Database - eWeek



Database News

Researchers to Demonstrate Database Man-in-the-Middle Attacks at Black Hat


By: Brian Prince
2010-04-10
Article Rating:starstarstarstarstar / 11


There are  user comments on this Database story.


Two researchers from Trustwave will demonstrate how to use man-in-the-middle attacks against Oracle databases to steal user credentials and take over sessions at Black Hat Europe next week.

Two researchers from Trustwave will demonstrate how a man-in-the-middle attack on Oracle databases can be leveraged to swipe user credentials and hijack sessions at the upcoming Black Hat Europe security conference.

Armed with a new proof-of-concept tool, Trustwave Director of Security Research Steve Ocepek and Security Consultant Wendel Henrique will demonstrate how attackers can steal credentials by downgrading authentication mechanisms as well as take over existing user sessions.

“We’re highlighting the dangers of man-in-the-middle by showing attacks that go beyond what most people are familiar with,” Ocepek told eWEEK. “Wendel’s downgrade attacks can fool a client into giving up weak hash values and even Windows hashes, just by changing a few bytes of data. And the thicknet tool completely takes over, and allows arbitrary SQL injection. These are not common attacks, but they (creatively) exploit a known problem with plaintext data.”

As database users perform legitimate queries, information is often transmitted in clear text, easily readable by attackers with access to the data, the researchers explained.

“What we’re recommending is the use of encryption more frequently, something that’s built into the protocol from the beginning, just making it that much harder for an attacker to manipulate these packets,” Ocepek said. "We're also again trying to beat the drum of shutting down some of these methods of doing man-in-the-middle attacks. It's just far too easy right now."

Using their thicknet tool, Ocepek and Henrique plan to demonstrate how to gain unauthorized access to Oracle and launch both types of attacks. The tool will be available after the show, Ocepek said.

"(The attacks can) be done remotely; it depends on where the client is," he explained. "So let's say that you are at a hotspot, you're at a coffee shop, and somebody's got the laptop on and they're connecting to a database remotely. That would be a case where absolutely you could do that as well."

The duo only focused their research on Oracle due to its large presence in the market and because it is "very rare to find Oracle encryption turned on," Ocepek said.

“Because man-in-the-middle attacks have been around so long, we’ve gotten to the point of acceptance here,” he added. “But attacks like these highlight the fact that we might have underestimated the potential of these attacks.”

The conference will be held April 12-15 in Barcelona, Spain, with briefings April 14 and 15.







 
 
>>> More Database Articles          >>> More By Brian Prince
 


FEATURED SPONSOR VIDEOS

Benefits of Workload Optimization

What Smart Companies MUST Learn from Gaming

Advances in Authentication

Vertical Markets Benefit from Workload Optimization

View More Videos

Brought to you by
Advertisement

FEATURED SPONSOR MESSAGE

Start the New Year with business intelligence—it’s a smart move

Join us on February 1 for an encore rebroadcast at either 5 am or 12 noon EST and discover how business intelligence (BI) supports companies in uncertain business and economic climates. Get expert advice on how to create a strategy that fits your organization's needs and budget and see how quickly it can pay for itself.

Click Here

Brought to you by
eweek digital

Suggested Related Content:

Articles Labs/How-To Multimedia


Advertisement
 
APPLY FOR A FREE 
SUBSCRIPTION BELOW:
>Try digital eWEEK
>Renew today
>Subscription help
>More FREE Subscriptions
First Name:Last Name:
Title:Company:
Address:City:
State:Zip Code:
Email:
Issue Index | Contact Us | About | Advertise | Magazine Customer Service | Site Map
eWEEK Quick LInks

Security:
Enterprise Networking
Network Security
Infrastructure Security
How To: Data
Security Watch Blog
Storage:
Data Storage
Cloud Storage
Storage Virtualization
Network Access Storage
How To: Storage
Storage Station Blog
Computing:
Apple OSX
Linux Systems
Windows 7
Managed Print Services
Computer Reviews
Microsoft Watch Blog
Google Watch Blog
Communications:
VoIP Solutions
Wireless Technology
Messaging Software
Web Services
Apps & Development:
Application Development
Enterprise Apps
Search Engines
Database Software
Web 2.0
CIOs

Vertical Markets:
Federal Government IT
Health Care IT
Finance IT
Mid-Market
Channel and VARs
Careers Blog
More eWeek Links:
Green Computing Center
Tech Knowledge Center
Tech Newsletters
Tech RSS Feeds
White Papers
Tech Videos
Magazine Subscriptions
Enterprise Websites:
ZDE Home
eWeek
Baseline Magazine
Channel Insider
CIO Insight
eSeminars and Events
Web Buyers Guide
Developer Websites:
DevSource C# and .Net
Dev Shed
DeveloperShed
ASP Free
SEO Chat
Codewalkers
Tutorialized
Scripts.com
Dev Mechanic
Dev Articles
Web Hosters
Dev Hardware
Technology Websites:
Device Forge
Desktop Linux
Linux Devices
Windows for Devices
PDF Zone
Linux Watch
TechDirect
Windows Migration
Smarter Technology

Use of this site is governed by our Terms of Use and Privacy Policy
Copyright ©1996-2012 Ziff Davis Enterprise Holdings Inc. All Rights Reserved. eWEEK and Spencer F. Katt are trademarks of Ziff Davis Enterprise Holdings, Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Enterprise Inc. is prohibited.
ZDE Cluster 3