Mar 9 2010

Cloud Connect: A Convergence Of Expertise

The Cloud Connect conference March 15-18 will feature leaders of the NoSQL movement speaking on how to handle large data sets in the cloud. The NoSQL movement and other cloud practitioners are likely to be out in force at the Cloud Connect 2010 conference March 15-18 in Santa Clara, Calif., one of the first major gatherings of the year on cloud computing.

One of the workshop instructors on March 15 will be Dwight Merriman, CEO and co-founder of 10gen and the architect of the DoubleClick ad serving system, DART, which now serves billions of ads a day. Merriman will lead a first-day workshop on MongoDB and on why it and other NoSQL systems, such as CouchDB and Hadoop, are preferable to traditional database systems for operations in the cloud.

MongoDB is a cluster- or cloud-based data management system that does not rely on relational database principles. Cloud users try to get away from relational databases for operations on large data sets because SQL queries tend to consume CPU cycles and “thrash the disk” as they pull data off it.

“NoSQL” systems work with data in memory, or upload chunks of data from many disks in parallel. 10gen is a New York-based company that sponsors the MongoDB open source project and provides commercial support for it.

Alistair Croll, an organizer of the event, said Merriman is one of several cloud computing professionals recruited to speak based on their credentials as “doers” in the cloud environment.

Another is Bradford Stephens, founder of Drawn to Scale, a firm which designs systems to deal with Web-sized masses of data. He will speak on “Introduction to Big Data and Storage at Scale” at 8:15-9:15 a.m. on March 18. His co-speaker will be Florian Leibert, software engineer, research, at Twitter.

The topic “Processing Big Data” at 9:30 a.m. March 18 will feature Chris Wensel, CTO and founder of Concurrent, a supplier of tools for creating applications that execute on parallel computing clusters, and Nathan Marz, lead engineer for BackType.com, a Web site that searches blogs and social networking sites for particular topics of discussion.

“Learning from Big Data with Scalable Analytics” will be the topic of a talk at 10:45 a.m. March 18 given by Michael Driscoll, founder of Dataspora, a firm producing software for data analytics and visualization, and Ted Dunning, CTO of Deepdyve, an aggregator of medical knowledge.

The Cloud Connect conference at the Santa Clara Convention Center is organized by TechWeb and is billed as bringing cloud computing stakeholders together in one event.

“These are the people who are the experts in a given domain, the guy who wrote the thing or the guy who invented it,” said Croll. There will be many cloud computing vendors both on the show floor and in the ranks of speakers, but Croll said the conference was seeking to make their presentations “non-partisan” and focused on their subject expertise.

Source


Feb 24 2010

Open Source NoSQL Databases

For almost a year now, the idea of “NoSQL” has been spreading due to the demand for relational database alternatives. Maybe the biggest motivation behind NoSQL is scalability. Relational databases don’t lend themselves well to the kind of horizontal scalability that’s required for large-scale social networking or cloud applications, and ORMs can abstract away the impedance mismatch only so much. In other cases, companies just don’t need as many of the complex features and rigid schemas provided by relational databases. Most people are not suggesting that we all ditch the RDBMS; in fact, many companies don’t really need to switch. Relational databases will probably be necessary for many applications years and years from now. In essence, NoSQL is a movement that aims to reexamine the way we structure data and draw attention to innovation in hopes of finding the solution to the next generation’s data persistence problems.

Check the source for details on various types of NoSQL.

Source


Feb 3 2010

Old security flaws still a major cause of breaches, says report

An over-emphasis on tackling new and emerging security threats may be causing companies to overlook older but far more frequently exploited vulnerabilities, says a recent report.

The report, from TrustWave Inc., is based on an analysis of data gathered from over 1900 penetration tests and over 200 data breach investigations conducted on behalf of clients such as American Express, MasterCard, Discover, Visa and several large retailers.

The analysis showed that major global companies are employing “vulnerability chasers” and searching out the latest vulnerabilities and zero-day threats while overlooking the most common ones, the report said.

As a result, companies continue to be felled by old and supposedly well-understood vulnerabilities rather than by newfangled attack tools and methods.

For instance, the top three ways hackers gained initial access to corporate networks in 2009 were via remote access applications, trusted internal network connections and SQL injection attacks, TrustWave found.

All three attack vectors have been well researched and known for several years. SQL injection vulnerabilities, for instance, have been known for at least 10 years but continue to be widely prevalent in Web-based, database-driven applications, TrustWave said.
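The defect behind the SQL injection finding above is usually the same one: user input spliced into the SQL text. The following added example (not from the report or the article) shows the vulnerable pattern next to its parameterized replacement, run against a constructed in-memory SQLite table so the difference is visible on a tautology-style input.

```python
import sqlite3

def make_db():
    """Constructed sample table: two users in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn

def find_user_vulnerable(conn, username):
    """Vulnerable pattern: the input becomes part of the SQL statement itself,
    so quotes and operators in it change the query's logic."""
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()

def find_user_safe(conn, username):
    """Hardened pattern: the input travels as a bound parameter and is only ever
    compared as a value, never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo():
    """Run both lookups on a normal name and on a constructed injection-style
    input; return the row counts so the difference can be checked."""
    conn = make_db()
    normal = "alice"
    hostile = "x' OR '1'='1"   # constructed input: valid as a username, hostile as SQL text
    return {
        "vulnerable_normal": len(find_user_vulnerable(conn, normal)),
        "vulnerable_hostile": len(find_user_vulnerable(conn, hostile)),  # every row leaks
        "safe_normal": len(find_user_safe(conn, normal)),
        "safe_hostile": len(find_user_safe(conn, hostile)),              # no such user
    }

if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

The same parameter-binding discipline applies to every driver and ORM; escaping input by hand is what keeps this ten-year-old bug class alive.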

The most common vulnerability that TrustWave discovered during its external network penetration tests had to do with the management interfaces for Web application engines such as WebSphere and ColdFusion. In many cases, the management interfaces were accessible directly from the Internet and had little or no password protection, potentially allowing attackers to deploy their own malicious applications on the Web server.

Similarly, unprotected network infrastructure components such as routers, switches and VPN concentrators represented the second most common vulnerability unearthed by TrustWave. The tendency of many companies to host internal applications on the same server that also hosts external content was another common vulnerability, as were misconfigured firewall rules, default or easy-to-guess passwords and DNS cache poisoning.

Meanwhile TrustWave’s wireless penetration tests unearthed common weaknesses such as the continued use of WEP encryption, legacy 802.11 networks with minimal to no security controls and wireless clients using public “guest” networks instead of secured private networks.

In almost all of the cases, the most common vulnerabilities unearthed by TrustWave were well-understood issues that should have been addressed a long time ago, said Nicholas Percoco, senior vice president at TrustWave’s SpiderLabs research unit.

“There are basically two themes,” Percoco said. “Through our study in 2009 we found some very old vulnerabilities present within enterprises, some as old as 20 to 30 years.” The second theme is that attackers are targeting these old flaws to break into enterprises, then using increasingly sophisticated tools to harvest data from companies, he said.

In addition to older keystroke logging and packet sniffing tools, malicious attackers are increasingly employing tools such as memory parsers and credentialed malware to steal data, Percoco said. Memory parsers are used to monitor the random access memory associated with a certain process and to extract specific data from it. Credentialed malware programs are a new class of multi-user programs that have typically been used to steal money and payment card numbers from ATMs.

There are several measures companies can take to mitigate the risks posed by older and often overlooked vulnerabilities, TrustWave said. One step is to maintain a complete asset inventory. Many companies are unaware of all the IT assets they own or of the risks those assets pose to data, so maintaining an up-to-date list of assets is vital to protecting them, TrustWave said.

Decommissioning older legacy systems as much as possible can also help mitigate the risk. Also, in 80% of the cases that TrustWave looked at, third parties were responsible for introducing vulnerabilities, so monitoring third-party relationships is key, according to the company. Other recommended measures included internal network segmentation, data encryption and stronger Wi-Fi security policies.

Source


Feb 3 2010

Oracle Hacker Gets The Last Word

In 2001, Larry Ellison brashly proclaimed in a keynote speech at the computing conference Comdex that his database software was “unbreakable.” David Litchfield has devoted the last nine years to making the Oracle chief executive regret that marketing stunt.

At the Black Hat security conference Tuesday afternoon, Litchfield unveiled a new bug in Oracle’s 11g database software, a critical, unpatched vulnerability that would allow a hacker to take control of an Oracle database and access or modify information at any security level. “Anything that God can do on that database, you can do,” Litchfield told Forbes in an interview following his talk.

The attack that Litchfield laid out for Black Hat’s audience of hackers and cybersecurity researchers exploits a combination of flaws in Oracle’s software. Two sections of code within the company’s database application (one that allows data to be moved between servers and another that allows management of Oracle’s implementation of Java) are left open to any user, rather than only to privileged administrators. Those vulnerable subroutines each have their own simple flaws that allow the user to gain complete access to the database’s contents.

Litchfield says he warned Oracle about the flaws in November, but they haven’t been patched. Oracle didn’t immediately respond to a request for comment.

The bug is far from the first that 34-year-old Litchfield has outed on Oracle’s behalf. As a cybersecurity researcher and penetration tester, Litchfield has exposed more than a thousand database software security flaws, mostly in Oracle’s code.

Source


Jan 11 2010

Firm to Release Database & Web Server 0days

January promises to be a busy month for Web server and database administrators alike: A security research firm in Russia says it plans to release information about a slew of previously undocumented vulnerabilities in several widely-used commercial software products.

Evgeny Legerov, founder of Moscow-based Intevydis, said he intends to publish the information between Jan 11 and Feb 1. The final list of vulnerabilities to be released is still in flux, Legerov said, but it is likely to include vulnerabilities (and in some cases working exploits) in:

- Web servers such as Zeus Web Server and Sun Web Server (pre-authentication buffer overflows);
- Databases, including MySQL (buffer overflows), IBM DB2 (local root vulnerability), Lotus Domino and Informix;
- Directory servers, such as Novell eDirectory, Sun Directory and Tivoli Directory.

In an interview with krebsonsecurity.com, Legerov said his position on vulnerability disclosure has evolved over the years.

“After working with the vendors long enough, we’ve come to conclusion that, to put it simply, it is a waste of time. Now, we do not contact with vendors and do not support so-called ‘responsible disclosure’ policy,” Legerov said. For example, he said, “there will be published two years old Realplayer vulnerability soon, which we handled in a responsible way [and] contacted with a vendor.”

At issue is the pesky ethical and practical question of whether airing a software vendor’s dirty laundry (the unpatched security flaws that they know about but haven’t fixed yet) forces the affected vendor to fix the problem faster than it would have had the problem remained a relative secret. There are plenty of examples that show this so-called “full disclosure” approach does in fact prompt vendors to issue patches faster than when privately notified by the researcher and permitted to research and fix the problem on their own schedule. But in this case, Legerov said he has had no contact with the vendors, save for Zeus.com, which he said is likely to ship an update to fix the bug on the day he details the flaw.

Intevydis is among several vulnerability research firms that sell “exploit packs” — snippets of code that exploit vulnerabilities in widely-used software (others include Gleg, Enable Security, and D2). The company’s exploit packs are designed for users of CANVAS, a commercial software penetration testing tool sold by Miami Beach, Fla.-based Immunity, Inc.

While companies that purchase CANVAS along with exploit packs from these companies may have better protection from newly-discovered security vulnerabilities while waiting for affected vendors to fix the flaws, Immunity does not report the vulnerabilities to the affected vendors (unless the vendors also are customers, in which case they would have access to the information at the same time as all other customers).

Source


Dec 10 2009

NoSQL and the future of cloud databases

One of the cloud-related trends that developers have been paying attention to lately is the idea of “NoSQL,” a set of operational-data technologies based on nonrelational technology.

These technologies do not replace the relational database but rather add a new tool to the developer toolbox. Business intelligence database technologies such as Aster Data, Greenplum, Netezza, and Vertica do not completely replace the traditional relational database but rather use nonrelational databases to augment the software.

RedMonk analyst Stephen O’Grady wrote recently that NoSQL “adoption was inevitable because, just as in every other walk of life, there are different tools for different jobs in the technology world.” NoSQL may not be exactly the right moniker, but the companies and developers behind these tools have legitimate substantiating points as to why the approach is right.

According to Dwight Merriman, CEO of 10gen (the commercial team behind the open-source MongoDB project), we’ll see NoSQL complement existing applications for the foreseeable future.

The broad range of NoSQL tools, which includes projects like Cassandra, CouchDB, Hadoop, Memcached, and MongoDB, brings to bear a number of technical advantages, even if no one tool does everything.

Source


Dec 7 2009

Hacker scalps NASA-run websites

Miscreants took advantage of weak security to hack into two NASA-run websites over the weekend. The websites of NASA’s Instrument Systems and Technology unit and Software Engineering division were broken into and screenshots illustrating the hack posted online. Hackers appear to have taken advantage of SQL Injection flaws and poor access controls in mounting the attack, reports Gunter Ollmann, an ex-IBM security expert who is now VP of Research at security firm Damballa.

Source


Dec 3 2009

Free database firewall protects PostgreSQL and MySQL

Version 1.2 of GreenSQL is now able to protect PostgreSQL as well as MySQL. GreenSQL is designed to protect databases against SQL injection attacks and other unauthorised changes, in a similar fashion to a firewall protecting a network against outside TCP/IP attacks. The new version also provides a graphical user interface for monitoring the database firewall.

GreenSQL runs as a proxy between applications and database servers. It actively analyses the incoming SQL commands and then acts on the results according to the selected mode. Simulation mode blocks nothing but records the analysis in GreenSQL’s own database and notifies the administrator of suspicious queries. Blocking mode, on the other hand, uses that database and its heuristic engine to find and block suspicious queries.
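To make the two operating modes concrete, here is an added example (not GreenSQL’s code, and its rule set is a constructed assumption rather than GreenSQL’s real heuristics) of a minimal query-firewall core: a scorer that flags common injection markers in SQL text, and a handler that records and notifies in simulation mode but only refuses queries in blocking mode. The sample queries are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed heuristic rule set (an assumption for illustration; not GreenSQL's).
# Each entry: (regex, weight, label). Weights sum into a per-query risk score.
RULES = [
    (r"--|/\*", 2, "SQL comment sequence"),
    (r";\s*(drop|delete|update|insert|alter)\b", 3, "stacked write statement"),
    (r"\bunion\b\s+(all\s+)?select\b", 3, "UNION SELECT"),
    (r"\b(or|and)\b\s+('?)(\w+)\2\s*=\s*\2\3\2", 3, "tautology (x = x)"),
    (r"\b(sleep|benchmark|pg_sleep)\s*\(", 3, "time-delay function"),
    (r"\b(information_schema|pg_catalog)\b", 2, "system catalog access"),
]

@dataclass
class Verdict:
    sql: str
    score: int
    reasons: list
    action: str   # "allow" or "block"

class QueryFirewall:
    """Stand-in for a proxy sitting between the application and the database."""

    def __init__(self, mode="simulation", threshold=3):
        if mode not in ("simulation", "blocking"):
            raise ValueError("mode must be 'simulation' or 'blocking'")
        self.mode = mode
        self.threshold = threshold
        self.records = []        # stand-in for the firewall's own database of analyses
        self.notifications = []  # stand-in for administrator notifications

    def analyze(self, sql):
        """Score a query against every rule; return (score, matched rule labels)."""
        score, reasons = 0, []
        for pattern, weight, label in RULES:
            if re.search(pattern, sql, re.IGNORECASE):
                score += weight
                reasons.append(label)
        return score, reasons

    def handle(self, sql):
        """Apply the selected mode: both modes record and notify on suspicious
        queries; only blocking mode withholds them from the database."""
        score, reasons = self.analyze(sql)
        suspicious = score >= self.threshold
        action = "block" if (self.mode == "blocking" and suspicious) else "allow"
        verdict = Verdict(sql, score, reasons, action)
        if suspicious:
            self.records.append(verdict)
            self.notifications.append(
                f"[{self.mode}] suspicious query (score {score}, {', '.join(reasons)}): {sql}")
        return verdict

# Constructed sample traffic: one benign query and three carrying injection markers.
SAMPLE_QUERIES = [
    "SELECT name FROM users WHERE id = 42",
    "SELECT name FROM users WHERE name = '' OR '1'='1' --",
    "SELECT id FROM items WHERE id = 1 UNION SELECT password FROM users",
    "SELECT 1; DROP TABLE users",
]

def run(mode):
    """Push the sample traffic through a firewall in the given mode and return
    the per-query actions and how many analyses were recorded."""
    fw = QueryFirewall(mode=mode)
    actions = [fw.handle(q).action for q in SAMPLE_QUERIES]
    return actions, len(fw.records)

if __name__ == "__main__":
    for mode in ("simulation", "blocking"):
        actions, recorded = run(mode)
        print(mode, actions, "recorded:", recorded)
```

Running in simulation mode first is the sensible deployment order: the recorded analyses reveal which legitimate application queries trip the heuristics (a literal `--` inside a string, for instance) so the rules can be tuned before switching to blocking mode, where a false positive means a broken application rather than a log entry.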

Source


Nov 25 2009

Total security in a PostgreSQL database

There are lots of stories in the press about crackers accessing corporate databases. Gone are the days when prepubescent teens were the authors of most cracks. Today, data harvesting is big business and is accomplished by dedicated experts who work within a corporate infrastructure. It’s not a question of how you can prevent the unauthorized access attempt — you can’t — but rather how you can reduce its effect when it does happen.

This article explores the challenges of protecting your PostgreSQL (also known as Postgres) database server. PostgreSQL is a powerful open source object-relational database system. It has a proven architecture with a reputation for reliability, data integrity, and correctness. It runs on all major operating systems, including Linux®, UNIX®, and Windows®. It is fully ACID-compliant, and has full support for foreign keys, joins, views, triggers, and stored procedures (in multiple languages).

Source


Nov 2 2009

Thwarting SQL Injection Threats

Every time you turn around these days, it seems there’s news of yet another wide-scale attack perpetrated through SQL injection. Forensics have proven that the biggest breaches of the last several years—Heartland Payment Systems, Hannaford Brothers, and even TJX—were all made possible through blended attacks. And yet many IT experts within the enterprise aren’t even aware of how pervasive these attacks truly are, nor what to do about them, according to “SQL Injection: A Major Threat to Data Security,” a new report published today by Dark Reading.

Source