Database Security

Database Security, Secerno Solutions {6}

Database Security (IT’s biggest problem)

            The author of this article, a security guru and managing director of UK company NGS David Litchfield, discusses database security and IT’s biggest problem by referencing the Black Hat conference where he exposed over 20 vulnerabilities in IBMs Informix database products. In this presentation I will discuss the top two most prevalent areas of weaknesses in database and new technology introduced as Secerno to supplement data security offerings and protect against hackers and data breaches.

read more...

McAfee and Sentrigo Data Security {3}

For my last blog post I read an article by Leena Rao called, “Intel’s McAfee Acquires Sentrigo to Boost Database Security Offerings.” The article talks about how McAfee announced the acquisition of Sentrigo. Sentrigo had raised $19 million in venture funding and offers host based software that protects enterprise databases. It does so by monitoring all of the databases activity in real time and the providing alerts, audit trail, virtual patching, and automatic intrusion capabilities. This is was all done via a program called Hedgehog which has a very small footprint and allows for complete monitoring of all database activities with no interference of any kind. McAfee had actualy partnered with Sentrigo in 2010 and in 2011 they acquired them. Mcafee’s Vulnerability Manager is a product that both companies had worked on before the acquisition, it automatically discovers all databases on a network, scans them, collects a full inventory of configuration details and determines if the latest patches have been applied. Their Database Activity Monitoring (DAM) not only tracks the changes in the database but protects the data from external threats as well with real time alerts and session termination.

read more...

Removing Vulnerabilities in SQL Code {3}

The article I chose for this week is titled “Using Automated Fix Generation to Secure SQL Statements”.  The main purpose of the article is to propose a certain method of securing code from SQL injection attacks.  The article starts by stating that since 2002, more than half of all cyber attacks were done by exploiting input validation vulnerabilities.  SQL injection attacks accounted for 20% of all of those attacks.  For those who don’t know, an SQL injection attack is when a hacker inputs his or her own SQL statement in order to gain access to certain information.  The author’s proposed method of helping to prevent this kind of attack to java code is by using prepared statements rather than just plain text SQL statements.  His reasoning for this is that prepared statements limit the input that could affect the statement.  The author tested this by using prepared statements in five mock java programs which contained vulnerabilities.  Their conclusion was that the vulnerabilities were removed in each program.

read more...

Defending Against SQL Hackers {1}

The article talked about preventing SQL injection attacks.  Basically, an SQL injection attack targets interactive web applications that deal with database services.  As a result, an attacker may provide malicious or inaccurate information in place of what the user inputs.  Thus, an attacker could obtain and modify sensitive information.  The solution that the author comes up with is to use runtime validation in a procedure to call and check the SQL statements that the user inputs.  There is an algorithm that the author uses that verifies that the user inputs are consistent and that there are no discrepancies in their inputs.  In order to reduce the runtime analysis of the program, the program only scans portions of the queries instead of the entire query to improve efficiency and reduce execution time.  SQL injection is a common technique employed by hackers for attacking databases and the author makes solid points on how to prevent these attacks.

read more...

More Than 50,000 Accounts Have Been Hacked from ITWallStreet.com {3}

The article I read this week is “Hacker claims breach of 50,000 accounts from Wall Street IT recruiting firm” by Jaikumar Vijayan. On July 18 2012, a hacker named Masakaki who’s a member of a group called TeamGhostShell hacked into ITWallStreet.com. ITWallStreet.com is a website for who are seeking IT jobs in Wall Street firms. The hacker breached into resume database and snipped out more then 50,000 accouts with highly detailed data including person’s userID, name, phone number, address, and email.The list contains most of the major Wall Street firms including Morgan Stanley, Goldman Sachs, Nasdaq, Dow Jones, and etc. Interest fact I found from article was that candidates have ranged from 40,000 to 400,000 for their salary. And everyone from entry-level junior developer to senior technology executives.

read more...

Using Database to Combat Cellphone Theft {4}

In the article AT&T to Start Blocking Stolen Cellphones This Week, the author talks about At&t’s program as announced in April. At&t created a database to store information for every cellphone which on its network; and allowed its customers to report stolen cellphones, then At&t can disable any stolen cellphones to prevent reactivation of stolen devices on its own network, and make it more difficult for cellphone thieves to sell the devices back on the black market. The National Database planned to work toward a cross-carrier solution.

read more...

Multimedia Databases and Security {1}

The author first examines the different types of architecture available for constructing a  multimedia database. The roles of managing both metadata and multimedia can be delegated to the database management software, or a separate file manager can be delegated to handle the multimedia alone. Metadata is discussed, as audio and video data can require a great quantity of metadata. The author says “in the case of video data, one may need to maintain information about the various frames.” Multimedia data mining is also of concern, as it differs from data mining in a traditional database. The author explains that “data mining models data as a collection of similar but independent entities. The goal of data mining is to search for patterns that are common to many of these entities. ” The subtle details for identifying things we see in pictures and videos makes it difficult to fit multimedia data mining to traditional data mining. The author demonstrates this with an example, saying “pictures and video of different buildings have some similarity—each represents a view of a building—but without clear structure such as ‘these are pictures of the front of buildings’ it is difficult to relate multimedia mining to traditional data mining.” Due to the complexity of multimedia, the author suggests an end-to-end security approach, where we ensure every component of the system is secured.

read more...

Network database security {3}

The article title “The Security Mechanism of Network Database”, covers most of the application that can be apply to protect network database. Some of the network threats that are listed in the article include, but not limited to, Replay, Trapdoor, Deny of Service or Modification of message. Such threats can be harmful to any network database that is affect by these viruses.  The author notes that administrator have to develop C2-level security standard to protect the network database. C2-level security standard is just another layer of security added on to the other 2 layers of security. Others ways to protect the network database that the author mentions is to have password tactics, audit tactics, encrypted data etc.  Planning during the system design processes can only get rid of some of the threats, only through consists improvement of the security in the database can an administrator protect the network database.

read more...

LogMeIn vs. Dropbox {4}

Dropbox have been the leader of cloud storage for a good amount of time. LogMeIn announced their beta ‘Cubby’ service to compete with Dropbox. Cubby offers more data and they are “a P2P data sync feature and the promise of user-managed encryption keys.” (Dunn, 2012) With P2P sync service, it means their are no data limit, but computers needs to be to do it. Cubby cloud save and sync that is pre-defined, so it works kind of like a backup service. Files that are saved have visual notification that tells the user what is happening. Users can also sync their files onto their smart devices. Cubby is easy to set up and during beta they did not experience any crashes or freezes. Cubby beta offers data encryption keys assigned by the user. They most of the data will be hosted on US for now. They have data where there are laws protecting these data. Pricing is not announced, but they are going to be up against Google, Microsoft, and other cloud services in the near future.
During class, a lot of the questions have been raised up in where the data is being stored and how secure it is. LogMeIn announced that their data will be stored in US for now. This can assure that if other country were to have a disaster, people who have their data saved in Cubby will be safe. They don’t need to worry if their data will be gone due to natural disaster or other unknown governmental factors. Cubby allow users to encrypt their data with their own encryption key, so it is harder for other people to gain access to the data even if it was hacked.
Cubby seems like a reliable cloud computing service in this article. They allow more storage space for free and they have not experience any crashes or freezes during testing. It can prove to users that they are stable and reliable. They answered a lot of the questions  people have about cloud services. They provide stability and security which have been the biggest issue for businesses to implement their system into cloud. Cubby might just be the new guy that everyone dislike in the near future.
Dunn, J. (2012, April 16). Logmein takes on dropbox with ‘cubb’y cloud storage. Retrieved from http://www.pcworld.com/article/253845/logmein_takes_on_dropbox_with_cubby_cloud_storage.html

read more...

Stolen-Cellpone Database to Combat Mobile Theft {2}

The article talks about how the major companies that provide wireless services are making a joint effort to produce a database that keeps track of stolen cellphones. As technology helps to improve cellphones, it  also increases the value of and demand for smartphones on the market. According to the article, the Metropolitan Police Department say “in Washington, D.C., cellphone-related robberies jumped 54% from 2007 to 2011″. The providers will come out with their own databases before merging them into a single national database. The article lists some important issues that need to be addressed in designing the database, starting with how to deal with the different technologies the providers use. It also talks about the way some phones are currently identified, such as the SIM card for AT&T & T-mobile phones, can make them more attractive to thieves.   There are stolen cellphone databases currently in use in the United Kingdom, Germany, France, and Australia.

read more...