting a directory you’d normally ftp/sftp to, and then using SVN on it, at first seemed oddly implausible to me. But, I tried it recently, and got exactly the results I wanted. I even had the repository hosted at Unfuddle . I think this post is fairly obvious, but if you have any questions feel free to ask in the comments.

Simple password authentication schemes are usually guarding against one of two evils – either leaked password tables, or sniffed network traffic. In 4.1 MySQL introduced challenge-response scheme, that is guarding against both, just not both at the same time. How does one obtain the token required to log into the server? There are few methods:

• Use gdb, dtrace or any other deep-inspection method to grab ‘buf’ in check_scramble()
• Grab mysql.user table, sniff network traffic, calculate the hash_stage1 value out of public_seed (initial server packet), client’s reply and actual password hash
• Intercept the password client-side at libmysqlclient level (again, gdb, dtrace, etc ;-)
• Mix ethyl alcohol with the carbohydrate-based bipedal DBA, until it becomes quadrupedal and tells the password (might not be able to tell anything else at that moment).

…

Grab your calendars and mark the following dates :

• T-Dose 2009 will be held on 3 and 4 october in Eindhoven again.

  Last year we had a nice Drupal track, some great MySQL talks and , a great unplanned Cloud talk , and different other interesting talks, so this year promises also to be very interesting.
  (PS. Drupal Themers.. you might want to propose a new theme for the T-Dose site, who knows you'll even win something)

• For the first time , 2009 will be the year that Belgium will have it's own Security Conference, BruCon has just announced Christofer Hoff as a KeyNote speaker , BruCon will take place on 18 and 19 september... obviously in Brussels ;)
• While we mention VirtSec …

How To Add Two-Factor Authentication To phpBB

This document describes how to add WiKID two-factor authentication to phpBB through Apache using mod_auth_xradius. Given the recent attack against phpBB and the exposure of it's users' passwords, we thought two-factor authentication might be timely.

Introduction

Clickjacking is a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function (credit: Wikipedia).

Clickjacking is hard to combat. From a technical standpoint, the attack is executed using a combination of CSS and iFrames, which are both harmless web technologies, and relies mostly on tricking users by means of social engineering. Additionally, the only server side technique against …

I was working on a client’s server that was recently compromised.  Interestingly the attacker had replaced the OpenSSH server with “trojan” binaries that accomplished two things:

• All logins to the system had the username/password logged in a plain-text file (this was how I discovered the problem with OpenSSH)
• It gives the attacker a remote backdoor that is undetected to the system. Another words, when the attacker logs in using the compromised sshd they do not show up in top or ps.

This is bad enough, but it gets worse. The system had been compromised for a week before I began working on it. There is no telling how many other binaries were changed. I did find that the ssl certs had been modded. At this point there is no way that the current setup can be cleaned with any assurance that it is completely secure. No baseline of the system with a tool such as tripwire …

Actually, what I really wanted to blog about before getting carried away with irony yesterday was an old idea on how to force my developers to use placeholders exclusively for SQL queries in applications. As should be apparent from yesterdays blog entry, I am strongly in favour of using placeholders for interpolating values into SQL queries, due to the great reduction in potential bugs (including, but not limited to, SQL injections).

Basically, wrap the database API so that all database access passes through the wrapper. This can usually be achieved, for example by subclassing DBI (for Perl) and returning such subclasses from the application connection pool, or other similar methods. Probably many large web applications already have such wrappers or use APIs that can be patched or extended appropriately.

Now add code that basically bombs out with a big …