If you are going to Tech Ed 2011, and you were thinking about purchasing a copy of “Securing SQL Server” but you wanted to thumb through it before purchasing, now is your chance. I’ve just been told that the Tech Ed book store will be stocking “Securing SQL Server”. If you pick up a copy at Tech Ed and you want it signed, I’ll be working at the SQL Server booth most afternoons. Bring it on by, and I’ll be happy to sign it for you or at least draw funny faces in it.
Apparently Barracuda (a company in the network security business) had one of their applications broken into this week, as reported by CNet. While no source code was stolen from Barracuda, it still has to be embarrassing to have the names and email addresses of employees, leads and partners downloaded, all thanks to a poorly written PHP application. Passwords were also downloaded as part of the data dump, but the passwords were only stored as MD5 hashes. However, MD5 isn’t considered to be very secure any more (which is one of the reasons that SQL Server “Denali” is including SHA2, which is still considered to be secure).
Apparently the website which was attacked is normally secured using a Barracuda Web Application Firewall, but it was taken offline during a maintenance window on Friday night (April 8th, 2011). On Saturday night at about 5pm a script began crawling the website looking for SQL Injection weaknesses, which it found about two hours later.
Sadly this isn’t the first SQL Injection attack to happen recently. Just a couple of weeks ago MySQL.com’s website was also attacked using SQL Injection, and a large amount of information was taken from their database as well.
You can read more about the Barracuda breach on CNet or on Barracuda’s own blog.
If you are at the Dev Connections / SQL Connections conference and wanted to pick up a copy of “Securing SQL Server” it is available at the Dev Connections book store over by the check in booth.
For those of you that were wondering, SQL Server isn’t the only platform which can be attacked via a SQL Injection attack. Apparently the MySQL.com website which hosts the official distribution channel for the MySQL database platform was attacked using good old SQL Injection earlier today (notice sent out via seclists.org including their schema).
Often I hear from MySQL professionals that MySQL isn’t susceptible to SQL Injection attacks. Apparently not only is it susceptible to SQL Injection attacks, but the company that writes the MySQL engine can’t correctly secure their own website from being attacked. According to sucuri.net the “customer view application was used as the entry point, where the attackers were able to list the internal databases, tables and password dump…”. Not only was the password dump captured and posted online, but people have begun cracking the passwords, and some of these passwords are stupidly simple. The account sysadm (which I assume is pretty important) has a password of “qa”.
Apparently the Director of Product Management (who has 20+ years of experience with most database platforms) used a 4 digit numeric password (probably his ATM PIN code) as his password.
Needless to say, if you have an account on mysql.com and you use that password anywhere else, you should probably change that password everywhere else that you use it.
If you think that your application is susceptible to SQL Injection attacks, I recommend chapter 6 (SQL Injection Attacks) of “Securing SQL Server”, which talks about how to prevent SQL Injection attacks. The examples which I provide are not SQL Server specific, and the techniques shown to prevent SQL Injection attacks can be used with pretty much any relational database platform.
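To make the prevention point concrete, here is an added example (written for this post; it is not from chapter 6 of the book, nor from the MySQL.com or Barracuda applications) that places a lookup built by string concatenation beside the same lookup written as a parameterized query. It uses an in-memory SQLite table with constructed rows, but the pattern is the same on SQL Server, MySQL or any other platform with a driver that supports bound parameters: the user's input is sent to the engine as a value, never as part of the statement text.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "<hash>", "admin"), ("bob", "<hash>", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The input is spliced into the SQL text, so any quote characters in it
    # become part of the statement's structure rather than part of the value.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # The placeholder is bound by the driver; the statement structure is fixed
    # before the value is supplied, so the value can only ever be compared.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> dict:
    """Run both versions against the same input and report the row counts."""
    conn = build_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, username)),
        "safe_rows": len(lookup_safe(conn, username)),
    }


if __name__ == "__main__":
    # A legitimate username behaves the same in both versions...
    print(compare("alice"))
    # ...while an input carrying a quote changes the vulnerable statement
    # into a query that matches every row; the safe version matches none.
    print(compare("' OR '1'='1"))
```

The vulnerable function is kept only to show what the bound parameter protects against; in real code every query that carries user-supplied data should look like `lookup_safe`.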
UPDATE (1pm PST 2011/03/27): Apparently the SSL certificate for logging into the MySQL.com website expired a month ago. The reason that I found this was that I was going to try and log in with my normal passwords (I’m pretty sure I have a mysql.com account) but with this error message, I’m not so sure about that. It’s probably OK, but still…
A couple of weeks ago Sean and Jen McCown (twitter | Sean’s Blog | Jen’s Blog) talked about “Securing SQL Server” on their DBAs@Midnight web show. While this isn’t a full review (they got the book about six hours before they recorded the show), it does give you a little insight into the book. Sean was able to read a couple of the sections before he recorded the show, and his response to the book was pretty positive.
Apparently there are a couple of spelling errors that he’s found so far (I already know about the one in the dedication, which he didn’t mention), but if those are the biggest problems that he finds with the book, I’m doing pretty well.
You can download the video from the DBAs@Midnight – Get Away From Me web page on their site. They start talking about the book at 34 minutes into the video, and they are done at about the 42 minute mark. Sean said that he’ll be doing a full review of the book on their IT Bookworm book review site. If his full review is as positive as this video was, I’ll be a very happy book writer.
Amazon has posted the entire Chapter 1 of Securing SQL Server on their site. Go to the book’s Amazon page and click on the “Read first chapter free” button (shown below) and you’ll get to read the first chapter right there on your computer. If you want the sample on your Kindle, go to the Kindle version’s page and use the “Try it free” option I talk about below.
This gives you a great chance to take a peek at the first chapter for free, to see if it would be of assistance to you. Now do keep in mind that Chapter 1 isn’t actually about SQL Server specifically, but more about network design and network security.
If you go to the Kindle version’s page you can get a sample of the book sent to your Kindle using the “Try it free” option on the right of the page (shown below). It appears that this will send Chapter 1 to your Kindle (at least that’s what it sent to me).
So tonight Sean McCown did a review of my book on their live web show. Sadly I didn’t get to watch it, because my AT&T uVerse crapped out just as Sean started talking about my book, and my Internet came back up just after Sean finished talking about my book.
If you didn’t catch the live show then you can download the video in about a week or so, which is when I’ll be downloading and watching it for the first time. The video will be up on the DBAs@Midnight page. I’ll be sure to blog again, and link directly to the page when it gets posted.
So today I went and dropped off that big pile of books to be mailed out. For those that are getting them, you should be getting them this week, or early next (for the east coast people).
Just before the MVP summit I received a nice box from my publisher, Syngress, which was full of books for me to send out. So I racked my brains to pick the friends which I would be able to send a copy to. I have a lot more friends than I have books, meaning that this was a very tough list to put together. I finally got the list put together, and signed the books and packaged them up. Later today (Monday) will be a trip to the post office to mail them all out.
It does make a pretty impressive stack in the envelopes, doesn’t it? If you don’t get a copy (if you didn’t get an email from me asking for your address, sorry, but that means that you were probably number 21 on my list when I only had 20 copies to give out), please don’t take it personally; I only had a limited number of copies to give out. For those that are getting copies, hopefully they will be there in a few days.