Laurentiu Cristofor's blog @microsoft.com
Current topics: Security, SQL Server, bing

South Korea's worst online security breach (so far)
Posted over 2 years ago by Laurentiu Cristofor [MSFT], 0 Comments
Long time, no posting, but here is a security related news article that drew my attention: http://www.bernama.com.my/bernama/v5/newsworld.php?id=607450 A security breach at one of South Korea's top Web portals basically led to the loss of personal...

Schneier on securing data at rest vs securing data in motion
Posted over 3 years ago by Laurentiu Cristofor [MSFT], 0 Comments
Here's an interesting older article from Bruce Schneier on securing data at rest, which goes over some of the points I mentioned earlier in my Who needs encryption? post.

SQL Server 2005: Execution Context
Posted over 3 years ago by Laurentiu Cristofor [MSFT], 0 Comments
This post is based on an old presentation I gave several years back. A video of the presentation used to be available here, but today I couldn't get it to work, so I am attempting to make available most of the information from the presentation within...

Danah Boyd's recent privacy talks
Posted over 3 years ago by Laurentiu Cristofor [MSFT], 0 Comments
I became aware of Danah Boyd's research a few years ago when I somehow stumbled over one of her papers discussing social networking sites. Since that time Danah Boyd has joined MSR and more recently she gave a couple of interesting talks about privacy...

Privacy and search engines
Posted over 4 years ago by Laurentiu Cristofor [MSFT], 0 Comments
It is no secret that search engines keep track of searches made. Any website logs accesses and most websites track your activity via cookies for reasons involving both your benefit and that of the site you're accessing. You may be surprised to find out...

Finding information about which account xp_cmdshell is running as
Posted over 4 years ago by Laurentiu Cristofor [MSFT], 3 Comments
If you ever needed to debug a permission related issue when using xp_cmdshell, you have probably realized that a crucial piece of information is about what particular account xp_cmdshell is executing under. If you are the administrator of the database...

bing adds twitter integration
Posted over 4 years ago by Laurentiu Cristofor [MSFT], 0 Comments
See it work at: http://www.bing.com/twitter . [UPDATE 10/22/2009]: Reactions: http://googleblog.blogspot.com/2009/10/rt-google-tweets-and-updates-and-search.html http://www.businessinsider.com/henry-blodget-well-what-do-you-know-google-is-actually...

New attack on AES-256
Posted over 4 years ago by Laurentiu Cristofor [MSFT], 0 Comments
A new attack improves significantly on previous attacks against AES-256, see: http://schneier.com/crypto-gram-0908.html#8 . This doesn't mean that AES-256 is broken yet, but the surprising bit here is that AES-128 is not susceptible to this particular...

SQL Injection watch blog
Posted over 4 years ago by Laurentiu Cristofor [MSFT], 0 Comments
I was looking for information on a new SQL injection attack when I stumbled upon this very useful blog: http://s3cwatch.wordpress.com/ . It's worth a look from time to time, to get an idea of what attacks are going on in the wild.

Basic SQL Server Security concepts: ownership, CONTROL, TAKE OWNERSHIP
Posted over 4 years ago by Laurentiu Cristofor [MSFT], 0 Comments
I realized today that while I have discussed earlier object permissions, I have not gone into the details of object ownership. I want to cover the following here: ownership of objects, how it can be changed, and the relatively new permission CONTROL...

TechCrunch anatomy of the Twitter attack
Posted over 4 years ago by Laurentiu Cristofor [MSFT], 0 Comments
http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/ The first step of registering an old email account to receive the password from a current account was a nice and easy way to break into an email account. After that, things pretty...

bing has launched!
Posted over 4 years ago by Laurentiu Cristofor [MSFT], 2 Comments
I haven't posted anything new for some time, but now I have some news related to my current area of work: bing is Microsoft's new search engine, it launched yesterday, and you can now find it at www.bing.com . Give it a try and let me know what you...

SQL Server: Windows Groups, default schemas, and other properties
Posted over 5 years ago by Laurentiu Cristofor [MSFT], 0 Comments
Exceptions are dangerous because people like to simplify their thinking process using rules, so exceptions always carry the risk of being overlooked. In security, exceptions are a bad thing because they make the model more complex and complex systems...

A SQL Injection attack and search engines
Posted over 5 years ago by Laurentiu Cristofor [MSFT], 0 Comments
A few weeks after my previous posting of a SQL Injection Advisory link, a new SQL Injection attack came up. Here's a post describing it; it also includes other useful links: http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html ...

New Microsoft Security Advisory on SQL Injection
Posted over 5 years ago by Laurentiu Cristofor [MSFT], 0 Comments
This came up yesterday: http://www.microsoft.com/technet/security/advisory/954462.mspx . It has good information and links.

A discussion of password authentication schemes
Posted over 5 years ago by Laurentiu Cristofor [MSFT], 0 Comments
I have talked in the past about how passwords for SQL logins are protected in SQL Server (see this post). I would like to describe this scheme in a more generic way and compare it with the alternative of encrypting the passwords, because I have seen...

Security in a nutshell
Posted over 5 years ago by Laurentiu Cristofor [MSFT], 0 Comments
Here's an attempt to succinctly describe why achieving security is difficult: The engineer wants to implement a program P that allows users to perform action A. The hacker looks at program P and wonders how he can use it to perform actions other than...

An interesting book: Scott Rosenberg's "Dreaming in Code"
Posted over 5 years ago by Laurentiu Cristofor [MSFT], 0 Comments
If you are wondering why software is hard to make or if you know why, but you would like to see how others deal with the issue, you may enjoy reading Scott Rosenberg's book, "Dreaming in Code". I picked it this weekend and while I didn't finish it yet...

SQL Server 2005: How to debug login failures (18456, anyone?)
Posted over 5 years ago by Laurentiu Cristofor [MSFT], 0 Comments
In my series of new posts on old topics, I decided to gather today several pieces of information that I think will help in debugging SQL Server login failures. Although most information should remain useful for future versions as well, some of it may...

SQL Server: Password policy FAQ
Posted over 5 years ago by Laurentiu Cristofor [MSFT], 12 Comments
I am starting this post to collect frequent Q&A related to password policy. I plan to keep updating the post if anything new is worth adding to it. Note that this FAQ does not cover SQL Server Compact Edition. Also note that BOL stands for Books OnLine...

Can encryption make you more vulnerable?
Posted over 5 years ago by Laurentiu Cristofor [MSFT], 0 Comments
A recent article brings up this question and argues that encrypting data at rest can open the door to a new range of security and usability problems. Speaking only of the security aspects, I both agree and disagree, so I'd like to add a few comments on...

How to request features in Microsoft products
Posted over 5 years ago by Laurentiu Cristofor [MSFT], 2 Comments
I want to address the topic of requesting feature changes in Microsoft products, to point to some tools that can help, and to describe ways to use those tools more effectively. This post is based on my experience working on customer requests while being...

TSA blog
Posted over 5 years ago by Laurentiu Cristofor [MSFT], 0 Comments
I just noticed that the TSA has started a blog to shed some light on the motivations for their security measures. The blog is here: http://www.tsa.gov/blog/ .

SQL Server 2005: How to debug errors in code that does encryption
Posted over 5 years ago by Laurentiu Cristofor [MSFT], 0 Comments
Encryption builtin functions in SQL Server have no known issues and, if used properly, they will produce the expected results. However, if they are used incorrectly, it can be hard to figure out what exactly is the problem, so in this post I am going...

SQL Server 2005: A great post by Aaron Morton about using MARS to access opened keys
Posted over 5 years ago by Laurentiu Cristofor [MSFT], 2 Comments
Aaron Morton has a very interesting post and demo that show how MARS can be used to access keys temporarily opened by a procedure. This is a must-read for anyone that is interested in implementing custom restrictions around the use of encryption keys...