In our ongoing series of interviews, we are doing things a little differently this week and interviewing four members of TeamSHATTER. They answered a few questions and pulled back the curtain a bit on the methods, tools and motivation for the work they do.
TeamSHATTER is the research arm of Application Security, Inc. and the largest dedicated database security, vulnerability and misconfiguration research team in the world.TeamSHATTER maintains the most comprehensive knowledgebase of database vulnerability and misconfiguration checks in the industry and understands how to make security an integral part of an enterprise’s database security and network management infrastructure. TeamSHATTER regularly publishes security advisories, technical papers, and research information on www.TeamSHATTER.com.
The people taking place in this week’s interview are: Alex Rothacker, who runs TeamSHATTER, and is the Director of Security Research; Esteban Martinez Fayo is Security Research Technical Lead; Martin Rakhmanov is Security Research Technical Lead; Vladimir Zakharevich is a Security Researcher.
What motivates you to find security vulnerabilities?
Vladimir Zakharevich In the beginning, my motivation for doing security research was the fun and challenge of the process, and later it became my career which I still enjoy.
Martin Rakhmanov Finding a vulnerability is never a guess. It requires intensive research of software which itself brings a lot of knowledge: how databases work, how a specific database feature is implemented by a vendor, how compilers work, what tools are available, etc. So, ultimately, one vulnerability discovery means a lot of knowledge is acquired in the process, and that is very motivating.
Esteban Martinez Fayo At first, I started for curiosity and to try something new besides programming and database administration. Then it became more like a challenge and quickly turned into something where I could make a difference. My main motivation continues to be the challenge of finding security issues and vulnerabilities in software that claims to be secure or work in a certain way – making it not to work as expected by just modifying a small thing that was overlooked by the vendor.
What are the primary tools you use, and how do you use them?
Alex Rothacker Every researcher is using their own set of tools, but in general we use native database command line and configuration tools, like SQLPlus, SQLServer Manager to find vulnerabilities that can be exploited using SQL code vulnerabilities. We also develop custom tools for proof of concepts and automation using tools developed in .Net, Java, C, Python. We use Wireshark heavily for analyzing network traffic. We also use debuggers like WinDbg and gdb for analysis of running processes. Finally, the Sysinternals tools suite is essential for work on Windows systems helping to analyze processes.
How do you choose your target of investigation? Do you pick your target application and look for bugs, or look for a genre of bug in many different applications?
Martin Rakhmanov Once some sort of bug has been found in one database, I try to find the same issue in a different product, too. However, since all databases are implemented differently (programming language, libraries), this may not be an easy task. It is very important to keep track of progress and return to the task later on, even if it seems impossible at first. If you keep trying, vulnerabilities will eventually be found. Nowadays, most database management systems are addressing more trivial, and easy to find and fix security bugs. More advanced research is required to find the harder-to-find vulnerabilities.
Alex RothackerAs a database security research team, we primarily focus on the major database management systems, like Microsoft SQLServer, Oracle, Sybase and DB2.
Esteban Martinez Fayo I am mainly concentrated on Oracle because it is one of the most used database servers, especially for the largest and most critical databases.
I typically look for different types of bugs in a target application, moving from one type of bug at a time, in a target application.
How do you handle disclosure? Which vendors have been good to work with and which have not?
Alex Rothacker We are a “responsible disclosure” organization. Our official policy is available here. As such, we report our findings to the product vendors and work with them at fixing the issue. Once a patch is released, we release a detailed security advisory to the public. We typically do not release exploit code, but reserve the right to do so in certain circumstances.
In general, our experiences with vendors have been mixed. It’s often very frustrating to make the database vendors understand why a certain problem is a vulnerability and why it deserves a fix. Esteban Martinez Fayo was even once asked ’Why does a buffer overflow pose a security risk?’
Overall, the process has improved a lot compared to some years ago, but there is still a lot of room for improvement, especially in the time it takes a vendor to fix a vulnerability. We have seen database vendors take a year or longer to fix some very critical issues.
What are you working on currently?
|Esteban Martinez Fayo|
Esteban Martinez Fayo Regarding vulnerability research, I’m currently most interested in network protocol issues and cryptography than on other kinds of vulnerabilities like SQL injections or buffer overflows. I’m also dedicated to keep AppSec’s database activity monitoring software signatures up-to-date with the latest database attacks.
Martin Rakhmanov We have some discoveries in major databases and are working on new ones every day.
Alex Rothacker As a team, we are always looking for the next database vulnerability or misconfiguration. We are working constantly to improve our understanding of database security issues, which will help to strengthen our database vulnerability assessment and activity monitoring control sets.
What do you think is the biggest challenge facing infosec as an industry?
Vladimir Zakharevich In my opinion, the biggest challenge facing information security is the lack of adequate legal support and understanding from the government and the general public. Many of the laws that apply to information security are severely outdated and those that are relevant are usually not written to encourage security research in any shape or form.
Esteban Martinez Fayo I think that one of the biggest problems is the lack of strong standards with regard to vulnerability and risk management. I think that we especially need these standards for better integration of security software and vulnerability descriptions.
Alex Rothacker I don’t think that there is only one challenge. My main concern these days is the lack of urgency by companies to understand the severe risk to their critical data and to understand and take the adequate steps to properly secure their systems. For most organizations, security is an afterthought until they fail an audit, or even worse, experience a breach. Perimeter protection has proven to fail as a standalone solution, but defense in depth and securing the data where it lives are unfortunately, not a common approach yet. I would also second Esteban, that as an industry we need stronger standards and better interoperability between products.
Why do databases make such popular targets of attackers? What can be done to protect them?
Alex Rothacker Databases are present in almost every organization. Databases are where the valuable data resides 99% of its lifecycle, so it is natural that attackers will try to infiltrate them. There are a number of things that can be done to protect them. The starting point is to take an inventory of all the databases in the organization, and then to identify where the important data like Personally Identifiable Information (PII) is located. When going to a potential customer, one of our first tasks is to scan the network for databases present in the environment. We never fail to find numerous un-inventoried databases.
Once all the database assets have been discovered, the key task is to protect the databases by prioritizing security patches by severity and applying them immediately. Database monitoring should be in place for vulnerabilities that cannot be immediately fixed immediately to establish a compensating control. In addition, reducing the attack surface by disabling unused features, train application developers and DBAs on security, make sure the application does not contain vulnerabilities that allow attackers to exploit SQL injection attacks and follow well-known secure configuration and vulnerability checklists specific to the database server you are trying to secure.
Ensure proper separation of duties and periodically perform a comprehensive user rights review.
Finally, monitor database traffic for known attacks and make sure to create and regularly review a fine-grained audit trail of all sensitive database transactions.
Is there too much focus on the attacking side of security in breaking into systems? Should more time be spent on building better systems that are harder to get into?
Esteban Martinez Fayo I think that both sides should work more closely together to build better systems. If you get too much focus on the attacking side of security, you will end up with a system that will be missing security features and, on the other hand, if you spend too much time on designing and building a perfectly secure system, you will most likely end up with a system that has vulnerabilities that can be exploited to circumvent the security protections implemented in the system. Even if you put a strong emphasis on designing a secure system, there will always be overlooked aspects that can be exploited to bypass security protections.
So, to answer the question: I don’t think that there is too much focus put on the attacking side and I believe that software makers should spend more time to build better systems by working more closely with the attacker side.