Hardening MySQL: MySQL Security Basics - MySQL security Tutorial - David Busby

Captions
OK, MySQL 101, back to basics. I apologize in advance for anyone that thought I was going to read from a textbook; that's what the MySQL documentation is for, and that's not what I'm going to do. I have approximately 20 minutes to change your mind on security and make you realize why you've got to do it, so the best way to do that is with a little entertainment. So let's get on. First of all, I'm an information security architect at Percona. I've been with Percona since January 2013; in that time I've been a remote DBA and all the boring stuff, I got to be the lead and then the security lead, and then they said, hey, do you want to do this full-time? Yeah, got to do. So I've given several talks on security; slides will be made available. Another apology: my laptop decided it didn't want to do double displays, and now some of the formatting is thoroughly boned.

So let's talk about the Kübler-Ross model. Now the Kübler-Ross model is the five stages of acceptance of grief, which I'm going to have to go to my phone for now because I can't see my notes. These are denial, anger, bargaining, depression and then finally acceptance. So once you accept that you're going to be compromised at some point during your career, you can start to focus on what you can do about it, not worrying about all the poor people that are going to come across and try to own your solution; just pretend you already have been, because chances are you have. So we need to then get into damage limitation: you need to isolate the parts of your solution that are going to cause you problems and then worry about the mitigation there. You have to focus on what can be controlled. And like I said about the slides, they've corrupted for the second time on my trip over; this is supposed to be an animated image.

So let's not talk about three-letter agencies. We're not going to talk about the TSA, who decided they were going to pat me down three times and search my bag twice. We're not going to talk about the NSA, who are probably listening to this talk right now; hi, guys. We're not going to talk about your government, which taps everything and funds the NSA in the first place. We're not going to talk about espionage or the doomsday scenarios, you know, because when the world ends we don't care about the data, because we're all going to be dead.

So let's talk about a solid foundation. It's not really to rib on the poor so-and-so that's lost the house here; it's more to borrow from the parable: it was a foolish man that built his house on the sand. OK, you have to worry about what you're building your stuff on before you even put MySQL anywhere near it. Is it a virtual machine or is it bare metal? Doesn't really matter: if the underlying infrastructure is boned, then so are you. Does your ISP have any form of security compliance? Have they been through SOC, PCI, HIPAA? You know, are they secure, or are you just putting your data somewhere where you can be owned, like iCloud? Side-channel attacks, moving swiftly on: when you stick your stuff in a virtual machine environment you have to worry about everyone else that's on that hypervisor. You go to a cloud host, you have your virtual machine, but you also have any number of other people's virtual machines that may be on the same hypervisor as your data at that given moment in time. KVM, for instance, has Kernel Samepage Merging to try and save memory, where it merges the same pages together; unfortunately timing attacks have shown us how we can recover the data from other virtual machines, including, say, the SSL private keys.

You've got to worry about phishing and spear phishing. This has got to do more with your staff and their perception of things: they haven't won a Ferrari, OK? No, they haven't. They haven't won some holiday to Hawaii. Instill it in these guys that sending their bank information to receive 10 million pounds from the king of Africa is not going to get them anywhere. Social engineering: I would highly recommend checking out a guy on YouTube called Apollo Robbins. He did a DEF CON talk called The Gentleman Thief, and in this he will take your watch, your wallet, your phone and your belt and you won't even know they're gone. He's a pickpocket, but he's also a great entertainer; basically it's just the art of the con. The most famous example was Victor Lustig, who in the eighteen hundreds decided he was going to sell the Eiffel Tower for scrap, not once, not twice, three times. On the third time he got caught, but on the way to the police station after being arrested he convinced the officers to let him go. Social engineering at its best, ladies and gentlemen.

Unintentional emissions: no, I don't mean what happens after you eat Mexican. What I mean is you have frequencies on all of your laptops and all of your gear: you have your FSB, the front-side bus of your CPU; you have the frequency of your RAM; you have the frequency of your display, your LCD, your CRTs, etc. Again, there was a lady called Melissa Elliott; she gave a great talk on this where you could use software-defined radio to intercept these signals and read the data out of them. The NSA has been doing this for years, where they can reconstruct what you have on your display.

So, again broken, but basically what it's supposed to show is: you see this huge lock, you turn it sideways and all of a sudden this bolt opens and you can get to the gate. So what I'm trying to get at is, because we love acronyms in this industry: access control lists. If you have an improperly configured access control list on your firewall, or even on your building, you are going to get owned. ALLOW ANY, ON *.*: bad idea. PoLP, that's not a type of plough, I promise, it's path of least privilege; basically the mantra of, if you don't need it, you don't get it. Not "I want root because I want root"; provide a reason for it. We've got MAC and DAC, managed access controls and discretionary access controls. They could be summed up as discretionary access controls being your POSIX permissions, so these are your file permissions; there is no reason to 777 anything, ever, OK? Managed access controls: SELinux and AppArmor. These are the things that stop you from being owned once you've 777'd things; 777 all the things. We've got the web application firewall; this is a specific type of firewall that looks at layer-seven attacks on your application and tries to block SQL injection, buffer overflows and various other things. That's all the fun. We have our IDS and IPS. Now, other things like getting into conversations: a lot of people don't know what the difference between IDS and IPS is, so I've got a couple of nice images. An IDS will tell you your house is on fire, but it won't do anything about it. An IPS then, being an intrusion prevention system, should stop it, right? Well, that gets a bit funny; it can do really, really weird things if you improperly configure it: it will attack things, and probably not what you wanted it to do in the first place.

So let's move swiftly on to talking about an attack surface. So what is an attack surface? Areas in which your application, your organization or anything about your person can be attacked. So I'd like you to guess who's got the biggest attack surface in this scenario of three people playing paintball. Here's a clue: it's the guy in the luminous pink vest with the bullseye on his chest. So we need to reduce the avenues of access or attack: take the vest off, reduce visibility. Seriously, he's in the woods and he's still got this pink vest on. Remove bad access control; like I said, any/any: bad, no, kill it with fire. GRANT ALL: your application does not need ALL permissions on your database. Path of least privilege: give it what it needs. It doesn't need SUPER; if your application has SUPER, I will give you an example after the talk, if you want to talk about it, where I inject the UDF and take over the database server. Bad file permissions will own you every time: 777, bad. 0644 for the files, 0750 for the directories; I know these aren't your standard ones, but please, please, please, please, please restrict them.

So let's continue to talk about attack surfaces. It doesn't have to be limited to your database or your web application; your attack surface is also your employees. If somebody knows that the HR of your business, or somebody handling your contracts, always stops off at Starbucks on the Monday morning to respond to their emails, they're going to hit them over the head and steal the laptop. So get them to encrypt said laptop, and get into the habit of locking the thing or walking around with it handcuffed to their hands. Remove redundant packages; I hate to say it, guys, bluetoothd does not need to be on your rack-mount servers. You wouldn't believe how many times I see this. You don't need CUPS on your servers either; you don't need... I hope you wouldn't be using Samba on your Linux servers, guys; I refer you to the fact that it actually got owned again last week. Isolate the DB system: so basically put an access control list in. Your MySQL server does not need to be able to query google.com; I have seen this, I have exploited this, it's bad. Don't be the guy running around the forest in the bright pink vest saying, hey, I'm over here, come on, own me.

So let's talk a little bit about MySQL security features now. We'll talk about 5.6 and 5.7 briefly. In 5.6 you've got the plugin, nice one, sha256_password; now the only thing this really does is it changes the default password algorithm it stores and uses to SHA-256 instead. You've got a couple of other plugins like auth_pam. Now the reason I pick on these two is they're the most widely known authentication plugins, because within MySQL you've got proxy groups, and these are groups kind of like the access controls you have on a Linux system. They're a group whereby you can say, they're a sysadmin, therefore they need access to all the databases; they're in HR, they only need access to the employee databases and tables, etc. Then you don't have to do it on an individual basis, you do it on the group basis and then you grant the individual PROXY on that group. It's kind of a roundabout way to try and do user ACLs within MySQL. In 5.7.7 and onwards they've removed the requirement to have an authentication plugin to do it, so you can go back to mysql_native_password and still have the proxy groups. If you want proxy groups right now and you don't want to, you know, throw a non-GA release into your production, which I assume none of you would want to do, then you're going to need to use an authentication plugin, which is auth_pam, which a lot of people do, they have it backed onto LDAP, or sha256_password, which I highly recommend because I couldn't break it; I tried.

So let's talk quickly about selective grants. Like I said, no ALL ON *.*; in a previous talk I called this guy the key-maker, OK? You've got ALL ON *.*, you've also got WITH GRANT privilege. If you do WITH GRANT privilege, and I've seen a lot of tutorials that say please install our WordPress deploy, or please install our phpMyAdmin, with all the grant privileges and all the things, then I don't even need your permissions or your password; I'll go make my own. No SUPER; the image has dropped off. I call SUPER the trolling privilege. The reason I call SUPER the trolling privilege is, if I wanted to do nothing else, I can sit there killing all of your queries, just do whatever I want; I could reset your slaves, I could reset your master sometimes.

So yeah, a little bit of textbook stuff. Here's the differences you have to be aware of: the MySQL authentication handshake is actually a hell of a lot more secure than the storage of the password in the first place. The default storage, mysql_native_password, is a double pass of SHA-1 of the password. Hands up if anybody knows why this is a bad thing? If anybody knows what Google have recently said about SHA-1, and the fact that you need to deprecate it because it's been exploited. So your authentication handshake is a little bit different. If you ever run Wireshark against a plaintext MySQL session you'll see this: you send a query, you'll get the capabilities of the server, and the server will send back a payload that says, hi, I'm the server, here's my capabilities and here's the salt to use for the connection. Your client will then respond with this, which is a SHA-1 of the password XORed against the salt plus the same storage of the local password, so you get this awful, awful string. And the reason why this is much better is it is computationally much more of a pain to calculate this, and that's the biggest mantra about your systems: make it difficult for the attackers to get in; 99% of them will get bored and go away.

Strong passwords are key. Now this is where my video failed over, so I'm going to have to pop it up here. I've got a really good set of passwords here that I recovered; these are stored in the mysql.user table, and it took a grand total of 1.387 seconds to crack them. I call that cracking them because the media loves to say it: I cracked the password. No, I didn't. All I've basically done is run a dictionary against the hashes: run a dictionary through the same algorithm, which is a double SHA-1 pass of the word, got the resulting hash and said, is this the same? Oh, looks like it is, great, thank you very much. LibreOffice, OK, here we go. So, secure password? Nope. That's pretty much what I'm getting at: you have to have strong passwords. Even though it's hashed, please, please, please make sure you remember strong passwords are still important. These are the passwords we actually recovered; much password, such bad, wow.

So let's talk about REQUIRE SSL. What would have stopped me from getting some of these hashes in the first place would have been if the communication was actually encrypted in the first place. Put SSL on all the things; they're making it default in 5.7, that's at least what some of the guys at Oracle are telling me. Make sure this makes the authentication actually take place over SSL, so you will see the salt and the capabilities come back; that's all you'll see on the wire. You will never see the resulting SHA-1 of the password XORed against the salt, concat blah blah blah blah; you won't see that, you'll see all the nice SSL stuff. Makes it a little bit more difficult. There is a good amount of overhead, and I've got links here, there's a blog post; if you have connection pooling you will want to use it, that removes 90% of the overhead because it's all in actually trying to establish the connection in the first place. You can change the SSL cipher; don't rely on the defaults. Some of them are in there for backward compatibility; some of them use the MD5 hash, which hopefully I don't have to tell you is bad.

Let's talk about training your employees. So, up here, from the way I see it, you can either run from it or learn from it. Don't do this; don't say, I'm too small a business, no one will ever want to hack me, no one... That's OK, I'm a nice person, I've never said a cross word to anyone. You're the best targets: you won't tell anyone you've been hacked; we love you. So train your employees. It's not as difficult as it might seem, and you don't have to send them to a seminar where they come back and go, I am never using a computer again. It's really easy: don't open an email that says free things. That's probably one of the best things you can tell them. But I want free stuff! Look, if I open this program I see naked pictures of celebrities! No, stop. Train yourself. The reason you should train yourself is, how do you expect others to follow you if you can't do it yourself? Don't do the head in the sand, and just be aware of potential threats. The simplest one I can think of is somebody offering to drive you home with your own car: just give me your keys, please. No takers?

So let's talk about more acronyms. BYOD: anybody any idea what BYOD is? It's a short acronym for bring your own device. How many people's employees bring their own phone to work and use email on it, and might use VPN on it, and SSH? Give me your phone; I want your infrastructure. I think we're getting to the point now. IoT, anyone? Internet of things, very popular subject right now. You don't need Wi-Fi in your light bulb. How many times can I say this: just because it's cool, does it make it good? There is a proof of concept out there to take the Philips RGB light bulb and turn it into something that sniffs Wi-Fi connections. Let's talk about malicious human interface devices; in fact, did I bring my bag over here? HID abuse and/or malicious Wi-Fi, and I'm sorry, I've got to run up here. The TL;DR of this is there are so many things you can do, and some of you may have seen me running around with a bag of toys. I'm not going to go through the malicious Wi-Fi because we are actually running out of time; if you want to see that, come and see me after. I have a nice little device that Rickrolls you every time you try to access a site, and also plays the polka dot circus from Madagascar. So we have fun with all these things. Which I can't find... here we go: this is an oversized example of a malicious human interface device. It's oversized because it makes a point; you can see it. I've seen these embedded in mice, I've seen these embedded in keyboards, I've seen these embedded in free USB drives you might pick up from a conference. OK, so this one should be really easy. I've slowed this down, and I've slowed the sound, so you can actually see it. This thing will write keypresses in less than a millisecond; however, I've slowed it down, I think it's about a 20 millisecond gap between each one. Oh look, it types. So the TL;DR of this really is: if I can make it be a keyboard, what else can I make it be? Who uses keyboard shortcuts to open their favourite programs? Now, well, there's a lot there. You can open a terminal; what happens when I open the terminal and type anything I want as your user? So, say, a bash reverse shell back to my command and control server. So, right, you can hibernate your laptop; when you connect it, it will be there again.

The best example of this, and the most simple: who has an organization where they have a timeout policy for screens? Yep, most people. Shall I program it to be a mouse that wiggles every few seconds? Oh, it's not going to time out any more, so that 60-second policy to lock me out of the machine once it's timed out doesn't matter. I put this little device in, and these are great: they're little microcontrollers; I can put a photo sensor on there so that it can detect when you're sat in front of it and when you're not. There are lots of things. Irongeek gave a great presentation where he embedded it in a mouse and discussed all of these concepts, where you could tell when your hand was on the mouse that it was embedded in and when you took it off. You can give it the instructions as to when to change between a mouse and an exploit payload, with a microSD in it, and actually start pulling all the data off. This thing will open in less than ten milliseconds: it will open a terminal, it will send the malicious payload, connect to the command and control server and completely and utterly own your infrastructure. And that's the wrong slide, OK, so that was supposed to say Show Me, and that's kind of what I'm getting at here. I've just been given the five-minute card, so if you want to speak about any of the Wi-Fi or any of the fun toys I've got with me, please come and see me later; there's a huge bag of them. Any questions? Or have I scared you all into silence? OK, guys. [Applause]
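The two passages above on the authentication handshake (the Wireshark walk-through) and on the stored hashes cracked in 1.387 seconds both describe the mysql_native_password scheme. The following Python model is an added example; it is not code from the talk, from Percona or from MySQL. It computes the mysql.user hash (double SHA-1), the client's handshake response (SHA-1 of the password XORed against SHA-1 of the scramble plus the stored hash), the server-side check that needs only the stored hash, and the dictionary run the speaker describes. Assumptions: the scramble is treated as one 20-byte value (the real Handshake V10 packet splits it into an 8-byte and a 12-byte part, and packet framing is ignored here); the user names, passwords and word list are constructed sample data, not recovered from any server.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Added example (not from the talk): a model of MySQL's mysql_native_password
# scheme. Shows why the on-the-wire handshake is stronger than the stored hash
# and why weak passwords still fall to a dictionary run against mysql.user.

SCRAMBLE_LEN = 20  # mysql_native_password uses a 20-byte scramble ("salt")


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def native_password_hash(password: str) -> str:
    """Value stored in mysql.user: '*' + HEX(SHA1(SHA1(password))).

    Unsalted and two cheap hashes per guess, so a dumped table is an
    offline dictionary target.
    """
    return "*" + sha1(sha1(password.encode())).hex().upper()


def client_auth_response(password: str, scramble: bytes) -> bytes:
    """What the client sends in its handshake response packet:
    SHA1(password) XOR SHA1(scramble + SHA1(SHA1(password)))."""
    assert len(scramble) == SCRAMBLE_LEN
    stage1 = sha1(password.encode())
    stage2 = sha1(stage1)
    return xor(stage1, sha1(scramble + stage2))


def server_verify(stored_hash: str, scramble: bytes, response: bytes) -> bool:
    """Server side. It only holds stage2 (the stored hash), so it unmasks the
    response to recover the client's SHA1(password) and checks that hashing
    that once more reproduces the stored value."""
    if len(response) != SCRAMBLE_LEN or not stored_hash.startswith("*"):
        return False
    stage2 = bytes.fromhex(stored_hash[1:])
    recovered_stage1 = xor(response, sha1(scramble + stage2))
    return hmac.compare_digest(sha1(recovered_stage1), stage2)


def dictionary_attack(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline attack on a dumped mysql.user table: hash each candidate the
    same way the server does and compare. Returns {user: password} for hits."""
    lookup = {native_password_hash(w): w for w in wordlist}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def crack_captured_handshake(scramble: bytes, response: bytes,
                             wordlist: Iterable[str]) -> Optional[str]:
    """A sniffed scramble+response pair (no TLS on the wire) is also an
    offline target: three SHA-1s per guess instead of two. This is what
    REQUIRE SSL takes off the wire."""
    for w in wordlist:
        if client_auth_response(w, scramble) == response:
            return w
    return None


def demo() -> Dict[str, str]:
    # Constructed sample accounts; the third has a password not in the list.
    users = {"app": "password", "report": "letmein", "dba": "Xk9#vR2!pLq7$wN4"}
    stored = {u: native_password_hash(p) for u, p in users.items()}

    # One handshake: server picks a random scramble, client answers, server checks.
    scramble = secrets.token_bytes(SCRAMBLE_LEN)
    resp = client_auth_response(users["app"], scramble)
    assert server_verify(stored["app"], scramble, resp)
    # Replaying that response against a fresh scramble fails.
    assert not server_verify(stored["app"], secrets.token_bytes(SCRAMBLE_LEN), resp)

    # The stored hashes alone, against a tiny constructed word list.
    wordlist = ["123456", "password", "letmein", "qwerty", "admin"]
    return dictionary_attack(stored, wordlist)


if __name__ == "__main__":
    for user, pw in demo().items():
        print(f"{user}: {pw}")
```

Run it and the two weak accounts come back immediately while the third does not; swap in a real word list and a dumped mysql.user table and the speaker's 1.387 seconds is the same exercise. crack_captured_handshake is the reason REQUIRE SSL matters even though the handshake never sends the hash itself: without TLS an attacker who records the scramble and the response can still guess offline.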
Info
Channel: Percona
Views: 2,699
Rating: 3.9 out of 5
Keywords: MySQL, Percona Live, MySQL 101, mysql security, mysql tutorial security, mysql secure connection, database security, mysql damage, mysql safe mode update, database hack, mysql tricks and tips, mysql tricks and hacks, db security, spring security mysql authentication, protect mysql, protect database, protect access database, safe mysql, safety mysql, mysql talk, mysql tutorial, mysql understanding security, doomsday mysql, doomsday database
Id: dlcZyLVs5kE
Length: 20min 19sec (1219 seconds)
Published: Tue May 30 2017