Laurentiu Cristofor's blog @microsoft.com

Current topics: Security, SQL Server, bing

Tagged Content List
  • Blog Post: Microsoft account activity history feature is now online!

    I am breaking silence after a long pause. I have not had much information to share here as I have mostly worked on infrastructure services with no customer facing surface. Since 2011, I have been working in Microsoft account, the authentication service that powers most of Microsoft's services. Today...
  • Blog Post: South Korea's worst online security breach (so far)

    Long time, no posting, but here is a security related news article that drew my attention: http://www.bernama.com.my/bernama/v5/newsworld.php?id=607450. A security breach at one of South Korea's top Web portals basically led to the loss of personal data of 35 million people. Why was the data collected...
  • Blog Post: Schneier on securing data at rest vs securing data in motion

    Here's an interesting older article from Bruce Schneier on securing data at rest, which goes over some of the points I mentioned earlier in my Who needs encryption? post.
  • Blog Post: SQL Server 2005: Execution Context

    This post is based on an old presentation I gave several years back. A video of the presentation used to be available here , but today I couldn't get it to work, so I am attempting to make available most of the information from the presentation within this post. Keep in mind that the demo associated...
  • Blog Post: New attack on AES-256

    A new attack improves significantly on previous attacks against AES-256, see: http://schneier.com/crypto-gram-0908.html#8. This doesn't mean that AES-256 is broken yet, but the surprising bit here is that AES-128 is not susceptible to this particular attack. Don't panic if you are using AES-256 and...
  • Blog Post: SQL Injection watch blog

    I was looking for information on a new SQL injection attack when I stumbled upon this very useful blog: http://s3cwatch.wordpress.com/. It's worth a look from time to time, to get an idea of what attacks are going on in the wild.
  • Blog Post: Basic SQL Server Security concepts: ownership, CONTROL, TAKE OWNERSHIP

    I realized today that while I have discussed earlier object permissions , I have not gone into the details of object ownership. I want to cover the following here: ownership of objects, how it can be changed, and the relatively new permission CONTROL (introduced in SQL Server 2005). Ownership: This...
  • Blog Post: TechCrunch anatomy of the Twitter attack

    http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/ The first step of registering an old email account to receive the password from a current account was a nice and easy way to break into an email account. After that, things pretty much fell like dominoes, but it's nice to see how...
  • Blog Post: A SQL Injection attack and search engines

    A few weeks after my previous posting of a SQL Injection Advisory link, a new SQL Injection attack came up. Here's a post describing it; it also includes other useful links: http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html A search for the query string "http://1.verynx.cn...
  • Blog Post: New Microsoft Security Advisory on SQL Injection

    This came up yesterday: http://www.microsoft.com/technet/security/advisory/954462.mspx. It has good information and links.
  • Blog Post: A discussion of password authentication schemes

    I have talked in the past about how passwords for SQL logins are protected in SQL Server (see this post). I would like to describe this scheme in a more generic way and compare it with the alternative of encrypting the passwords, because I have seen people wondering which method they should use. ...
  • Blog Post: Security in a nutshell

    Here's an attempt to succinctly describe why achieving security is difficult: The engineer wants to implement a program P that allows users to perform action A. The hacker looks at program P and wonders how he can use it to perform actions other than A. The security guy wants to implement a program...
  • Blog Post: SQL Server: Password policy FAQ

    I am starting this post to collect frequent Q&A related to password policy. I plan to keep updating the post if anything new is worth adding to it. Note that this FAQ does not cover SQL Server Compact Edition. Also note that BOL stands for Books OnLine. Q: What is the SQL Server password policy...
  • Blog Post: Can encryption make you more vulnerable?

    A recent article brings up this question and argues that encrypting data at rest can open the door to a new range of security and usability problems. Speaking only of the security aspects, I both agree and disagree, so I'd like to add a few comments on this topic. I think that the article makes a...
  • Blog Post: SQL Server undocumented password hashing builtins: pwdcompare and pwdencrypt

    First, I must say that I don't know why these exist in an undocumented form. They have been around for a long time and a search on their names gets me back pages of hits. Being undocumented means that their actual implementation may change slightly from one version of SQL Server to another, mainly because...
  • Blog Post: Basic SQL Server Security concepts: SIDs, orphaned users, and loginless users

    I am grouping here two topics (orphaned users and loginless users) that are actually very different, but I have often seen confusion between them, so I am covering them together in an attempt to dispel that confusion. In a previous discussion of logins and users, I pointed out that the way a login...
  • Blog Post: SQL Server 2005: A note about the use of certificates

    To avoid any confusion, this post is not about the use of certificates for securing the communication between a client machine and the server; instead, this refers to the use of certificates created via the CREATE CERTIFICATE DDL. I am prompted in writing this post by a recent question I just saw...
  • Blog Post: SQL Server 2008: Transparent data encryption feature - a quick overview

    I have kept silent on this feature while it was being developed, but as it has now been publicly advertised in various ways (being mentioned here, here, here, and here, for example), I think it is probably time to write a bit about it. Given that my posts so far have covered SQL Server 2005, I'll...
  • Blog Post: Security and copy protection

    I have been watching the SQL Server Security forum for several years now and there is one question that gets spawned about once a month under different titles. It invariably begins with a request for guidance on how to secure access to a database, which sounds like a reasonable security inquiry, but...
  • Blog Post: Basic SQL Server Security concepts - ownership chaining: good and evil; schemas

    At some point during SQL Server's history, its designers must have confronted the following problem: how to give someone permission to see parts of a table without giving him any permission on the table? Slices of a table are easily defined using views, so the problem becomes one of giving SELECT permission...
  • Blog Post: Basic SQL Server Security concepts - permissions and special principals: sa, dbo, guest

    In a previous post, I talked about the various types of principals in SQL Server. Let's have a further look in this post at permissions and at some of the hardcoded principals that ship with any installation of SQL Server. Permissions are what allow principals (logins, users, roles, etc.) to perform...
  • Blog Post: Beyond cracking: cybercrime

    If you are following the security news, you will not be surprised by what I cover in this post. It's old news already for most people working in security. But it's worth discussing this more, to raise awareness. In a nutshell, the idea is that breaking computers is ceasing to be mainly an entertainment...
  • Blog Post: SQL Server 2005: About login password hashes

    There seem to be a couple of misconceptions around the SQL Server handling of login passwords. Hopefully, by the end of this post, you will have a much clearer idea about what is going on under the covers. Note that this refers to the passwords of logins used with SQL Authentication - no passwords are...
  • Blog Post: SQL Server 2005 security presentations at PASS - Pre Conference

    If you missed the PASS Pre Conference security presentations, you can now catch up by viewing them online: http://cmcgc.com/Media/WMP/261115/. [UPDATE 8/24/2010]: The main content of my execution context presentation is available here. The associated demo was already available here.
  • Blog Post: Who needs encryption?

    For those that read my previous posts, the question in the title may be startling. I want to reassure you from the start: this post is not about encryption being a useless technique; it is just about it not being a solution for certain problems and definitely not being a general solution for any problem...
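For the "SQL Server 2005: Execution Context" post above, an added example written for this page (it is not the post's presentation demo; all names are hypothetical and it runs in a scratch database): a procedure declared WITH EXECUTE AS OWNER switches to dbo's context on entry, so a caller holding only EXECUTE on the module reads a table it cannot touch directly, while ORIGINAL_LOGIN() still records who actually connected.

```sql
-- Added example, hypothetical names; run as a sysadmin on a test instance.
CREATE DATABASE ExecCtxDemo;
GO
USE ExecCtxDemo;
GO
CREATE USER Alice WITHOUT LOGIN;   -- loginless user: needs no server login
GO
CREATE TABLE dbo.Salaries (Employee sysname, Salary money);
INSERT INTO dbo.Salaries VALUES ('alice', 1000), ('bob', 2000);
GO
-- The execution context is switched to the module's owner (dbo) on entry
-- and switched back when the module returns.
CREATE PROCEDURE dbo.SalaryStats
WITH EXECUTE AS OWNER
AS
    SELECT COUNT(*)         AS Employees,
           SUM(Salary)      AS Payroll,
           USER_NAME()      AS ExecutionContext,  -- dbo
           ORIGINAL_LOGIN() AS SessionLogin;      -- the login that connected
GO
-- Alice gets EXECUTE on the module only; nothing on the table.
GRANT EXECUTE ON dbo.SalaryStats TO Alice;
GO
EXECUTE AS USER = 'Alice';          -- impersonate Alice within this database
    SELECT USER_NAME() AS WhoAmI;   -- Alice
    EXEC dbo.SalaryStats;           -- succeeds: runs as dbo inside the module
    -- SELECT * FROM dbo.Salaries;  -- would fail: SELECT permission denied
REVERT;                             -- back to the original context
GO
-- EXECUTE AS OWNER impersonates whoever owns the module; an explicit owner
-- is recorded in sys.objects.principal_id, NULL means the schema's owner.
SELECT o.name,
       COALESCE(USER_NAME(o.principal_id), USER_NAME(s.principal_id)) AS Owner
FROM sys.objects AS o
JOIN sys.schemas AS s ON s.schema_id = o.schema_id
WHERE o.name = 'SalaryStats';
GO
USE master;
DROP DATABASE ExecCtxDemo;
```

The point to check in your own databases is the last query: whoever can change a module's owner (or owns the schema it lives in) decides whose permissions EXECUTE AS OWNER modules run with.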
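For the "SIDs, orphaned users, and loginless users" post above, an added example written for this page (not the post's own code; hypothetical names, test instance). It manufactures an orphaned user the way a restore onto another instance does, lists orphans with a query that deliberately excludes loginless users, and repairs the orphan with ALTER USER ... WITH LOGIN.

```sql
-- Added example, hypothetical names; run as a sysadmin on a test instance.
CREATE LOGIN AppLogin WITH PASSWORD = 'Xk7#pQ2!vNw9zR4m';
CREATE DATABASE OrphanDemo;
GO
USE OrphanDemo;
GO
CREATE USER AppUser FOR LOGIN AppLogin;   -- the user's SID is copied from the login
CREATE USER Svc WITHOUT LOGIN;            -- loginless: no server SID, by design
GO
-- Simulate restoring the database on another instance where the login was
-- recreated: CREATE LOGIN generates a fresh SID unless one is supplied.
USE master;
DROP LOGIN AppLogin;
CREATE LOGIN AppLogin WITH PASSWORD = 'Xk7#pQ2!vNw9zR4m';
GO
USE OrphanDemo;
GO
-- Orphaned users: database users whose SID matches no server principal.
-- Loginless users are excluded via authentication_type = 0 (SQL Server 2012+;
-- on 2005/2008 use EXEC sp_change_users_login 'Report' instead).
SELECT dp.name AS DbUser, dp.type_desc, dp.sid
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE dp.type IN ('S', 'U', 'G')      -- SQL user, Windows user, Windows group
  AND dp.authentication_type <> 0
  AND dp.principal_id > 4             -- skip dbo, guest, INFORMATION_SCHEMA, sys
  AND sp.sid IS NULL;                 -- returns AppUser; Svc is not an orphan
GO
-- Fix: re-point the user at the login; the SID stored in the database is rewritten.
ALTER USER AppUser WITH LOGIN = AppLogin;
GO
-- Alternative that avoids the orphan in the first place: recreate the login
-- with the SID the database already holds.
SELECT sid FROM sys.database_principals WHERE name = 'AppUser';
-- CREATE LOGIN AppLogin WITH PASSWORD = '...', SID = 0x<value from the query above>;
GO
USE master;
DROP DATABASE OrphanDemo;
DROP LOGIN AppLogin;
```

Re-running the orphan query after the ALTER USER returns nothing; Svc never appeared because a loginless user has no login to be orphaned from.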
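For the "Transparent data encryption feature - a quick overview" post above, an added example written for this page (not the post's own code; names, passwords and file paths are hypothetical): the full key hierarchy from the master key in master down to the database encryption key, with the certificate backup done before encryption is switched on, and the DMV that shows encryption progress.

```sql
-- Added example, hypothetical names and paths; run as a sysadmin on a test instance.
CREATE DATABASE TdeDemo;
GO
USE master;
GO
-- 1. A database master key in master protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Dmk!Pass#9wQ2rT7v';
GO
-- 2. The server certificate that will protect the database encryption key.
CREATE CERTIFICATE TdeDemoCert WITH SUBJECT = 'TDE certificate for TdeDemo';
GO
-- 3. Back up the certificate and private key NOW. Without this backup neither
--    the database nor any backup of it can be restored on another instance.
BACKUP CERTIFICATE TdeDemoCert
    TO FILE = 'C:\keys\TdeDemoCert.cer'
    WITH PRIVATE KEY (FILE = 'C:\keys\TdeDemoCert.pvk',
                      ENCRYPTION BY PASSWORD = 'Pvk!Pass#4nX8cL1z');
GO
USE TdeDemo;
GO
-- 4. The database encryption key (DEK) is what actually encrypts the pages;
--    it lives inside the database, wrapped by the server certificate.
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeDemoCert;
GO
-- 5. Turn encryption on; existing pages are rewritten by a background scan.
ALTER DATABASE TdeDemo SET ENCRYPTION ON;
GO
-- Check: encryption_state 2 = encryption in progress, 3 = encrypted.
-- tempdb shows up here as well: it is encrypted as soon as any database on
-- the instance is, because it can hold that database's data.
SELECT DB_NAME(database_id) AS DbName, encryption_state, percent_complete,
       key_algorithm, key_length, encryptor_thumbprint
FROM sys.dm_database_encryption_keys;
GO
-- Restoring on another instance requires the certificate first:
-- CREATE CERTIFICATE TdeDemoCert FROM FILE = 'C:\keys\TdeDemoCert.cer'
--     WITH PRIVATE KEY (FILE = 'C:\keys\TdeDemoCert.pvk',
--                       DECRYPTION BY PASSWORD = 'Pvk!Pass#4nX8cL1z');
```

TDE protects the files at rest (data, log and backups); anyone who can log in and has SELECT permission still reads the data in the clear, which is the distinction the "Who needs encryption?" post is about.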
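For the two ownership posts above ("ownership, CONTROL, TAKE OWNERSHIP" and "ownership chaining: good and evil; schemas"), one added example written for this page (not the posts' own code; hypothetical names, scratch database). It shows a view granting access to a slice of a table through an intact ownership chain, the same access failing once the view gets a different owner, and then TAKE OWNERSHIP and CONTROL being used to change and to bypass that ownership.

```sql
-- Added example, hypothetical names; run as a sysadmin on a test instance.
CREATE DATABASE ChainDemo;
GO
USE ChainDemo;
GO
CREATE USER Reader  WITHOUT LOGIN;
CREATE USER Steward WITHOUT LOGIN;
GO
CREATE TABLE dbo.Customers (Id int, Name sysname, CardNumber char(16));
INSERT INTO dbo.Customers VALUES (1, 'Ann', '4111111111111111');
GO
CREATE VIEW dbo.CustomerNames AS SELECT Id, Name FROM dbo.Customers;
GO
GRANT SELECT ON dbo.CustomerNames TO Reader;    -- nothing granted on the table
GO
EXECUTE AS USER = 'Reader';
    -- Works: view and table share the owner dbo, so the chain is intact and
    -- the permission check stops at the view.
    SELECT * FROM dbo.CustomerNames;
    -- SELECT CardNumber FROM dbo.Customers;   -- would fail: permission denied
REVERT;
GO
-- Ownership is sys.objects.principal_id; NULL means "owned by the schema owner".
SELECT name, principal_id FROM sys.objects
WHERE name IN ('Customers', 'CustomerNames');
GO
-- Break the chain by giving the view an explicit, different owner.
ALTER AUTHORIZATION ON OBJECT::dbo.CustomerNames TO Steward;
GO
EXECUTE AS USER = 'Reader';
    -- Now fails: owners differ, so SELECT on dbo.Customers is checked for
    -- Reader as well, and Reader does not have it.
    -- SELECT * FROM dbo.CustomerNames;
REVERT;
GO
-- TAKE OWNERSHIP lets a principal make itself the owner of the object ...
GRANT TAKE OWNERSHIP ON dbo.Customers TO Steward;
GO
EXECUTE AS USER = 'Steward';
    ALTER AUTHORIZATION ON OBJECT::dbo.Customers TO Steward;
REVERT;
GO
-- ... and CONTROL is ownership-like authority: it implies every other
-- permission on the object, including the ability to grant them onward.
GRANT CONTROL ON dbo.Customers TO Reader;
GO
EXECUTE AS USER = 'Reader';
    SELECT CardNumber FROM dbo.Customers;       -- now allowed
REVERT;
GO
USE master;
DROP DATABASE ChainDemo;
```

Note the side effect of the TAKE OWNERSHIP step: once Steward owns both the view and the table, the chain is intact again and Reader's original SELECT on the view works once more, which is the "evil" half of ownership chaining: a permission check you thought was in place silently disappears when owners line up.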
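For the three password posts above ("A discussion of password authentication schemes", "undocumented password hashing builtins: pwdcompare and pwdencrypt" and "About login password hashes"), one added example written for this page (not the posts' own code). It shows that PWDENCRYPT salts, that PWDCOMPARE verifies without any decryption, how the stored blob is laid out, and how the same builtin audits existing logins for weak passwords; the passwords and candidate list are made up here.

```sql
-- Added example; PWDENCRYPT/PWDCOMPARE are undocumented builtins, so their
-- output format is version-specific and may change. Run on a test instance.
DECLARE @pw nvarchar(128) = N'CorrectHorse!Battery9';

-- Hashing is salted: the same password hashes differently on every call.
SELECT PWDENCRYPT(@pw) AS Hash1, PWDENCRYPT(@pw) AS Hash2;

-- Verification re-hashes the candidate with the salt stored inside the blob;
-- nothing is ever decrypted, so there is no key that could leak. That is the
-- advantage over encrypting passwords: a stolen blob does not yield the password.
DECLARE @stored varbinary(256) = PWDENCRYPT(@pw);
SELECT PWDCOMPARE(@pw, @stored)             AS Correct,   -- 1
       PWDCOMPARE(N'wrong guess', @stored)  AS Wrong;     -- 0

-- Layout of the blob: 2-byte version prefix, 4-byte salt, digest.
--   0x0100 + salt + SHA-1   on SQL Server 2005/2008
--   0x0200 + salt + SHA-512 on SQL Server 2012 and later
SELECT CONVERT(varchar(4), SUBSTRING(@stored, 1, 2), 2) AS VersionPrefix,
       SUBSTRING(@stored, 3, 4)                          AS Salt,
       DATALENGTH(@stored) - 6                           AS DigestBytes;

-- SQL logins are stored with the same scheme; reading password_hash needs
-- CONTROL SERVER. A blank or guessable password is found without any cracking
-- tool, just by hashing each candidate with the login's own salt.
DECLARE @candidates TABLE (pw nvarchar(128));
INSERT INTO @candidates VALUES (N''), (N'sa'), (N'password'), (N'Password1');
SELECT l.name AS LoginName, c.pw AS WeakPassword, l.is_policy_checked
FROM sys.sql_logins AS l
CROSS JOIN @candidates AS c
WHERE PWDCOMPARE(c.pw, l.password_hash) = 1;
```

The audit query is also the reason to keep the candidate list short and the run infrequent: each PWDCOMPARE is a full hash computation per login per candidate, and the salt is per login, so there is no shortcut across logins.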
Page 1 of 2 (46 items)