﻿<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>SQLServerCentral / Discuss Content Posted by Joseph Gama / Article Discussions / Article Discussions by Author  / How Safe are Your Passwords? / Latest Posts</title><generator>InstantForum.NET v2.9.0</generator><description>SQLServerCentral</description><link>http://www.sqlservercentral.com/Forums/</link><webMaster>notifications@sqlservercentral.com</webMaster><lastBuildDate>Thu, 23 May 2013 02:08:43 GMT</lastBuildDate><ttl>20</ttl><item><title>RE: How Safe are Your Passwords?</title><link>http://www.sqlservercentral.com/Forums/Topic8659-100-1.aspx</link><description>Thank you. I based my article on NGSS work. They are the best security consultants that I can think of. Their work on SQL injection was also a pioneer and we are always learning from them.&lt;BLOCKQUOTE id=quote&gt;&lt;font size=1 face="Verdana, Arial, Helvetica" id=quote&gt;quote:&lt;hr height=1 noshade id=quote&gt;More on the weakness of the passwords:
http://www.nextgenss.com/papers/cracking-sql-passwords.pdf
Of course, since this technique requires access to sysxlogins, you can only implement it as a sysadmin. Of course, if someone can take advantage of a SQL server vulnerability to escalate his or her access (called privilege escalation)... you get the idea.
The software that came out of the research:
http://www.nextgenss.com/software/ngssqlcrack.html
The review by Steve:
http://www.sqlservercentral.com/columnists/sjones/reviewmssqlcrack.asp
The biggest weakness, of course, is if the network traffic can be sniffed and either multiprotocol (with encryption) or SSL are not in use.
K. 
Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1&lt;hr height=1 noshade id=quote&gt;&lt;/BLOCKQUOTE id=quote&gt;&lt;/font id=quote&gt;&lt;font face="Verdana, Arial, Helvetica" size=2 id=quote&gt; </description><pubDate>Sun, 15 Dec 2002 02:31:00 GMT</pubDate><dc:creator>jgama</dc:creator></item><item><title>RE: How Safe are Your Passwords?</title><link>http://www.sqlservercentral.com/Forums/Topic8659-100-1.aspx</link><description>Thank you. You are right, it is a matter of time and opportunity. Faster machines make brute force attacks easier; phone, email, ICQ and other faceless media allow for daring social engineering stunts; and hackers with plenty of time and lots of online info will keep on trying to find loopholes. Hackers bring excitement to a DBA's life and actually, not long ago, the concept of databases that would require minimum assistance was gaining some momentum and it was the work of hackers and security analysts that stopped it.&lt;BLOCKQUOTE id=quote&gt;&lt;font size=1 face="Verdana, Arial, Helvetica" id=quote&gt;quote:&lt;hr height=1 noshade id=quote&gt;Good article. However it is only a matter of time before someone will figure out how to crack the password schema of anything. Especially if the password storage is easy to get at, so security on your server against being able to see the table with the passwords is your best defense. Then fixing situations where people who would have access that could get there are removed or set rules about leaving logged in machines unattended (casual browsing is the biggest threat). 
As a Novell teacher told me once:&lt;BLOCKQUOTE id=quote&gt;&lt;font size=1 face="Verdana, Arial, Helvetica" id=quote&gt;quote:&lt;hr height=1 noshade id=quote&gt;The only safe machine does not exist in reality.&lt;hr height=1 noshade id=quote&gt;&lt;/BLOCKQUOTE id=quote&gt;&lt;/font id=quote&gt;&lt;font face="Verdana, Arial, Helvetica" size=2 id=quote&gt; &lt;hr height=1 noshade id=quote&gt;&lt;/BLOCKQUOTE id=quote&gt;&lt;/font id=quote&gt;&lt;font face="Verdana, Arial, Helvetica" size=2 id=quote&gt; </description><pubDate>Thu, 12 Dec 2002 00:18:00 GMT</pubDate><dc:creator>jgama</dc:creator></item><item><title>RE: How Safe are Your Passwords?</title><link>http://www.sqlservercentral.com/Forums/Topic8659-100-1.aspx</link><description>NGSSQLCrack:
http://www.ngssoftware.com/
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1</description><pubDate>Tue, 10 Dec 2002 11:10:00 GMT</pubDate><dc:creator>K. Brian Kelley</dc:creator></item><item><title>RE: How Safe are Your Passwords?</title><link>http://www.sqlservercentral.com/Forums/Topic8659-100-1.aspx</link><description>Kind of off topic but not really... How does one go about finding a lost / forgotten sa password? Assuming that one cannot even log in to the box. Err... this happens to err.. my friend's *cough cough* dev box that hasn't been used for quite some time... </description><pubDate>Tue, 10 Dec 2002 10:26:00 GMT</pubDate><dc:creator>Nicholas Wang</dc:creator></item><item><title>RE: How Safe are Your Passwords?</title><link>http://www.sqlservercentral.com/Forums/Topic8659-100-1.aspx</link><description>This is a very good article. So, how can we prevent our computer from attacks?
1. Deny rights to syslogins.
2. Deny rights to xp_ procedures.
3. Make your sa password lengthy (according to the white papers it will take only 13 seconds to crack an 8-character password).
4. 
Include upper level characters in your password (ALT+ key).
5. Monitor the traffic.</description><pubDate>Tue, 10 Dec 2002 04:20:00 GMT</pubDate><dc:creator>G.R.Prithiviraj Kulasingham</dc:creator></item><item><title>RE: How Safe are Your Passwords?</title><link>http://www.sqlservercentral.com/Forums/Topic8659-100-1.aspx</link><description>The last estimate I read on cracking true 128-bit encryption for SSL (not the Netscape attempt of yesteryear where only 40 bits were actually encrypted to stay in compliance with US export requirements) was that if you took all the computing power on the planet currently it would take millions of millions of years.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1</description><pubDate>Mon, 09 Dec 2002 08:56:00 GMT</pubDate><dc:creator>K. Brian Kelley</dc:creator></item><item><title>RE: How Safe are Your Passwords?</title><link>http://www.sqlservercentral.com/Forums/Topic8659-100-1.aspx</link><description>&lt;BLOCKQUOTE id=quote&gt;&lt;font size=1 face="Verdana, Arial, Helvetica" id=quote&gt;quote:&lt;hr height=1 noshade id=quote&gt;However true 128-bit encryption would still take millions of years. 40-bit was still in a range where it could be brute forced (started out as 100 computers in 8 days and shrunk from there). 128-bit hasn't reached a point where brute forcing it is conceivable (unless possibly you're the NSA or some group like that and even still... &lt;hr height=1 noshade id=quote&gt;&lt;/BLOCKQUOTE id=quote&gt;&lt;/font id=quote&gt;&lt;font face="Verdana, Arial, Helvetica" size=2 id=quote&gt;When you think about networked computers and the internet, the potential number of computers available for a brute force attack can become reasonable. The SETI screen saver program had hundreds of thousands of users at its peak. 
This program used your idle time when the screen saver was running to analyze background radio noise to search for Extra Terrestrial Intelligence (SETI). Google has a toolbar button now that allows you to participate in pretty much whatever someone wants to pay them for in the same way. If you break a big problem into small enough parts, you can farm it out to lots of "crackers" to solve in a short elapsed time. You still can't get 9 women together and have a baby in one month though. Some single-threaded things do just take time. &lt;img src=icon_smile.gif border=0 align=middle&gt; </description><pubDate>Mon, 09 Dec 2002 08:27:00 GMT</pubDate><dc:creator>don1941</dc:creator></item><item><title>RE: How Safe are Your Passwords?</title><link>http://www.sqlservercentral.com/Forums/Topic8659-100-1.aspx</link><description>This isn't necessarily the case. It really depends on the encryption mechanism used. For instance, 40-bit encryption for SSL was cracked in '95 or '96. However true 128-bit encryption would still take millions of years. 40-bit was still in a range where it could be brute forced (started out as 100 computers in 8 days and shrunk from there). 128-bit hasn't reached a point where brute forcing it is conceivable (unless possibly you're the NSA or some group like that and even still... which is why they've asked for backdoors in encryption algorithms that are too costly to crack). 
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1</description><pubDate>Mon, 09 Dec 2002 06:42:00 GMT</pubDate><dc:creator>K. Brian Kelley</dc:creator></item><item><title>RE: How Safe are Your Passwords?</title><link>http://www.sqlservercentral.com/Forums/Topic8659-100-1.aspx</link><description>&lt;font face='Comic Sans MS'&gt;Good Article. 
I agree that in a short matter of time, as processors start getting faster, cracking SA passwords will be child's play.&lt;/font id='Comic Sans MS'&gt; </description><pubDate>Mon, 09 Dec 2002 02:02:00 GMT</pubDate><dc:creator>abhi_develops</dc:creator></item><item><title>RE: How Safe are Your Passwords?</title><link>http://www.sqlservercentral.com/Forums/Topic8659-100-1.aspx</link><description>More on the weakness of the passwords:
http://www.nextgenss.com/papers/cracking-sql-passwords.pdf
Of course, since this technique requires access to sysxlogins, you can only implement it as a sysadmin. Of course, if someone can take advantage of a SQL server vulnerability to escalate his or her access (called privilege escalation)... you get the idea.
The software that came out of the research:
http://www.nextgenss.com/software/ngssqlcrack.html
The review by Steve:
http://www.sqlservercentral.com/columnists/sjones/reviewmssqlcrack.asp
The biggest weakness, of course, is if the network traffic can be sniffed and either multiprotocol (with encryption) or SSL are not in use.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1</description><pubDate>Sat, 07 Dec 2002 19:32:00 GMT</pubDate><dc:creator>K. Brian Kelley</dc:creator></item><item><title>RE: How Safe are Your Passwords?</title><link>http://www.sqlservercentral.com/Forums/Topic8659-100-1.aspx</link><description>Good article. However it is only a matter of time before someone will figure out how to crack the password schema of anything. Especially if the password storage is easy to get at, so security on your server against being able to see the table with the passwords is your best defense. Then fixing situations where people who would have access that could get there are removed or set rules about leaving logged in machines unattended (casual browsing is the biggest threat). 
And of course location and ability for others to access the machine itself is another major factor. As a Novell teacher told me once:&lt;BLOCKQUOTE id=quote&gt;&lt;font size=1 face="Verdana, Arial, Helvetica" id=quote&gt;quote:&lt;hr height=1 noshade id=quote&gt;The only safe machine does not exist in reality.&lt;hr height=1 noshade id=quote&gt;&lt;/BLOCKQUOTE id=quote&gt;&lt;/font id=quote&gt;&lt;font face="Verdana, Arial, Helvetica" size=2 id=quote&gt; </description><pubDate>Sat, 07 Dec 2002 17:32:00 GMT</pubDate><dc:creator>Antares686</dc:creator></item><item><title>How Safe are Your Passwords?</title><link>http://www.sqlservercentral.com/Forums/Topic8659-100-1.aspx</link><description>Comments posted to this topic are about the content posted at &lt;A HREF=http://www.sqlservercentral.com/columnists/jgama/sqlserverpasswordauditing.asp&gt;http://www.sqlservercentral.com/columnists/jgama/sqlserverpasswordauditing.asp&lt;/A&gt;</description><pubDate>Sat, 07 Dec 2002 00:00:00 GMT</pubDate><dc:creator>jgama</dc:creator></item></channel></rss>