3 Replies - 1312 Views - Last Post: 03 August 2007 - 06:08 PM

#1 PsychoCoder

New database attack revealed

Posted 02 August 2007 - 09:56 PM

TechWorld.Com posted an article outlining a new database attack that has been revealed. Unlike attacks in the past, this one doesn't rely on poorly written code on the front end or poorly administered servers to work.

Quote

"The new attack relies solely on the inherent characteristics of the indexing algorithms used by most commercial database management systems," said Core researchers Ariel Waissbein and Pablo Damian Saura in a note on the presentation.


Just thought developers should know about this :)


Replies To: New database attack revealed

#2 Amadeus

Re: New database attack revealed

Posted 03 August 2007 - 09:36 AM

Hmmm...this proposed attack is almost completely theoretical in nature...I would say virtually impossible to implement in the real world. That is a lot of variables to consider.

At the very least, it could be thwarted by a random delay between inserts (as noted by one commenter) - and this is virtually guaranteed to happen anyway in any situation in which there is other network traffic.

#3 PsychoCoder

Re: New database attack revealed

Posted 03 August 2007 - 02:34 PM

Amadeus, on 3 Aug, 2007 - 09:36 AM, said:

Hmmm...this proposed attack is almost completely theoretical in nature...I would say virtually impossible to implement in the real world. That is a lot of variables to consider.

At the very least, it could be thwarted by a random delay between inserts (as noted by one commenter) - and this is virtually guaranteed to happen anyway in any situation in which there is other network traffic.


Though hard to pull off, they actually did a demonstration of the attack, meaning they pulled it off. But the random delay between inserts does sound like a plausible defense in my opinion.

#4 Amadeus

Re: New database attack revealed

Posted 03 August 2007 - 06:08 PM

They were able to pull off an attack for the demo because they controlled all aspects, including the db software. Easy to eliminate and manage the peripheral 'noise' to get the timing down if you have access to the logs. One would assume that a malicious individual would be attacking from outside, where they would not have access to such information.