Click here to monitor SSC
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


A Welcome Intruder


A Welcome Intruder

Author
Message
Steve Jones
Steve Jones
SSC-Forever
SSC-Forever (41K reputation)SSC-Forever (41K reputation)SSC-Forever (41K reputation)SSC-Forever (41K reputation)SSC-Forever (41K reputation)SSC-Forever (41K reputation)SSC-Forever (41K reputation)SSC-Forever (41K reputation)

Group: Administrators
Points: 41808 Visits: 18876
Comments posted to this topic are about the item A Welcome Intruder

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
SQLRNNR
SQLRNNR
SSC-Insane
SSC-Insane (23K reputation)SSC-Insane (23K reputation)SSC-Insane (23K reputation)SSC-Insane (23K reputation)SSC-Insane (23K reputation)SSC-Insane (23K reputation)SSC-Insane (23K reputation)SSC-Insane (23K reputation)

Group: General Forum Members
Points: 23373 Visits: 18271
I have participated in penetration testing on occasion helping to penetrate and test security. It's fun and scary at the same time. Always take the findings and report them up the chain of command.



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw

LutzM
LutzM
SSCertifiable
SSCertifiable (7.8K reputation)SSCertifiable (7.8K reputation)SSCertifiable (7.8K reputation)SSCertifiable (7.8K reputation)SSCertifiable (7.8K reputation)SSCertifiable (7.8K reputation)SSCertifiable (7.8K reputation)SSCertifiable (7.8K reputation)

Group: General Forum Members
Points: 7773 Visits: 13559
I've participated in intrusion/penetration tests, too.

We thought we were in a good shape until the person we got in to perform the test found a piece of software on our system which had silently installed SQL2000 as a back end with login and pwd widely spread across the internet. Even worse, this login had privileges to run xp_cmdshell and could not be altered.

Within a few seconds he had his own login at the system with admin privileges. He asked us if he should escalate to domain admin privileges...

That stuff was way beyond just being scary. Consequence: A few days later the software in question got upgraded to a SQL2005 backend with locked down privileges.

The positive parts about it: any approach to break into our system from the outside failed (And I expect that guy tried more than just the "simple ways"...). And we've learned how to look for such holes and close it.



Lutz
A pessimist is an optimist with experience.

How to get fast answers to your question
How to post performance related questions
Links for Tally Table , Cross Tabs and Dynamic Cross Tabs , Delimited Split Function
mpa
mpa
Forum Newbie
Forum Newbie (3 reputation)Forum Newbie (3 reputation)Forum Newbie (3 reputation)Forum Newbie (3 reputation)Forum Newbie (3 reputation)Forum Newbie (3 reputation)Forum Newbie (3 reputation)Forum Newbie (3 reputation)

Group: General Forum Members
Points: 3 Visits: 162
We have an external company doing security audits on all external facing systems every three months. Sure, it's canned tests with some manual follow up on potential holes, but it's better than nothing, and they've certainly helped us close several holes in security - including SQL injection on some VERY old web sites. New exploits pop up all the time so it's important to do regular testing I think.

A couple time we've also had a consultant "attack" some very important websites, to ensure that no one could get to restricted information.
majorbloodnock
majorbloodnock
Ten Centuries
Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)

Group: General Forum Members
Points: 1171 Visits: 3062
I certainly do perform various tests on our application, database and infrastructure security, but I only see that as the first layer. I'm not a security expert, so my coding, my administration and my testing can only find issues to a certain level. That's good as a means for ensuring we're consistently following best practice, and it's an effective first pass. However, for many of our applications - and particularly anything public-facing - we follow up that first pass with something more rigorous from true experts in that field.

As has been said many a time before, security is a matter of layers. In my opinion, so should the testing be.

Semper in excretia, sumus solum profundum variat
GSquared
GSquared
SSCoach
SSCoach (16K reputation)SSCoach (16K reputation)SSCoach (16K reputation)SSCoach (16K reputation)SSCoach (16K reputation)SSCoach (16K reputation)SSCoach (16K reputation)SSCoach (16K reputation)

Group: General Forum Members
Points: 16497 Visits: 9729
PCI compliance (https://www.pcisecuritystandards.org/) requires periodic scanning by a third party for common/known security issues. We don't store any credit card information, but we still have to get the scans done for compliance purposes. It's essentially penetration testing.

We were also attacked by Annonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.

- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Steve Jones
Steve Jones
SSC-Forever
SSC-Forever (41K reputation)SSC-Forever (41K reputation)SSC-Forever (41K reputation)SSC-Forever (41K reputation)SSC-Forever (41K reputation)SSC-Forever (41K reputation)SSC-Forever (41K reputation)SSC-Forever (41K reputation)

Group: Administrators
Points: 41808 Visits: 18876
GSquared (12/2/2011)


We were also attacked by Annonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.


Good for you. A few others were not as lucky.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
IMHO
IMHO
Old Hand
Old Hand (315 reputation)Old Hand (315 reputation)Old Hand (315 reputation)Old Hand (315 reputation)Old Hand (315 reputation)Old Hand (315 reputation)Old Hand (315 reputation)Old Hand (315 reputation)

Group: General Forum Members
Points: 315 Visits: 276
The easiest way to penetrate a system is to have the password. As long there are phones out there with rootkits capturing urls and keystrokes, none of our systems are truly secure.
richj-826679
richj-826679
SSC Rookie
SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)SSC Rookie (43 reputation)

Group: General Forum Members
Points: 43 Visits: 152
IMHO (12/2/2011)
The easiest way to penetrate a system is to have the password. As long there are phones out there with rootkits capturing urls and keystrokes, none of our systems are truly secure.


No need to have such technical expertise. Social means, like calling users feigning that you're from IT and requesting user/pwd info is frighteningly effective.

On the flipside, it's also very effective for SAs and DBAs to have automated scanners check your logs every few minutes for errors, like, oh, I don't know, login failures. If anything, it allows me to continue putting down "DB monitoring" into my timesheet without being questioned after catching the penetration testers. :-)

Rich
jay-h
jay-h
Ten Centuries
Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)Ten Centuries (1.2K reputation)

Group: General Forum Members
Points: 1163 Visits: 2257
Steve Jones - SSC Editor (12/2/2011)
GSquared (12/2/2011)


We were also attacked by Annonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.


Good for you. A few others were not as lucky.


I'm not sure how anyone would actually know they were unsuccessfully attacked by anonymous. There are plenty of wannabes out there. The only real way to tell is if the attacker is actually unmasked and investigated.

...

-- FORTRAN manual for Xerox Computers --
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search