Securing SQL Server

Protecting Your Database from Attackers

  • Home
  • Other Books

180k+ websites attacked because of bad dev code

Author: mrdenny

There is another massive SQL Injection attack going around. This time hitting 180k ASP.NET websites.  The article which I referenced has a decent write up on the actual attack and it links to a post which has detailed information about the attack.  However the article on IT World gives some really poor advice on how to protect yourself from a SQL Injection attack.

There’s no easy way to fix the vulnerability of the database to this attack except to “harden” the database by applying all the patches and making all the security requirements consistent. Monitoring the database for unusual activity is important, too.

Patching SQL Server will NOT prevent SQL Injection attack, at all.  The SQL Server isn’t the attack vector for a SQL Injection attack, the web application is the attack vector.  By the time the SQL Injection attack gets to the SQL Server database (or any database) it’s too late.

SQL Injection is actually really easy to protect yourself from.  Simply stop using dynamically generated SQL  and instead start using parametrized queries (also called bound queries).  That’s it, that’s the big secret.  Yes I understand that writing your .NET code as parametrized queries is harder to write than just doing string concatenation and running the query, but getting your site attacked and putting malware on your customers computers because you didn’t want to do a little typing is just no excuse.

As this is a blog about my book “Securing SQL Server” here’s the sales pitch.  In the book I talk all about how to use parametrized queries.  It really isn’t that hard there is lots of sample code on how to do it.  You don’t need to use stored procedures to use parametrized queries.  You can do it with normal dynamic SQL as well, it works basically the same.

In case you didn’t get my point yet, parametrized queries are the ONLY WAY that you can 100% be sure that you are protecting yourself from SQL Injection attacks.  If you can’t find some links on how to use parametrized queries here are a few links for you PHP, .NET, and more .NET.

Denny

Tags: Securing SQL Server, SQL Injection
October 24th, 2011  |  Posted in Securing SQL Server  |  No Comments »

Exposing SQL Server to the public Internet is a pretty bad idea

Author: mrdenny

Every once and a while we hear about the nightmare situation where a SQL Server has been broken into and data has been stolen. All to often when this happens because the SQL Server is exposed directly to the public Internet. When you ask people why the SQL Server is connected to the Internet the answer is pretty much always the same, to make it easier to manage so that they don’t have to RDP to the server and manage it from there.

While this is easier, is sure isn’t the safest solution. A much better solution would be to setup a VPN Network between the office and the data center so that the connection is secured so that people from the public Internet can’t access the SQL Server’s connection.  This will prevent people who aren’t supposed to be connecting to the SQL Server from connecting to the SQL Server.

I talk about this more in Chapter 1 of “Securing SQL Server”.  Check it out on Amazon, which will actually let you read a good portion of Chapter 1 online for free.

August 23rd, 2011  |  Posted in Amazon, Securing SQL Server  |  1 Comment »

Meet the author, get your copy signed

Author: mrdenny

There are several chances to meet the author of Securing SQL Server, ask questions, and get your copy of the book signed.  These include (and are subject to change):

Dallas Tech Fest – August 13th, 2011

SQL PASS – October 11-14, 2011

SQL Saturday 95 – September 17th, 2011

SQL Excursions - May 17-19, 2012

I hope to see you at one (or all) of these great events.  Feel free to bring your copy and get it signed making it a priceless collectable (OK, probably not but I do love signing copies).

Denny

Tags: Securing SQL Server
July 27th, 2011  |  Posted in Securing SQL Server  |  No Comments »

Want to take a look at Securing SQL Server for 30 days?

Author: mrdenny

Thanks to Amazon, now you can rent Securing SQL Server for 30 days, and if you like it you can buy it with the cost of the rental being applied to the cost to buy the digital copy of the book.  This is all done through Amazon’s new ebook rental program for text books (which they have marked my book as being).  So now you can rent the book starting at a little over 1/2 the current price of the book which gives you access to the entire book for 30 days.  After the 30 days is up you can extend your rental or purchase with the initial rental price counting towards your new price (you pay the difference).

As an author I’m not sure how I feel about this, good I guess because it gives people a chance to give the book a try.  As a reader I like this because I can try the book for less, and if I like it keep it.  If it doesn’t serve me any purpose I don’t need to keep it, and it only cost be 1/2 the cash to find out.

You don’t need to have a Kindle to make use of this, just the Kindle app installed on your PC, phone, iPad, etc.

Denny

Tags: Amazon, Securing SQL Server
July 18th, 2011  |  Posted in Amazon, Kindle  |  No Comments »

Securing SQL Server will be available at the Tech Ed bookstore

Author: mrdenny

If you are going to Tech Ed 2011, and you were thinking about purchasing a copy of “Securing SQL Server” but you wanted to thumb through it before purchasing, now is your chance.  I’ve just be told that the Tech Ed book store will be stocking “Securing SQL Server”.  If you pick up a copy at Tech Ed and you want it signed I’ll be working at the SQL Server booth most afternoons.  Bring it on by, and I’ll be happy to sign it for you or at least draw funny faces in it.

Denny

Tags: Securing SQL Server, Tech Ed
May 4th, 2011  |  Posted in Microsoft, Securing SQL Server  |  No Comments »

Looks like MySQL isn’t the only company to be succeptable to a SQL Injection Attack (looking at you Barracuda)

Author: mrdenny

Apparently Barracuda (who is in the network security business) had one of their applications broken into this week as reported by CNet.  While no source code was stolen from Barracuda, it still has to be embarrassing to have names and email addresses of employees, leads and partners to be downloaded all thanks to a poorly written PHP application.  Passwords were also downloaded as part of the data dump, but the passwords were only stored as MD5 hashes.  However MD5 isn’t considered to be very secure any more (which is one of the reasons that SQL Server “Denali” is including SHA2 which is still considered to be secure).

Apparently the website which was attacked is normally secured using a Barracuda Web Application Firewall, but it was taken offline during a maintenance window on Friday night (April 8th, 2011).  On Saturday night at about 5pm a script being crawling the website looking for SQL Injection weaknesses, which is found about two hours later.

Sadly this isn’t the first SQL Injection attack to happen recently.  Just a couple of weeks ago MySQL.com’s website was attacked also using SQL Injection and a large amount of information was taken from their database as well.

You can read more about the Barracuda breach on CNet or on Barracuda’s own blog.

Denny

Tags: Barracuda, CNET, SQL Injection
April 12th, 2011  |  Posted in Securing SQL Server  |  4 Comments »

Securing SQL Server is available at #DevConnections / #SQLConections

Author: mrdenny

If you are at the Dev Connections / SQL Connections conference and wanted to pick up a copy of “Securing SQL Server” it is available at the Dev Connections book store over by the check in booth.

Denny

Tags: Dev Connections, Securing SQL Server, SQL Connections
March 29th, 2011  |  Posted in Securing SQL Server  |  No Comments »

MySQL.com compromised via SQL Injection attack. Someone should have read Chapter 6.

Author: mrdenny

For those of you that were wondering, SQL Server isn’t the only platform which can be attacked via a SQL Injection attack.  Apparently the MySQL.com website which hosts the official distribution channel for the MySQL database platform was attacked using good old SQL Injection earlier today (notice sent out via seclists.org including their schema).

Often I hear from MySQL professionals that MySQL isn’t susceptible to SQL Injection attacks.  Apparently not only is it susceptible to SQL Injection attacks, but the company that writes the MySQL engine can’t correctly secure their website from being attacked.  According to sucuri.net the “customer view application was used as the entry point, where the attackers were able to list the internal databases, tables and password dump…”.  Not only was the password dump captured and posted only, but people have begun cracking the passwords, and some of these passwords are stupidly simple.  The account sysadm (which I assume is pretty important) has a password of “qa”.

Apparently the Director or Product Management (who has 20+ years experience with most database platforms) used a 4 digit numeric password (probably his ATM pin code) as his password.

Needless to say, if you have an account on mysql.com and you use that password anywhere, you should probably change that password anywhere else that you use it.

If you think that your application is susceptible to SQL Injection attack, I recommend chapter 6 (SQL Injection Attacks) of “Securing SQL Server” which talks about how to prevent SQL Injection attacks.  The examples which I provide are not SQL Server specific and the techniques shown to prevent SQL Injection attacks can be used against pretty much any relational database platform.

Denny

UPDATE (1pm PST 2011/03/27): Apparently the SSL certificate for logging into the MySQL.com website expired a month ago.  The reason that I found this was that I was going to try and log in with my normal passwords (I’m pretty sure I have a mysql.com account) but with this error message, I’m not so sure about that.  It’s probably OK, but still…

Tags: MySql.com, Securing SQL Server, SQL Injection
March 27th, 2011  |  Posted in Securing SQL Server  |  13 Comments »

Sean and Jen McCown talk about “Securing SQL Server” on their show.

Author: mrdenny

A couple of weeks ago Sean and Jen McCown (twitter | Sean’s Blog | Jen’s Blog) talked about “Securing SQL Server” on their DBAs@Midnight web show.  While this isn’t a full review, they got the book about six hours before the recorded the show, it does give you a little insight into the book.  Sean was able to read a couple of the sections before he recorded the show, and his response to the book was pretty positive.

Apparently there are a couple of spelling errors that he’s found so far (I already know about the one in the dedication which he didn’t mention), but if those are the biggest problem that he finds with the book I’m doing pretty good.

You can download the video from the DBAs@Midnight – Get Away From Me web page on their site.  They start talking about the book at 34 minutes into the video, and they are done at about the 42 minute mark.  Sean said that he’ll be doing a full review of the book on their IT Bookworm book review site.  If his full review is as positive as this video was, I’ll be a very happy book writer.

Denny

Tags: Book Review, Jen McCown, MidnightDBA, Sean McCown, Securing SQL Server
March 26th, 2011  |  Posted in Review Link, Securing SQL Server  |  No Comments »

Chapter 1 of “Securing SQL Server” is now available for free on Amazon.

Author: mrdenny

Amazon has posted the entire Chapter 1 of Securing SQL Server up on their site. Go to the books Amazon page and click on the “Read first chapter free ” button (shown below) and you’ll get to read the first chapter right there on your computer.  If you want the sample on your Kindle, go to the Kindle versions page and use the Try it free I talk about below.

This gives you a great chance to take a peek at the first chapter for free, to see if it would be of assistance to you. Now do keep in mind that Chapter 1 isn’t actually about SQL Server specifically, but more about network design and network security.

If you go to the Kindle versions page you can get a sample of the book sent to your kindle using the “Try it free” option on the right of the page (shown below).  It appears that this will send Chapter 1 to your kindle (at least that’s what it sent to me).

Denny

Tags: Amazon, Free Chapter, Securing SQL Server
March 23rd, 2011  |  Posted in Amazon, Kindle, Securing SQL Server  |  No Comments »

<< Previous

  • Categories

    • Amazon (4)
      • Kindle (3)
    • Microsoft (2)
    • Securing SQL Server (12)
      • Review Link (1)

  • Order Now


    Also available on the Kindle.

  • Tags

    Amazon Barracuda Book Review CNET Dev Connections Free Chapter Friends I hate AT&T Jen McCown Kindle Microsoft MidnightDBA MySql.com Review Sean McCown Securing SQL Server SQL Connections SQL Injection Tech Ed

  • Recent Posts

    • 180k+ websites attacked because of bad dev code
    • Exposing SQL Server to the public Internet is a pretty bad idea
    • Meet the author, get your copy signed
    • Want to take a look at Securing SQL Server for 30 days?
    • Securing SQL Server will be available at the Tech Ed bookstore

  • Archives

    • October 2011
    • August 2011
    • July 2011
    • May 2011
    • April 2011
    • March 2011

Copyright © 2012 - Securing SQL Server | Entries (RSS) | Comments (RSS)

WordPress theme designed by web design