Expect an Attack
Posted Tuesday, June 23, 2009 9:55 PM


SSC-Dedicated
Group: Administrators
Last Login: Yesterday @ 5:38 PM
Points: 31,368, Visits: 15,834
Comments posted to this topic are about the item Expect an Attack

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #740728
Posted Wednesday, June 24, 2009 6:36 AM


Say Hey Kid
Group: General Forum Members
Last Login: Today @ 6:28 AM
Points: 680, Visits: 6,855
Steve -
Microsoft does keep people aware of some of the vectors. Note the Patch Tuesday every month.
They also publish some info; I don't know if you've browsed these.
http://msdn.microsoft.com/en-us/practices/default.aspx

A couple of weeks ago there was a free online seminar (6 hours of a 5 day course) on Ethical Hacking.
Good overview and demonstrations of some of the techniques used.
http://www.nhmn.com/Courses/CrsSearchResults.aspx?ST=Q&S=false&T=hacking

A lot of information isn't published, or not published until after a fix is available.
Knowing how things work, and break, is part of being a good developer.
I like to see live demos, along with examples of how to fix the issue.
And they always impress that keeping current on patches is a big part of being safe.
Greg E
Post #740979
Posted Wednesday, June 24, 2009 7:24 AM


Ten Centuries
Group: General Forum Members
Last Login: Tuesday, December 16, 2014 9:58 PM
Points: 1,207, Visits: 928
Steve, I must say that SQL Server's security is good. When I load logins I tick "Enforce password policy", and I have had users come to me many times complaining that they can't log in. When I check their logins I see that they have been locked out. I tested this and saw that after the third unsuccessful login the account is locked out. Now, I am not saying I will never be hacked, because I believe that a chain is only as strong as its weakest link.

Manie Verster
Developer
Johannesburg
South Africa

I can do all things through Christ who strengthens me. - Holy Bible
I am a man of fixed and unbending principles, the first of which is to be flexible at all times. - Everett McKinley Dirksen (Well, I am trying. - Manie Verster)
Post #741015
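The post above relies on the "Enforce password policy" tick box. The following T-SQL is an added example, not code from the thread, that lets a DBA audit which SQL-authenticated logins actually have that option on and which are currently locked out, and then fix a login without disabling the policy. It assumes SQL Server 2005 or later; `app_login` and the password are placeholders. The lockout threshold and duration are not SQL Server settings: with CHECK_POLICY on, SQL Server applies the Windows account lockout policy of the host.

```sql
-- Added example (not from the thread): audit SQL Server authentication logins
-- for the "Enforce password policy" setting and list any that are locked out.
-- Run in SSMS against the instance; login names below are placeholders.
SELECT  l.name,
        l.is_policy_checked,                                -- "Enforce password policy"
        l.is_expiration_checked,                            -- "Enforce password expiration"
        l.is_disabled,
        LOGINPROPERTY(l.name, 'IsLocked')         AS is_locked,
        LOGINPROPERTY(l.name, 'LockoutTime')      AS lockout_time,
        LOGINPROPERTY(l.name, 'BadPasswordCount') AS bad_password_count,
        LOGINPROPERTY(l.name, 'BadPasswordTime')  AS bad_password_time,
        LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS password_last_set
FROM    sys.sql_logins AS l
WHERE   l.name NOT LIKE '##%'                               -- skip internal certificate-based logins
ORDER BY l.is_policy_checked, l.name;                       -- unprotected logins float to the top

-- Turn the policy on for a login that was created without it.
-- CHECK_EXPIRATION requires CHECK_POLICY; 'app_login' is a placeholder name.
ALTER LOGIN app_login WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- When the policy locks a login after repeated bad passwords (the threshold
-- comes from the Windows account lockout policy), unlock it by setting a new
-- password rather than switching the policy off and back on.
ALTER LOGIN app_login WITH PASSWORD = N'<new strong password placeholder>' UNLOCK;
```

The first query is the one worth scheduling: a login created by an installer with `CHECK_POLICY = OFF` never locks out, however many bad passwords it sees, and the only way to notice is to look at `is_policy_checked`.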
Posted Wednesday, June 24, 2009 10:08 AM
SSCrazy
Group: General Forum Members
Last Login: Wednesday, December 17, 2014 9:58 AM
Points: 2,281, Visits: 4,241
Just in today's news:
$9.75 million settlement related to a massive data theft that occurred at the parent company of T.J. Maxx and Marshall's more than two years ago. Under the settlement with a multistate group of 41 attorneys general, TJX also must certify that its computer system meets detailed data-security requirements specified by the states and must encourage the development of new technologies to address weaknesses in the U.S. payment card system.


http://www.chicagotribune.com/business/chi-wed-tjx-data-breach-0624-jun24,0,1332734.story


SQL = Scarcely Qualifies as a Language
Post #741164
Posted Wednesday, June 24, 2009 10:39 AM


SSC-Dedicated
Group: Administrators
Last Login: Yesterday @ 5:38 PM
Points: 31,368, Visits: 15,834
Microsoft and others do publish information, but you have to dig for it. The biggest issue I see is that their sample apps are often cut down, and don't always include great coding. That's not universal, and they have some good frameworks, but not all of them.

Any code they put out should be well written, not slapped together.


Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #741198
Posted Wednesday, June 24, 2009 11:31 AM


SSC Eights!
Group: General Forum Members
Last Login: Monday, November 2, 2009 8:46 AM
Points: 875, Visits: 313
Carl Federl (6/24/2009)
Just in today's news:
$9.75 million settlement related to a massive data theft that occurred at the parent company of T.J. Maxx and Marshall's more than two years ago. Under the settlement with a multistate group of 41 attorneys general, TJX also must certify that its computer system meets detailed data-security requirements specified by the states and must encourage the development of new technologies to address weaknesses in the U.S. payment card system.


http://www.chicagotribune.com/business/chi-wed-tjx-data-breach-0624-jun24,0,1332734.story

SQL = Scarcely Qualifies as a Language


I love your tag line! I had not seen that before.
Post #741228
Posted Wednesday, June 24, 2009 11:40 AM
SSC Rookie
Group: General Forum Members
Last Login: Wednesday, October 21, 2009 12:47 PM
Points: 49, Visits: 130
The way I see it, you should never rely on a vendor for security. Whether that is Microsoft or Barracuda, ultimately all vendors' systems can be hacked, so it is your responsibility to plan for the worst.

First, map your data flow. If your database isn't for your website, it should be isolated from the outside. VLANs are great for this; isolate your data to its own network that has no outside access. Even a web db shouldn't have web access; your web application can request data from your db network, but that should be the only thing able to connect to it. I know a lot of applications are primitively written and can only work within the local domain, but that really exposes that your application is badly written and probably has other security flaws.

Second, talk with your software developers. I did a data migration from D3 to SQL a few months back and the software developer wanted me to expose my sql data port, so he could easily connect to my DB. I nearly choked on my yogurt. A VPN obviously was the better option. Nonetheless, a lot of software developers will do questionable things because they don't want to disturb what they perceive as your business environment, in other words, they work around the problems. Ask your developer how their software works, and ask them what they think is the best method. Often they don't really know, but sometimes they do.

Third, patching is an ugly but necessary task. Schedule one Tuesday every month to test patches. I can't count the number of times that security patches have broken my apps, so you must set up a virtual environment and test those patches before you roll them out. You can't wait and say, "I will do it Friday or next week"; just set aside that one special Tuesday for testing all patches, M$ or other. Unless you are in the middle of a data recovery, you should have time.

Your biggest threat isn't the single hacker, it is the many. I see Chinese net cafes sniffing at my walls every day; while 99.9% of them are amateur script kiddies who couldn't crack a flash app, that .1% is still pretty numerous. Look into multi-layered defenses. OpenDNS and similar services will help stem the flood, but then follow that up with a properly configured firewall. Don't trust your users, so filter outbound traffic as closely as you do inbound. Make sure the individual station is secure, and I don't mean installing anti-virus apps. If the anti-virus app is successful, you have failed at your job. If you can, lock down users' stations and require them to store everything on a central file server. You should be able to blow up the user's computer and restore them to a new one without them being able to notice the difference.
Post #741235
Posted Wednesday, June 24, 2009 5:12 PM
Valued Member
Group: General Forum Members
Last Login: Tuesday, December 9, 2014 3:09 PM
Points: 54, Visits: 172
Great movie graphic Steve. At the time the movie had cutting edge technology but it really looks ancient now. Hack the Planet! Hack the Planet!

Post #741444
Posted Wednesday, June 24, 2009 6:37 PM
SSC-Enthusiastic
Group: General Forum Members
Last Login: Thursday, September 19, 2013 2:00 PM
Points: 183, Visits: 479
Books, articles, and forum examples are chock full of extremely insecure practices. Add comments warning about bad practices and point the readers to where they can find good examples to work from.

I'm a regular participant on www.asp.net and a huge percentage of the programmers who ask questions (and not a few who answer them) show that they have absolutely no awareness of sql injection attacks. Not what they are, not how they work, and most certainly how not to code to avoid them.

Much of this is due to the bad security practices in the sample code they learn from.
Post #741465
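The post above is about sample code that teaches SQL injection by example. As an added illustration, not code from the thread or from any of the sample sources it mentions, here is the same lookup written in T-SQL both the way much sample code writes it (string concatenation into dynamic SQL) and the hardened way (`sp_executesql` with a typed parameter). The table, column and test value are constructed for the example; it assumes SQL Server 2008 or later for the `DECLARE ... = ` initialisers.

```sql
-- Added example (not from the thread): one lookup, vulnerable and hardened.
-- Table and data are constructed for the illustration.
IF OBJECT_ID(N'dbo.Customers') IS NOT NULL DROP TABLE dbo.Customers;
CREATE TABLE dbo.Customers
(
    CustomerId int IDENTITY(1,1) PRIMARY KEY,
    LastName   nvarchar(100) NOT NULL
);
INSERT INTO dbo.Customers (LastName) VALUES (N'Smith'), (N'O''Brien');

-- A perfectly legitimate value as it would arrive from a user: it contains
-- an apostrophe, the character that breaks concatenated SQL.
DECLARE @search nvarchar(100) = N'O''Brien';

-- 1) Vulnerable: the value is pasted into the statement text, so any quote
--    character in it is parsed as SQL. With this input the statement simply
--    fails to parse; a crafted value could change what the query does instead.
DECLARE @unsafe nvarchar(max) =
    N'SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = '''
    + @search + N'''';
BEGIN TRY
    EXEC (@unsafe);
END TRY
BEGIN CATCH
    -- Shows the parse error the concatenated version produces for O'Brien.
    SELECT ERROR_MESSAGE() AS unsafe_version_error;
END CATCH;

-- 2) Hardened: sp_executesql keeps the statement text fixed and hands the
--    value over as a typed parameter, so the engine never parses it as SQL.
--    Returns the O'Brien row, and a plan cache entry that is reused.
DECLARE @safe nvarchar(max) =
    N'SELECT CustomerId, LastName FROM dbo.Customers WHERE LastName = @p';
EXEC sys.sp_executesql @safe, N'@p nvarchar(100)', @p = @search;

-- 3) Identifiers (table or column names) cannot be parameters. If one must be
--    dynamic, check it exists and wrap it with QUOTENAME so it is always
--    treated as a delimited identifier, never as code.
DECLARE @table sysname = N'Customers';
IF OBJECT_ID(N'dbo.' + QUOTENAME(@table)) IS NOT NULL
    EXEC (N'SELECT COUNT(*) AS row_count FROM dbo.' + QUOTENAME(@table));
```

The same rule applies one layer up: the ASP.NET code calling the database should pass values through `SqlParameter` objects, never through string concatenation, and the stored procedures it calls should use `sp_executesql` as in part 2 whenever they have to build SQL at run time.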