How insiders hack SQL databases with free tools and a little luck

I see this scenario quite often. It's almost always a case of the focus being on the "important" database systems – while the seemingly "little" database systems that no one really uses are

More on SQL Server database security: SOX compliance checklist: IT security and SQL audits SQL Server source code analysis adds database security Database security threats include unruly insiders

ignored. Ending up on the Privacy Rights Clearinghouse list of data breaches is as simple as a trusted insider using a few free tools to exploit database weaknesses that almost certainly exist on the network. Sure, we can talk about database patching and passwords until we're purple in the face, but those two things are still the essence of most database security problems I see. Let me walk you through a real-world scenario.

Step 1: A bored employee (or contractor, or consultant, or auditor – you name it) decides one day that he wants to see what he can get into on the network. He knows that most of the good stuff is stored in company databases. The employee then combs the Internet for a couple of minutes and stumbles across the free (and very handy) SQLPing tool. This tool, like most network and security tools, is intended for legitimate and legal use, but the employee knows that good things can be used in bad ways. So, he simply plugs his local network address range into the tool and finds all of the SQL Server systems he can "play" with as shown in Figure 1.

Step 2: The employee then starts to poke around on the database systems during his adventure to hack SQL Server databases. He's not sure how to actually connect to the database, so he does a little more research on the Internet. He learns that Microsoft has a couple of tools he can use to connect to SQL Server databases. He hopes he won't need a password. Ha! He's in luck. It just so happens that the database he's interested in does not have a password on the sa account. Good for him – bad for business. Figure 2 shows how the employee simply connects to the database using Microsoft Web Data Administrator.

The ability to export databases, create backdoor users, delete databases is all in his control.

Step 3: The employee then stumbles across another interesting database system – and a new tool. With Microsoft's SQL Server Management Studio Express, he can connect and execute queries to databases as he sees fit. Sure, SELECT statements, table names and the like aren't for the faint of heart. But everything he needs is at his beck and call on the Internet. Having gone out on a limb and gained access to the database by using "password" as the password, he gets right in. He's able to execute a basic query that shows how many other accounts on the system have no password at all, as shown in Figure 3.

The system is thick with sloppy misconfigurations. The database is his.

Step 4: The employee has read recently that unstructured data scattered about the network is becoming a big problem for businesses. He does a little research and decides to poke around for Microsoft Access files on unsecured shares where they shouldn't be. He knows data contained in them may be stale, but they may still have some juicy content. After all, they were the company's mission-critical, relied-upon databases not that long ago. Any files he comes across are his. It's just a matter of loading them into Access. If they're password protected as a means of SQL Server database security, he can simply crack the passwords using a good commercial password cracking tool. It's a lot of valuable information for such a small investment.

Step 5: The employee goes on to abuse the database content for ill-gotten gains and the network administrator is none the wiser.

Think about these vulnerabilities. Then look at the descriptions of known breaches happening every week. It's all so free and easy, and it's reality -- no fancy commercial hacking tools are required.

Network flaws need your attention right now. It's okay to focus on the most urgent vulnerabilities on your enterprise's most critical systems, but don't overlook the "little guys." Your greatest SQL Server database security issues may very well be on some harmless database deep inside the network that no one ever uses. Leave no stone unturned and never, ever assume that network insiders cannot or will not do bad things, that is hack your SQL Server databases.

ABOUT THE AUTHOR:

Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent security assessments. Kevin has authored/co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at kbeaver@principlelogic.com. Copyright 2008 TechTarget

Rate this Tip To rate tips, you must be a member of SearchSQLServer.com. Register now to start rating these tips. Log in if you are already a member. Submit a Tip Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Microsoft SQL Server Get SQL Server log shipping functionality without Enterprise Edition SQL Server 2008 backup compression pros and cons Tuning SQL Server performance via disk arrays and disk partitioning Should you upgrade to SQL Server 2005 or SQL Server 2008? SQL Server data conversions from date/time values to character types Using full-text search for symbols in SQL Server Monitor database mirroring and replication after a SQL Server upgrade Basics for working with DATETIME and SMALLDATETIME in SQL Server 2005 How to configure Database Mail in SQL Server 2005 to send mail Upgrade live applications to SQL Server 2005 for high availability SQL Server security Secure SQL Server from SQL injection attacks Sarbanes-Oxley compliance checklist: IT security and SQL audits SQL Server source code analysis and management adds database security Ten common SQL Server security vulnerabilities you may be overlooking SQL Server 2008 security and compliance features reduce security risks Get your SQL Server security goals in order How secure is your SQL Server network design? Creating a SQL Server user authentication schema Could a join of encrypted SQL Server data have a problem? SQL Server connection lost when SA password is changed Strategy and planning Tuning SQL Server performance via disk arrays and disk partitioning Virtual database storage for SQL Server: Friend or foe? SQL Server high availability when upgrading to SQL Server 2005 Secure SQL Server from SQL injection attacks Storage area network (SAN) basics every SQL Server DBA must know Tips for moving from SQL Server local disk storage to SANs Sarbanes-Oxley compliance checklist: IT security and SQL audits SQL Server PerfMon counters for access methods and buffer manager Find size of SQL Server tables and other objects with stored procedure Monitor SQL Server disk I/O with PerfMon counters RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.