A team of Microsoft researchers led by Seny Kamara claims to have successfully recovered a substantial amount of data from health records stored in CryptDB, a database technology that uses layers of encryption to let users search encrypted data without exposing its contents.
CryptDB was originally developed at MIT. It functions as an addition to a standard, unmodified SQL database and is intended to allow applications to interact with encrypted data using Structured Query Language. By using layers of encryption, CryptDB can allow certain properties of data to be revealed to applications processing the queries while keeping the data itself protected. In theory, the encryption prevents the database administrator (or anyone who attacks the database by gaining trusted access) from being able to view the contents of the database. Data from different users is encrypted with different keys.
The appeal of this sort of system to anyone in the cloud software business is obvious: CryptDB could allow for greater security of data stored in shared cloud environments. That would allow applications such as electronic medical record systems and other sensitive databases to move to cloud environments without having to rely on expensive, purpose-made database systems.
The Microsoft Research team sought to burst that bubble by going after the weakest link in CryptDB: the Order Preserving Encryption (OPE) and Deterministic Encryption (DET or DTE) schemes. OPE is used to make it possible for SQL queries such as "ORDER BY" to execute. DTE encryption allows databases to be searched for matching values, as described in the original paper by its developers, "by deterministically generating the same ciphertext for the same plaintext. This encryption layer allows the server to perform equality checks, which means it can perform selects with equality predicates, equality joins, GROUP BY, COUNT, DISTINCT, etc." These schemes are the ones most prone to data leakage in CryptDB.
Kamara, Muhammad Naveed of the University of Illinois at Urbana-Champaign, and Charles Wright of Portland State University pulled out one of the oldest tricks in the cryptanalyst's book in their attack: good ol' frequency analysis. Using a data source similar in content to the targeted data, they analyzed the frequency of characters within the text and then matched that against the frequency of values within DTE-encrypted columns. They also used three new attacks of their own devising, building on centuries-old frequency analysis:
Lp-optimization: is a new family of attacks we introduce that decrypts DTE-encrypted columns. The family is parameterized by the lp norms [an analysis of the expected difference between values] and is based on combinatorial optimization techniques.
Sorting attack: is an attack that decrypts OPE-encrypted columns. This folklore attack is very simple but, as we show, very powerful in practice. It is applicable to columns that are "dense" in the sense that every element of the message space appears in the encrypted column. While this may seem like a relatively strong assumption, we show that it holds for many real-world datasets.
To test these attacks, the researchers used real patient data from US hospitals pulled from the National In-patient Sample (NIS) database of the Healthcare Cost and Utilization Project (HCUP), encrypting some of the data using OPE and DTE. Both the frequency analysis and Lp attack were able to recover "mortality risk and patient death" attributes "for 100 percent of the patients for at least 99 percent of the 200 largest hospitals," as well as 100 percent of disease severity data for 51 percent of the 200 hospitals in the data set. Other data easily obtained included the admission month, mortality risk, and admission type for a majority of the same 200 large hospitals, along with nearly all the same data for 200 small hospitals in the sample in OPE-encrypted columns.
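The two leakage channels described above, as an added toy simulation (not CryptDB's code or the paper's): a deterministic column falls to rank matching against an auxiliary distribution, and an order-preserving column falls to sorting only when it is dense. The key, the severity levels and both columns are constructed for the demo.

```python
# Added toy simulation (not CryptDB's or the paper's code): why DET and OPE
# columns leak on small plaintext spaces, and why column density matters.
import hashlib
import hmac
from collections import Counter

KEY = b"constructed-demo-key"  # stands in for the CryptDB column key

def det_encrypt(value):
    # Deterministic encryption modelled as a keyed PRF: equal plaintexts give
    # equal ciphertexts, which is exactly what equality joins and GROUP BY need.
    return hmac.new(KEY, str(value).encode(), hashlib.sha256).hexdigest()[:12]

def ope_encrypt(value):
    # Toy order-preserving map (strictly increasing), so ORDER BY still works.
    return 1000 + 37 * value

def frequency_attack(det_column, auxiliary_column):
    """Pair the i-th most common ciphertext with the i-th most common value
    of an auxiliary dataset believed to share the target's distribution."""
    ct_ranked = [c for c, _ in Counter(det_column).most_common()]
    pt_ranked = [p for p, _ in Counter(auxiliary_column).most_common()]
    return dict(zip(ct_ranked, pt_ranked))

def sorting_attack(ope_column, message_space):
    """Dense column (every possible value present): sorted distinct ciphertexts
    align one-to-one with the sorted message space. Not dense: ambiguous, None."""
    distinct = sorted(set(ope_column))
    if len(distinct) != len(message_space):
        return None
    return dict(zip(distinct, sorted(message_space)))

# Constructed "mortality risk" column (four severity levels) for one hospital,
# plus an auxiliary column with a similar but not identical distribution.
TARGET = ["Minor"] * 12 + ["Moderate"] * 9 + ["Major"] * 6 + ["Extreme"] * 3
AUXILIARY = ["Minor"] * 10 + ["Moderate"] * 8 + ["Major"] * 5 + ["Extreme"] * 2

def det_recovery_rate():
    """Fraction of TARGET rows recovered from the DET column without the key."""
    cipher = [det_encrypt(v) for v in TARGET]
    guess = frequency_attack(cipher, AUXILIARY)
    hits = sum(guess[c] == p for c, p in zip(cipher, TARGET))
    return hits / len(TARGET)

def ope_recovery(values, space):
    """Recovered plaintext column, or None when the OPE column is sparse."""
    cipher = [ope_encrypt(v) for v in values]
    mapping = sorting_attack(cipher, space)
    return None if mapping is None else [mapping[c] for c in cipher]
```

With these constructed columns the DET column is recovered in full, a dense OPE column of admission months (all twelve present) is recovered in full, and a column holding only three of the twelve months gives no unique alignment.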
As a rebuttal, former CryptDB developer Raluca Ada Popa responded to the findings by telling Forbes' Thomas Fox-Brewster that the OPE and DTE encryption schemes were intended for "high entropy" values, where the order of the data would not reveal much, rather than for tightly packed data such as mortality percentages across large sets of patients. "This is how the CryptDB paper says it should be used," she told Fox-Brewster. Users of CryptDB should not be affected by what Kamara's team reported "because they either use the order encryption scheme in a correct way (for the right types of data), or do not use it," Popa said. "Everyone I was in touch with that used CryptDB was careful about the use of OPE."
As MySQL, the open source database now owned by Oracle, is probably the most widely used back-end database for websites, we'll use it as an example. Similar techniques apply to Microsoft's SQL Server, Oracle, DB2, PostgreSQL, etc.
We will be using sqlmap, once again, which is a versatile and powerful tool for hacking databases. It has been used in a number of successful and highly publicized hacks by Anonymous members and other hackers against web-based databases.
In this tutorial, we'll work on how to extract the data after we've found the database and enumerated the database. Since the data in the database server is the hacker's "Golden Fleece," the ability to find and extract it is among the most critical skills for an effective hacker.
If we scroll down the help screen a bit, we will see another section called "Enumeration." These are the options available to enumerate various objects in the target database. In our previous example, we enumerated first the databases (--dbs), then the tables (--tables), and finally the columns (--columns).
Let's take a look at enumerating the database users. If we can get these, we might be able to connect directly to the database (we are using a vulnerability in the web application here) even if and when the database administrator notices and repairs this security vulnerability in the website. We simply type:
In MySQL syntax, this means that the user's name is "scanme" and they can log in from (@) the following host or IP. In this case, the user "scanme" can log in from any host or IP, as the database admin has used the wildcard "%", which means "any or none".
If the database admin had used an IP address here, such as 'scanme@192.168.1.100', the user "scanme" would only be able to log in from that IP address. In this case, scanme can log in from any IP, which makes it much easier to hack the database in the future using scanme's account: we can use scanme's credentials from any IP address and get into the database "legitimately".
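The defender's counterpart to the wildcard-host point above, as an added example that is not part of the tutorial: an audit of account host scopes. The rows are constructed here; in practice they are the output of SELECT user, host FROM mysql.user, and '<app-host>' in the advice is a placeholder for the one host the application really connects from.

```python
# Added example (not from the tutorial): audit MySQL account host scopes.
# In MySQL, '%' and '' as the host match any host, and '%' / '_' inside a
# host value are LIKE-style wildcards, so '10.0.%' is a subnet-wide grant.

def host_scope(host):
    """Classify the host part of a MySQL account name."""
    if host in ("%", ""):
        return "any-host"
    if "%" in host or "_" in host:
        return "wildcard"
    return "single-host"

def audit_accounts(rows):
    """Return findings for accounts that can log in from more than one host.
    Each finding carries the RENAME USER statement that narrows the account;
    '<app-host>' is a placeholder for the real client host."""
    findings = []
    for user, host in rows:
        scope = host_scope(host)
        if scope == "single-host":
            continue
        findings.append({
            "account": f"'{user}'@'{host}'",
            "scope": scope,
            "advice": f"RENAME USER '{user}'@'{host}' TO '{user}'@'<app-host>';",
        })
    return findings

# Constructed sample of mysql.user rows, including the tutorial's 'scanme'@'%'.
SAMPLE_ROWS = [
    ("scanme", "%"),
    ("app", "192.168.1.100"),
    ("report", "10.0.%"),
    ("root", "localhost"),
    ("legacy", ""),
]
```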
If you look back at my past MySQL guide, you will see that I showed you how to back up data from a MySQL database using the sqldump command. This is one of the many ways a database admin can back up their data in MySQL. What we will do here is essentially the same, but we will use the sqlmap tool to produce nearly the same result.
When we run this command, we get results like those below, where the data from the database scanme's table orders has been "dumped" to a comma-separated values (CSV) file and stored at:
As an example, if we're talking about a black-hat hacker, he could insert data to forge a fake purchase, then post a complaint that the website did not deliver his product. The website would check and (forgive my language) BAM, the website admin sees there was indeed a purchase. The hacker gets the product for free, perfectly.
Thanks for the tutorial, I am really gaining a lot here. I successfully hacked a database and got a lot of information, but the CC number I got is encrypted and I don't know the type of encryption. I used hash identifier and still couldn't know what type of encryption it is. Sir, my question is how can I decrypt these numbers:
Hello there! I've hacked around 4-5 website databases, but when I am trying to Update/Insert like this: --sql-shell, then typing UPDATE something FROM dbname.name, on all websites I always get this error:
Same as insert. I've tried to look for a solution on Google for this problem, but no luck. If someone has knowledge, please explain to me a little how I can actually update data in a hacked website database. Thanks.
Database Hacking - Governments, businesses, and consumers are becoming completely dependent on the Internet for their daily activities related to banking, paying bills, online purchases etc. With this increased use of the Internet, we also find a simultaneous growth in the number of hacking attacks from cybercriminals. Cybercriminals use a wide range of techniques and tools to gain access to the sensitive data that is found online. Very often, they attack websites and network resources with the ultimate aim to extract money or steal assets from organizations.
Hence, to protect your business and yourself against cybercriminals, you need to be aware of how website hacking techniques work. This article will first explain how website databases are hacked by discussing some of the key database hacking methods, and then talk about how Comodo cWatch will help protect your website database from hacking attacks.
There are several different ways to hack databases, and most of these techniques rely on SQL injection (SQLi), a method through which SQL commands are sent to the database from a web form or other input. SQL is what websites use to create, retrieve, update, and delete database records.
Attackers are capable of exploiting buffer overflows, SQL injection, etc. in order to take over the database server. The attack can come via a web application by exploiting SQL injection, so no authentication is needed. In this way, databases can be hacked from the Internet and firewalls are completely bypassed. This is considered to be one of the easiest and most preferred methods that criminals employ to steal sensitive data such as social security numbers, customer information, credit card numbers, etc.