SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


A Welcome Intruder


A Welcome Intruder

Author
Message
Steve Jones
Steve Jones
SSC Guru
SSC Guru (65K reputation)SSC Guru (65K reputation)SSC Guru (65K reputation)SSC Guru (65K reputation)SSC Guru (65K reputation)SSC Guru (65K reputation)SSC Guru (65K reputation)SSC Guru (65K reputation)

Group: Administrators
Points: 65209 Visits: 19118
Comments posted to this topic are about the item A Welcome Intruder

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
SQLRNNR
SQLRNNR
SSC-Dedicated
SSC-Dedicated (33K reputation)SSC-Dedicated (33K reputation)SSC-Dedicated (33K reputation)SSC-Dedicated (33K reputation)SSC-Dedicated (33K reputation)SSC-Dedicated (33K reputation)SSC-Dedicated (33K reputation)SSC-Dedicated (33K reputation)

Group: General Forum Members
Points: 33416 Visits: 18560
I have participated in penetration testing on occasion helping to penetrate and test security. It's fun and scary at the same time. Always take the findings and report them up the chain of command.



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw

LutzM
LutzM
SSChampion
SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)SSChampion (10K reputation)

Group: General Forum Members
Points: 10643 Visits: 13559
I've participated in intrusion/penetration tests, too.

We thought we were in a good shape until the person we got in to perform the test found a piece of software on our system which had silently installed SQL2000 as a back end with login and pwd widely spread across the internet. Even worse, this login had privileges to run xp_cmdshell and could not be altered.

Within a few seconds he had his own login at the system with admin privileges. He asked us if he should escalate to domain admin privileges...

That stuff was way beyond just being scary. Consequence: A few days later the software in question got upgraded to a SQL2005 backend with locked down privileges.

The positive parts about it: any approach to break into our system from the outside failed (And I expect that guy tried more than just the "simple ways"...). And we've learned how to look for such holes and close it.



Lutz
A pessimist is an optimist with experience.

How to get fast answers to your question
How to post performance related questions
Links for Tally Table , Cross Tabs and Dynamic Cross Tabs , Delimited Split Function
mpa
mpa
Forum Newbie
Forum Newbie (3 reputation)Forum Newbie (3 reputation)Forum Newbie (3 reputation)Forum Newbie (3 reputation)Forum Newbie (3 reputation)Forum Newbie (3 reputation)Forum Newbie (3 reputation)Forum Newbie (3 reputation)

Group: General Forum Members
Points: 3 Visits: 162
We have an external company doing security audits on all external facing systems every three months. Sure, it's canned tests with some manual follow up on potential holes, but it's better than nothing, and they've certainly helped us close several holes in security - including SQL injection on some VERY old web sites. New exploits pop up all the time so it's important to do regular testing I think.

A couple time we've also had a consultant "attack" some very important websites, to ensure that no one could get to restricted information.
majorbloodnock
majorbloodnock
SSCommitted
SSCommitted (1.5K reputation)SSCommitted (1.5K reputation)SSCommitted (1.5K reputation)SSCommitted (1.5K reputation)SSCommitted (1.5K reputation)SSCommitted (1.5K reputation)SSCommitted (1.5K reputation)SSCommitted (1.5K reputation)

Group: General Forum Members
Points: 1519 Visits: 3062
I certainly do perform various tests on our application, database and infrastructure security, but I only see that as the first layer. I'm not a security expert, so my coding, my administration and my testing can only find issues to a certain level. That's good as a means for ensuring we're consistently following best practice, and it's an effective first pass. However, for many of our applications - and particularly anything public-facing - we follow up that first pass with something more rigorous from true experts in that field.

As has been said many a time before, security is a matter of layers. In my opinion, so should the testing be.

Semper in excretia, sumus solum profundum variat
GSquared
GSquared
SSC-Insane
SSC-Insane (24K reputation)SSC-Insane (24K reputation)SSC-Insane (24K reputation)SSC-Insane (24K reputation)SSC-Insane (24K reputation)SSC-Insane (24K reputation)SSC-Insane (24K reputation)SSC-Insane (24K reputation)

Group: General Forum Members
Points: 24453 Visits: 9730
PCI compliance (https://www.pcisecuritystandards.org/) requires periodic scanning by a third party for common/known security issues. We don't store any credit card information, but we still have to get the scans done for compliance purposes. It's essentially penetration testing.

We were also attacked by Annonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.

- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread

"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
Steve Jones
Steve Jones
SSC Guru
SSC Guru (65K reputation)SSC Guru (65K reputation)SSC Guru (65K reputation)SSC Guru (65K reputation)SSC Guru (65K reputation)SSC Guru (65K reputation)SSC Guru (65K reputation)SSC Guru (65K reputation)

Group: Administrators
Points: 65209 Visits: 19118
GSquared (12/2/2011)


We were also attacked by Annonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.


Good for you. A few others were not as lucky.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
IMHO
IMHO
Old Hand
Old Hand (356 reputation)Old Hand (356 reputation)Old Hand (356 reputation)Old Hand (356 reputation)Old Hand (356 reputation)Old Hand (356 reputation)Old Hand (356 reputation)Old Hand (356 reputation)

Group: General Forum Members
Points: 356 Visits: 284
The easiest way to penetrate a system is to have the password. As long there are phones out there with rootkits capturing urls and keystrokes, none of our systems are truly secure.
richj-826679
richj-826679
Valued Member
Valued Member (61 reputation)Valued Member (61 reputation)Valued Member (61 reputation)Valued Member (61 reputation)Valued Member (61 reputation)Valued Member (61 reputation)Valued Member (61 reputation)Valued Member (61 reputation)

Group: General Forum Members
Points: 61 Visits: 152
IMHO (12/2/2011)
The easiest way to penetrate a system is to have the password. As long there are phones out there with rootkits capturing urls and keystrokes, none of our systems are truly secure.


No need to have such technical expertise. Social means, like calling users feigning that you're from IT and requesting user/pwd info is frighteningly effective.

On the flipside, it's also very effective for SAs and DBAs to have automated scanners check your logs every few minutes for errors, like, oh, I don't know, login failures. If anything, it allows me to continue putting down "DB monitoring" into my timesheet without being questioned after catching the penetration testers. :-)

Rich
jay-h
jay-h
SSCommitted
SSCommitted (2K reputation)SSCommitted (2K reputation)SSCommitted (2K reputation)SSCommitted (2K reputation)SSCommitted (2K reputation)SSCommitted (2K reputation)SSCommitted (2K reputation)SSCommitted (2K reputation)

Group: General Forum Members
Points: 1963 Visits: 2337
Steve Jones - SSC Editor (12/2/2011)
GSquared (12/2/2011)


We were also attacked by Annonymous a while back, but when they failed to accomplish anything, they changed targets. I guess that counts too.


Good for you. A few others were not as lucky.


I'm not sure how anyone would actually know they were unsuccessfully attacked by anonymous. There are plenty of wannabes out there. The only real way to tell is if the attacker is actually unmasked and investigated.

...

-- FORTRAN manual for Xerox Computers --
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search