Finding information about which account xp_cmdshell is running as
If you ever needed to debug a permission related issue when using xp_cmdshell, you have probably realized that a crucial piece of information is about what particular account xp_cmdshell is executing under. If you are the administrator of the database, Read More...
bing adds twitter integration
See it work at: http://www.bing.com/twitter. [UPDATE 10/22/2009]: Reactions: http://googleblog.blogspot.com/2009/10/rt-google-tweets-and-updates-and-search.html http://www.businessinsider.com/henry-blodget-well-what-do-you-know-google-is-actually-nervous-about-microsoft-bing-2009-1 Read More...
Posted 21 October 09 12:59 by lcris | 0 Comments   
New attack on AES-256
A new attack improves significantly on previous attacks against AES-256, see: http://schneier.com/crypto-gram-0908.html#8. This doesn't mean that AES-256 is broken yet, but the surprising bit here is that AES-128 is not susceptible to this particular Read More...
SQL Injection watch blog
I was looking for information on a new SQL injection attack when I stumbled upon this very useful blog: http://s3cwatch.wordpress.com/. It's worth a look from time to time, to get an idea of what attacks are going on in the wild. Read More...
Basic SQL Server Security concepts: ownership, CONTROL, TAKE OWNERSHIP
I realized today that while I have discussed earlier object permissions, I have not gone into the details of object ownership. I want to cover the following here: ownership of objects, how it can be changed, and the relatively new permission CONTROL Read More...
TechCrunch anatomy of the Twitter attack
http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/ The first step of registering an old email account to receive the password from a current account was a nice and easy way to break into an email account. After that, things pretty Read More...
Posted 23 July 09 04:38 by lcris | 0 Comments   
bing has launched!
I haven't posted anything new for some time, but now I have some news related to my current area of work: bing is Microsoft's new search engine; it launched yesterday, and you can now find it at www.bing.com. Give it a try and let me know what you Read More...
SQL Server: Windows Groups, default schemas, and other properties
Exceptions are dangerous because people like to simplify their thinking process using rules, so exceptions always carry the risk of being overlooked. In security, exceptions are a bad thing because they make the model more complex and complex systems Read More...
A SQL Injection attack and search engines
A few weeks after my previous posting of a SQL Injection Advisory link, a new SQL Injection attack came up. Here's a post describing it; it also includes other useful links: http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html A search Read More...
New Microsoft Security Advisory on SQL Injection
This came up yesterday: http://www.microsoft.com/technet/security/advisory/954462.mspx. It has good information and links. Read More...
A discussion of password authentication schemes
I have talked in the past about how passwords for SQL logins are protected in SQL Server (see this post). I would like to describe this scheme in a more generic way and compare it with the alternative of encrypting the passwords, because I have seen Read More...
Security in a nutshell
Here's an attempt to succinctly describe why achieving security is difficult: The engineer wants to implement a program P that allows users to perform action A. The hacker looks at program P and wonders how he can use it to perform actions other than A. Read More...
Posted 23 April 08 01:48 by lcris | 0 Comments   
An interesting book: Scott Rosenberg's "Dreaming in Code"
If you are wondering why software is hard to make, or if you know why but would like to see how others deal with the issue, you may enjoy reading Scott Rosenberg's book, "Dreaming in Code". I picked it up this weekend and while I haven't finished it yet, Read More...
Posted 31 March 08 12:49 by lcris | 0 Comments   
SQL Server 2005: How to debug login failures (18456, anyone?)
In my series of new posts on old topics, I decided to gather today several pieces of information that I think will help in debugging SQL Server login failures. Although most information should remain useful for future versions as well, some of it may Read More...
SQL Server: Password policy FAQ
I am starting this post to collect frequent Q&A related to password policy. I plan to keep updating the post if anything new is worth adding to it. Note that this FAQ does not cover SQL Server Compact Edition. Also note that BOL stands for Books OnLine. Read More...