Thoughts and observations about database and infrastructure architecture and security.
Monday, April 25, 2005
Friday, April 22, 2005
A new article on SecurityFocus talks about how two insiders inappropriately used their access to databases to get information they had no business retrieving. Both did so for purely personal reasons.
From a security perspective, this is always an issue. At some point you're going to have to trust a privileged few users. For instance, what's to stop the mail administrator from sending out an email as the CEO? What's to stop an administrator from resetting a password to gain unauthorized access to a set of files? Audit trails are effective in some cases, which is why we put them in place. However, technology only takes us so far. For instance, a best practice is to send security events to a separate system in case a particular server gets compromised. However, if an insider knows which system holds the backup logs, that person can overcome this security measure as well.
Unfortunately, there's no easy answer on this one. Background checks, thorough interviews, careful review of audit logs, multiple people in the process to get to sensitive data - all of these help protect an organization. But none of these are 100% foolproof. It's a sad but true fact of life.
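One technical control that narrows the "insider knows where the backup logs are" problem is a tamper-evident log chain: each forwarded record is keyed-hashed together with the previous record's tag, so an edit or deletion on the log host shows up at review time. The script below is an added example (not from the original post); it assumes the HMAC key is held by the auditor rather than on the log host, and the audit events are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed sample audit events (not from the article), as a log collector
# might receive them from a database server.
SAMPLE_EVENTS = [
    {"user": "dba1", "action": "SELECT", "object": "hr.salaries", "rows": 1},
    {"user": "dba1", "action": "SELECT", "object": "hr.salaries", "rows": 4500},
    {"user": "app_svc", "action": "UPDATE", "object": "sales.orders", "rows": 12},
]
GENESIS = "0" * 64  # stand-in for the tag preceding the first record


def build_chain(events, key):
    """Wrap each event in a record whose HMAC covers the event, its sequence
    number and the previous record's tag. Editing or removing any record
    therefore invalidates every tag after it. The key is assumed to live
    with the auditor, not on the log host an insider might reach."""
    records, prev_tag = [], GENESIS
    for seq, event in enumerate(events):
        body = json.dumps({"seq": seq, "prev": prev_tag, "event": event}, sort_keys=True)
        tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        records.append({"body": body, "tag": tag})
        prev_tag = tag
    return records


def verify_chain(records, key, expected_last=None):
    """Return (True, None) if the chain is intact, else (False, index) of the
    first record that fails. expected_last is the most recent tag recorded
    out of band (for example, sent to a second reviewer); without it a
    truncated chain still verifies, so pass it to detect dropped tail records."""
    prev_tag = GENESIS
    for i, rec in enumerate(records):
        body = json.loads(rec["body"])
        want = hmac.new(key, rec["body"].encode(), hashlib.sha256).hexdigest()
        if (not hmac.compare_digest(want, rec["tag"])
                or body["prev"] != prev_tag or body["seq"] != i):
            return False, i
        prev_tag = rec["tag"]
    if expected_last is not None and prev_tag != expected_last:
        return False, len(records)
    return True, None


if __name__ == "__main__":
    key = b"constructed-demo-key"
    chain = build_chain(SAMPLE_EVENTS, key)
    print(verify_chain(chain, key))                        # (True, None)
    print(verify_chain(chain[:1] + chain[2:], key))        # (False, 1): record removed
    print(verify_chain(chain[:2], key, chain[-1]["tag"]))  # (False, 2): tail dropped
```

The chain only makes tampering detectable; the people and process controls in the paragraph above are still what decide who gets to review it.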
Wednesday, April 13, 2005
There has been a report of a Jet database vulnerability which can be exploited by an attacker to execute code. It's due to a memory handling issue and can be exploited with a specially crafted .mdb file. Exploit code is available.
Monday, April 11, 2005
According to the C|Net article, Microsoft has missed its latest beta release of Visual Studio 2005 and SQL Server 2005. They were targeting the end of March. Thus far, SQL Server 2005 beta 3 has not come out. Microsoft has announced that SQL Server 2005 RTM slipped from the summer to 2H2005. I'm hoping they'll still make that date.
Friday, April 08, 2005
Thursday, April 07, 2005
Frank Kalis is someone I've traded many a forum post and private message with over at SQLServerCentral.com. In today's newsletter I read the great news that Frank had been selected as a SQL Server MVP. In addition to posting at SQLServerCentral.com, Frank also runs InsideSQL.de (German). Way to go, Frank!
Monday, April 04, 2005
Randy Dyess, a friend of mine and author of the Transact-SQL Language Reference, has penned a new article titled Common Transact-SQL Performance Coding Errors. Randy has a great deal of experience with Very Large Databases (VLDBs), and he covers the common and not-so-common errors in Transact-SQL usage that can affect query performance.
I sat in a briefing last year at Black Hat Las Vegas where numbers were cited for SPAM and phishing attacks. The phishing attacks were significantly more successful, even if they only were believed by a relatively small percentage of the receiving audience. The small percentages don't tell the whole story, though, because if you can get 1 out of 1,000 to bite, you still have got a fairly large number of users. A good site to keep up with the latest in phishing attacks is the Anti-Phishing Working Group.
As indicated in their February 2005 Phishing Activity Trends Report, the Anti-Phishing Working Group has noted an increased usage of IM and other non-email mechanisms to propagate these phishing attacks. There has been quite a bit of strong language against the use of IM in the workplace, and while it can be seen as a "work saver," there are enough security concerns around its use to consider deploying appropriate appliances to control usage or blocking it altogether. With IM being utilized increasingly as a mechanism to deliver viruses and phishing attacks, I'm wondering if a balance will be reached, much like with email, before most organizations start blocking IM, period.
Saturday, April 02, 2005
A friend and fellow co-worker, Jeremy Brown, has published his first professional article: Flexible DTS Packages with Perl. He takes a look at using Perl to create a DTS package in memory in order to perform data transfer operations.