The security of databases: the Access case

Springer Science and Business Media LLC - Volume 9 - Pages 95-107 - 2013
Baptiste David1, Dorian Larget1, Thibaut Scherrer1
1(C+V)O Laboratoire de virologie et de cryptologie opérationnelles ESIEA, Laval, France

Abstract

Nowadays, more and more companies have to use databases in which they store data that is essential or confidential to the company, such as client lists, product specifications, stock situations, etc. Such data is the heart of a company and has to be protected. Indeed, in the context of economic intelligence, obtaining such information is of great interest to competitors who want to know, for example, how rival companies work. Databases need software to be managed. A variety of software, called database management systems, is able to manage databases: MySQL, Oracle Database, Microsoft Access, etc. This paper focuses on Microsoft Access 2010 64-bit, which is part of the Microsoft Office 2010 suite. Microsoft Access is currently used by small and medium enterprises (SMEs) that have subcontracted the creation of their database to specialized companies. SMEs represent a huge part of the economy and could be an interesting target because of the large range of activities they cover. This technical paper analyses Access security and explains how an attacker could hijack an Access database in order to steal information or to perform malicious actions on the targeted computer. It deals with macro-viruses, still present after many years, and with the possibility of using them to insert major security weaknesses into Access databases.
