look out honey 'cause I'm using technology

Blog

HOWTO defend databases from SQL attacks with GreenSQL

UPDATE: as if to underscore the importance of this tool and approach, yesterday a story hit about a SQL injection attack infecting over 132,000 systems in short order. Net-Security have the full details on this attack, including how it probes the host via JavaScript to check for known vulnerabilities, how it exploits them, and how it ultimately downloads a back-door trojan to get the game going. It’s really amazing to see how complicated and professional these things have gotten, and it just adds to the reasoning that we have to step up to the plate and learn how to better defend against them.

I’ve been privy to some log dumps showing real, and successful, SQL attacks on some MSSQL servers before, and they weren’t pretty. Of course a SQL injection attack has little to do with the database (well, as long as it’s still SQL based at least (nod to CouchDB and MongoDB)), and more with the code that calls it, and how that code deals with sanitizing inputs. For this reason MySQL is just as vulnerable; after all, bad code is bad code. While a client of mine opted for a firewall ‘module’ they had to buy an additional licence for, which set them back many thousands of dollars, I knew there had to be cheaper/better ways to address this kind of vulnerability. One way of course is to fix the code, but with legacy sites that no one has touched for years, this may be impractical (I didn’t say this, I only heard it), and the other idea is to proxy the SQL and ‘clean’ it before it hits the database. The advantage of this approach is that it protects against known attacks, as well as unknown attacks, since it limits so much of what an attack is allowed to accomplish when trying to get its foot in the door. This approach is what the folks over at GreenSQL have done, and it’s very impressive. They sum things up nice and sweet with, “GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy for SQL commands and has built in support for MySQL & PostgreSQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). GreenSQL is distributed under the GPL license.”


Talking about clouds, TDWG and Eucalyptus


We had an alternate (unofficial) cloud talk at TDWG, organized here: http://bit.ly/8LGUCr. One of the main things we wanted to cover was to review what data is available now (or should be) out on Amazon’s free public data sets: http://developer.amazonwebservices.com/connect/kbcategory.jspa?categoryID=243. From there we derived a software stack from ideas of what would be useful for biodiversity folks to have on an EC2-compatible Debian Linux instance to do distributed computing against those sets: http://bit.ly/8GSEa7. This in turn builds off of what has already been done with BioLinux (http://www.jcvi.org/cms/research/projects/jcvi-cloud-biolinux/), which is more of a desktop-able EC2/Eucalyptus image. Eucalyptus (http://open.eucalyptus.com/) is an open source project for you to bring up your own ‘private clouds’ that leave open the ability to migrate part or all of it to Amazon’s EC2 instances if you needed more power.


EFF’s SSD (Surveillance Self-Defense) Project

EFF has a page covering what they call The SSD Project (Surveillance Self-Defense), which they provide “…to educate the American public about the law and technology of government surveillance in the United States, providing the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it.” This is important stuff, and what I wish others would know, so I’m posting links to the source in the hope it will get more exposure and results in the search engines of the Internet. I will contact EFF and see if we can formulate a better method to disseminate and distribute this text, allowing for updates and annotations going forward. Also, I aggregate news that covers these kinds of issues over on Left to chance; take a look, then follow @lefttochance and @eff on Twitter to stay informed, and consider joining the LinkedIn EFF Group I run to join in the conversation. In other words, get involved and …

Know your rights!


Ruby on Rails: gem install versus apt-get

UPDATE: Thanks to Ryan, Ant and Fern for the tips. With that in mind I found an online Slicehost tutorial that contained the steps and explained how to install ruby via apt-get, then get the latest rubygems, install that manually, run gem to update itself, then run gem to install rails, as suggested. The steps I took from that page:


Dark Night of the Soul

Notice: the text of this post in the gray, blockquote area was taken from the website Look Into My Owl, and I forgot to attribute it to them. The reason I used a blockquote was to signify that it was a direct quote, and that it wasn’t mine, but I didn’t say it wasn’t, and didn’t put a link to the original work as I usually do. It was an oversight on my part, and I regret it.

The more I try to hurt you, the more it hurts me

Ah, just another line that revolves in my head after repeated listenings of the amazing ‘Dark Night Of The Soul’, the Danger Mouse and Sparklehorse (Mark Linkous) musical collaboration with David Lynch.


