Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase 12»»

A Welcome Intruder Expand / Collapse
Author
Message
Posted Thursday, December 1, 2011 9:40 PM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: Administrators
Last Login: Yesterday @ 5:53 PM
Points: 33,063, Visits: 15,179
Comments posted to this topic are about the item A Welcome Intruder






Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1215110
Posted Thursday, December 1, 2011 9:43 PM


SSC-Insane

SSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-Insane

Group: General Forum Members
Last Login: Yesterday @ 7:37 PM
Points: 21,215, Visits: 14,917
I have participated in penetration testing on occasion helping to penetrate and test security. It's fun and scary at the same time. Always take the findings and report them up the chain of command.



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server


SQL RNNR

Posting Performance Based Questions - Gail Shaw
Posting Data Etiquette - Jeff Moden
Hidden RBAR - Jeff Moden
VLFs and the Tran Log - Kimberly Tripp
Post #1215113
Posted Thursday, December 1, 2011 11:41 PM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Yesterday @ 4:39 PM
Points: 7,038, Visits: 12,951
I've participated in intrusion/penetration tests, too.

We thought we were in a good shape until the person we got in to perform the test found a piece of software on our system which had silently installed SQL2000 as a back end with login and pwd widely spread across the internet. Even worse, this login had privileges to run xp_cmdshell and could not be altered.

Within a few seconds he had his own login at the system with admin privileges. He asked us if he should escalate to domain admin privileges...

That stuff was way beyond just being scary. Consequence: A few days later the software in question got upgraded to a SQL2005 backend with locked down privileges.

The positive parts about it: any approach to break into our system from the outside failed (And I expect that guy tried more than just the "simple ways"...). And we've learned how to look for such holes and close it.





Lutz
A pessimist is an optimist with experience.

How to get fast answers to your question
How to post performance related questions
Links for Tally Table , Cross Tabs and Dynamic Cross Tabs , Delimited Split Function
Post #1215144
Posted Friday, December 2, 2011 12:42 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Tuesday, December 17, 2013 3:16 AM
Points: 3, Visits: 162
We have an external company doing security audits on all external facing systems every three months. Sure, it's canned tests with some manual follow up on potential holes, but it's better than nothing, and they've certainly helped us close several holes in security - including SQL injection on some VERY old web sites. New exploits pop up all the time so it's important to do regular testing I think.

A couple time we've also had a consultant "attack" some very important websites, to ensure that no one could get to restricted information.
Post #1215175
Posted Friday, December 2, 2011 3:13 AM


Ten Centuries

Ten CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen CenturiesTen Centuries

Group: General Forum Members
Last Login: Monday, July 21, 2014 4:57 AM
Points: 1,049, Visits: 3,002
I certainly do perform various tests on our application, database and infrastructure security, but I only see that as the first layer. I'm not a security expert, so my coding, my administration and my testing can only find issues to a certain level. That's good as a means for ensuring we're consistently following best practice, and it's an effective first pass. However, for many of our applications - and particularly anything public-facing - we follow up that first pass with something more rigorous from true experts in that field.

As has been said many a time before, security is a matter of layers. In my opinion, so should the testing be.


Semper in excretia, sumus solum profundum variat
Post #1215227
Posted Friday, December 2, 2011 6:43 AM


SSCoach

SSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoach

Group: General Forum Members
Last Login: Friday, June 27, 2014 12:43 PM
Points: 15,444, Visits: 9,596
PCI compliance (https://www.pcisecuritystandards.org/) requires periodic scanning by a third party for common/known security issues. We don't store any credit card information, but we still have to get the scans done for compliance purposes. It's essentially penetration testing.

We were also attacked by Annonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.


- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Post #1215311
Posted Friday, December 2, 2011 7:08 AM


SSC-Dedicated

SSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-DedicatedSSC-Dedicated

Group: Administrators
Last Login: Yesterday @ 5:53 PM
Points: 33,063, Visits: 15,179
GSquared (12/2/2011)


We were also attacked by Annonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.


Good for you. A few others were not as lucky.







Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1215334
Posted Friday, December 2, 2011 7:18 AM


SSC Veteran

SSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC Veteran

Group: General Forum Members
Last Login: Thursday, July 24, 2014 7:54 AM
Points: 248, Visits: 193
The easiest way to penetrate a system is to have the password. As long there are phones out there with rootkits capturing urls and keystrokes, none of our systems are truly secure.
Post #1215341
Posted Friday, December 2, 2011 7:39 AM


SSC Rookie

SSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC RookieSSC Rookie

Group: General Forum Members
Last Login: Tuesday, March 4, 2014 2:10 PM
Points: 35, Visits: 151
IMHO (12/2/2011)
The easiest way to penetrate a system is to have the password. As long there are phones out there with rootkits capturing urls and keystrokes, none of our systems are truly secure.


No need to have such technical expertise. Social means, like calling users feigning that you're from IT and requesting user/pwd info is frighteningly effective.

On the flipside, it's also very effective for SAs and DBAs to have automated scanners check your logs every few minutes for errors, like, oh, I don't know, login failures. If anything, it allows me to continue putting down "DB monitoring" into my timesheet without being questioned after catching the penetration testers.

Rich
Post #1215354
Posted Friday, December 2, 2011 8:23 AM
Right there with Babe

Right there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with BabeRight there with Babe

Group: General Forum Members
Last Login: Thursday, July 24, 2014 7:01 AM
Points: 740, Visits: 1,892
Steve Jones - SSC Editor (12/2/2011)
GSquared (12/2/2011)


We were also attacked by Annonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.


Good for you. A few others were not as lucky.


I'm not sure how anyone would actually know they were unsuccessfully attacked by anonymous. There are plenty of wannabes out there. The only real way to tell is if the attacker is actually unmasked and investigated.


...

-- FORTRAN manual for Xerox Computers --
Post #1215396
« Prev Topic | Next Topic »

Add to briefcase 12»»

Permissions Expand / Collapse