Unprotected Queries
Posted Monday, December 3, 2007 3:08 AM
SSC-Dedicated
Group: Administrators
Comments posted to this topic are about the item Unprotected Queries

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #428628
Posted Tuesday, December 4, 2007 2:04 AM
Ten Centuries
Group: General Forum Members
Worth remembering the oft-quoted cliche that a little knowledge is a dangerous thing. Presenting data on the Internet is easy to achieve. Presenting data safely and securely on the Internet is far more difficult.

Some time ago, I found a few articles detailing the use of Google to query systems for the purposes of hacking. I've seen examples of Google search criteria which list UNIX servers on the Internet which have blank root passwords, or allow at least read access to the whole file system. I've seen examples of using Google to find insecure databases, including SQL Server ones (check out this link). I've seen examples of using Google to find Excel spreadsheets containing budgetary information (or, perhaps, medical or financial records). All scary stuff.

Personally, I see it as one of my major responsibilities to recognise my limitations. I'm a DBA, not a security expert. I understand a lot of the tricks used, but it's not my core expertise, which is why we employ people who do have that under their remit. Therefore, anything we roll out is looked at with several pairs of eyes instead of just one pair. Easier said than done in a small company, I'll admit, but failing to do so is a gamble you will, sooner or later, definitely lose.


Semper in excretia, sumus solum profundum variat
Post #429141
Posted Tuesday, December 4, 2007 6:57 AM
SSCertifiable
Group: Moderators
I suspect it's the small companies that suffer the most. They aren't big enough to have a security person on staff, which means someone does the best they can. The first part is hoping they recognize what they don't know and ask for help, the next part is figuring out who to ask and what to buy, and those two become the chicken and the egg, because if you're going with software like ISA you need an ISA expert, if you're using Cisco or whatever hardware device then you need someone that can configure that. Or, you can just find an "expert" and let them tell you what you need, and hope that they have a sense of your budget and the realities of your business!

Andy
SQLAndy - My Blog!
Connect with me on LinkedIn
Follow me on Twitter
Post #429261
Posted Tuesday, December 4, 2007 3:44 PM
SSC Eights!
Group: General Forum Members
I had an object lesson in this, fortunately with a friend's computer, not a SQL Server. He was running Win2K Pro and something really hosed his permissions and it boiled down to needing to do a reinstall. Unfortunately I hadn't brought my laptop with me and had no way to download SP4. He had a broadband connection but without a router. After the install was completed and we rebooted, the machine was instantly rooted by bots sitting on Qwest's network. We never had a chance at downloading SP4 and IE 6 to get the minimum level of protection needed.

We went out and bought a copy of XP Pro that had SP2 pre-installed. Off-line installation went fine, system actually ran faster. We installed Zone Alarm Pro, and as soon as we put the system online again, you could see the root kit bots hammering away.

Tried to get the guy to buy a router but he wouldn't.

Oh, and a special shout out to Qwest for doing such a great job of monitoring their network to prevent bots from compromising their users' equipment! :D
Post #429562
Posted Tuesday, December 4, 2007 3:59 PM
SSCertifiable
Group: General Forum Members
I came across that article a little while ago. The scariest part to me was that these servers were usually also not patched in any way, so they were the "perfect" breeding grounds/launching grounds for any number of exploits. Slammer is still alive and well thanks to these servers...

It's reminiscent of this guy's take on unpatched machines...


----------------------------------------------------------------------------------
Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?
Post #429567
Posted Wednesday, December 5, 2007 7:41 AM
SSC-Dedicated
Group: Administrators
I wonder how unfair it is to refuse to buy a router or not protect your machine? Is it like driving without headlights? Is it refusing to tune your engine so it doesn't stall?

It's tough to get your machines protected. The downloads from MS don't work, you need to get stuff before you put your machine online, but really I think ISPs are a little negligent if they don't give you a router up front and build the cost into the price they charge.

Post #429777
Posted Wednesday, December 5, 2007 8:02 AM
Ten Centuries
Group: General Forum Members
Steve Jones - Editor (12/5/2007)
I wonder how unfair it is to refuse to buy a router or not protect your machine? Is it like driving without headlights? Is it refusing to tune your engine so it doesn't stall?

It's tough to get your machines protected. The downloads from MS don't work, you need to get stuff before you put your machine online, but really I think ISPs are a little negligent if they don't give you a router up front and build the cost into the price they charge.

Really? I don't know how it is in the US, but here in the UK I can't think of any ISP that doesn't provide at least one package which includes a router. If an ISP provides two packages (one with a router and one without), and a customer makes an active decision to go with the one without, do you really think it's the ISP at fault?

I read a story about someone who bought a Winnebago, put it on cruise control, went into the back to make a cuppa, then sued Winnebago because of the ensuing crash. Irrespective of the way the ruling went, do you really think it was Winnebago's fault?

Where I would say ISPs are at fault is in having the ability to easily spot virus-generated traffic on their network, not using that ability and failing to suspend the connections used by the virus-ridden machines. There, I believe there is a good case to be made for negligence.

Post #429787
Posted Wednesday, December 5, 2007 8:27 AM
SSC-Dedicated
Group: Administrators
The problem we had in the US is that a lot of ISPs put up a modem, but not a router. They were trying to charge a fee for every machine, not the connection. It hasn't worked terribly well and I'm surprised if anyone doesn't require a router these days.

Not stopping virus traffic is a problem. I think it becomes hard to tell sometimes what's legitimate and what's not, but they should be able to figure it out more often than not. At least they could be working with SANS or someone else to identify virus/bot/other traffic and shut it down.

Post #429808
Posted Wednesday, December 5, 2007 3:35 PM
SSC Eights!
Group: General Forum Members
Steve Jones - Editor (12/5/2007)
The problem we had in the US is that a lot of ISPs put up a modem, but not a router. They were trying to charge a fee for every machine, not the connection. It hasn't worked terribly well and I'm surprised if anyone doesn't require a router these days.

Not stopping virus traffic is a problem. I think it becomes hard to tell sometimes what's legitimate and what's not, but they should be able to figure it out more often than not. At least they could be working with SANS or someone else to identify virus/bot/other traffic and shut it down.

When I signed up for Qwest's DSL, I got a wireless router from them. It is unfortunately mediocre quality, so I hooked up a Linksys wireless router on top of it. The combo seems to work well. I'm planning on eventually buying an Apple Airport base station, but not any time soon.

I've never understood why ISPs won't monitor their traffic for zombies. I would give odds that the public reason is "we don't have the bodies to do the monitoring" whereas the real reason is they don't want to lose the $20-50 a month a zombied customer represents. Obviously they don't care what the security costs are for the rest of the world, or, for that matter, the rest of their customers!
Post #429944
Posted Wednesday, December 5, 2007 3:44 PM
SSC-Dedicated
Group: Administrators
I tend to agree with Wayne. I think it's not necessarily in their interest. They certainly don't want to deal with customers getting shut off and then calling, incurring a support cost. Especially when the customer will expect them to explain what needs to be done to get their computer hooked back up!

Post #429948