Securing SQL Server

Protecting Your Database from Attackers


Health Data Breaches – Insider Data Trading?

Author: mrdenny

This was reposted from http://blog.infoadvisors.com/index.php/2013/01/09/health-data-breaches-insider-data-trading/ written by Karen Lopez. They get all the credit for this, not me.

It seems like the majority of health data breaches I read about are via insiders with access to patient information systems stealing and selling their data.

Federal authorities say Sergei Kusyakov, who was involved with Metro Chiropractic and Wellness Center and City Lights Medical Center, illegally obtained private information about patients through Dale Munroe II and his wife, Katrina Munroe, who worked at Florida Hospital’s Celebration campus.

Authorities said Dale Munroe accessed more than 763,000 records for patients treated at various Florida

…

Additional reading can be found at the original author’s post.

Tags: Auto Blogged, Karen Lopez
January 15th, 2013  |  Posted in Karen Lopez  |  No Comments »

NTLM 100% Broken Using Hashes Derived From Captures

Author: mrdenny

This was reposted from http://rss.slashdot.org/~r/Slashdot/slashdot/~3/-x3fWaDw3LA/story01.htm written by Soulskill. They get all the credit for this, not me.

New submitter uCallHimDrJ0NES writes “Security researcher Mark Gamache has used Moxie Marlinspike’s Cloudcracker to derive hashes from captured NTLM handshakes, resulting in successful pass-the-hash attacks. It’s been going on for a long time, probably, but this is the first time a ‘white hat’ has researched and exposed the how-to details for us all to enjoy. ‘You might think that with all the papers and presentations, no one would be using NTLM…or, God forbid, LM. NTLMv2 has been around for quite some time. Surely, everyone is using it. Right? Wrong! According to the last data from the W3 Schools, 21% of computers are running XP, while NetMarketShare claims it is 39%. Unless someone has hardened these machines (no MS patches do this), these machines are sending LM and NTLM responses!’ Microsoft has posted a little guidance for those who need to turn off NTLM. Have fun explaining your new security project to your management, server admins!”

…

Additional reading can be found at the original author’s post.

Tags: Auto Blogged, Soulskill
January 10th, 2013  |  Posted in Soulskill  |  No Comments »

Ruby On Rails SQL Injection Flaw Has Serious Real-Life Consequences

Author: mrdenny

This was reposted from http://rss.slashdot.org/~r/Slashdot/slashdot/~3/4jJjYcqA-4M/story01.htm written by Unknown Lamer. They get all the credit for this, not me.

vikingpower writes “As a previous Slashdot story already reported, Ruby on Rails was recently reported to suffer from a major SQL injection flaw. This has prompted the Dutch government to take the one and only national site for citizens’ digital identification offline (link in Dutch, Google translation to English). Here is the English-language placeholder page for the now-offline site. This means that 16 million Dutch citizens cannot authenticate themselves anymore with government instances, and that those same government instances cannot communicate anything to those same citizens anymore.” Fixes were released, so it looks like it’s on their sysadmin team now.

…

Additional reading can be found at the original author’s post.

Tags: Auto Blogged, Unknown Lamer
January 10th, 2013  |  Posted in Unknown Lamer  |  No Comments »

An Audible Data Privacy Breach

Author: mrdenny

This was reposted from http://blog.infoadvisors.com/index.php/2013/01/02/an-audible-data-privacy-breach/ written by Karen Lopez. They get all the credit for this, not me.

RI labor dept. warns of possible privacy breach.

I think about data encryption, physical access controls to servers and such on a regular basis. But there are all kinds of formats via which data gets stored or communicated.  The Rhode Island Department of Labor recently had a data breach involving their call center.  Customers were able to hear conversations on other calls.  The department estimates fewer than 700 pe

…

Additional reading can be found at the original author’s post.

Tags: Auto Blogged, Karen Lopez
January 6th, 2013  |  Posted in Karen Lopez  |  No Comments »

Are Your Protecting Your DB Backups?

Author: mrdenny

This was reposted from http://www.sqlservercentral.com/blogs/brian_kelley/2012/11/27/are-your-protecting-your-db-backups/ written by (author unknown). They get all the credit for this, not me.

(Image: tapes by twicepix, on Flickr)

Folks have cited the recent InformationWeek article on how South Carolina’s Department of Revenue was hacked because the SC state government basically said, “It’s the IRS’ fault for not telling us we should encrypt social security numbers.” I’m not going to touch that. It stands on its own for its foolishness. However, I did key in on how the hack happened and how the data was obtained. I found this bit to be particularly interesting:

“But with more work, by Sept. 12, 2012, the attacker had successfully located and begun copying 23 database backup files, containing 74.7 GB of data, to another directory. Soon, the attacker compressed the data into 15 zip files, transferred them to another server, sent the data to an external system — outside the state’s control — and deleted the zip files to help hide the data breach, according to Mandiant’s report.”

In other words, the attacker, once inside the trusted network, located the database backup files, zipped them up, and then copied them offsite. That’s how the data was lost. The database backups were attacked.

…

Additional reading can be found at the original author’s post.

Tags: (author unknown), Auto Blogged
November 27th, 2012  |  Posted in (author unknown)  |  No Comments »

Jail Looms For Man Who Revealed AT&T Leaked iPad User E-Mails

Author: mrdenny

This was reposted from http://rss.slashdot.org/~r/Slashdot/slashdot/~3/5ifWhOwuT7U/story01.htm written by Soulskill. They get all the credit for this, not me.

concealment sends this quote from MIT’s Technology Review: “AT&T screwed up in 2010, serving up the e-mail addresses of over 110,000 of its iPad 3G customers online for anyone to find. But Andrew Auernheimer, an online activist who pointed out AT&T’s blunder to Gawker Media, which went on to publicize the breach of private information, is the one in federal court this week. Groups like the Electronic Frontier Foundation worry that should that charge succeed it will become easy to criminalize many online activities, including work by well-intentioned activists looking for leaks of private information or other online security holes. [Auernheimer's] case hasn’t received much attention so far, but should he be found guilty this week it will likely become well known, fast.”

Additional reading can be found at the original author’s post.

Tags: Auto Blogged, Soulskill
November 20th, 2012  |  Posted in Soulskill  |  No Comments »

Second Edition of Securing SQL Server no longer available for pre-order. It’s Shipping!

Author: mrdenny

I’m afraid that I’ve got some bad news.  You can no longer pre-order Securing SQL Server 2nd Edition from Amazon.

Instead you have to settle for ordering the book outright and having it shipped to you. That’s right, it’s no longer a pre-order book; it’s published and available to be shipped directly to you. Currently Amazon is selling the book at full price, which is $49.95, but if you have Amazon Prime it is available for Amazon Prime shipping. Because it is considered to be a text book you get a $5 Amazon MP3 Credit (whatever terms and conditions Amazon chooses do apply).

This is a totally updated edition of the book including all sorts of new information about security within SQL Server 2012.  I of course cover things like how to secure AlwaysOn Availability Groups, how to use user defined server roles, contained users, etc. I also dive into how to properly secure SQL Server Reporting Services and SQL Server Analysis Services so they can’t be used to access data that people shouldn’t have access to.

All in all this book is much larger, with Amazon showing it at 408 pages compared to just 272 pages for the 1st edition. If you find somewhere cheaper to purchase it, make sure that you are in fact ordering the second edition. The ISBN is 1597499471.

I hope that you pick up a copy of the book and that it is useful for you in securing your SQL Server environment.

Denny

Tags: 1597499471, 978-1597499477, AlwaysOn Security, Amazon, Clustering Security, Contained Databases, Contained Logins, Data Security, Database Firewalls, Securing SQL Server, Security SQL Server 2nd Edition, SQL Injection
August 8th, 2012  |  Posted in Amazon, Microsoft, Securing SQL Server  |  3 Comments »

Kindle Version of Securing SQL Server 2nd Edition Is Available

Author: mrdenny

In true Amazon style the Kindle Edition of Securing SQL Server 2nd Edition is available for purchase from Amazon before the physical print book is available.  I haven’t even gotten my preview copy yet (it should be here in a day or two) but you can get your digital copy from Amazon as of about a week ago.

So if you’ve been waiting for the 2nd edition to come out, there’s no need to wait any longer.

If you want that physical book you can pre-order it, and hopefully it’ll be shipping within just a couple of weeks.  Amazon has August 15th listed on the US website, but I’m not sure if that is the actual date or not.

Denny

August 6th, 2012  |  Posted in Amazon, Kindle, Securing SQL Server  |  2 Comments »

Securing SQL Server 2nd Edition Coming Soon

Author: mrdenny

I’m pleased to be able to announce that the 2nd edition of Securing SQL Server is going to be available soon.  It’s just been made available for pre-order on Amazon.com.  The second edition comes in at about 350 pages (according to Amazon, I don’t actually have a copy of it yet) while the first edition came in at about 270 pages so there has been a LOT of material added to the book.

While a lot of the new information is focused on SQL Server 2012, there is also a lot of new material which relates to older versions of SQL Server, including chapters on SQL Server Analysis Services and SQL Server Reporting Services, information on Instant File Initialization, EXECUTE AS, Database Firewalls, SAN Security, and Actual Data Security (no idea how this got missed the first time around, but thanks to Brent Ozar for pointing it out).

As for the SQL Server 2012 information, you’ll find updated information about the SHA2 hashing algorithms, Securing AlwaysOn Availability Groups, Security and SQL Server Clustering, Security and Contained Databases, and a lot more.

If you already have a copy of the 1st edition I encourage you to take a look at the second edition as well. I know that it’s really soon for a second edition of a book (the first edition just came out in February 2011), but this new edition comes on the release of SQL Server 2012.

Hopefully you pre-order your copy today.

Denny

P.S. Yes, this edition will be available for the Kindle as well; that just takes a little time. As soon as I know that it’s been posted for the Kindle (which usually happens a little after Amazon gets the physical books) I’ll post another announcement here.

P.P.S. If you visit my SecuringSQLServer.com site I’ve updated everything there for the new edition.  You can always find the old edition listed on the Other Books page on that site or on the Books page on mrdenny.com.

Tags: 1597499471, 978-1597499477, AlwaysOn Security, Amazon, Clustering Security, Contained Databases, Contained Logins, Data Security, Database Firewalls, EXECUTE AS, Instant File Initialization, SAN Security, Securing SQL Server, Security SQL Server 2nd Edition, SHA2, SQL Injection
April 24th, 2012  |  Posted in Amazon, Securing SQL Server  |  1 Comment »

180k+ websites attacked because of bad dev code

Author: mrdenny

There is another massive SQL Injection attack going around. This time hitting 180k ASP.NET websites.  The article which I referenced has a decent write up on the actual attack and it links to a post which has detailed information about the attack.  However the article on IT World gives some really poor advice on how to protect yourself from a SQL Injection attack.

“There’s no easy way to fix the vulnerability of the database to this attack except to ‘harden’ the database by applying all the patches and making all the security requirements consistent. Monitoring the database for unusual activity is important, too.”

Patching SQL Server will NOT prevent a SQL Injection attack at all. The SQL Server isn’t the attack vector for a SQL Injection attack; the web application is the attack vector. By the time the SQL Injection attack gets to the SQL Server database (or any database) it’s too late.

SQL Injection is actually really easy to protect yourself from. Simply stop using dynamically generated SQL and instead start using parametrized queries (also called bound queries). That’s it, that’s the big secret. Yes, I understand that writing your .NET code with parametrized queries is harder than just doing string concatenation and running the query, but getting your site attacked and putting malware on your customers’ computers because you didn’t want to do a little typing is just no excuse.

As this is a blog about my book “Securing SQL Server”, here’s the sales pitch. In the book I talk all about how to use parametrized queries. It really isn’t that hard, and there is lots of sample code on how to do it. You don’t need to use stored procedures to use parametrized queries. You can do it with normal dynamic SQL as well; it works basically the same.

In case you didn’t get my point yet, parametrized queries are the ONLY WAY that you can be 100% sure that you are protecting yourself from SQL Injection attacks. If you can’t find some links on how to use parametrized queries, here are a few links for you: PHP, .NET, and more .NET.
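As an added illustration (not code from this post or from the book), here is the string-concatenation pattern the post warns against next to its parametrized .NET replacement using System.Data.SqlClient against SQL Server; the table, column names and connection string are assumed placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class CustomerLookup
{
    // Vulnerable pattern, shown only for contrast: the user-supplied value is
    // concatenated into the SQL text, so any quote character in it changes the
    // statement the server parses.
    public static string BuildUnsafeQuery(string lastName)
    {
        return "SELECT CustomerID, LastName FROM dbo.Customers WHERE LastName = '"
               + lastName + "'";
    }

    // Parametrized version: the SQL text is fixed and the value travels as a
    // typed parameter. SqlClient sends this to SQL Server as sp_executesql with
    // @LastName bound separately, so the value is never parsed as SQL.
    // No stored procedure is needed; this is ordinary ad hoc SQL.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string lastName)
    {
        var cmd = new SqlCommand(
            "SELECT CustomerID, LastName FROM dbo.Customers WHERE LastName = @LastName",
            conn);
        // Declare type and length explicitly so every call presents the same
        // parameter shape to the server and the cached plan is reused.
        cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 50).Value = lastName;
        return cmd;
    }

    public static void Main()
    {
        // Constructed sample input: a legitimate name containing an apostrophe.
        // Concatenation yields a malformed statement for it, which is the same
        // weakness crafted input abuses; the parametrized form handles it as data.
        const string input = "O'Brien";
        Console.WriteLine(BuildUnsafeQuery(input));

        // Assumed placeholder connection string; replace with your own.
        using (var conn = new SqlConnection("Server=.;Database=Shop;Integrated Security=true"))
        {
            conn.Open();
            using (var reader = BuildSafeCommand(conn, input).ExecuteReader())
            {
                while (reader.Read())
                    Console.WriteLine(reader.GetInt32(0) + " " + reader.GetString(1));
            }
        }
    }
}
```

The same separation of statement and data applies to T-SQL dynamic SQL executed through sp_executesql with a parameter list, which is what the post means by "normal dynamic SQL".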

Denny

Tags: Securing SQL Server, SQL Injection
October 24th, 2011  |  Posted in Securing SQL Server  |  No Comments »

Copyright © 2013 - Securing SQL Server