Jul 28 2012

MySQL Database Flaw Leaves Passwords Vulnerable

 

Major flaw in popular MySQL and MariaDB databases is trivial to exploit and leaves the databases highly vulnerable to brute-force attack.

InformationWeek

By Mathew J. Schwartz
June 12, 2012

 

*** Note: Highly Vulnerable if you’re using Google’s Gmail, Microsoft’s I.E. or Microsoft Office!

 

MySQL and MariaDB database servers are vulnerable to a brute-force attack that can reveal admin-level passwords in just seconds. The vulnerability stems from a flaw relating to how the databases verify password hashes.

Due to the flaw, there’s a chance that MySQL/MariaDB would think that the password is correct even while it is not, and then accept any password, according to Sergei Golubchik, security coordinator for MariaDB, in a security advisory posted to the oss-sec mailing list. The post continued, “Because the protocol uses random strings, the probability of hitting this bug is about [one in] 256.”

As a result, if an attacker knows a username, bypassing the password-checking mechanism would require–at most–just seconds. “If one knows a user name to connect (and “root” almost always exists), she can connect using *any* password by repeating connection attempts. [Around] 300 attempts takes only a fraction of a second, so basically account password protection is as good as nonexistent,” said Golubchik.
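The article does not say what the flaw actually was; the oss-sec advisory it quotes did: the result of the hash comparison was handed back through MySQL’s one-byte my_bool type, so any nonzero comparison result whose low eight bits happened to be zero was read as “match”. The C program below is an added example written for this page, not code from the article or from the MySQL/MariaDB sources. wide_memcmp is a constructed stand-in for an optimized libc memcmp that returns an arbitrary nonzero int rather than -1/0/1 (the libc behaviour that made only some builds exploitable); HASH_LEN, the function names and the seed are illustrative. It contrasts the vulnerable and fixed shapes of the check and estimates the false-accept rate behind the advisory’s “about 1 in 256” figure.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HASH_LEN 20      /* length of the SHA-1 digests compared during native auth */
typedef char my_bool;    /* MySQL's one-byte boolean type */

/* Constructed stand-in for an optimized libc memcmp. Instead of a normalized
 * -1/0/1 it returns the raw difference of the first differing 32-bit word,
 * i.e. an arbitrary nonzero int on mismatch. That property is what the flaw
 * depended on; the exact values real implementations return are not modelled. */
static int wide_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t wa, wb;
        memcpy(&wa, a + i, 4);
        memcpy(&wb, b + i, 4);
        if (wa != wb)
            return (int)(wa - wb);   /* low byte depends on a single byte pair */
    }
    for (; i < n; i++)
        if (a[i] != b[i])
            return (int)a[i] - (int)b[i];
    return 0;
}

/* Vulnerable shape: the int result is squeezed into a one-byte return type.
 * A nonzero result whose low 8 bits are zero becomes 0, which means "match". */
static my_bool check_scramble_vulnerable(const unsigned char *expected,
                                         const unsigned char *received)
{
    return wide_memcmp(expected, received, HASH_LEN);   /* implicit int -> char */
}

/* Fixed shape: collapse the result to exactly 0/1 before it is narrowed. */
static my_bool check_scramble_fixed(const unsigned char *expected,
                                    const unsigned char *received)
{
    return wide_memcmp(expected, received, HASH_LEN) != 0;
}

static void fill_random(unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (unsigned char)(rand() & 0xFF);
}

/* Monte Carlo estimate: feed `trials` wrong responses to one of the checks and
 * count how many it reports as a match (return value 0 means "password OK").
 * Fresh random bytes per trial mirror the per-connection random scramble that
 * turns every retry into a new draw. Deterministic for a given seed. */
static unsigned long count_false_accepts(unsigned long trials, unsigned seed, int use_fixed)
{
    unsigned char expected[HASH_LEN], received[HASH_LEN];
    unsigned long accepted = 0;
    srand(seed);
    for (unsigned long t = 0; t < trials; t++) {
        fill_random(expected, HASH_LEN);
        fill_random(received, HASH_LEN);
        if (memcmp(expected, received, HASH_LEN) == 0)
            continue;                 /* a genuine match is not a false accept */
        my_bool verdict = use_fixed ? check_scramble_fixed(expected, received)
                                    : check_scramble_vulnerable(expected, received);
        if (verdict == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    const unsigned long trials = 100000;
    unsigned long bad = count_false_accepts(trials, 7, 0);
    unsigned long good = count_false_accepts(trials, 7, 1);
    printf("vulnerable check: %lu of %lu wrong responses accepted (about 1 in %.0f)\n",
           bad, trials, bad ? (double)trials / bad : 0.0);
    printf("fixed check:      %lu of %lu wrong responses accepted\n", good, trials);
    return 0;
}
```

With the vulnerable check roughly one wrong response in 256 is accepted, which is why a few hundred connection attempts suffice; with the result normalized to 0/1 before it is narrowed, none are. The general lesson is that a comparison routine’s contract is “zero or nonzero”, never a value that survives a cast to a smaller type, and that password verification should not depend on such a value at all.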

Both MySQL and MariaDB are two of the most popular and widely used database platforms, not least because they’re free.

Thankfully, however, just because the vulnerable code is contained in a database that uses MySQL or MariaDB code doesn’t necessarily mean the database is at risk. “Although a wide range of MySQL and MariaDB versions use the vulnerable code, only some of these systems are exploitable,” said Metasploit founder, developer, and researcher H.D. Moore, in a blog post that includes workarounds for mitigating the vulnerability in exploitable systems.

To date, Moore said, researchers have found that the following implementations are vulnerable to the exploit: Ubuntu Linux 64-bit (versions 10.04, 10.10, 11.04, 11.10, 12.04), OpenSuSE 12.1 64-bit MySQL 5.5.23-log, Debian Unstable 64-bit 5.5.23-2, Fedora, and Arch Linux (versions not known). Notably, however, official builds from MySQL and MariaDB can’t be exploited, and Moore said Red Hat confirmed that the vulnerability can’t be exploited in Red Hat Enterprise Linux 4, 5, and 6.

Oracle, which develops MySQL, has patched the related flaw via its April 2012 critical patch update, while both MySQL and MariaDB have issued their own patches.

How widespread is the vulnerability? Based on Moore’s personal research, there are “approximately 1.74 million MySQL servers across the Internet [which are] at large,” he said, and about 50% of them–869,000 databases–are vulnerable to the exploit.

“This statistic includes only MySQL instances that were on hosts publicly exposed to the Internet and not bound to localhost,” Moore explained. Binding the database server to localhost means that it can’t be accessed remotely, which helps mitigate the attack. Likewise, putting access controls in place can block unapproved access from the Internet, which also mitigates the vulnerability.

Since vulnerable systems are easy to exploit, and many such systems likely won’t be patched for some time, expect attackers to quickly begin targeting this vulnerability. “If you are approaching this issue from the perspective of a penetration tester, this will be one of the most useful MySQL tricks for some time to come,” said Moore.

For example, he said, if a penetration tester knows the username and password for a database, then he can access it using the attack to dump the table to a local file. “This can be easily cracked using a tool like John the Ripper, providing clear-text passwords that may provide further access,” said Moore.

Moore also noted that a related exploit module for the free Metasploit penetration testing tool that targets the MySQL and MariaDB vulnerability has already been developed and released.


 

Direct Link:  http://www.informationweek.com/news/security/storage/240001921


Apr 20 2012

Weak passwords still the downfall of enterprise security

A pet’s name or a favorite movie just isn’t enough

Computerworld
By Jaikumar Vijayan
April 12, 2012

Computerworld –

A recent data breach that exposed the Social Security numbers of more than 255,000 people in Utah has once again highlighted the longstanding but often underestimated risks posed to organizations by weak and default passwords.

The breach, involving a Medicaid server at the Utah Department of Health, resulted from a configuration error at the authentication layer of the server hosting the compromised data, according to state IT officials.

Many security analysts see that as a somewhat euphemistic admission by the state that the breached server was using a default administrative password or an easily guessable one. By taking advantage of the error, the attackers were able to bypass the perimeter-, network- and application-level security controls that IT administrators had put in place to protect the data on the server.

Such mistakes, though relatively easy to avoid, are surprisingly common.


In March, the inspector general of the U.S. Department of Energy released the results of an information security audit at the Bonneville Power Administration, which provides about 30% of wholesale power to regional utilities in the Pacific Northwest. According to the audit, vulnerability scans of nine applications used to support key financial, HR and security management functions at Bonneville identified 11 servers that had been configured with easily guessable passwords.

An attacker taking advantage of those vulnerabilities would have been able to gain complete access to the system. Four servers were configured to allow any remote user to access and modify shared files. One server hosted an administrator account that was protected only with a default password.

Earlier this month, a data breach at payment processing company Global Payments that exposed credit- and debit-card data belonging to about 1.5 million people was believed by analyst firm Gartner to have resulted from a weak authentication mechanism that allowed attackers to gain access to an administrative account. An attack on the U.S. Chamber of Commerce by Chinese hackers and a compromise of the open-source WineHQ database last year are also believed to have originated with compromised administrator accounts.

An enterprise can have anywhere from hundreds to thousands of account names and passwords. Many of these accounts often have privileged access to applications, databases, networks and operating systems. While not all of them are always critical to the enterprise, there are numerous accounts that, if abused, can cause serious disruptions enterprisewide.

Previous studies have shown that the number of people who require administrative access to a system for maintenance purposes, or for completing tasks such as patching and upgrading, is often far greater than the number that managers know about or track. Nevertheless, many companies allow users and administrators to apply easy passwords or even default passwords to protect access to such accounts.

When multifactor authentication is used, the measures often involve relatively easy-to-crack knowledge-based authentication (KBA) mechanisms where a user is prompted for an answer to a security question, such as a first pet’s name or the name of a favorite movie.

A report released by Verizon last month showed that attacks exploiting weak passwords are still endemic in the retail and hospitality industries. Attackers can still go to a vendor’s site, get a client list and “just hit those [clients] with the default or guessable username-password combination,” Verizon noted in its report. “These are relatively easy attacks that require little in-depth knowledge or creativity.”

The tendency by many people to use the same password for multiple accounts is another huge issue, said John Pescatore, a Gartner analyst.

“A lot of Anonymous’ recent success has been in attacks where they have obtained users’ passwords to external services and then found the same passwords in use at sensitive internal applications or in email systems,” Pescatore said. “What I think we are seeing is really what I like to call ‘the curse of the reusable password.’”

One of the most important measures companies can take to ramp up their security is to raise the bar for passwords and authentication mechanisms, he said. “Similar to how you can’t shift from ‘Park’ to ‘Drive’ without putting your foot on the brake, there ought to be ‘safety interlocks’ in any piece of software that make it very hard to shift into Drive without changing the default password,” he said.

Adam Bosnian, executive vice president of corporate development at Cyber-Ark, a vendor of software for managing administrative passwords, said the problem that companies face is complex. While it’s one thing to require that administrators use complex passwords, it’s another thing to manage those passwords, he said. What often happens is that multiple administrators might need access to one system, and it is easiest to use a default or easily remembered password to control access to it.

When a complex password is used, administrators need to have three processes: One for securely sharing that password with each other, another process for changing the password when needed, and a third for keeping everyone informed about the changes. These processes can get especially difficult in larger organizations where the number of privileged accounts can be staggering, he said.

“The truth is, anyone trying to protect non-trivial assets should be using multifactor authentication and/or complementary controls to protect themselves,” said Peter Lindstrom, an analyst with Spire Security. “The password has too many weaknesses, including the obvious human ones,” he said.

Most password schemes that aren’t protected by another form of authentication or lockout controls are susceptible to brute-force compromise, where automated tools are used to guess passwords, he said. “At this stage of the IT game, there is really no excuse for using default passwords.”
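The lockout control Lindstrom mentions, and the rapid repeated connection attempts described in the MySQL article above, are both about the same thing: an account must not be guessable at machine speed. The C program below is an added example, not code from either article; the user names, secrets, window and limit values are constructed for the demo, and the plaintext credential store stands in for a real store of salted hashes. It refuses an attempt while the account is locked before the credential is even evaluated, tracks failures in a sliding window per account, and compares secrets in constant time so the verdict never depends on a comparison routine’s raw return value.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TRACKED 64       /* accounts this toy limiter can track */
#define MAX_FAILURES 5       /* failures allowed inside the window */
#define WINDOW_SECONDS 60    /* sliding window length */
#define LOCK_SECONDS 300     /* lockout duration once the limit is hit */

enum auth_result { AUTH_OK, AUTH_BAD_PASSWORD, AUTH_LOCKED };

struct account_state {
    char user[32];
    long fail_times[MAX_FAILURES];   /* timestamps of recent failures */
    int fail_count;
    long locked_until;
};

static struct account_state table[MAX_TRACKED];   /* zero-initialised */

/* Constructed credential store, plaintext for the demo only. */
static const struct { const char *user; const char *secret; } store[] = {
    { "root",  "correct horse battery staple" },
    { "alice", "s3cret-example" },
};

/* Constant-time equality: no early exit, result folded to exactly 0 or 1. */
static int secret_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

static int verify_password(const char *user, const char *password)
{
    for (size_t i = 0; i < sizeof store / sizeof store[0]; i++)
        if (strcmp(store[i].user, user) == 0)
            return secret_equal(store[i].secret, password);
    return 0;   /* unknown user: same failure path as a wrong password */
}

static struct account_state *lookup(const char *user)
{
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (table[i].user[0] == '\0') {
            snprintf(table[i].user, sizeof table[i].user, "%s", user);
            return &table[i];
        }
        if (strcmp(table[i].user, user) == 0)
            return &table[i];
    }
    return NULL;   /* table full: caller fails closed */
}

/* Forget failures that fell out of the sliding window. */
static void expire_failures(struct account_state *s, long now)
{
    int kept = 0;
    for (int i = 0; i < s->fail_count; i++)
        if (now - s->fail_times[i] < WINDOW_SECONDS)
            s->fail_times[kept++] = s->fail_times[i];
    s->fail_count = kept;
}

/* Gate one login attempt at time `now` (seconds). */
enum auth_result auth_attempt(const char *user, const char *password, long now)
{
    struct account_state *s = lookup(user);
    if (s == NULL || now < s->locked_until)
        return AUTH_LOCKED;              /* refuse before touching the credential */
    expire_failures(s, now);
    if (verify_password(user, password)) {
        s->fail_count = 0;               /* success clears the failure history */
        return AUTH_OK;
    }
    s->fail_times[s->fail_count++] = now;
    if (s->fail_count >= MAX_FAILURES) {
        s->locked_until = now + LOCK_SECONDS;
        s->fail_count = 0;
        return AUTH_LOCKED;
    }
    return AUTH_BAD_PASSWORD;
}

int main(void)
{
    /* Six rapid attempts against "root": the fifth failure trips the lock. */
    for (long t = 0; t < 6; t++)
        printf("t=%ld result=%d\n", t, auth_attempt("root", "guess", t));
    return 0;
}
```

Each account is throttled independently, so a flood against root does not lock out alice, and a correct password is refused while the lock is in force, which is the point: the cost of each guess is borne by the attacker’s clock, not the server’s. A lockout does not repair a broken comparison like the one in the MySQL advisory, but it turns “300 attempts in a fraction of a second” into something that takes hours and shows up in the logs.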

 

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld.

 

Direct Link:  http://www.computerworld.com/s/article/9226152/Weak_passwords_still_the_downfall_of_enterprise_security_?taxonomyId=82