Database targeting

Networking/Security Forums -> Databases

Author: hnprabhu Location: Mumbai, India Posted: Wed Aug 22, 2007 4:42 pm    Post subject:
    ----
How can a legitimate user with limited access rights modify tables in a database?

I do not think this is possible. In my opinion most of the hacking does not happen through legitimate logins.

Author: Groovicus Location: Centerville, South Dakota Posted: Wed Aug 22, 2007 6:09 pm    Post subject:
    ----
Quote:
How can a legitimate user with limited access rights modify tables in a database?


They can't; at least not leaving a trail big enough for prosecution. At any rate, an article I was reading on darknet cites that only 15 of companies interviewed extend best practices to database security. Database security is pretty simple. Allow users only those privileges they need, on only those tables they need, and only in the database they need. As much as is possible, allow users only a controlled vocabulary to access the database. Where it is not possible, sanitize the input. Catch the errors generated by the database so they don't get back to the attacker (this is assuming that the database is being accessed by some viewer). Don't allow command line access from outside the network (if possible). If not, use VPN.

Once an attacker has raw access to the database, they own it, and it is only a matter of time before they get what they need. Doing a mysqldump will give you a flat file representing all of the data in the file. It may be a huge file, but a file can be searched for strings of interest.

I don't think it is so much a question of who attacks the database, but how they are able to get access in the first place.
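
The "controlled vocabulary", input handling and error-catching points from the reply above, as an added example that is not part of the original thread. It uses an in-memory SQLite database so it runs offline; the `orders` table, the query names and the `run_query` helper are constructed for illustration, and database-level privileges (GRANT) are not shown.

```python
import sqlite3

# Controlled vocabulary: callers pick a query by name; they never supply SQL.
# Table, column and query names are constructed for this example.
ALLOWED_QUERIES = {
    "order_by_id": (
        "SELECT id, customer, total FROM orders WHERE id = ?", (int,)),
    "orders_for_customer": (
        "SELECT id, total FROM orders WHERE customer = ? ORDER BY id", (str,)),
}

GENERIC_ERROR = "request could not be processed"


def make_sample_db():
    """Build a constructed in-memory database to run the example against."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 19.5), (2, "bob", 42.0), (3, "alice", 7.25)],
    )
    conn.commit()
    return conn


def run_query(conn, name, *args, log=None):
    """Return (ok, rows_or_message). Database errors never reach the caller."""
    spec = ALLOWED_QUERIES.get(name)
    if spec is None:
        return False, GENERIC_ERROR      # request is not in the vocabulary
    sql, types = spec
    if len(args) != len(types) or not all(
            type(a) is t for a, t in zip(args, types)):
        return False, GENERIC_ERROR      # wrong number or type of arguments
    try:
        # Values are bound as parameters, never concatenated into the SQL text.
        return True, conn.execute(sql, args).fetchall()
    except sqlite3.Error as exc:
        if log is not None:
            log.append(repr(exc))        # detail is kept server-side only
        return False, GENERIC_ERROR
```
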


