Securing SQL Server

Protecting Your Database from Attackers


Archive for March, 2011

Securing SQL Server is available at #DevConnections / #SQLConections

Tuesday, March 29th, 2011

If you are at the Dev Connections / SQL Connections conference and want to pick up a copy of “Securing SQL Server”, it is available at the Dev Connections book store over by the check-in booth.

Denny

Tags: Dev Connections, Securing SQL Server, SQL Connections
Posted in Securing SQL Server | No Comments »

MySQL.com compromised via SQL Injection attack. Someone should have read Chapter 6.

Sunday, March 27th, 2011

For those of you that were wondering, SQL Server isn’t the only platform which can be attacked via a SQL Injection attack.  Apparently the MySQL.com website which hosts the official distribution channel for the MySQL database platform was attacked using good old SQL Injection earlier today (notice sent out via seclists.org including their schema).

Often I hear from MySQL professionals that MySQL isn’t susceptible to SQL Injection attacks. Apparently not only is it susceptible to SQL Injection attacks, but the company that writes the MySQL engine can’t correctly secure their website from being attacked. According to sucuri.net the “customer view application was used as the entry point, where the attackers were able to list the internal databases, tables and password dump…”. Not only was the password dump captured and posted online, but people have begun cracking the passwords, and some of these passwords are stupidly simple. The account sysadm (which I assume is pretty important) has a password of “qa”.

Apparently the Director of Product Management (who has 20+ years experience with most database platforms) used a 4-digit numeric password (probably his ATM pin code) as his password.

Needless to say, if you have an account on mysql.com and you use that password anywhere, you should probably change that password anywhere else that you use it.

If you think that your application is susceptible to SQL Injection attack, I recommend chapter 6 (SQL Injection Attacks) of “Securing SQL Server” which talks about how to prevent SQL Injection attacks.  The examples which I provide are not SQL Server specific and the techniques shown to prevent SQL Injection attacks can be used against pretty much any relational database platform.

Denny

UPDATE (1pm PST 2011/03/27): Apparently the SSL certificate for logging into the MySQL.com website expired a month ago.  The reason that I found this was that I was going to try and log in with my normal passwords (I’m pretty sure I have a mysql.com account) but with this error message, I’m not so sure about that.  It’s probably OK, but still…

Tags: MySql.com, Securing SQL Server, SQL Injection
Posted in Securing SQL Server | 13 Comments »

Sean and Jen McCown talk about “Securing SQL Server” on their show.

Saturday, March 26th, 2011

A couple of weeks ago Sean and Jen McCown (twitter | Sean’s Blog | Jen’s Blog) talked about “Securing SQL Server” on their DBAs@Midnight web show. While this isn’t a full review (they got the book about six hours before they recorded the show), it does give you a little insight into the book. Sean was able to read a couple of the sections before he recorded the show, and his response to the book was pretty positive.

Apparently there are a couple of spelling errors that he’s found so far (I already know about the one in the dedication which he didn’t mention), but if those are the biggest problem that he finds with the book I’m doing pretty good.

You can download the video from the DBAs@Midnight – Get Away From Me web page on their site.  They start talking about the book at 34 minutes into the video, and they are done at about the 42 minute mark.  Sean said that he’ll be doing a full review of the book on their IT Bookworm book review site.  If his full review is as positive as this video was, I’ll be a very happy book writer.

Denny

Tags: Book Review, Jen McCown, MidnightDBA, Sean McCown, Securing SQL Server
Posted in Review Link, Securing SQL Server | No Comments »

Chapter 1 of “Securing SQL Server” is now available for free on Amazon.

Wednesday, March 23rd, 2011

Amazon has posted the entire Chapter 1 of Securing SQL Server up on their site. Go to the book’s Amazon page and click on the “Read first chapter free” button (shown below) and you’ll get to read the first chapter right there on your computer. If you want the sample on your Kindle, go to the Kindle version’s page and use the “Try it free” option I talk about below.

This gives you a great chance to take a peek at the first chapter for free, to see if it would be of assistance to you. Now do keep in mind that Chapter 1 isn’t actually about SQL Server specifically, but more about network design and network security.

If you go to the Kindle version’s page you can get a sample of the book sent to your Kindle using the “Try it free” option on the right of the page (shown below). It appears that this will send Chapter 1 to your Kindle (at least that’s what it sent to me).

Denny

Tags: Amazon, Free Chapter, Securing SQL Server
Posted in Amazon, Kindle, Securing SQL Server | 1 Comment »

First book review coming soon from Sean & Jen (@midnightdba)

Friday, March 18th, 2011

So tonight Sean McCown did a review of my book on their live web show.  Sadly I didn’t get to watch it, because my AT&T uVerse crapped out just as Sean started talking about my book, and my Internet came back up just after Sean finished talking about my book.

If you didn’t catch the live show then you can download the video in about a week or so, which is when I’ll be downloading and watching it for the first time.  The video will be up on the DBAs@Midnight page.  I’ll be sure to blog again, and link directly to the page when it gets posted.

Denny

Tags: I hate AT&T, Review, Sean McCown
Posted in Securing SQL Server | No Comments »

Those free copies should be there this week or so

Monday, March 14th, 2011

So today I went and dropped off that big pile of books to be mailed out. For those that are getting them, you should be getting them this week, or early next (for the east coast people).

Thanks,

Denny

Posted in Securing SQL Server | No Comments »

Sending out some free copies

Monday, March 14th, 2011

Just before the MVP summit I received a nice box from my publisher, Syngress,  which was full of books for me to send out.  So I racked my brains to pick the friends which I would be able to send a copy to.  I have a lot more friends than I have books, meaning that this was a very tough list to put together.  I finally got the list put together, and signed the books and packaged them up.  Later today (Monday) will be a trip to the post office to mail them all out.

It does make a pretty impressive stack in the envelopes, doesn’t it? If you don’t get a copy (if you didn’t get an email from me asking for your address, sorry but that means that you were probably number 21 on my list when I only had 20 copies to give out), please don’t take it personally; I only had a limited number of copies to give out. For those that are getting copies, hopefully they will be there in a few days.

Denny

Tags: Friends, Securing SQL Server
Posted in Securing SQL Server | No Comments »

Book available for sale at the Microsoft Company Store

Wednesday, March 9th, 2011

I normally don’t blog about stuff that I’m doing when I go to the Microsoft corporate office, but I just couldn’t pass this up.

While going through the company store someone noticed that my book was available for sale there. So I did the next logical thing: I dragged my butt over to that building and took a picture of it, in all its glory.

Needless to say, I’m very proud that whoever does the purchasing for the Microsoft Corporate store decided to put my book up for sale. Personally I think that the 20% off sticker takes away from the awesomeness of the cover, but I’ll take what I can get.

If you can’t pick it up at the company store, it is available from Amazon via the link to the right. :)

Denny

Tags: Microsoft, Securing SQL Server
Posted in Microsoft | No Comments »

Kindle version of Securing SQL Server is available

Sunday, March 6th, 2011

Apparently the publisher has decided that the Kindle version of “Securing SQL Server” should be made available early. I was originally told that it wouldn’t be available until May 2011, but they have released it already. Purchasing is easy, just click the image of the book below.


Thanks,
Denny

Tags: Kindle, Securing SQL Server
Posted in Amazon, Kindle | 2 Comments »


Copyright © 2013 - Securing SQL Server