Browse by Tags

All Tags » computer security   (RSS)
New attack on AES-256
A new attack improves significantly on previous attacks against AES-256, see: http://schneier.com/crypto-gram-0908.html#8 . This doesn't mean that AES-256 is broken yet, but the surprising bit here is that AES-128 is not susceptible to this particular Read More...
Posted 14 October 09 05:05 by lcris | 0 Comments   
Filed under , ,
SQL Injection watch blog
I was looking for information on a new SQL injection attack when I stumbled upon this very useful blog: http://s3cwatch.wordpress.com/ . It's worth a look from time to time, to get an idea of what attacks are going on in the wild. Read More...
Posted 14 August 09 02:34 by lcris | 0 Comments   
Filed under , ,
Basic SQL Server Security concepts: ownership, CONTROL, TAKE OWNERSHIP
I realized today that while I have discussed earlier object permissions , I have not gone into the details of object ownership. I want to cover the following here: ownership of objects, how it can be changed, and the relatively new permission CONTROL Read More...
Posted 11 August 09 03:39 by lcris | 0 Comments   
Filed under , , ,
TechCrunch anatomy of the Twitter attack
http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/ The first step of registering an old email account to receive the password from a current account was a nice and easy way to break into an email acount. After that, things pretty Read More...
Posted 23 July 09 04:38 by lcris | 0 Comments   
Filed under
A SQL Injection attack and search engines
A few weeks after my previous posting of a SQL Injection Advisory link, a new SQL Injection attack came up. Here's a post describing it; it also includes other useful links: http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html A search Read More...
Posted 05 August 08 12:07 by lcris | 0 Comments   
Filed under , ,
New Microsoft Security Advisory on SQL Injection
This came up yesterday: http://www.microsoft.com/technet/security/advisory/954462.mspx . It has good information and links. Read More...
Posted 25 June 08 11:56 by lcris | 0 Comments   
Filed under ,
A discussion of password authentication schemes
I have talked in the past about how passwords for SQL logins are protected in SQL Server (see this post ). I would like to describe this scheme in a more generic way and compare it with the alternative of encrypting the passwords, because I have seen Read More...
Posted 09 May 08 01:45 by lcris | 0 Comments   
Filed under ,
Security in a nutshell
Here's an attempt to succintly describe why achieving security is difficult: The engineer wants to implement a program P that allows users to perform action A. The hacker looks at program P and wonders how can he use it to perform actions other than A. Read More...
Posted 23 April 08 01:48 by lcris | 0 Comments   
Filed under
SQL Server: Password policy FAQ
I am starting this post to collect frequent Q&A related to password policy. I plan to keep updating the post if anything new is worth adding to it. Note that this FAQ does not cover SQL Server Compact Edition. Also note that BOL stands for Books OnLine. Read More...
Posted 20 February 08 04:18 by lcris | 2 Comments   
Filed under ,
Can encryption make you more vulnerable?
A recent article brings up this question and argues that encrypting data at rest can open the door to a new range of security and usability problems. Speaking only of the security aspects, I both agree and disagree, so I'd like to add a few comments on Read More...
Posted 11 February 08 04:57 by lcris | 0 Comments   
Filed under , ,
SQL Server undocumented password hashing builtins: pwdcompare and pwdencrypt
First, I must say that I don't know why these exist in an undocumented form. They have been around for a long time and a search on their names gets me back pages of hits. Being undocumented means that their actual implementation may change slightly from Read More...
Posted 31 October 07 11:08 by lcris | 0 Comments   
Filed under , ,
Basic SQL Server Security concepts: SIDs, orphaned users, and loginless users
I am grouping here two topics (orphaned users and loginless users) that are actually very different, but I have often seen confusion between them, so I am covering them together in an attempt to dispel that confusion. In a previous discussion of logins Read More...
Posted 25 October 07 05:42 by lcris | 0 Comments   
Filed under , , ,
SQL Server 2005: A note about the use of certificates
To avoid any confusion, this post is not about the use of certificates for securing the communication between a client machine and the server; instead, this refers to the use of certificates created via the CREATE CERTIFICATE DDL. I am prompted in writing Read More...
Posted 04 October 07 08:59 by lcris | 1 Comments   
Filed under , , ,
SQL Server 2008: Transparent data encryption feature - a quick overview
I have kept silent on this feature while it was being developed, but as it has now been publicly advertised in various ways (being mentioned here , here , here , and here , for example), I think it is probably time to write a bit about it. Given that Read More...
Posted 03 October 07 04:55 by lcris | 2 Comments   
Filed under , , ,
Security and copy protection
I have been watching the SQL Server Security forum for several years now and there is one question that gets spawned about once a month under different titles. It invariably begins with a request for guidance on how to secure access to a database, which Read More...
Posted 24 September 07 03:57 by lcris | 0 Comments   
Filed under , ,
More Posts Next page »

Search

This Blog

These posts are provided "AS IS" with no warranties, and confer no rights.

Syndication

Page view tracker