Are they lazy? Stupid? Or merely inexperienced?
It's baffling that so many database administrators, or casual non-DBA downloaders, left weak or default passwords on MySQL databases and thus enabled the MySpooler bot attack against Windows installations of MySQL, which last week peaked at an infection rate of 100 machines per minute.
Johannes Ullrich, chief technology officer at the SANS Internet Storm Center, told eWEEK.com reporter Ryan Naraine that, in order to run its payload, the bot first had to authenticate to MySQL as the "root" user; to do so, it brute-forced the root password using a list of passwords included with the bot.
The hijacked databases were thus strung together into a network of MySQL Windows installations that was up to no good: MySpooler opened three listening ports on each target machine and dropped files with random, eight-character names.
MySpooler also installed a backdoor through which to access the machine and deliver its payload, Naraine reported. It also included a DDoS engine, scanners, and commands to collect information such as system stats and software registration keys.
In other words, MySpooler was an evil little bugger. But what really kills me is this quote from Ullrich: “This bot does not use any vulnerability in MySQL. The fundamental weakness it uses is a weak root account,” he said.
Weak or default passwords? Weak root accounts? Aren't we beyond that? After all, whether you're talking databases or networks or general host operating systems, the process for dealing with weak passwords is well understood.
Vulnerability scanning has been around for years, with smart system administrators scanning routers and general-purpose operating systems such as Windows and Unix.
Really savvy enterprises have also adopted tools to scan databases, from Application Security or Internet Security Systems and the like, although databases, regrettably, still lag behind their network-component brethren in the level of vulnerability scanning to which they are rightly subjected.
However, the fact that we're talking about an open-source database gives a sneaky twist to what should be a simple issue of password policy-setting or vulnerability scanning.
As pointed out to me in a recent conversation with AppSec's Ted Julian, vice president of marketing, open-source software such as MySQL has the potential to get into an enterprise casually, since it's free and can be readily downloaded. Many MySQL instances tend to be local, organic ones. As such, IT departments have little to no awareness they exist, Julian said.
“There could be shops that are very well hardened on the SQL Server front that could have been surprised just because of the database they targeted,” Julian said.
Not that every MySQL downloader is oblivious to the need for strong passwords. Jason Bailey, a network engineer and Web developer who works at a small-town newspaper in Utah, uses MySQL to house data that powers the paper's Web site, a typical use for MySQL.
Bailey's employer uses a Windows 2003 server running MySQL, but it's a slave server, used as backup, as opposed to being always active. Bailey hasn't had issues with MySQL on Windows security, but he uses the database almost exclusively for Web applications. Over 80 percent of connections to the MySQL daemon are from the local host, he told me.
When it comes to organic adoption of MySQL within networks, a small outfit such as Bailey's newspaper employer doesn't have much of an issue, but he and other users I've spoken with can certainly see the potential.
“I can easily see that being the case in some of the large networks in our area (ISPs, college networks, etc.), who are barely opening up to the idea of open-source database technology,” he wrote in an e-mail exchange.
“Large networks, at least in our area, are slower to embrace open-source databases. The lack of high licensing and usage fees is alluring, but many are afraid the open-source equivalents won't hold up or aren't robust enough.”
Thus, because they're too timid to open the front door to open-source databases, enterprises find that databases slip in through the back door.
Because of casual download, it's very likely that there are more inexperienced MySQL users than users of expensive, heavily IT-regulated commercial databases.
ABCs of Password Security
These inexperienced MySQL users must be educated in the essentials of security. Rule No. 1 is that the root account must never be left with its blank, out-of-the-box password, and root logins from remote hosts should be disabled. Any other administrative log-ins, which carry full privileges under a separate password, must likewise be changed from their defaults.
Evert Ford is a software developer and MySQL user at Westone Laboratories, in Colorado Springs, Colo. He told me that he's not aware of there being many security-oblivious MySQL users, judging from the time he spends in online forums.
“The reason I'd say this is that MySQL is an open-source application,” he told me. “The feeling I've gotten in reading the forums and talking to friends is the default behavior for most MySQL administrators is they unpack an application and they automatically reset the passwords.”
That is undoubtedly true for the majority of MySQL users, but when you're talking about a database that's up to some 8 million downloads, you're going to get some inexperienced users in the bunch.
That's fine. As Ford said, we've all got to start someplace, and starting with an open-source database like MySQL is a great place to launch a DBA career.
But, if you know of any inexperienced MySQL downloaders, do us all a favor and educate them as to the importance of changing default passwords and of creating strong passwords. Microsoft has a good Web page devoted to creating strong passwords.
The gist is simple. A strong password:
- Is at least seven characters long.
- Contains letters, numbers and symbols.
- Has at least one symbol character in the second through sixth positions.
- Is significantly different from prior passwords.
- Doesn't contain names or user names.
- Isn't a common word or name.
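To make Rule No. 1 and the password list concrete, here is an added example of my own (not code from the column, from MySQL AB, or from anyone quoted above). It audits a set of mysql.user rows for the defaults MySpooler preyed on, a blank root password, root reachable from any host and anonymous accounts, emits the MySQL 4.1/5.x statements a DBA would run to fix them, and checks candidate passwords against the six rules just listed. The account rows and hash value are constructed, COMMON_WORDS is a stand-in for a real cracking dictionary, and the three-edit threshold for "significantly different" is this example's own reading of that rule.

```python
"""Added example: audit MySQL accounts for the weak defaults MySpooler preyed
on, emit the SQL that fixes them, and check new passwords against the
strong-password rules listed above. Nothing here talks to a live server;
the account rows below are constructed for illustration."""
from dataclasses import dataclass

SYMBOLS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# Constructed stand-in for a real cracking dictionary (assumption).
COMMON_WORDS = {"password", "mysql", "root", "admin", "letmein", "secret", "qwerty"}


@dataclass(frozen=True)
class Account:
    user: str
    host: str
    password_hash: str  # mysql.user.Password column; '' means no password set


# Constructed sample of what "SELECT User, Host, Password FROM mysql.user"
# might return on a casually installed MySQL 4.x/5.x server (hash is fake).
SAMPLE_ACCOUNTS = [
    Account("root", "localhost", ""),              # root with the blank default password
    Account("root", "%", ""),                      # root reachable from any host
    Account("", "localhost", ""),                  # anonymous account
    Account("webapp", "localhost", "*A4B6157319038724E3560894F7F932C8886EBFCF"),
]


def audit_accounts(accounts):
    """Return (account, problem) pairs for every weak default found."""
    findings = []
    for a in accounts:
        if a.user == "":
            findings.append((a, "anonymous account"))
        elif a.user == "root" and a.host not in ("localhost", "127.0.0.1"):
            findings.append((a, "root login allowed from remote hosts"))
        elif a.password_hash == "":
            findings.append((a, "blank password"))
    return findings


def hardening_sql(accounts):
    """Statements a DBA would run to fix each finding (MySQL 4.1/5.x syntax).
    The placeholder must be replaced by a password that passes password_problems()."""
    stmts = []
    for a, problem in audit_accounts(accounts):
        if problem == "anonymous account":
            stmts.append(f"DELETE FROM mysql.user WHERE User='' AND Host='{a.host}';")
        elif problem == "root login allowed from remote hosts":
            stmts.append(f"DELETE FROM mysql.user WHERE User='root' AND Host='{a.host}';")
        else:  # blank password
            stmts.append(f"SET PASSWORD FOR '{a.user}'@'{a.host}' = PASSWORD('<new strong password>');")
    if stmts:
        stmts.append("FLUSH PRIVILEGES;")
    return stmts


def levenshtein(a, b):
    """Edit distance, used for the 'significantly different from prior passwords' rule."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def password_problems(pw, *, user_names=(), prior_passwords=(), min_distance=3):
    """Return the rules from the list above that pw violates (empty means strong).
    min_distance=3 is this example's reading of 'significantly different' (assumption)."""
    problems = []
    if len(pw) < 7:
        problems.append("shorter than seven characters")
    if not (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
            and any(c in SYMBOLS for c in pw)):
        problems.append("missing letters, numbers or symbols")
    if not any(c in SYMBOLS for c in pw[1:6]):  # positions two through six
        problems.append("no symbol in positions two through six")
    low = pw.lower()
    if any(levenshtein(low, p.lower()) < min_distance for p in prior_passwords):
        problems.append("too similar to a prior password")
    if any(n.lower() in low for n in user_names if n):
        problems.append("contains a name or user name")
    if low in COMMON_WORDS:
        problems.append("is a common word or name")
    return problems


if __name__ == "__main__":
    for account, problem in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{account.user or '<anonymous>'}@{account.host}: {problem}")
    print("\n".join(hardening_sql(SAMPLE_ACCOUNTS)))
    for candidate in ("mysql", "Tr0ub4dor&3", "k9#Lmz!q"):
        print(candidate, "->", password_problems(candidate, user_names=["root", "webapp"]) or "strong")
```

Run against the constructed rows, the auditor flags root@localhost (blank password), root@% (remote root) and the anonymous account, and leaves the webapp account alone; the generated statements are the same ones the MySQL manual of that era recommended after installation. Note that the audit reads only the Password column, so it can find blank passwords but not weak ones; the only defense against a dictionary list like MySpooler's is to pick the replacement password with password_problems() in hand.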
Educating the inexperienced is a fine short-term step to address security risks such as MySpooler. In the long term, however, it's high time that IT departments got a handle on the open-source databases that are infiltrating their enterprises.
Subject them to the same stringent security measures applied to commercial databases and network components. Then, after they've been formally invited in through the front door and asked to behave as domesticated, commercial databases behave, you can judge whether you want to invite them for permanent residence.
Write to me at firstname.lastname@example.org.
eWEEK.com Associate Editor Lisa Vaas has written about enterprise applications since 1997.
Editor's Note: This story was updated to correct a statement in one of the headlines regarding how MySpooler spreads.