In recent years credential theft has become a recurring theme among web sites. These thefts all stem from a compromise of the web or application server, or of other, unrelated infrastructure. Once access to the file system of the database server is achieved, or the database can be accessed using the application's credentials, the stored secret credentials the user configured, and potentially shares with other sites, can be retrieved from the database. As soon as the intrusion is detected, responsible web site owners usually notify the users about the breach, ask them to change their credentials for the site, and warn about credential reuse. Having a breach is obviously bad publicity and evidently has negative consequences.
However, at least one of these attack avenues can be sealed off: retrieving the secret data from the database using the credentials of the web application.
Continue reading “Protecting databases against credentials theft”