BLACK HAT - New database attack revealed

Presenters to show how ‘timing attacks’ can infiltrate databases

Researchers at Core Security Technologies are to demonstrate an attack that could allow hackers to extract private information from databases -- without requiring any bugs in the database management software.

The demonstration, on Wednesday at Black Hat USA in Las Vegas, will involve timing attacks, a technique for breaking ciphers. It's effective against databases using BTREE, the most popular database indexing algorithm and data structure, and will use MySQL for demonstration purposes, Core researchers said.

Currently, data breaches are usually the result of bugs in front-end web applications or misconfigured authorization and access control permissions, Core said, but the timing attack doesn't need any such bugs to work.

"The new attack relies solely on the inherent characteristics of the indexing algorithms used by most commercial database management systems," said Core researchers Ariel Waissbein and Pablo Damian Saura in a note on the presentation.

In cryptography, the timing attack is a technique where the attacker analyses the time taken to execute cryptographic algorithms, using the analysis to discover information about how the cryptographic system is implemented and help find a way to crack the system.

Saura and Waissbein's approach is similar: their attack involves performing record insertion operations, typically available to all database users -- including anonymous users of front-end web applications -- and analyzing the time it takes to perform different kinds of insertions.

By analyzing the different timings, attackers can deduce what was inserted previous to the attack, Core said.

On the plus side for organizations with database systems, Core said the attack is "theoretical" and would be difficult to implement, since the attacker would need to have information about the structure and settings of the database to carry it off.

Another complicating factor is that on a "live" database other users could be making insertions at the same time, affecting the results of the timing analysis.

The point is for organizations to be aware that such attacks are possible, so that they can be on their guard, Core said.

The demonstration will include a review of BTREE and will explain how Saura and Waissbein discovered the vulnerability, Core said.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Matthew Broersma

Techworld.com
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?