Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Database Forensics Still In Dark Ages

Former database bug finder demos a new tool to help fill gap in the forensics process

BLACK HAT USA 2011 -- Las Vegas -- Even in this era of massive data breaches and database hacks, the field of database forensics still lags behind significantly, database security expert David Litchfield reported to a crowd at Black Hat today. A longtime security expert and known best for his work in database security bug finding, Litchfield demonstrated the beta of a new set of Oracle database forensics tools he developed and is releasing for free to the security community at large.

Click here for more of Dark Reading's Black Hat articles.

In his presentation Litchfield walked his audience through a demonstration of an Oracle database hack, from gaining access into the database, to escalating privilege, to modifying data, and showed the types of evidence left behind by these attacks and how that evidence could be collected by the tool for the purpose of forensics.

Leading up to the demo, he explained how no one is really taking responsibility for database forensics and incident response because the convergence of databases and forensics puts the subject well out of the comfort zones of experts in either field.

"There seems to be this no-man's-land where no one's doing it simply because the forensics and IR people understand very well their own technologies, whereas with databases you have to understand things like SQL. You have to understand the architecture. So they leave it to the database guys to do it," Litchfield said, "whereas the database guys are probably thinking, 'Wow, I understand databases, but the whole forensics thing is way out of my depth, so I'll leave it to the other guys. '"

Additionally, he said, there were no commercially available tools for doing effective database forensics.

"Until now, that is," Litchfield said, explaining that the big gap in forensics was what lured him away from researching vulnerabilities in databases to developing tools under V3rity Software, a company he founded a little more than a year ago.

According to Litchfield, plenty of forensics data is laying around a database infrastructure to do a proper investigation, particularly for Oracle. Litchfield said that even though Oracle has a long way to catch up with SQL Server in terms of security posture -- pointing to a comparison between the number of critical patch updates as evidence -- he believes Oracle offers the most information necessary to piece together an incident after the fact.

"Evidence is everywhere in Oracle -- that's one of the best things it has done. There is so much redundancy built into it that there is a wealth of information about what's taking place," he said. "They have all this juicy information to a forensics investigator."

Some places where incident response teams should look include system metadata, datafiles, redo logs, transaction logs, undo segments, and memory and trace files. Log files are also good, but only with caution because the hackers can manipulate them.

It is all a matter of extracting that data without changing any system states so that it can be read in a human understandable format. Litchfield says his new tools do that for Oracle version 8 through present time. He encourages forensics people to contact him for the free tools, with the understanding that it is still unpolished.

"Right now the tools are all held together by bubblegum and cello tape," he said, " so you have to lick everything together."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-26890
PUBLISHED: 2020-11-24
Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is accepted into the r...
CVE-2020-28348
PUBLISHED: 2020-11-24
HashiCorp Nomad and Nomad Enterprise 0.9.0 up to 0.12.7 client Docker file sandbox feature may be subverted when not explicitly disabled or when using a volume mount type. Fixed in 0.12.8, 0.11.7, and 0.10.8.
CVE-2020-15928
PUBLISHED: 2020-11-24
In Ortus TestBox 2.4.0 through 4.1.0, unvalidated query string parameters to test-browser/index.cfm allow directory traversal.
CVE-2020-15929
PUBLISHED: 2020-11-24
In Ortus TestBox 2.4.0 through 4.1.0, unvalidated query string parameters passed to system/runners/HTMLRunner.cfm allow an attacker to write an arbitrary CFM file (within the application's context) containing attacker-defined CFML tags, leading to Remote Code Execution.
CVE-2020-28991
PUBLISHED: 2020-11-24
Gitea 0.9.99 through 1.12.x before 1.12.6 does not prevent a git protocol path that specifies a TCP port number and also contains newlines (with URL encoding) in ParseRemoteAddr in modules/auth/repo_form.go.