Infrastructure Architecture

Closing down this blog

2006-07-20T18:38:00.000-04:00

I've done more posting on the SQL Server Central side and I've decided to focus my efforts there. You can read my future blog posts at:

http://blogs.sqlservercentral.com/blogs/brian_kelley/default.aspx

A Chronology of Data Breaches Reported Since the ChoicePoint Incident

2006-07-11T10:55:00.000-04:00

Found this link on one of the security mailing lists I peruse. You can find an archive of the original post here. Here is the link:

A Chronology of Data Breaches Reported Since the ChoicePoint Incident

This should be of interest to not only DBAs, but also system administrators, managers, HR personnel, etc. There are many ways data can be breached... it's not just an insecure database. Quite a few of these are equipment related (stolen backup tapes, stolen laptops, etc.) which underscore the human element. This is further reinforced by the incidents where fraudsters and scam artists have been to penetrate systems, usually through social engineering. Security isn't just a technology solution. It also has to include people solutions.

Microsoft Active Directory Webcasts

2006-07-11T07:46:00.000-04:00

If you're looking for a single link to take you to the majority of the Microsoft webcasts on Active Directory, here you go:

http://www.microsoft.com/events/series/adaug.mspx

I say majority because I think there were one or two I didn't see (Active Directory Disaster Recovery part 2 of 2, for instance).

New Article: SQL Server 2005 Logins

2006-07-05T08:56:00.000-04:00

I wrote a new article for SQL Server Central on SQL Server 2005 Logins. It covers the basics. This is the first in a series of articles on SQL Server 2005 security.

Microsoft Office 2007 Delayed

2006-06-29T22:38:00.000-04:00

It looks like Microsoft Office 2007 will be delayed due to performance issues. It was supposed to release in conjunction with Vista, but that's apparently not going to happen now.

Office 2007 Delayed Again (InternetNews.com)

I don't see anything on the Microsoft's PressPass portion of their web site, but I'm sure something will be posted there soon. This announcement is interesting given the very positive PressPass story from just a few days ago:

Put the Pedal to the Metal: Take the 2007 Microsoft Office System Out for a Spin

WinFS rolled into next version of SQL Server

2006-06-27T11:09:00.000-04:00

A blog posting from the WinFS team caught me a bit by surprise today. Apparently I wasn't the only one, judging by the comments. WinFS was supposed to give us a relational file system. There are security ramifications with doing that, as demonstrated in this video from BlueHat 2006 (from Channel 9), where the first part has a security program manager from WinFS talks about some of the things he learned.

However, when you consider what the benefits can be (a comment gives the example of deleting thousands of files and how long that takes... this would be near instantaneous with a properly implemented relational database structure), many folks were looking forward to getting WinFS. And Vista was supposed to deliver it. But then Microsoft made the announcement that WinFS wouldn't ship with Vista. Instead, it'd be stand-alone and it could be installed later. Now today we learn that it won't be shipped later. Mature parts of WinFS are being integrated into Katmai, the next version of SQL Server.

I'm still considering what all this means for SQL Server and for the OS. Certainly it's a loss on the OS side. We're not going to get that relational file structure we've been looking forward to. The venerable NTFS is going to have to plod on a bit longer. But on SQL Server's side, there certainly is gain. And with file integration, there is the potential to deal with BLOBs better. That makes sense given that Microsoft is trying to get more into the enterprise document management sector with Sharepoint Server 2007. But I know that integrating a file system hasn't always been as great as it sounds. Exchange Installable File System (ExIFS or just IFS) is an example. It sounded great in Exchange Server 2000, but they scaled it back in Exchange Server 2003. It'll be interesting to see how they make this work in Katmai.

Top 100 Network Security Tools

2006-06-26T13:56:00.000-04:00

This is a bit dated (it came out last week), but here is the list of the top 100 network security tools, as compiled from a survey by Fyodor:

http://SecTools.Org

Since Fyodor conducted the survey, nMap was disqualified, so you won't see it on the list. Most of the tools are well known and have been around for a while.

SANS Stay Sharp Course - SEC351: Computer and Network Security Awareness

2006-06-21T02:03:00.000-04:00

A few years ago I took the SANS GIAC Security Essentials Course on-line. Included in it was an attempt at the GSEC certification itself, something which I finished up. The GSEC certification is SANS' entry level certification, but it isn't an industry entry level certification, if that makes sense. I have found that information provided in the coursework for that certification has proven valuable in my day-to-day job working with servers and server security. This is definitely a course I recommend for anyone who is serious about hands-on security, not a management focus on security, like the CISSP. For those who aren't able to attend a class, there still exists the online option through SANS' OnDemand program. The GSEC coursework is found under SEC 401: SANS Security Essentials.

But what if you're not interested in a hardcore security course but you did want to become more knowledgeable on the subject? You may want to take a look at SANS' SEC351 offering, Computer and Network Security Awareness. It, too, is available on-line. The course is inexpensive and includes a free attempt at the SANS Stay Sharp Program - Computer and Network Security Awareness certificate (SSP-CNSA). This is a course you can go through in a few days without too much trouble and most certainly learn something from. When I took it as a member of the GIAC Awareness Council, I learned a couple of things myself. I will advise that the certificate attempt isn't required. And before you attempt it, review your notes from the course itself. Not all of the questions in the attempt were easy.

By the way, this course is good for any end user who wants to becomes more security aware. If you have someone in your family who doesn't understand phishing attacks, basic social engineering mechanisms, and the importance of keeping systems up-to-date with antivirus definitions and security patches, this course helps teach why. It is as applicable to the home user as the business user, possibly even more so.

SysInternals EULA Updated

2006-05-06T01:25:00.000-04:00

The SysInternals licensing has been updated on the SysInternals website. The new licensing is something you'll want to take a look at if you use these tools. There is a change with respect to "embedding" a SysInternals tool within another program, script, etc. You can find the new licensing agreement here:

http://www.sysinternals.com/Licensing.html

The portion that is catching everyone's attention is the following:

A commercial license is required to use the software in any way not covered above, including for example:

Redistributing the software in any manner, including by computer media, a file server, an email attachment, etc.
Embedding the software in or linking it to another program including internal applications, scripts, batch files, etc.
Use of the software for technical support on customer computers

The way I read this, if you use a script which calls a SysInternals product, you now need a commercial license. If that's the case, then something like the example given by Microsoft.com Operations would need just such a commercial license.

Scaling Out SQL Server 2005

2006-05-05T12:44:00.000-04:00

This article appeared just recently on MSDN.

Scaling Out SQL Server 2005

It's a relatively high level document which covers how to think about the data before going with a scale out solution, what factors impact a scale out solution (such as how often the data is updated), and what the main options are.

Going to TechEd 2006 in Boston!

2006-05-05T12:32:00.000-04:00

As of right now, it looks like I'm going to TechEd 2006 in Boston. If you're going to be there and want to meet up, let me know!

How Microsoft patches microsoft.com web servers

2006-05-01T23:15:00.000-04:00

Microsoft.com operations has posted an interesting blog entry on how they patch their web servers:

Scripting Patch Management of Enterprise Web Clusters on Microsoft.com

I found a few things interesting in all of this:

They are using Windows network load balancing instead of a 3rd party hardware load balancer. At least, they make no mention of such.
They aren't using a fancy patch management product like those from Shavlik or St. Bernard Software.
The core of their patching solution is a simple script written in VBScript.
They are using psexec from Sysinternals.

Sharing Internet Connections?

2006-04-30T17:53:00.000-04:00

This study out of the University of Illinois at Urbana-Champaign sounds great:

Software Allows Neighbors To Improve Internet Access At No Extra Cost

The way they are accomplishing higher throughput makes sense: use multiple paths. However, I'm not so sold on how secure this will necessarily be. The software has some allowances for security but basically it means willingly allowing another onto your private network. Don't get me wrong. Wireless as implemented in most homes isn't anywhere near to secure, however, I think this type of solution may present folks with a false sense of security: "This software handles security for me so I don't have to do anything else."

A couple of years ago I saw a presentation at Black Hat about how firewalls and the concepts we have for perimeter-based security models aren't going to cut it in the future (Keynote:
Thinking Outside the Box–Embracing Globalization). The trick then is to ensure each individual system is secure and that they talk with each other using secure mechanisms. While this may end up being the rule in the enterprise, I doubt the average home user is going to get to a point where he or she is going to be able to lock down a computer system to be reasonably secure in an environment such as this.

SQLServerCentral.com blogs are back up

2006-04-26T08:49:00.000-04:00

The SQLServerCentral.com blogs are back up at the following URL:

http://blogs.sqlservercentral.com/blogs/

I've begun posting SQL Server related entries again there.

Internet Explorer Vulnerability

2006-03-28T16:52:00.000-05:00

If you're using Internet Explorer, be advised Microsoft has released a
security advisory for Internet Explorer. This would allow an attacker
to run code under the context of the logged on user. The only
workaround is to disable active scripting, which isn't such a great
workaround because it breaks so many sites. You can find the Microsoft
Advisory here:

Microsoft Security advisory (917077)

There are a number of sites which are already using exploits for the
vulnerability, so if you haven't been lately, start practicing safe
browsing habits again. All that's required is a visit to activate the
exploit. If you're interested in potential patches, there are two out
by a couple of security companies. Neither fix the problem but instead
mask the vulnerability as fixing it would require changing Microsoft's
files. However, neither are supported by Microsoft (no big surprise).
Microsoft has previously said they plan on releasing an update on 4/11,
the normal monthly patch day, but who knows? They may move it up.
Read, consider risk, etc. As far as the two patches:

eEye Digital Security

Determina

And yes, this does affect up to Internet Explorer 7 beta.

Understand the threat...

2006-03-13T13:16:00.000-05:00

The following was an opening paragraph replying to the question of "How secure is a domain controller?"

Secure from what? Pick your risks and then make an assessment based on that. I have personally found that a fully patched Domain Controller is not secure from Denial of Service Attacks that involve a large truck running the DC over. May sound extreme but only you can really start to guess what your risks are and what you should start looking at.

The point made is a valid one: consider your threats and protect accordingly. Truth be told, we can run around in circles, chasing our tails, if we don't take the time to understand what we're protecting, what we need to protect it against, and the business factors that go into both of those things.

You can find the actual post here , in the archives for the ActiveDir (Active Directory) mailing list.

Mavericks don't make it

2006-02-18T14:37:00.000-05:00

One of the blogs I most enjoy reading is Life Beyond Code. This blog allows me to take off my technology hat and think about things like my career, my direction with information technology, and how to better develop not only my technical but also my personal and interpersonal skills. The posting "You don't have to go ALONE!" is one that is hard for me, but I understand the wisdom in what is being said.

Very little in our lives is about something we did alone, without a shred of help. This is especially true when it comes to our careers. Someone likely inspired us, challenged us, encouraged us, or gave us a helping hand for every major accomplishment we count in our lives. But we often don't think that way. We count them as personal accomplishments and that doesn't make a whole lot of sense. Therefore, it makes even less sense to try and plan and scope our careers without stopping to consider where we might obtain help.

For instance, once upon a time a guy by the name of Chad Silva, an airman in my unit in the US Air Force, introduced me to Active Server Pages and what you could do with an Microsoft Access back-end. We then got into SQL Server, then version 6.5, together. Truth be told, I was riding on his coattails, learning about all this great new technology. After all, my primary job was as a project manager, the Air Force in its infinite wisdom deciding that a guy with degrees in physics and mathematics and a professional background as a developer with Visual Basic experience was best suited managing computer contracts. Therefore, everything I dealt with technology wise was completely on the side. Chad kept feeding me the nuggets of new technology, keeping me from losing all hope and converting to the dark side known as project management.

Fast forward almost ten years. I write for SQLServerCentral.com and SQL Server Standard Magazine. I've been an infrastructure architect for an enterprise class organization for over four years. I penned an eBook on SQL Server performance monitoring. And Chad? He's a .NET architect with his organization, a multinational corporation. You won't likely find him on a Google search because Chad has been and probably always will be a very private person. However, for those who know him, he'll do just about anything to help them. If I have a question about anything programming related, Chad's the first guy I email or call on the phone. A lot of where I am today is due to my friend, Chad.

But Chad is only one of many people who have helped me to get where I am today. And I'm sure as others think about their own paths, they'll find a whole litany of people who helped them, too. Which brings up the critical question, "If we didn't get to where we are alone, why do we think we can get to where we want to go by ourselves?" That's enough to slap down any ego.

Reading List

2006-02-16T03:18:00.000-05:00

In the tradition of many others, I decided to add a reading list to my professional site. The reading list comprises those books I am currently reading. Folks like Steve Jones write reviews on quite a few of the books they read. I'm not sure if I have that kind of time, but I'll certainly post a review or two as a book warrants it.

My Reading List

Nmap 4.01 Released

2006-02-11T10:15:00.000-05:00

Nmap 4.0 released only a short time ago, but Fyodor indicated that there is already a 4.01 due to a few bugs. If you use this tool, take a look:

http://www.insecure.org/nmap/download.html

Reviews Section Added to Web Site

2006-02-09T00:53:00.000-05:00

I've been thinking about doing this for a whole and I finally got around to building a reviews section into the web site. There you'll find reviews on books, tools, training, and web sites as I get to writing them. I've posted an initial review of Microsoft's first eLearning security clinic. More to come in the days ahead.

My reviews

PromptSQL Review

2006-01-18T11:52:00.000-05:00

I had the opportunity recently to take a look at PromptSQL and offer a
review on it. That review hit SSC.com's front page today. If you're
interested in an inexpensive IntelliSense tool for Query Analyzer,
Visual Studio, or SQL Server Management Studio, take a look at the
review to get some information on this product.

PromptSQL Review

Awesome Interview on Windows Vista Kernel Architecture

2006-01-07T23:23:00.000-05:00

This actually premiered on Channel 9 right before Christmas. It is an interview with Rob Short, a Microsoft VP in charge of the team working on Vista's kernel architecture. With him are Darryl Havens, Richard Ward, and Rich Neves, all architects who work under him. The interview is quite candid about issues that have been experienced in the Windows kernel to date and how they are going about trying to fix the issues by laying out a roadmap of where they want to be and attacking the problems in small chunks. Listening to the compartmentalizing of the operating system and segmenting state better makes one appreciate the work that goes into making a robust operating system work. It's just short of 50 minutes long but well worth the time.

Going deep into Windows Vista's kernel architecture

Guidance on .WMF patch from Mike Nash, Microsoft Corporate VP

2006-01-05T15:54:00.000-05:00

There is a new posting from Mike Nash on the Microsoft Security Response Center blog:

http://blogs.technet.com/msrc/archive/2006/01/05/416980.aspx

Relevant quote:

So the thing that I know you are all wondering is what should I do? So here is my advice. If you are a consumer or a small business, you should use either Windows Update (or ideally Microsoft Update) to automatically install the update. If you are running Windows XP SP2, you are likely already at least using Windows Update or Automatic Update. If you are an enterprise customer, you should deploy the update as soon as is feasible. Put it through your testing process and get it deployed. With the update available today, you certainly have the choice of deploying now or waiting until your normal release process. If it were my decision, I would move up the schedule. That is what we are doing in our IT operation here at Microsoft.

Microsoft WMF Patch Releasing Today (out-of-cycle)

2006-01-05T15:21:00.000-05:00

Microsoft has announced they will release a security hotfix at 2 PM PST for the WMF design flaw. More details here:

Microsoft Security Bulletin Advance Notification

The number of exploits taking advantage of this design flaw are continuing to grow. Consider testing this patch immediately on non-production systems.

Basic Philosophy on Soldiering

2006-01-01T20:24:00.000-05:00

This is taken from the book About Face:The Odyssey of an American Warrior. The author is Col. David "Hack" Hackworth, one of the most decorated soldiers in the history of the United States. He served in post-WWII Europe in Trieste, spent two tours in Korea during the Korean War, was on the line in Germany during the Cold War, and fought in Viet Nam. He was described by many as a "soldier's soldier." Unfortunately, Hack passed away in May of 2005 due to cancer, possibly caused by Agent Blue, one of the defoilants like Agent Orange used in Viet Nam.

This basic philosophy of soldiering comes from one of Hack's commanders, Col. Glover S. Johns, whom Hack described as the finest senior infantry commander Hack had ever seen. Hack took these bullets from Col Johns' farewell speech. These are taken verbatim from Hack's book because I doubt I could write them any better.

Strive to be small things well.
Be a doer and a self-starter - aggressiveness and initiative are two most admired qualities in a leader - but you must also put your feet up and think.
Strive for self-improvement through constant self-evaluation.
Never be satisfied. Ask of any project, How can it be done better?
Don't overinspect or oversupervise. Allow your leaders to make mistakes in training, so they can profit from the errors and not make them in combat.
Keep the troops informed; telling them "what, how, and why" builds their confidence.
The harder the training, the more troops will brag.
Enthusiasm, fairness, and moral and physical courage - four of the most important aspects of leadership.
Showmanship - a vital technique of leadership.
The ability to speak and write well - two essential tools of leadership.
There is a salient difference between profanity and obscenity; while a leader employs profanity (tempered with discretion), he never uses obscenities.
Have consideration for others.
Yelling detracts from your dignity; take men aside to counsel them.
Understand and use judgment; know when to stop fighting for something you believe is right. Discuss and argue your point of view until a decision is made, and then support the decision wholeheartedly.
Stay ahead of your boss.

Most of these fit in with my own views of leadership from my four years at The Citadel and from my four years of active duty with the US Air Force. They also fit with many of the tenets my father taught me as I was growing up. He is a retired Marine GySgt and spent most of his career leading others in the NCO and staff NCO ranks. The profanity one I'd toss aside, but the rest definitely make up a great philosophy. This philosophy doesn't just apply to the military. It applies to leadership in any arena.

Antivirus Vendor Response Time

2005-12-29T12:06:00.000-05:00

Saw this on the Full-Disclosure mailing list. Interesting response times on the various AV product "vendors" out there. Not comprehensive, mind you, as some of the comments point out.

http://blogs.washingtonpost.com/securityfix/2005/12/antivirus_resea.html

Unpatched Microsoft Windows WMF Vulnerability

2005-12-28T09:05:00.000-05:00

If you haven't heard by now, there is an unpatched exploit in how Windows handles WMF files. Since this handling is done with System level privileges, you guessed it, complete control of the system. Secunia sent out an advisory this morning and I noticed that Sunbelt Software had posted about it in their blog.

Secunia Advisory
Sunbelt Software Blog (with example)

New version of HTTPrint available

2005-12-23T16:54:00.000-05:00

A new version of HTTPrint is available for download. As of this post, that version is 3.01 beta. If you aren't familiar with HTTPrint, it is a web server fingerprinting tool. One of those best practices out there is to deactivate the banner your web server would normally return in the RESPONSE header. However, even with the banner removed (or altered to look like something different... for instance, having an IIS server say it's an Apache server), there are fingerprinting techniques based on how different web servers behave to determine exactly what web server is being connected to. Yes, this can detect an IIS server fairly easy, even if you're using URLScan.

One of the reasons for the new version may be due to a security advisory. The banner coming back isn't properly sanitized before being inserted into an HTML report that HTTPrint generates. Therefore if someone has a web server with a banner specially crafted to be malicious, the report HTTPrint produces could be affected accordingly, meaning anyone viewing the report could be hit. The latest version fixes this problem.

Secunia advisory - httprint Server Banner Script Insertion and Denial of Service

Symantec Antivirus Vulnerability

2005-12-22T02:29:00.000-05:00

Symantec should be posting an advisory soon for a heap overflow issue when dealing with RAR archive files. The original notice about there being an issue was posted to the Full Disclosure mailing list.

Full Disclosure: Symantec Antivirus Library Remote Heap Overflows
Symantec Advisory: Symantec AntiVirus Decomposition Buffer Overflow

VMware Vulnerability

2005-12-21T21:16:00.000-05:00

There is a serious vulnerability in all versions of VMware except ESX server. Basically, in the affected versions, an attacker can escape the virtual machine in order to execute commands on the host. There is an update available from VMware to fix the issue.

Circumventing Group Policy...

2005-12-14T23:53:00.000-05:00

If you haven't read Mark Russunovich's latest blog post entitled Circumventing Group Policy as a Limited User and you're responsible for systems and/or security, you need to. This goes back to the concept of saying what is authorized as opposed to blocking what is not. The same issue we see on the network side, but now a problem on the systems side.

uPnP Denial of Service Vulnerability in Windows 2000

2005-11-19T15:11:00.000-05:00

Secunia offered a vulnerability announcement for Windows XP SP1 and Windows 2000. When a system running one of these operating systems requests a device list via RPC, the system is vulnerable to a potential Denial of Service attack.

The vulnerability announcement can be found here: http://secunia.com/advisories/17595/
Microsoft's Security Advisory is here: http://www.microsoft.com/technet/security/advisory/911052.mspx

The original write-up announcing the vulnerability is here: http://seclists.org/lists/vuln-dev/2005/Nov/0008.html
An addendum is here: http://seclists.org/lists/vuln-dev/2005/Nov/0007.html

Exploit code is in the write-up with the addendum containing a correction.

Good Article on Developing Stronger Passwords

2005-11-19T12:20:00.000-05:00

This paper was actually put on the SANS Reading Room site a while ago, however, I just recently read it because it came up for Honors designation. It gives some good ideas for how to create stronger passwords in order to help end users. While most see the days of simple passwords to secure systems and data coming to an end sooner than later, the paper is still a very good read.

http://www.sans.org/rr/whitepapers/authentication/1636.php

Windows 2000 AD - Terminal Services and ADSI

2005-09-27T17:02:00.000-04:00

To my chagrin I have discovered that the Terminal Services scripting functionality is only available with Windows 2003 directory services. Windows 2000 it's not native. Meaning trying to script profile migrations is a bear. There is a 3rd party product I'm going to check out, but it shouldn't be too hard for MS to release something to add this functionality to 2000.

OWASP Guide v2.0 Released

2005-07-27T10:18:00.000-04:00

The OWASP Guide v2.0 has been released. If you're not familiar with OWASP, take a gander at the OWASP home at http://www.owasp.org/.

It's a large document, I've only just begun going through this version. However, if you have web developers, pass this on to them!

SQL PASS Chapter in South Carolina

2005-07-15T10:37:00.000-04:00

If you are interested in helping to organize or be a part of an official Professional Association of SQL Server chapter in South Carolina, please let me know. There are several of us from Columbia, Greenwood, and Sumter/Hartsville attempting to start a chapter up.

You can contact me at bkelley [-at-] truthsolutions [-dot-] com. Make sure you have PASS (all uppercase) in the subject so I don't accidentally flag it as SPAM.

Thanks!

New from Microsoft: The Administrator Accounts Security Planning Guide

2005-07-08T16:34:00.000-04:00

Nothing earth-shattering, but if you're looking for backup on why you want to split out accounts, restrict privileged accounts, etc., this will give you more documentation.

The Administrator Accounts Security Planning Guide

Some Details on IE7

2005-04-25T17:01:00.000-04:00

A few details for IE 7 has been posted to the Internet Explorer weblog. The two mentioned are support for .PNG and fixing some CSS consistency issues.

Trusting Privileged Users

2005-04-22T16:57:00.000-04:00

A new article on SecurityFocus talks about how two insiders inappropriately used their access to databases to get information they had no business retrieving. Both did so for purely personal reasons.

From a security perspective, this is always an issue. At some point you're going to have to trust a privileged few users. For instance, what's to stop the mail administrator from sending out an email as the CEO? What's to stop an administrator from resetting a password to gain unauthorized access to a set of files? In some cases audit trails are effective. Hence the reason we put them into place. However, technology only takes us so far. For instance, a best practice is to send security events to a separate system in the event a particular server gets compromised. However, if an insider knows what system has the backup logs, that person can overcome this security measure.

Unfortunately, there's no easy answer on this one. Background checks, thorough interviews, careful review of audit logs, multiple people in the process to get to sensitive data - all of these help protect an organization. But none of these are 100% foolproof. It's a sad but true fact of life.

Critical Flaw in Jet Database

2005-04-13T08:44:00.000-04:00

There has been a report of a Jet database vulnerability which can be exploited by an attacker to execute code. It's due to a memory handling issue and can be exploited with a specially crafted .mdb file. Exploit code is available.

Current workaround: Don't open an untrusted file, even if it's an .mdb.

Still no new SQL Server 2005 beta

2005-04-11T16:53:00.000-04:00

According to the C|Net article, Microsoft has missed its latest beta release of Visual Studio 2005 and SQL Server 2005. They were targeting the end of March. Thus far, SQL Server 2005 beta 3 has not come out. Microsoft has announced that SQL Server 2005 RTM slipped from the summer to 2H2005. I'm hoping they'll still make that date.

Series on Finding and Patching SQL Server

2005-04-08T03:16:00.000-04:00

Chip Andrews, founder of SQLSecurity.com and co-author of SQL Server Security from McGraw Hill-Osborne (among other authoring credits) has written a two part series of patching SQL Servers. The first part is on how to locate SQL Servers in a given environment.

Frank Kalis - SQL Server MVP

2005-04-07T23:55:00.000-04:00

Frank Kalis is someone I've traded many a forum post and private message with over at SQLServerCentral.com. In today's newsletter I read the great news that Frank had been selected as a SQL Server MVP. In addition to posting at SQLServerCentral.com, Frank also runs InsideSQL.de (German). Way to go, Frank!

New T-SQL Performance Article by Randy Dyess

2005-04-04T09:54:00.000-04:00

Randy Dyess, a friend of mine and author of the Transact-SQL Language Reference, has penned a new article titled Common Transact-SQL Performance Coding Errors. Randy has a great deal of experience with Very Large Databases (VLDBs) and he covers the common and not-so-common errors in transact-sql usage which can affect query performance.

Phishing and IM usage

2005-04-04T09:35:00.000-04:00

I sat in a briefing last year at Black Hat Las Vegas where numbers were cited for SPAM and phishing attacks. The phishing attacks were significantly more successful, even if they only were believed by a relatively small percentage of the receiving audience. The small percentages don't tell the whole story, though, because if you can get 1 out of 1,000 to bite, you still have got a fairly large number of users. A good site to keep up with the latest in phishing attacks is the Anti-Phishing Working Group.

As indicated in their February 2005 Phishing Activity Trends Reports, the Anti-Phishing Working Group has noted an increased usage of IM and other non-email mechanisms to propogate these phishing attacks. There has been quite a bit of strong language against the use of IM in the workplace and while it can be seen as a "work saver," there are enough security concerns around its use to consider deploying appropriate appliances to control usage or blocking it altogether. With IM being utilized increasingly as a mechanism to deliver viruses and phishing attacks, I'm wondering if a balance will be reached, much like with email, before most organizations start blocking IM, period.

First Article!

2005-04-02T08:24:00.000-05:00

A friend and fellow co-worker, Jeremy Brown, has published his first professional article: Flexible DTS Packages with Perl. He takes a look at using Perl to create a DTS package in memory in order to perform data transfer operations.

News on the SQL Server Front?

2005-04-01T08:44:00.000-05:00

Steve Jones has this breaking article on SQL Server on Linux. Be sure to read the entire article, though.

HTTP/HTTPS Proxies

2005-03-25T14:25:00.000-05:00

With more and more applications becoming web-based, it's not unusual to have to break out an HTTP/HTTPS proxy for troubleshooting when issues come up. Packet traces are okay, and sometimes it's necessary to get down to that level, but often I just want to see the Request and Response headers as they are transmitted back and forth. Proxies which allow me to see the headers are great for troubleshooting at this level. Case in point, I was troubleshooting a web application last week where the web client was not sending a Request header to the server as expected. This involved a problem downloading a .PDF document over an SSL connection. Ultimately, a modification to the cache-control header was required.

When it comes time to do pen-testing, proxies that allow the Request header to be modified are valuable tools. Even if a developer uses POST to try and "hide" or "control" what is going back to the server, such a proxy allows an attacker to easily manipulate the Request header to send back whatever data is desired. Truth be told, a quickly modified web page can do the same, but that requires a teeny bit more work. The point is that if an application can't handle a manipulated request properly, the owner of that application has a problem. A recent case of this involves PayMaxx, who shut down its online W2 services after a customer demonstrated he could get to other W2s in the system simply by changing an ID number. As a matter of fact, modifying values for the Request field is one of the "tests" in OWASP's WebGoat application. WebGoat is a teaching tool designed to show web application weaknesses by allowing an individual to learn about and then practice exploiting a weakness.

The only reason I bring this up is as I was cycling through the blogs I keep track of, I found a new HTTP proxy tool, Fiddler. It looks like it allows some scripting and has a nice interface. I'll have to play with it some more. One thing it does not do, as of yet, is support HTTPS. The proxy I use is Achilles, which does support HTTPS. It also allows me to change the Request header, etc., and it's the one I used in my troubleshooting that .PDF download over SSL.

Security Updates for Mozilla Firefox and Thunderbird

2005-03-25T00:18:00.000-05:00

If you use Firefox, Mozilla, or Thunderbird, check the Mozilla site for important security updates. Firefox and Thunderbird should be updated to version 1.0.2 and Mozilla to 1.7.6.

Secunia security advisories:

SA14654 - Mozilla Firefox Three Vulnerabilities (24 March 2005) - Highly Critical
SA14684 - Mozilla Security Bypass and Buffer Overflow Vulnerabilities (24 March 2005) - Highly Critical
SA14685 - Mozilla Thunderbird GIF Image Processing Buffer Overflow Vulnerability (24 March 2005) - Highly Critical

New Article: Securing SQL Backups

2005-03-24T11:37:00.000-05:00

Probably should be titled just Securing Backups. High-level (business) article on how to protect your backups.

SQL Server Security: Securing SQL Backups