Security related aspects of databases and database access.


6 votes, 3 answers, 265 views

How are large tech sites such as LivingSocial, Zappos, LinkedIn and Evernote hacked?

How are large tech sites such as LivingSocial, Zappos, LinkedIn and Evernote hacked? (i.e. how is their entire dataset of users obtained?) LivingSocial - 50 Million Users Exposed Zappos - 24 Million ...
4 votes, 2 answers, 116 views

Secure yet reversible encryption for local data store

I'm working on a piece of software to store and manage records for a youth group. They've found that a lot of the time they spend on record-keeping and admin is taken up by scanning through looking ...
1 vote, 1 answer, 88 views

Isolating database? Is it possible?

I have been assigned a CTF project for IT Security as my final-year project in school. We are planning to have a flag that is based on SQL injection, but for the user to overcome the challenge, they ...
7 votes, 2 answers, 124 views

Privacy violation even when queries with too few results are rejected

I was reading a computing security book [1] and saw a question regarding database security and privacy. I can't quite figure out the answer, so I thought I would ask here. One approach to ensure ...
4 votes, 2 answers, 102 views

How dangerous are direct references to database keys?

An OWASP note suggests that direct object references are considered insecure in some contexts. They defined "direct object reference" as follows: “A direct object reference occurs when a developer ...
2 votes, 1 answer, 107 views

Do Web Apps and Databases running on AWS EC2 need an IDS/IPS?

I have googled around for information about whether Web Apps or Databases running on AWS EC2 need an IDS/IPS or not. I will present my findings so far here, but it would be good if you guys could confirm ...
2 votes, 2 answers, 88 views

Database security: Remove superuser role

I've recently heard at some IT-SEC conference that a good idea for securing a database (probably against privilege-escalation attacks) is to remove the superuser role and leave only user roles. I imagine that ...
3 votes, 4 answers, 125 views

Anonymized Votes

Background: Looking to create an anonymous voting system. The system must track whether or not a user voted on an item (public information), but only that user is ever allowed to know whether they ...
4 votes, 4 answers, 177 views

What kind of attacks result in an attacker only being able to leak a site's database?

Of the public disclosures I've seen from recently compromised sites, it seems common for only the database to be leaked, rather than the application code, or rather than a complete takeover. Is this ...
2 votes, 2 answers, 113 views

MySQL Access Control?

I have read somewhere that it is better to have two different MySQL logins in order to prevent hacking. What I mean is having one MySQL login for read access (SELECT permission) and another login for ...
5 votes, 2 answers, 201 views

How did Evernote detect the security breach?

http://blog.evernote.com/blog/2013/03/02/security-notice-service-wide-password-reset/ Evernote's official message says little about technical details of the attack and how it was detected. ...
2 votes, 1 answer, 54 views

Can we reverse engineer binlog with row format to make MySQL AES_ENCRYPT visible?

Suppose I am using MySQL's database-based encryption with the AES_ENCRYPT function and insert records; is it possible to decode the row-formatted binlogs generated by MySQL to obtain the actual ...
0 votes, 2 answers, 115 views

Encrypting Fields in Database

I'm working on an ASP.NET web application that will have to store sensitive information. I would like to encrypt the sensitive fields to protect against any possible SQL injection vulnerabilities. ...
2 votes, 7 answers, 224 views

How to provide security for passwords stored in Database? [duplicate]

Passwords of end users are stored in a database and are encrypted (using a one-way hash like MD5). Apart from me, there are 'other' people belonging to other teams who have access to the database, which means ...
3 votes, 4 answers, 268 views

Database hardening techniques

So as I understand it, database hardening is a process in which you remove the vulnerabilities that result from lax configuration options. This can sometimes compensate for exploitable vendor bugs. ...
0 votes, 1 answer, 135 views

How Twitter got hacked and how to prevent it [closed]

I have been seeing in the news recently that Twitter (including Wall Street Journal and New York Times) got hacked by a sophisticated hacker (group), but I would have assumed they would have ...
3 votes, 4 answers, 146 views

Generate DB Password from license key - a good idea?

There's this web app which has a SQLServer database, and the connection string it uses to access the database is not stored in any configuration file. Rather, the designers decided it would be a good ...
3 votes, 4 answers, 182 views

When hashing passwords, is it okay to store the algorithm used right there in the database?

Since password hashing has become a hot topic recently, it is only natural to expect things to change and to assume that some time down the road you might want to replace/tweak the algorithm used in your ...
3 votes, 3 answers, 155 views

Security/Malware implications of storing data in a BLOB as opposed to the file system

From a programming perspective, there has long been a debate over whether to store files in a BLOB or Binary field in a database, or on the file system. The debate always seems to center around ...
3 votes, 2 answers, 260 views

Security of NoSQL databases

Hopefully this isn't too broad. I've got little experience with NoSQL databases, but I know that they are rising in popularity. As a developer that is extremely concerned with security, I'm ...
5 votes, 4 answers, 217 views

Does any database let you disable non-parameterized queries and therefore disable SQL injection?

Is there a database that allows this already? If not, here is how I think it could be done. I think it would require modifying the database software and the driver or code that is assembling the SQL ...
7 votes, 2 answers, 146 views

Sending data from registration forms

I understand that sending data from the user to the server, unencrypted, is a bad practice. That is logical. So how do I encrypt 'userside' and send the data to the server in encrypted form? Can ...
11 votes, 4 answers, 884 views

How to know which database is behind a web application?

I've read that different databases (mysql, sql server, ...) have different vulnerabilities and that they are vulnerable to some specific sql injections. When an attacker tries to perform a database attack ...
8 votes, 3 answers, 137 views

Is it preferable to perform encryption using database functions or code?

Several databases I am familiar with provide functions or modules for encryption. Examples include dbms_crypto for Oracle databases and built-in functions for MySQL. Most of the commonly used ...
2 votes, 4 answers, 275 views

Code, Data and Passwd encrypted? sqlplus $USER/$PASSWORD@$ORACLE_REMOTE_SID

Lots of our *NIX scripts use "sqlplus $USER/$PASSWORD@$ORACLE_REMOTE_SID". I know that it is not good to have a clear-text password in scripts (there is no alternative at the moment). But the question is the ...
0 votes, 1 answer, 160 views

Protect database resources from fake data inputs via web forms

Scenario: I'm working on a project that needs to accept large amounts of data (customer data) from its users. So it can be normal to have a user trying to add 10,000 or 100,000 records at a time. In ...
3 votes, 2 answers, 170 views

User authentication + database encryption with same password

I'm working on a private project where I need to store a user's financial data in a database. I'll encrypt this data using AES, and I'll be using scrypt to generate an AES encryption key from a more ...
2 votes, 3 answers, 252 views

Why are triggers not often used to secure a database?

I did an internship at a company becoming PCI compliant, and instead of using triggers to prevent SQL injection, I went through 1000s (if not more) of lines of web-app code and called functions every time ...
5 votes, 1 answer, 291 views

Practices for storing username/password in Web applications

I have read the following question: "Storing password in Java application", but I don't find the answers useful for my case. So here is my question, somewhat related to that. I have a Java Web application ...
3 votes, 2 answers, 88 views

Local Network Data Sync and Access Log

We have some confidential data for our research. Currently, we use an encrypted hard drive for storing the data and any researcher using the data takes it off the drive. However, we do not have any ...