Solved

secure mysql data from vb.net app

Posted on 2014-10-07
Last Modified: 2014-10-08
Hi all, here is my question:

I have a little app to connect to a remote MySQL database which will be used by some clients, but the data server address, database name, user and pass are inside my app. I want to know if someone would be able to disassemble my app and get that information to connect or get all the database (and edit it); how safe is this? And is there a way to block the command to list all the tables inside the database, so that even when somebody gets the server address and user, he would not be able to list the users? Any ideas?
Question by:carloselfaite
Accepted Solution

by:
Olaf Doschke earned 500 total points
ID: 40367684
You described the core of the problem. Any .NET code is easier to decompile than C/C++ code. But in that case to get at a connection string you wouldn't even need to decompile an EXE or DLL, just looking at it with a hex editor will reveal internal string literals, also connection strings.

So you will want to encrypt the connection string. When you have the connection string encrypted with a key, you'd store the key inside a keystore, protected with a passphrase, the passphrase stored... you see where this is going? At the end of this chain, there's some relatively small piece of information that if you obtain it - you can pretty much break the whole chain.

In the end you can only be safe by keeping some secret outside of the executable, e.g. let users enter a password/key/passphrase, which decrypts the connection string.

That way you somewhat need to trust users not to reveal this password, but you also don't give them the info needed to go into the database directly.

Besides that solution trusting users, the end of the key chain may be a hardware security module (HSM) or a dongle. Even that way you trust at least one admin adding the dongle to some server.

All other things depend on security by obfuscation.

An MS SQL Server database offers connections via Windows account authentication. That moves the problem to the security of each user's Windows account, and you can grant or withdraw permission to Windows accounts or Windows user groups. So you could have a minimal local MSSQL database containing the MySQL connection string or a key for its decryption and get it from there with a connection string you can leave in your executable unencrypted. The chain of credentials then ends at each user's Windows account password.

Bye, Olaf.
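
The passphrase approach from the answer above, as an added VB.NET example (not code from the answer or the asker's app): the connection string is stored only as an AES-GCM blob whose key is derived with PBKDF2 from a passphrase the user types, so a hex editor or decompiler finds no usable secret. It assumes .NET 8 or later; `ConnStringVault`, `Protect`, `Unprotect`, the iteration count and the sample values are hypothetical.

```vb
Imports System
Imports System.Linq
Imports System.Security.Cryptography
Imports System.Text

Module ConnStringVault
    Private Const Iterations As Integer = 600000 ' PBKDF2-SHA256 work factor (assumed value)

    ' Derive a 256-bit key from the typed passphrase; the key itself is never stored.
    Private Function DeriveKey(passphrase As String, salt As Byte()) As Byte()
        Return Rfc2898DeriveBytes.Pbkdf2(passphrase, salt, Iterations, HashAlgorithmName.SHA256, 32)
    End Function

    ' Run once by the administrator. Output: Base64 of salt(16) | nonce(12) | tag(16) | ciphertext.
    Function Protect(connString As String, passphrase As String) As String
        Dim salt = RandomNumberGenerator.GetBytes(16)
        Dim nonce = RandomNumberGenerator.GetBytes(12)
        Dim plain = Encoding.UTF8.GetBytes(connString)
        Dim cipher(plain.Length - 1) As Byte
        Dim tag(15) As Byte
        Using gcm As New AesGcm(DeriveKey(passphrase, salt), 16)
            gcm.Encrypt(nonce, plain, cipher, tag)
        End Using
        Return Convert.ToBase64String(salt.Concat(nonce).Concat(tag).Concat(cipher).ToArray())
    End Function

    ' Run at start-up. Throws CryptographicException on a wrong passphrase or a modified blob.
    Function Unprotect(blobBase64 As String, passphrase As String) As String
        Dim blob = Convert.FromBase64String(blobBase64)
        If blob.Length < 44 Then Throw New CryptographicException("Blob too short")
        Dim salt = blob.Take(16).ToArray()
        Dim nonce = blob.Skip(16).Take(12).ToArray()
        Dim tag = blob.Skip(28).Take(16).ToArray()
        Dim cipher = blob.Skip(44).ToArray()
        Dim plain(cipher.Length - 1) As Byte
        Using gcm As New AesGcm(DeriveKey(passphrase, salt), 16)
            gcm.Decrypt(nonce, cipher, tag, plain)
        End Using
        Return Encoding.UTF8.GetString(plain)
    End Function

    Sub Main()
        ' Constructed sample values; a real passphrase is typed by the user, never compiled in.
        Dim blob = Protect("Server=db.example.test;Database=shop;Uid=app;Pwd=placeholder;", "sample passphrase")
        Console.WriteLine(Unprotect(blob, "sample passphrase"))
        Try
            Unprotect(blob, "wrong guess")
        Catch ex As CryptographicException
            Console.WriteLine("Wrong passphrase rejected")
        End Try
    End Sub
End Module
```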
Author Comment

by:carloselfaite
ID: 40369240
Thanks, I have done encrypting the connection string with 3DES!