
Browse by Tags

All Tags » computer security
Long time, no posting, but here is a security-related news article that drew my attention: http://www.bernama.com.my/bernama/v5/newsworld.php?id=607450 A security breach at one of South Korea's top Web portals basically led to the loss of personal data Read More...
Here's an interesting older article from Bruce Schneier on securing data at rest, which goes over some of the points I mentioned earlier in my Who needs encryption? post. Read More...
This post is based on an old presentation I gave several years back. A video of the presentation used to be available here, but today I couldn't get it to work, so I am attempting to make available most of the information from the presentation within Read More...
A new attack improves significantly on previous attacks against AES-256, see: http://schneier.com/crypto-gram-0908.html#8. This doesn't mean that AES-256 is broken yet, but the surprising bit here is that AES-128 is not susceptible to this particular Read More...
I was looking for information on a new SQL injection attack when I stumbled upon this very useful blog: http://s3cwatch.wordpress.com/. It's worth a look from time to time, to get an idea of what attacks are going on in the wild. Read More...
I realized today that while I have discussed object permissions earlier, I have not gone into the details of object ownership. I want to cover the following here: ownership of objects, how it can be changed, and the relatively new permission CONTROL Read More...
http://www.techcrunch.com/2009/07/19/the-anatomy-of-the-twitter-attack/ The first step of registering an old email account to receive the password from a current account was a nice and easy way to break into an email account. After that, things pretty Read More...
A few weeks after my previous posting of a SQL Injection Advisory link, a new SQL Injection attack came up. Here's a post describing it; it also includes other useful links: http://www.rtraction.com/blog/devit/sql-injection-hack-using-cast.html A search Read More...
This came up yesterday: http://www.microsoft.com/technet/security/advisory/954462.mspx. It has good information and links. Read More...
I have talked in the past about how passwords for SQL logins are protected in SQL Server (see this post). I would like to describe this scheme in a more generic way and compare it with the alternative of encrypting the passwords, because I have seen Read More...
Here's an attempt to succinctly describe why achieving security is difficult: The engineer wants to implement a program P that allows users to perform action A. The hacker looks at program P and wonders how he can use it to perform actions other than A. Read More...
I am starting this post to collect frequent Q&A related to password policy. I plan to keep updating the post if anything new is worth adding to it. Note that this FAQ does not cover SQL Server Compact Edition. Also note that BOL stands for Books OnLine. Read More...
A recent article brings up this question and argues that encrypting data at rest can open the door to a new range of security and usability problems. Speaking only of the security aspects, I both agree and disagree, so I'd like to add a few comments on Read More...
First, I must say that I don't know why these exist in an undocumented form. They have been around for a long time and a search on their names gets me back pages of hits. Being undocumented means that their actual implementation may change slightly from Read More...
To avoid any confusion, this post is not about the use of certificates for securing the communication between a client machine and the server; instead, this refers to the use of certificates created via the CREATE CERTIFICATE DDL. I am prompted in writing Read More...