Yesterday, January 5, 2010, following last month’s security breach at the application development firm RockYou, a class action lawsuit was brought against the company by one of the service’s subscribers. The application provider is best known for its Slideshow and Superwall apps for MySpace and Facebook.

The lawsuit, filed in federal district court, accuses the company of “failing to use hashing, salting or any other common and reasonable method of data protection and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of web security.”

The lawsuit claims a hacker known as “igigi” exploited an SQL injection flaw and made off with e-mails and passwords of approximately 32 million registered RockYou users. RockYou admitted to both the breach and the security flaw last month.
Being protected from SQL injection is now as serious an issue as it can get.
Being hacked using SQL injection apparently can lead to a class action lawsuit.

GreenSQL provides free, easy to use and reliable SQL injection protection.
About a week ago I wrote the “Database security, Database Firewall? Why should I use GreenSQL?” This class action lawsuit enhances the reasons I gave and then some.

Be secured, be protected, from SQL Injection and, even more importantly, from class action lawsuits.

It turns out that since the official release, less than a month ago, GreenSQL reached number three in the delicious top PostgreSQL links.

It shows that the GreenSQL became among the most popular tools for developers and admins of  PostgreSQL.

GreenSQL Database Security Solution for PostgreSQL

GreenSQL is the only solution (open or closed source) which provides Database Firewall for the PostgreSQL Database.

The answer is not as simple as you may think, and I’m not going to preach to you about the great advantages using GreenSQL in front of your MySQL or PostgreSQL Database.

I’m going to highlight a few obvious current situations which will help you see the full picture of your Database security needs.

What is the core of the company?

When you come right down to it, the Database, eventually, is the core of your company or organization. All the information that the company is built upon is located in the Database. Without it, your company or organization cannot exist and it doesn’t matter if it’s an Enterprise, Large, Medium, or Small or even just an e-commerce business. The Database is the core of your company.

Today the market is leading us to the beauty of SaaS (Software as a Service) solutions to provide most of our needs. With SaaS, all of our information is located on some SaaS’s Database.

Who is using the Database?

The Database is used by many sources that can be divided into two main categories:

Automated connections, which mostly include:
- Backup and replications
- ETL: Extract, transform, load, a common data warehousing process
- Interconnect
- Testing
- Data Load / Data Unload
- Application Integration
- Reporting services
- Etc.

And User Connections, which mostly include:
- Developers
- Administrators
- Application users (Web applications and other applications)
- Monitoring
- Casual users
- IT Personnel
- Etc.

As you can see for yourself, there are many sources connecting to the Databases, automated or user–based, and all them must be verified, inspected and controlled.

SQL Injection

Without a doubt, among the current biggest security threats is SQL Injection. It’s caused a major Buzz for a while now. SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. Using a direct connection to the web application provides the option of running commands over the Database itself. We’ve all heard about the latest SQL injection attacks on websites belonging to Symantec, President Barack Obama, Wall street journal and many others as well.

As time passes, we see the level of SQL injection sophistication increasing and becoming even more threatening, SQL injections are now part of the automated Worms and Trojans arena. The latest large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. After some research we’ve noticed that this specific attack was preformed mostly on Microsoft IIS:

The image above shows that the vulnerable injected frame was found mostly on dynamic asp websites (available on Microsoft IIS).

The Web application frontier

The web application frontier is among the most threatening to our Databases, but it’s not the only one.

The web application may be secured using a closed or open source web application firewall. Unfortunately, as time passes, major companies and organizations that implemented a web application firewall, for some reason, mis-configured it, or missed updating it, or were successfully attacked using SQL Injections simply because the solution was inadequate.

Many people are sure that coding securely is the only solution required, but almost every application uses legacy code, and sometimes just a few faulty lines can lead to a successful SQL Injection attack.

Among the major problems of a web-based SQL Injection attack is the option to continue the attack to additional servers. If someone has successfully attacked your Database using SQL injection, by using CMD_Shell and other commands, he can gain control of your server, and from this specific server, gain control over your entire network.

There are many attack tools which automate this process of gaining control of the Database server, such as the  SQL Ninja and others, which also provide a video demo that show’s how easy it is taking control of your Database server.

Achieving Sarbanes-Oxley compliance requires visibility and control over business applications and databases – including monitoring the actions of privileged database users.

Database Firewall and the GreenSQL approach

The GreenSQL solution is a secured SQL reverse proxy solution, which during the reverse proxy process provides you the option of enforcing database security. GreenSQL helps you prevent SQL-based attacks, whether they are Web application based or not. And it’s easily implemented.

After setting up and implementing the GreenSQL Firewall, none of your connections, automated or not, should connect to the Database directly. You can easily Implement the GreenSQL solution in a DMZ zone on your Firewall, and allow traffic to the Database from the GreenSQL machine only. From then on, you can be sure that no other source will connect to your Database without inspection and control by the GreenSQL solution.

GreenSQL provides you the option of installing the GreenSQL Database firewall on the Database itself, or on a dedicated server (virtual or physical), so you are not limited.As time passes we’ve witnessed that more and more web sites adopts GreenSQL to defend against any SQL based attacks.

For example you can check out http://fak3r.com which also wrote a real nice article about GreenSQL and why he decided to use it.

We have published an article titled 10 reasons why you should use GreenSQL, check it out.

Information security is an on going process, not a specific product or solution.
Now, with GreenSQL your Database can be part of this process.

Please welcome, the new, improved, GreenSQL Rhino:

www.greensql.net already includes the new logo.

As you might have heard, The GreenSQL project has now evolved to a limited company, and we have adopted a tradition from the old country, Thursday morning Brunches at the Office (well, no one we know old’s country tradition, but we are still working on that part )

This Thursday branch was all about making the First official GreenSQL Sheppard’s Pie, and we would like to share with you our exciting experience.

Preparing the dough for the pie..

Filling the dough with the cooked internal parts..

Working hard on the Sheppard’s Pie branding..

Final touches of the Sheppard’s Pie GreenSQL branding..

About an hour later.. The Final and exciting GreenSQL Sheppard’s Pie!

Well… you should have been here today to understand how fast the GreenSQL Sheppard’s Pie has vanished…

Yours truly,
The GreenSQL Sheppard’s Pie Team

GreenSQL has just announced that version 1.2 of its database firewall will provide PostgreSQL databases with the same protection from SQL Injection already enjoyed by MySQL databases. GreenSQL version 1.2 is now available for download as Open Source software from the company’s website at http://www.greensql.net/download

PostgreSQL is a popular Open Source database in wide use by small to medium-sized businesses. Currently, there is no solution, either Open or Closed Source, that provides a database firewall for PostgreSQL databases. As a result, they may be vulnerable to SQL injection attacks, one of the most widespread ways for gaining access to sensitive information stored in a database and/or taking control of a host server.

SQL injection, widely used by criminals, tricks Web applications into providing protected information from a database by exploiting existing queries such as user sign-in verifications to do things they weren’t designed to do. This technique was the method used in the attack on Heartland Payment Systems, where hackers broke into a database of millions of credit card numbers.

The GreenSQL database firewall already prevents SQL Injection attacks on the most popular Open Source database, MySQL. Since its first release 30 months ago, over 25,000 copies of its software have been downloaded, making it the most popular database firewall available, bar none. The addition of native protection from SQL Injection to PostgreSQL databases will broaden GreenSQL’s appeal even more.

More information about the company is available on its website at http://www.greensql.net

GreenSQL version 1.2 is now Available . In this version, GreenSQL providing native support for PostgreSQL databases for the very first time. In fact, GreenSQL will be the only database firewall available for protection of the many PostgreSQL databases currently in use.
With this release, we are proud to be making another major contribution to our Open Source community.
Is Your Copy of GreenSQL Up to Date?
From time to time, GreenSQL releases new versions of its software. This may be for many reasons, including:
* To be in sync with new versions of MySQL
* To add protection from newly discovered SQL Injection techniques
* To fix bugs
* To add new features to the management console
* To provide support for PostgreSQL databases
As users of GreenSQL, you understand the importance of protecting your information from SQL injection. Please take a moment to ensure that you are running the latest version of GreenSQL so that you can continue to have the highest possible level of protection for your databases. Download the latest version of GreenSQL now.
Document Your Compliance
Attacks on large organizations, such as President Obama’s website, are making the news, but do not be misled into thinking that small and medium-sized businesses are not a target. Criminals are now using automated SQL Injection attacks to target unprotected data bases, no matter their size.
There is a large market for stolen personal information. From common data such as addresses and phone numbers, to less accessible data such as lawsuit information and a military record, everything has its price. Do you know what information is being stored in the data bases on your networks?
If you are taking payments on the Web or are storing social security numbers, credit card numbers or other such sensitive information, you may be legally liable for taking steps to secure that information. The PCI Data Security Standard (PCI DSS) for payment account data security, the Health Insurance Portability and Accountability Act (HIPAA) for personal data, the Gramm-Leach-Bliley Act (GLBA) for personal financial information, the Statement on Auditing Standard 70 (SAS 70) from the American Institute of Certified Public Accountants – to name just a few – are standards and regulations that require appropriate measures to be taken to protect information.
If you have the responsibility for protecting sensitive records, we recommend that you document your efforts with GreenSQL Database Firewall.
Download NowGreenSQL DATABASE FIREWALL V 1.2 !
The GreenSQL Team