    Downloadable Databases Pose Security Dangers

Written by Lisa Vaas
Published February 1, 2005

      Are they lazy? Stupid? Or merely inexperienced?

It's baffling that so many database administrators, or casual non-DBA downloaders, left weak or default passwords on MySQL databases and thus enabled the MySpooler bot attack against Windows installations of MySQL, which last week peaked at an infection rate of 100 machines per minute.

Johannes Ullrich, chief technology officer at the SANS Internet Storm Center, told eWEEK.com reporter Ryan Naraine that, in order to launch its exploit, the bot first had to authenticate to MySQL as the "root" user, and that it got in by brute force, trying a list of passwords included with the bot against that account.

The hijacked databases were thus strung together into a network of MySQL Windows installations that was up to no good: MySpooler opened three listening ports on each target machine and dropped files with random eight-character names.

MySpooler also installed a backdoor through which to access the machine and deliver its payload, Naraine reported. And it included a DDoS engine, scanners, and commands to harvest information such as system stats and software registration keys.

      In other words, MySpooler was an evil little bugger. But what really kills me is this quote from Ullrich: “This bot does not use any vulnerability in MySQL. The fundamental weakness it uses is a weak root account,” he said.
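Ullrich's description boils down to password guessing against the root account, and that leaves a loud trail in the server's own error log: every failed attempt is written as an "Access denied" warning, provided the server is configured to log failed logins (check log_warnings on older servers and log_error_verbosity on 5.7/8.0). The script below is an added example, not code from the article, from SANS or from MySQL. It parses constructed sample log lines in both the old "YYMMDD HH:MM:SS" prefix style of the 2005-era servers and the ISO-8601 prefix of current ones, then flags any client that fails against one account five times inside a minute; the threshold, window and sample lines are assumptions, and the separate check for root attempts with no password at all rests on the fact that a fresh MySQL install of that era shipped root with an empty password.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Failed-login warning as mysqld writes it to the error log. The timestamp
# alternative covers the old "YYMMDD HH:MM:SS" prefix and the ISO-8601 prefix
# of current servers; "Using"/"using" also differs between versions.
_ACCESS_DENIED = re.compile(
    r"^(?P<ts>\d{6} +\d{1,2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"
    r".*Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
    r" \([Uu]sing password: (?P<pw>YES|NO)\)"
)

# Constructed sample error log (assumption): one typo by a real user, a client
# at 10.0.0.5 hammering root with a password list (first try with no password,
# the default on a fresh install), and one newer-format line for comparison.
SAMPLE_LOG = """\
050128 12:00:01 [Warning] Access denied for user 'webapp'@'localhost' (Using password: YES)
050128 12:00:05 [Warning] Access denied for user 'root'@'10.0.0.5' (Using password: NO)
050128 12:00:06 [Warning] Access denied for user 'root'@'10.0.0.5' (Using password: YES)
050128 12:00:07 [Warning] Access denied for user 'root'@'10.0.0.5' (Using password: YES)
050128 12:00:08 [Warning] Access denied for user 'root'@'10.0.0.5' (Using password: YES)
050128 12:00:09 [Warning] Access denied for user 'root'@'10.0.0.5' (Using password: YES)
050128 12:00:10 [Warning] Access denied for user 'root'@'10.0.0.5' (Using password: YES)
050128 12:00:12 [Note] mysqld: ready for connections.
2024-01-01T12:00:00.000000Z 8 [Warning] [MY-010926] [Server] Access denied for user 'root'@'192.0.2.9' (using password: YES)
"""


def _parse_ts(raw):
    """Turn either timestamp prefix into a datetime."""
    if "T" in raw:
        return datetime.strptime(raw, "%Y-%m-%dT%H:%M:%S")
    day, clock = raw.split()
    return datetime.strptime(f"{day} {clock}", "%y%m%d %H:%M:%S")


def parse_failures(lines):
    """Yield (timestamp, user, host, used_password) for every failed login."""
    for line in lines:
        m = _ACCESS_DENIED.search(line)
        if m:
            yield (_parse_ts(m.group("ts")), m.group("user"), m.group("host"),
                   m.group("pw") == "YES")


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Raise one alert per (client host, account) that accumulates `threshold`
    failures inside a sliding window of `window_s` seconds. The alert records
    the failures seen in the window at the moment the threshold was crossed."""
    recent = defaultdict(deque)   # (host, user) -> timestamps still in the window
    alerts, already = [], set()
    for ts, user, host, _used_pw in parse_failures(lines):
        key = (host, user)
        window = recent[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold and key not in already:
            already.add(key)
            alerts.append({"host": host, "user": user, "failures": len(window),
                           "first": window[0], "last": ts})
    return alerts


def passwordless_root_probes(lines):
    """Hosts that tried root with no password: a probe for the empty default
    password that a casual install leaves in place."""
    return sorted({host for _ts, user, host, used_pw in parse_failures(lines)
                   if user == "root" and not used_pw})


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['user']}@{a['host']}: {a['failures']} failures "
              f"between {a['first']} and {a['last']}")
    print("passwordless root probes from:",
          passwordless_root_probes(SAMPLE_LOG.splitlines()))
```

Run it against a real error log with `detect_bruteforce(open(path))`. A single client tripping the threshold against root is the MySpooler pattern; a distributed list walk from many hosts, each below the threshold, would need the same window keyed on the account alone, which is a one-line change to `key`.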

The bot attack fizzled after DNS service authorities shut off access to the IRC servers controlling the worm.

Weak or default passwords? Weak root accounts? Aren't we beyond that? After all, whether you're talking databases or networks or general host operating systems, the process for dealing with weak passwords is well understood.

      Vulnerability scanning has been around for years, with smart system administrators scanning routers and general-purpose operating systems such as Windows and Unix.

Really savvy enterprises have also adopted tools that scan databases, from Application Security, Internet Security Systems and the like, although databases, regrettably, still lag well behind routers and operating systems in how rigorously they are scanned for vulnerabilities.


      Organic Growth


However, the fact that we're talking about an open-source database gives a sneaky twist to what should be a simple issue of password policy-setting or vulnerability scanning.

As AppSec's Ted Julian, vice president of marketing, pointed out to me in a recent conversation, open-source software such as MySQL has the potential to get into an enterprise casually, since it's free and can be readily downloaded. Many MySQL instances tend to be local, organic ones. As such, IT departments have little to no awareness that they exist, Julian said.


      “There could be shops that are very well hardened on the SQL Server front that could have been surprised just because of the database they targeted,” Julian said.

Not that every MySQL downloader is oblivious to the need for strong passwords. Jason Bailey, a network engineer and Web developer who works at a small-town newspaper in Utah, uses MySQL to house the data that powers the paper's Web site, a typical use for MySQL.

Bailey's employer runs MySQL on a Windows 2003 server, but it's a slave server, used as a backup, rather than the always-active one. Bailey hasn't had security issues with MySQL on Windows, but he uses the database almost exclusively for Web applications, and over 80 percent of connections to the MySQL daemon come from the local host, he told me.

When it comes to organic adoption of MySQL within networks, a small outfit such as Bailey's newspaper employer doesn't have much of an issue, but he and other users I've spoken with can certainly see the potential.

      “I can easily see that being the case in some of the large networks in our area (ISPs, college networks, etc.), who are barely opening up to the idea of open-source database technology,” he wrote in an e-mail exchange.

      “Large networks, at least in our area, are slower to embrace open-source databases. The lack of high licensing and usage fees is alluring, but many are afraid the open-source equivalents wont hold up or arent robust enough.”

Thus, because they're too timid to open the front door to open-source databases, enterprises find that databases slip in through the back door.

Because of casual downloading, it's very likely that there are more inexperienced MySQL users than there are inexperienced users of expensive, heavily IT-regulated commercial databases.


      ABCs of Password Security

These inexperienced MySQL users must be taught the essentials of security. Rule No. 1 is that the root account must not be left with its default empty password, and root logins from remote hosts should be disabled outright. Any other login that carries full administrative access has its own password, and that too must be changed from the default.

Evert Ford is a software developer and MySQL user at Westone Laboratories, in Colorado Springs, Colo. He told me that he's not aware of there being many security-oblivious MySQL users, judging from the time he spends in online forums.

“The reason I'd say this is that MySQL is an open-source application,” he told me. “The feeling I've gotten in reading the forums and talking to friends is the default behavior for most MySQL administrators is they unpack an application and they automatically reset the passwords.”

That is undoubtedly true for the majority of MySQL users, but when you're talking about a database that's up to some 8 million downloads, you're going to get some inexperienced users in the bunch.

That's fine. As Ford said, we've all got to start someplace, and starting with an open-source database like MySQL is a great place to launch a DBA career.

      But, if you know of any inexperienced MySQL downloaders, do us all a favor and educate them as to the importance of changing default passwords and of creating strong passwords. Microsoft has a good Web page devoted to creating strong passwords.

      The gist is simple. A strong password:

      • Is at least seven characters long.
      • Contains letters, numbers and symbols.
      • Has at least one symbol character in the second through sixth positions.
      • Is significantly different from prior passwords.
• Doesn't contain names or user names.
• Isn't a common word or name.
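To make these rules and the Rule No. 1 account check from the start of this section concrete, here is an added Python example; it is not code from the article, from Microsoft's page or from MySQL. `audit_users` walks rows shaped like the output of `SELECT User, Host, Password FROM mysql.user` (constructed sample rows; newer servers name the column `authentication_string`) and flags passwordless accounts, anonymous accounts and root logins permitted from any host. `check_password` applies the six rules in the list to a candidate. Two readings are mine: "significantly different from prior passwords" is measured as a Levenshtein distance of at least three, and "names or user names" is checked against the login name only, since the script carries no list of personal names. The common-word set is a placeholder.

```python
import string

# Constructed sample (assumption): rows as SELECT User, Host, Password FROM
# mysql.user returns them on a casually installed MySQL 4.1/5.x. Newer servers
# call the column authentication_string. An empty value means no password.
SAMPLE_USERS = [
    ("root", "localhost", ""),
    ("root", "%", "*94BDCEBE19083CE2A1F959FD02F964C7AF4CFC29"),
    ("", "localhost", ""),
    ("webapp", "localhost", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
]

# Placeholder word list (assumption); a real check would load a dictionary.
COMMON_WORDS = {"password", "mysql", "root", "admin", "secret", "letmein", "welcome"}


def audit_users(rows):
    """Rule No. 1: flag accounts a MySpooler-style password guesser would walk
    straight into. Returns (user, host, finding) tuples."""
    findings = []
    for user, host, pw_hash in rows:
        if user == "":
            findings.append((user, host, "anonymous account; drop it"))
        if pw_hash == "":
            findings.append((user, host, "no password set"))
        if user == "root" and host in ("%", ""):
            findings.append((user, host, "root accepted from any host; limit to localhost"))
    return findings


def _edit_distance(a, b):
    """Levenshtein distance, used to judge 'significantly different'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(candidate, username="", previous=(), min_len=7, min_distance=3):
    """Apply the six rules from the list above. Returns the rules the candidate
    breaks; an empty list means it passes. min_len=7 mirrors the page's rule."""
    symbols = set(string.punctuation)
    low = candidate.lower()
    broken = []
    if len(candidate) < min_len:
        broken.append("shorter than %d characters" % min_len)
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)
            and any(c in symbols for c in candidate)):
        broken.append("needs letters, numbers and symbols")
    if not any(c in symbols for c in candidate[1:6]):          # positions 2 through 6
        broken.append("no symbol in positions 2 through 6")
    if any(_edit_distance(low, p.lower()) < min_distance for p in previous):
        broken.append("too close to a prior password")
    if username and username.lower() in low:
        broken.append("contains the user name")
    if low in COMMON_WORDS:
        broken.append("common word or name")
    return broken


if __name__ == "__main__":
    for user, host, finding in audit_users(SAMPLE_USERS):
        print(f"'{user}'@'{host}': {finding}")
    for pw in ("password", "root2005", "x7!kQ9vb"):
        print(pw, "->", check_password(pw, username="root") or "OK")
```

The seven-character floor is the 2005 guidance the page quotes; treat `min_len` as a knob and raise it for anything you deploy today. The audit deliberately works from a dumped table rather than a live connection, so it can be run on a copy of `mysql.user` pulled from a machine you are not sure you should be connecting to.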

Educating the inexperienced is a fine short-term step to address security risks such as MySpooler. In the long term, however, it's high time that IT departments got a handle on the open-source databases that are infiltrating their enterprises.

Subject them to the same stringent security measures applied to commercial databases and network components. Then, after they've been formally invited in through the front door and asked to behave as domesticated, commercial databases behave, you can judge whether you want to invite them for permanent residence.

      Write to me at [email protected].

      eWEEK.com Associate Editor Lisa Vaas has written about enterprise applications since 1997.

Editor's Note: This story was updated to correct a statement in one of the headlines regarding how MySpooler spreads.


Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection.
