May 13, 2008
Welcome To SQLSecurity.com
This site is dedicated to those who are serious about security - specifically, Microsoft SQL Server security. Whatever your feelings about Microsoft, the bottom line is that these servers are showing up everywhere and it's time we learned how to properly secure them. At this site we do just that. We find problems, post solutions, and get the word out. If anyone tells you that security ends with the OS, they are dead wrong. Many times excellent network and host-based security has been bypassed, exposing the very heart of the enterprise: all because of poor SQL Server configuration.

"There is no 'patch' for stupidity."

Have you blocked access to TCP 1433 and UDP 1434 from all un-trusted clients? No? Then get to it!


Chip's Blog
Massive SQL Injection Attack Targets Websites Using SQL Server - Friday, April 25, 2008
Looks like another mass SQL Injection attack is making the rounds. The attackers likely used Google or another service to select potentially vulnerable sites and then launched the attack from there. Yet another example of the importance of checking your code regularly for these types of vulnerabilities.

New Priv Escalation Security Vulnerability (951306) Affects SQL Server - Saturday, April 19, 2008
Applications that allow users to run code in an authenticated context (IIS, SQL Server) could be at risk from privilege escalation attacks. The threat to SQL Server is described as follows: "SQL Server is affected if a user is granted administrative privileges to load and run code. A user with administrative privileges could execute specially crafted code that could leverage the attack. However, this privilege is not granted by default." OK - so this is no SQLSlammer since non-default configurations are required, but it is still worthy of mention.

Quick SQL 2008 Security Highlights Article - Wednesday, March 19, 2008
Kevin Beaver has highlighted some SQL Server 2008 features that may interest readers. Feel free to download the CTP and take it for a "spin" yourselves. I am impressed by the database encryption options but I hope this won't lull developers into thinking they don't have to secure individual data fields. Database encryption addresses a different threat than does field-level encryption. For example, someone stealing your MDF poses a different threat than someone exploiting a SQL injection vulnerability on your site. Kapeesh?

SQL Server 2008 CTP Released - Tuesday, February 26, 2008
Microsoft has released the CTP for SQL Server 2008. On the security side, Microsoft is touting the ability to encrypt entire databases, database files, backups, and logs. Most of this has been available from 3rd parties for some time. I guess I should see how many of those were purchased by Microsoft? (grin) Also they are claiming improved auditing. The spec sheet talks about the Surface Area Configuration Tool but that has been around for some time now - this sounds like a marketing re-hash.

Apologies for Forum Moderation Delays - Sunday, February 03, 2008
I wanted to personally apologize for the delay in Discussion Forum moderations. Usually I stay on top of this but have slacked off a bit as of late due to some external pressures and left some un-moderated messages out there for a week or so. I am working to keep the spambots at bay with CAPTCHA instead of moderation so should have something to alleviate this issue soon. Thanks for your patience and keep the questions coming! 

First Mass SQL Injection Worm? - Tuesday, January 08, 2008
Apparently a new worm has appeared on the Internet that uses SQL injection to infect sites with malicious code and spread itself. The worm uses a SQL injection attack on Microsoft SQL Server and Sybase databases (as evidenced by the worm's attacks on the sysobjects table). I seem to recall Caleb Sima of SPI Dynamics warning about this a few years ago. Take it seriously folks - SQL Injection is everywhere. Notice how the author of the article closes with "Microsoft was not immediately available for comment on the SQL Server vulnerability used by the mass hack." He fails to realize - the problem is NOT with SQL Server. The problem is with the web application (or with the MDAC in some of the payload exploit code).
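A defender-side check for the kind of compromise described above: the worm walked the SQL Server catalog to reach every text column, and the same catalog lets you audit those columns for an injected fragment after the fact. This is an added example, not code from the original post; the marker string is a constructed placeholder, and INFORMATION_SCHEMA is used rather than sysobjects so the generated statements are schema-qualified.

```sql
-- Added example (not from the original post). Scans every string column of
-- every user table for a marker fragment and reports where it appears.
-- The marker is a constructed placeholder; use the fragment seen in your logs.
SET NOCOUNT ON;

DECLARE @marker varchar(200);
SET @marker = '<script src=';   -- placeholder value, not a real indicator

DECLARE @hits TABLE (SchemaName sysname, TableName sysname,
                     ColumnName sysname, HitCount int);

DECLARE @sch sysname, @tbl sysname, @col sysname, @sql nvarchar(4000);

-- INFORMATION_SCHEMA supplies the schema name that sysobjects lacks, so the
-- generated statement can be fully qualified.
DECLARE cols CURSOR LOCAL FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char','varchar','nchar','nvarchar','text','ntext');

OPEN cols;
FETCH NEXT FROM cols INTO @sch, @tbl, @col;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME protects the dynamic statement from odd object names;
    -- the marker itself is passed as a parameter, never concatenated.
    SET @sql = N'SELECT @s, @t, @c, COUNT(*) FROM '
             + QUOTENAME(@sch) + N'.' + QUOTENAME(@tbl)
             + N' WHERE ' + QUOTENAME(@col) + N' LIKE ''%'' + @m + ''%''';
    INSERT INTO @hits (SchemaName, TableName, ColumnName, HitCount)
    EXEC sp_executesql @sql,
         N'@s sysname, @t sysname, @c sysname, @m varchar(200)',
         @s = @sch, @t = @tbl, @c = @col, @m = @marker;
    FETCH NEXT FROM cols INTO @sch, @tbl, @col;
END
CLOSE cols;
DEALLOCATE cols;

-- Only columns that actually contain the fragment are reported.
SELECT SchemaName, TableName, ColumnName, HitCount
FROM @hits
WHERE HitCount > 0
ORDER BY HitCount DESC;
```

Run it against a restored copy of the database where possible, since a full scan of every text column is expensive on a busy production server.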

New "Tiger Team" TV Show Focuses on Penetration Testing - Wednesday, December 26, 2007
While the overall effectiveness of penetration testing as a security mechanism is debatable, it sure is fun. Apparently Court TV (soon to be called "Tru TV") has figured this out as well and has a new series where security professionals (clad in DEFCON t-shirts galore) break into car dealerships, jewelry stores, and other high-value targets as pen-testing consultants. I haven't seen them using any database or application attacks yet but it will probably happen eventually as they routinely gain remote access to internal networks.

Commercial Tools Page Added - Sunday, November 04, 2007
I have added a page to the site to host security tools I have created for security engagements and/or other projects. Of course, I fully intend to release free tools on a regular basis relating to SQL Server security (as noted by the recent release of the command-line version of SQLPing3). Many of these tools are very useful as well and can be purchased at a reasonable cost. The first tool is DHCP Sentry - a tool to help you locate rogue unauthorized DHCP servers on your network.

SQLPing3 Command Line - Alpha release - Wednesday, October 24, 2007
I have finally posted an alpha release of the command-line version of SQLPing3. Please provide any feedback at the download area for any errors or comments you have concerning this version. Keep in mind that this alpha release only contains the high-level switches. The ability to disable or alter the scan options will come later once the application is stabilized. For now the command-line switches are as follows:

SQLPing3cl - SQLPing3 Command Line version - alpha release

Syntax: sqlping3cl.exe -scantype [range,list,stealth] -StartIP [IP] -EndIP [IP]
-IPList [FileName] -UserList [FileName] -PassList [FileName] -Output [FileName]

Paros Proxy Spawns Commercial Product - Tuesday, October 16, 2007
One of the developers of the Paros Proxy (an excellent tool for scanning for SQL injection and XSS vulnerabilities) has begun a commercial spin-off called Milescan Web Security Auditor. The commercial version promises commercial support, documentation, and advanced features. At this point I am not sure what the advanced features are but it looks like this should not negatively affect the original Paros Proxy. That is good news for those of us who love the original. I wish them the best in their commercial endeavors but hope the original project continues to grow.

SQL Version Database Finally Sorting Properly - Wednesday, August 29, 2007
I hate to post announcements concerning internal administrative issues but for those concerned the version database on this site now properly sorts the builds in descending order by default. You can thank the authors of the 3.4.0 build of the UDT DNN (www.dotnetnuke.com) module for the fix. I'm amazed I was patient enough to wait for a fix before going in and royally botching the module in an attempt to fix it. Sometimes it pays to wait it out. I appreciate everyone's patience in waiting for it to be repaired.

United Nations SQL Injection hack - Sunday, August 12, 2007
Well, apparently there has been some budget cutting at the UN and developer training must have been first to get the axe. A SQL Injection issue allowed the site to be defaced - and if that's all that happened to them they should consider themselves lucky. The lesson: it can happen to all of us. Remain diligent and make sure all of your developers have security training.

Black Hat and DEFCON - Missed it - Monday, August 06, 2007
OK - so I wasn't able to make it to Las Vegas for Black Hat and DEFCON this year. That bites. But I did troll a bit on the highlights and thought I would share this gem. Apparently, an NBC reporter attempted to go undercover at DEFCON and was dumb enough to tell this to the organizers. I'm not sure if she was naive or if they are really good at smelling a rat. Either way - busted. Enjoy.

Microsoft Events UK Website Hacked - Tuesday, July 17, 2007
Here is an excellent dissection of a typical SQL Injection attack with detailed descriptions and screenshots. Truthfully - I'm not sure why we don't see more of these given the sheer number of exploitable sites out there.

Microsoft Releases CTP of SQL Server 2008 - Tuesday, June 12, 2007
Just when you were getting used to SQL Server 2005, Microsoft gives a glimpse at the next release. From a security perspective, they are touting the capability to seamlessly add encryption without changing your applications, encrypted backups, and advanced logging which will supposedly provide user-level details (not sure if they are talking about data-level changes or schema changes but we'll soon find out). Go ahead and give it a look!

Copyright 1999 by Chip Andrews