New database attack revealed

 
PsychoCoder
2 Aug, 2007 - 08:56 PM
Post #1

TechWorld.Com posted an article outlining a new database attack that has been revealed. Unlike attacks in the past, this one doesn't rely on poorly written code on the front end or poorly administered servers to work.

QUOTE

"The new attack relies solely on the inherent characteristics of the indexing algorithms used by most commercial database management systems," said Core researchers Ariel Waissbein and Pablo Damian Saura in a note on the presentation.


Just thought developers should know about this :)

Amadeus
RE: New Database Attack Revealed
3 Aug, 2007 - 08:36 AM
Post #2

Hmmm...this proposed attack is almost completely theoretical in nature...I would say virtually impossible to implement in the real world. That is a lot of variables to consider.

At the very least, it could be thwarted by a random delay between inserts (as noted by one commenter) - and this is virtually guaranteed to happen anyway in any situation in which there is other network traffic.

PsychoCoder
RE: New Database Attack Revealed
3 Aug, 2007 - 01:34 PM
Post #3

QUOTE(Amadeus @ 3 Aug, 2007 - 09:36 AM) *

Hmmm...this proposed attack is almost completely theoretical in nature...I would say virtually impossible to implement in the real world. That is a lot of variables to consider.

At the very least, it could be thwarted by a random delay between inserts (as noted by one commenter) - and this is virtually guaranteed to happen anyway in any situation in which there is other network traffic.


Though hard to pull off, they actually did a demonstration of the attack, meaning they pulled it off. But the random delay between inserts does sound like a plausible defense in my opinion.


Amadeus
RE: New Database Attack Revealed
3 Aug, 2007 - 05:08 PM
Post #4

They were able to pull off an attack for the demo because they controlled all aspects, including the db software. Easy to eliminate and manage the peripheral 'noise' to get the timing down if you have access to the logs. One would assume that a malicious individual would be attacking from outside, where they would not have access to such information.