- Paperback: 532 pages
- Publisher: Wiley; 1 edition (July 14, 2005)
- Language: English
- ISBN-10: 0764578014
- ISBN-13: 978-0764578014
- Product Dimensions: 7.2 x 1.2 x 9.1 inches
- Shipping Weight: 1.7 pounds
- Average Customer Review: 10 customer reviews
- Amazon Best Sellers Rank: #1,160,508 in Books
The Database Hacker's Handbook: Defending Database Servers 1st Edition
From the Back Cover
Databases are the nerve center of our economy. Every piece of your personal information is stored there: medical records, bank accounts, employment history, pensions, car registrations, even your children's grades and what groceries you buy. Database attacks are potentially crippling, and relentless.
In this essential follow-up to The Shellcoder's Handbook, four of the world's top security experts teach you to break into and defend the seven most popular database servers. You'll learn how to identify vulnerabilities, how attacks are carried out, and how to stop the carnage. The bad guys already know all this. You need to know it too.
- Identify and plug the new holes in Oracle and Microsoft® SQL Server
- Learn the best defenses for IBM's DB2®, PostgreSQL, Sybase ASE, and MySQL® servers
- Discover how buffer overflow exploitation, privilege escalation through SQL, stored procedure or trigger abuse, and SQL injection enable hacker access
- Recognize vulnerabilities peculiar to each database
- Find out what the attackers already know
Go to www.wiley.com/go/dbhackershandbook for code samples, security alerts, and programs available for download.
About the Author
David Litchfield specializes in searching for new threats to database systems and web applications and holds the unofficial world record for finding major security flaws. He has lectured to both British and U.S. government security agencies on database security and is a regular speaker at the Blackhat Security Briefings. He is a co-author of The Shellcoder's Handbook, SQL Server Security, and Special Ops. In his spare time he is the Managing Director of Next Generation Security Software Ltd.
Chris Anley is a co-author of The Shellcoder's Handbook, a best-selling book about security vulnerability research. He has published whitepapers and security advisories on a number of database systems, including SQL Server, Sybase, MySQL, DB2, and Oracle.
John Heasman is a principal security consultant at NGS Software. He is a prolific security researcher and has published many security advisories relating to high-profile products such as Microsoft Windows, Real Player, Apple QuickTime, and PostgreSQL.
Bill Grindlay is a senior security consultant and software engineer at NGS Software. He has worked on both the generalized vulnerability scanner Typhon III and the NGSSQuirreL family of database security scanners. He is a co-author of the database administrator's guide, SQL Server Security.
Next Generation Security Software Ltd is a UK-based company that develops a suite of database server vulnerability assessment tools, the NGSSQuirreL family. Founded in 2001, NGS Software's consulting arm is the largest dedicated security team in Europe. All four authors of this book work for NGS Software.
Top customer reviews
I'm quite concerned that significant new threats have probably arisen in the ten years since the book's publication, and I'd love to hear that a new edition is planned; but the theoretical background and classification of threats is as valid as ever.
One significant lack here -- no discussion of security for mainframe databases (DB2 for z/OS, IMS, CA-IDMS, and presumably others), which hold a significant portion of the world's financial data.
The most interesting chapter is "Attacking Oracle". These guys give the phrase "thinking outside of the box" its real meaning. They look for a feature or bug open to a security attack, then they shake it till it breaks. You will see exploits of AUTHID, PL/SQL injections, app. server, the dbms_sql.parse bug, ... most of them relevant to 9i and 10g versions.
The hacks are mainly in the sections called "Real-World Examples". Most of the exploits are already patched by Oracle and they are also available on hacking forums, but there were some new ones that were quite a revelation.
The security recommendations in the "Securing Oracle" chapter were too general; you can probably find Internet white papers on hardening Oracle that give more details. But this book is not really about hardening Oracle, even if it says "Defending Database Servers" in small, blue letters on the front cover. This book is about attacking database servers.
I have seen David Litchfield's previous work and I am sure he knows (and has tried) more than what is written here. Can we expect to see that in "The Hacker's Handbook" part II?
Instead, this book offers detailed information on the various exploits, and detailed information on how to fix the problems.
If you are a DBA of any of the major databases, you NEED to pick up this book sooner rather than later. Now that this book is "on the streets", it's just a question of time before all hell breaks loose :(
Even if some of the attacks or exploits described in the book were previously obscure or unknown, the fact that they have been outlined in this book means that administrators need to know about them and defend against them before the "bad guys" read this book and take advantage of them.
One of the best aspects of this book is the way it is organized. Splitting the book into sections devoted to specific database systems makes it exceptionally simple and convenient to use. If you only use MySQL, you can skip all of the information regarding Oracle or Microsoft SQL Server, and just focus on the section of the book that applies to you.
Within each section, the authors provide a tremendous wealth of knowledge. Aside from describing weaknesses, potential exploits and protective measures to defend against them, they also look at the general architecture and the methods of authentication used by the database.
Any database admin should have a copy of this on their desk.
Each section of the book covers one of the databases. It usually begins with some history of both the database and attacks on it. For instance the Slammer worm compromised more than 75,000 SQL Server databases within ten minutes of its release in January 2003.
After that there is a discussion on the database, its architecture, how it handles things like authentication and so on.
Finally it goes into how to defend the database against attack. This includes information on how to remove unnecessary features and services that might serve as gateways to attacks, and talks about how to use the database's own internal security systems to their maximum effectiveness.
As I said, you really need the 70 or so pages that refer to your own database.
PS - What's the most secure database? PostgreSQL, and it goes into why.