MySQL export CSV into OUTFILE triggers “access denied” error

I came across a weird problem today.  Luckily, the web is full of solutions, but I’m going to post this anyway, just to have it nearby for the next time.  I needed to export the results of some query into a CSV file directly from MySQL.  I prepared my query, made sure that I could see the correct results and then changed it to export into the file. The query looked something like this:

SELECT id, field1, field2, field3
INTO OUTFILE '/tmp/data.csv'
FIELDS TERMINATED BY ','
OPTIONALLY ENCLOSED BY '"'
ESCAPED BY '\\'
LINES TERMINATED BY '\n'
FROM data_table
WHERE field1 = 0;

I was quite surprised to find myself staring at:

ERROR 1045 (28000): Access denied for user 'db_user'@'localhost' (using password: YES)

My database user definitely had full access to the database.  I definitely could see the results of the query before the redirect to the file.  And I definitely had enough permissions to create files in the /tmp directory.  And on top of that, I’m sure I had used the MySQL export functionality a gadzillion times and it always worked without any problems.   What’s wrong this time?

A quick search around got me to this Stack Overflow question.  Apparently, the database user has to be given the FILE privilege, which is global (not per-database).   Here is what I did to solve the problem (you’ll need to use the MySQL root user, of course):

USE mysql;
UPDATE user SET File_priv = 'Y' WHERE User = 'db_user';
FLUSH PRIVILEGES;

I think the reason it worked for me before is that I exported as root, who does have this privilege set to ‘Y’.
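The same fix expressed with GRANT instead of editing mysql.user directly, plus the checks around it, as an added example that is not part of the original post; it assumes the account is 'db_user'@'localhost', as in the error message above:

```sql
-- Added example (not from the original post): grant, verify, export, revoke.
-- Assumes the account is 'db_user'@'localhost' as in the error message above.

-- FILE is a global privilege, so it can only be granted ON *.*.  It lets the
-- account read and write any file the mysqld process itself can reach, which
-- is why it belongs on a dedicated export account rather than the app user.
GRANT FILE ON *.* TO 'db_user'@'localhost';
-- FLUSH PRIVILEGES is only needed when mysql.user is edited by hand (as in
-- the post); GRANT updates the in-memory grant tables on its own.

-- Confirm the privilege landed on the right user@host pair, not just any
-- 'db_user' row: expect a line containing "GRANT FILE ON *.*".
SHOW GRANTS FOR 'db_user'@'localhost';

-- A different failure mode: if the export now stops with error 1290
-- ("running with the --secure-file-priv option"), OUTFILE is confined to
-- this directory (empty = unrestricted, NULL = disabled entirely).
SHOW VARIABLES LIKE 'secure_file_priv';

-- Re-run the export from the post.  The file is written by the mysqld
-- process on the server host, so it is the server's filesystem permissions
-- that matter, not the client user's.
SELECT id, field1, field2, field3
INTO OUTFILE '/tmp/data.csv'
FIELDS TERMINATED BY ',' OPTIONALLY ENCLOSED BY '"' ESCAPED BY '\\'
LINES TERMINATED BY '\n'
FROM data_table
WHERE field1 = 0;

-- Take the global privilege away again once the one-off export is done.
REVOKE FILE ON *.* FROM 'db_user'@'localhost';
```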

LastPass XSS vulnerability found. Is it a big deal?

Via DownloadSquad I found out that a cross-site scripting (XSS) vulnerability was found in LastPass – an online password management service.  The problem was reported to LastPass and they seem to have fixed it before the information went public.  What remains now is the question of how bad this incident is.

First off: don’t worry. Cardwell reported the vulnerability to LastPass before writing it up, and it has since been fixed. We’re not sure if the fix has propagated out to the Chrome and Firefox add-ons — but we have to assume that Cardwell wouldn’t have written his blog post if the vulnerability still existed.

With that said, you should still be more than a little concerned about the fundamental architecture of LastPass as an in-the-cloud password manager. While this cross-site scripting attack was fixed quickly, Cardwell thinks a similar attack “could easily happen again in future.”

[…]

It’s very hard for us to recommend LastPass as a password manager when further vulnerabilities will almost certainly be found. For the time being, you should check out KeePass, an offline password manager that, for now, is a lot more secure than LastPass.

Being a user of LastPass myself and knowing quite a few other people who use the service (some of them even on my recommendation), I have to say that I am not pleased.  I trust absolutely all of my passwords to LastPass and I rely on it being secure.  Having said that, I have to point out that the world is still there.  And most likely, it will still be there even if all those passwords get stolen and distributed all over the Internet.  For sure, some people will lose some data.  Some will probably lose some money.  But I don’t think it can get any worse than that.  Nobody will die.

More so, convenience and productivity beat security.  Yes, there are a few security-conscious individuals out there who would never trust their passwords to their own mother, let alone a web-based service that they have no control over.  But most people aren’t like that.  Most people, yours truly included, just don’t care enough.  The modern world is filled with usernames and passwords and for the most part people don’t care whether someone else knows them or not.  We only use credentials because we are forced to.  Remembering all those logins and passwords is a tough job.  Having it done by LastPass is awesome!  You don’t have to remember passwords anymore.  You don’t have to worry about losing them together with your laptop.  You don’t have to worry about carrying the laptop with you at all times.  Just save them to LastPass and you’ll be able to access them from anywhere – home, office, mobile, etc.  This is so convenient that it’s almost irrelevant how many vulnerabilities will be found and exploited – LastPass still solves the hard problem for a lot of people.   The only thing they have to worry about is competition that can and probably will exploit such incidents.

On growing challenges in IT security

I came across an interesting article which illustrates the growing challenges in IT security.

“The IT guys have been told to do one job, so they [lock things down and] rule out the use of Google docs. And the workers are told to do another job, to get their work done, so they start using Google docs, and the power balance is moving away from the IT guys,” says Josh Klein, co-author of Hacking Work, a guide on how to “break stupid rules for smart results”.

According to a survey by networking firm Cisco, 41% of workers break corporate IT policies, saying that “they need restricted programs and applications to get the job done – they’re simply trying to be more productive and efficient”.

Judging by my personal experience, I’d say most companies will go for productivity and efficiency.  Employee efficiency helps the company move and adopt faster.  Not only does it usually mean more money, but from the security point of view it makes the company a faster-moving target.

Also, with this approach, a lot of security issues will be moved from the company level to the employee level, similar to how training evolved.  Companies still train employees, but a lot of skills are just expected from the employee and it’s up to him or her how and when to acquire those skills.  For example, nobody really trains employees to process email, search the web, or operate a telephone. A quick display of the interface and a “you’ll figure it out, and let me know if you don’t” is usually enough.

Similarly, I think, many of the security issues will be passed on to the employee.  The company will just expect him to run antivirus software, spam filters, basic firewalls, secure passwords, and such.  With that, IT departments will have more resources to focus on protecting centralized resources – web servers, databases, etc.

On airport security Israelification

I came across an excellent article which compares the ways airport security is handled in Israel as opposed to the USA and Canada.  Instead of being yet another whine and complaint about how bad things are here and how good they are over there, it does in fact illustrate the difference in approaches, as well as some of the things that people who are responsible for protecting the public have to think about.  Here is a quote to get you started:

“I once put this question to Jacques Duchesneau (the former head of the Canadian Air Transport Security Authority): say there is a bag with play-doh in it and two pens stuck in the play-doh. That is ‘Bombs 101’ to a screener. I asked Ducheneau, ‘What would you do?’ And he said, ‘Evacuate the terminal.’ And I said, ‘Oh. My. God.’

“Take Pearson. Do you know how many people are in the terminal at all times? Many thousands. Let’s say I’m (doing an evacuation) without panic — which will never happen. But let’s say this is the case. How long will it take? Nobody thought about it. I said, ‘Two days.'”

Another part that I sympathized a lot with was this:

“Do you know why Israelis are so calm? We have brutal terror attacks on our civilians and still, life in Israel is pretty good. The reason is that people trust their defence forces, their police, their response teams and the security agencies. They know they’re doing a good job. You can’t say the same thing about Americans and Canadians. They don’t trust anybody,” Sela said. “But they say, ‘So far, so good’. Then if something happens, all hell breaks loose and you’ve spent eight hours in an airport. Which is ridiculous. Not justifiable

So true! I’ve been thinking exactly the same thing a few times while watching fear-infested news coverage on mostly American TV (Europeans and Russians have it too, but to a lesser degree).  Nobody can guarantee 100% protection.  A continuous effort should be made to ensure the best possible protection.  Once everyone knows and trusts that everything that could have been done was done, they will calm down and relax.  And even if something bad happens, people won’t overreact, as they will know better.

VaultPress – yet another goodie from Automattic

Automattic – the awesome company behind WordPress, Gravatar, IntenseDebate, Akismet, and a few others – announced that they are starting up a new service – VaultPress.  While the details of the service are not completely clear yet, it looks like a real-time backup solution plus some security monitoring and automated updates.  This service is primarily targeted towards stand-alone WordPress blogs, not the ones hosted at WordPress.com.  Maybe WordPress.com support will come later, but for now those guys are settled pretty well anyway.

If you want to try VaultPress, it is in the invite-only stage now.  You can request an invite.  And while you are there, please do enjoy the beautiful form, which doesn’t follow the conventional “captions, fields, and the submit button” concept.  That’s what happens when you have a good web designer around and enough sense to let him work.