Expect an Attack


  • Steve -

    Microsoft does keep people aware of some of the vectors. Note the Patch Tuesday every month. :w00t:

    They also publish some info, don't know if you've browsed these.

    http://msdn.microsoft.com/en-us/practices/default.aspx

    A couple of weeks ago there was a free online seminar (6 hours of a 5 day course) on Ethical Hacking.

    Good overview and demonstrations of some of the techniques used.

    http://www.nhmn.com/Courses/CrsSearchResults.aspx?ST=Q&S=false&T=hacking

    A lot of information isn't published, or not published until after a fix is available.

    Knowing how things work, and break, is part of being a good developer.

    I like to see live demos, along with examples of how to fix the issue.

    And they always impress that keeping current on patches is a big part of being safe.

    Greg E

  • Steve, I must say that SQL Server's security is good. When I load logins I tick "Enforce password policy" and I had users many times come to me complaining that they can't log in. When I check their logins I see that they have been locked out. I tested this and saw that after the third unsuccessful login the account is locked out. Now, I am not saying I will never be hacked because I believe that a chain is only as strong as its weakest link. ;-)

    :-P
    Manie Verster
    Developer
    Johannesburg
    South Africa

    I can do all things through Christ who strengthens me. - Holy Bible
    I am a man of fixed and unbending principles, the first of which is to be flexible at all times. - Everett McKinley Dirksen (Well, I am trying. - Manie Verster)
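The lockout behaviour described in the post, as an added T-SQL example that is not from the original post or from Microsoft's documentation. Two caveats a DBA should know: CHECK_POLICY makes SQL Server apply the Windows password policy of the machine (or domain) it runs on, so the "three attempts" threshold comes from that policy's account lockout setting, not from SQL Server itself; and the login name and password below are placeholders.

```sql
-- Added example (not from the original post): create a SQL login that is
-- subject to the Windows password policy, then find and unlock locked logins.
-- 'app_reader' and the password are placeholders for this demonstration.
CREATE LOGIN app_reader
    WITH PASSWORD = 'Pl@ceholder-Only-Change-Me!',
         CHECK_POLICY = ON,        -- apply the Windows complexity and lockout policy
         CHECK_EXPIRATION = ON;    -- also enforce password ageing from that policy
GO

-- Which SQL logins Windows has currently locked out, with the attempt history.
-- LOGINPROPERTY returns sql_variant, hence the CONVERT in the WHERE clause.
SELECT name,
       LOGINPROPERTY(name, 'LockoutTime')       AS lockout_time,
       LOGINPROPERTY(name, 'BadPasswordCount')  AS bad_password_count,
       LOGINPROPERTY(name, 'BadPasswordTime')   AS bad_password_time
FROM sys.sql_logins
WHERE is_policy_checked = 1
  AND CONVERT(int, LOGINPROPERTY(name, 'IsLocked')) = 1
ORDER BY lockout_time DESC;

-- Unlock one login only after confirming the failed attempts were the user's own.
-- UNLOCK has to be combined with PASSWORD in ALTER LOGIN.
ALTER LOGIN app_reader WITH PASSWORD = 'Pl@ceholder-Only-Change-Me!' UNLOCK;
```

Run the SELECT before unlocking anyone: a lockout with a bad_password_time that does not match the user's own story, or a bad_password_count that keeps climbing on a service login, is exactly the "expect an attack" signal the editorial is about.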

  • Just in today's news:

    $9.75 million settlement related to a massive data theft that occurred at the parent company of T.J. Maxx and Marshall's more than two years ago. Under the settlement with a multistate group of 41 attorneys general, TJX also must certify that its computer system meets detailed data-security requirements specified by the states and must encourage the development of new technologies to address weaknesses in the U.S. payment card system.

    http://www.chicagotribune.com/business/chi-wed-tjx-data-breach-0624-jun24,0,1332734.story

    SQL = Scarcely Qualifies as a Language

  • Microsoft and others do publish information, but you have to dig for it. The biggest issue I see is that their sample apps are often cut down, and don't always include great coding. That's not universal, and they have some good frameworks, but not all of them.

    Any code they put out should be well written, not slapped together.

  • Carl Federl (6/24/2009)
    Just in today's news:

    $9.75 million settlement related to a massive data theft that occurred at the parent company of T.J. Maxx and Marshall's more than two years ago. Under the settlement with a multistate group of 41 attorneys general, TJX also must certify that its computer system meets detailed data-security requirements specified by the states and must encourage the development of new technologies to address weaknesses in the U.S. payment card system.

    http://www.chicagotribune.com/business/chi-wed-tjx-data-breach-0624-jun24,0,1332734.story

    SQL = Scarcely Qualifies as a Language

    I love your tag line! I had not seen that before.

  • The way I see it, you should never rely on a vendor for security. Whether that is Microsoft or Barracuda, ultimately all vendors' systems can be hacked, so it is your responsibility to plan for the worst.

    First map your data flow. If your database isn't for your website, it should be isolated from the outside. VLANs are great for this; isolate your data to its own network that has no outside access. Even a web DB shouldn't have web access; your web application can request data from your DB network, but that should be the only thing able to connect to it. I know a lot of applications are primitively written and can only work within the local domain, but that really exposes that your application is badly written and probably has other security flaws.

    Second, talk with your software developers. I did a data migration from D3 to SQL a few months back and the software developer wanted me to expose my SQL data port so he could easily connect to my DB. I nearly choked on my yogurt. A VPN obviously was the better option. Nonetheless, a lot of software developers will do questionable things because they don't want to disturb what they perceive as your business environment; in other words, they work around the problems. Ask your developer how their software works, and ask them what they think is the best method. Often they don't really know, but sometimes they do.

    Third, patching is an ugly but necessary task. Schedule one Tuesday every month to test patches. I can't count the number of times that security patches have broken my apps, so you must set up a virtual environment and test those patches before you roll them out. You can't wait and say, "I will do it Friday or next week"; just set aside that one special Tuesday for testing all patches, M$ or other. Unless you are in the middle of a data recovery, you should have time.

    Your biggest threat isn't the single hacker, it is the many. I see Chinese net cafes sniffing at my walls every day; while 99.9% of them are amateur script kiddies who couldn't crack a Flash app, that 0.1% is still pretty numerous. Look into multi-layered defenses. OpenDNS and similar services will help stem the flood, but then follow that up with a properly configured firewall. Don't trust your users, so filter outbound traffic as closely as you do inbound. Make sure the individual station is secure, and I don't mean installing anti-virus apps. If the anti-virus app is successful, you have failed at your job. If you can, lock down users' stations and require them to store everything on a central file server. You should be able to blow up the user's computer and restore them to a new one, without them being able to notice the difference.
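The post's first rule is that only the web tier should be able to reach the database network. The VLAN and firewall are the control; the query below is an added T-SQL check, not from the original post, that verifies the control from the database side by listing every address currently connected to the instance and flagging anything that is not on an allow-list. The allow-list addresses are placeholders for the web servers; '<local machine>' is what SQL Server reports for shared-memory connections from the host itself. It needs VIEW SERVER STATE permission.

```sql
-- Added example (not from the original post): who is connected to this instance
-- right now, and is every client one of the hosts that is supposed to be here?
-- The addresses in @allowed are placeholders for the web tier's VLAN addresses.
DECLARE @allowed TABLE (client_net_address varchar(48) NOT NULL);
INSERT INTO @allowed (client_net_address)
VALUES ('10.20.0.11'), ('10.20.0.12'), ('<local machine>');

SELECT c.client_net_address,
       s.host_name,                       -- client-supplied, so informational only
       s.login_name,
       s.program_name,                    -- also client-supplied; do not trust it
       COUNT(*) AS sessions,
       CASE WHEN a.client_net_address IS NULL THEN 'UNEXPECTED' ELSE 'ok' END AS verdict
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
LEFT JOIN @allowed           AS a ON a.client_net_address = c.client_net_address
WHERE s.is_user_process = 1             -- skip SQL Server's own background sessions
GROUP BY c.client_net_address, s.host_name, s.login_name, s.program_name, a.client_net_address
ORDER BY verdict, c.client_net_address;
```

Anything with the UNEXPECTED verdict is a host that could reach the SQL port in spite of the VLAN design, which is precisely the exposed-data-port scenario the post's second point warns about. The snapshot only shows current sessions, so schedule it or log it rather than running it once; the address column is the only field here the client cannot forge.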

  • Great movie graphic Steve. At the time the movie had cutting edge technology but it really looks ancient now. Hack the Planet! Hack the Planet! 😛

  • Books, articles, and forum examples are chock full of extremely insecure practices. Add comments warning about bad practices and point the readers to where they can find good examples to work from.

    I'm a regular participant on http://www.asp.net and a huge percentage of the programmers who ask questions (and not a few who answer them) show that they have absolutely no awareness of sql injection attacks. Not what they are, not how they work, and most certainly how not to code to avoid them.

    Much of this is due to the bad security practices in the sample code they learn from.
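The two things the post says most programmers cannot explain, what an injection is and how to code so it cannot happen, side by side in T-SQL. This is an added example, not code from the original post or from any of the sample code it criticises; the table, column and the attacker's input are constructed for the demonstration. The same split applies in the ASP.NET code the post is talking about: SQL text built by string concatenation is the vulnerable form, and a SqlCommand with parameters is the fixed one.

```sql
-- Added example (not from the original post): the same lookup written the way
-- much sample code writes it, and then with the value passed as a parameter.
-- Table, column names and the attacker's input are constructed for this demo.
CREATE TABLE #users (user_name sysname NOT NULL, email nvarchar(256) NOT NULL);
INSERT INTO #users (user_name, email)
VALUES (N'alice', N'alice@example.invalid'),
       (N'bob',   N'bob@example.invalid');

-- What an attacker types into the "user name" field of the form
DECLARE @input nvarchar(100) = N''' OR 1=1 --';

-- Vulnerable: the input is spliced into the SQL text. The leading quote closes
-- the string literal, "OR 1=1" is executed as code, and "--" comments out the
-- trailing quote. Returns every row in the table.
DECLARE @sql nvarchar(max) =
    N'SELECT user_name, email FROM #users WHERE user_name = ''' + @input + N'''';
EXEC (@sql);

-- Fixed: the SQL text never changes and the input travels as a typed parameter,
-- so the quote is just a character inside a name. Returns no rows.
EXEC sp_executesql
     N'SELECT user_name, email FROM #users WHERE user_name = @name',
     N'@name nvarchar(100)',
     @name = @input;

DROP TABLE #users;
```

The parameterised form is not slower or harder to write than the concatenated one; the habit is the whole difference, which is why the post's point about the sample code people learn from matters.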
