Chip's Blog‎ > ‎

Archived Posts

posted Aug 16, 2010, 11:29 AM by Chip Andrews   [ updated Nov 27, 2011, 5:40 PM by Chip Andrews ]
GreenSQL Creates SQL Proxy - Monday, September 12, 2011
An open source/commercial company has created a proxy tool for MySQL, PostgreSQL, and SQL Server that promises to detect and block SQL injection attacks for existing applications. While fixing the applications would be the best solution - that is not always possible if you don't have the source code. This is an interesting concept and certainly worth investigating. I wonder how long it will take before people start working on ways to bypass the filters using obfuscation techniques. read more ...

Hacker Gangs on the Rise - Wednesday, June 22, 2011
Anyone else find it disturbing that names such as Anonymous and LulzSec are making the news on a semi-daily basis? If nothing else - this new sensationalism around computer security may heighten awareness and get people to pay more attention to the subject.  read more ...

Mass SQL Injection Attack Appears to Target MS SQL - Friday, April 01, 2011
Hundreds of thousands of websites are defaced using a mass SQL injection attack that attempts to lure visitors to nefarious websites. Of course the redirect sites were quickly closed but the attack does several things: (1) it shows that SQL injection worms are here to stay as predicted by security experts such as Caleb Sima (2) it shows that many sites are still vulnerable and (3) it shows that many attackers are still not being very creative. This attack was a warning. People should take note: this could have been a lot worse as many of these sites contain sensitive information that could have easily been extracted by a variety of means since there was clearly a vector.  read more ...

MySQL.com Website Hacked - Sunday, March 27, 2011
More proof that SQL injection can happen to anyone I guess (I should probably do another code review myself when I get a chance). That said - I thought one of the response posts on Slashdot was interesting: "Defending against SQL injection isn't rocket science. It's brain surgery." Well said! There is no secret or magic elixir - just good coding, review, and testing. Even then - you're probably screwed eventually anyway.  read more ...

Way behind on moderating - Thursday, February 03, 2011
I apologize to those of you waiting for responses on the message boards. I've been insanely busy and way behind on my moderating duties. The messages have been approved and I will begin posting the version database upgrades ASAP. Thank you to those that contributed version information! --UPDATE: I have added some code to email me daily of any non-spam posts so that I can get the approvals done on a daily basis. read more ...

Give your family the gift of a porn-resistant Internet - Monday, December 20, 2010
While not specifically a SQL Server security issue, I highly recommend using the OpenDNS.com service for your home or business Internet. It is very simple to set up and even includes a client for using the service on a dynamic IP address. Once your LAN is set up to use the DNS service, it is a simply a matter of configuring the DNS filter to block porn, drugs, adult, or other websites you want to keep your kids (and yourself) from using. Basic filtering services are free and the service is a godsend for those with digital devices all over the house including iPads, laptops, gaming consoles, and other devices whereby the kids might be able to get to nefarious locales on the Internet. Of course - this level of protection is not good enough for experienced users who can simply change their DNS settings (assuming they have the rights) but for most home users this level of enforcement will more than suffice. read more ...

Massive check fraud scheme using...You guessed it...SQL Injection - Thursday, September 09, 2010
Another example of the fact that SQL injection just doesn't seem to want to go away. I'm especially concerned that companies who hold such vital information as checks would have such lax security but I guess I'm not surprised. You'd be surprised how many loan companies and banks have SQL injection issues on their web sites.  read more ...

Site Offline from 8/9-8/12 - Thursday, August 12, 2010
Many apologies for the outage as I know many of you depend on our version database. Apparently my hosting provider is attempt to migrate some of their sites to new infrastructure and the upgrades are not going to plan in some cases. Of course - I first caught wind of this when I was out of town so I haven't been able to get hands-on with the fix until now. Thanks for your patience. read more ...

Black Hat Vegas Envy - Tuesday, July 13, 2010
For those attending Black Hat and DEFCON later this month - I'll have the be there in spirit only (again) due to vacation and work scheduling issues. Have fun and let me hear the stories of what I missed. Catch you later. read more ...

Excellent Article on SQL Server Security Auditing - Monday, June 07, 2010
I'm kicking it old school on this one: I often get asked to provide folks with advice on performing SQL Server audits. Of course, there is no easy way to reply to that question without suggesting various books on the subject. However, Kevin Beaver has done an excellent job compiling a good starting point for most audits as well as a compendium of tools to help get the job done. Sadly this article has been out for many years but I overlooked it somehow.  read more ...

SQL Injection via Bumper Sticker - Friday, March 26, 2010
OK - this was just hilarious. Slashdot has a fun article on using a custom sticker to mess with OCR-capable license plate cameras. Anyway - the picture tells it all. read more ...

Frank Brown Contributes New Features to SQLVer Application - Thursday, January 21, 2010
Frank Brown has taken sqlver 1.0 and additional features such as: 1. default port to 1433 if none specified 2. match & print description string for internal version # 3. replaced dns.resolve with dns.getHostEntry (resolve is deprecated). Select category "discovery tools" under "Free Tools" section of this site to see the new code. read more ...

Metasploit Framework 3.3 Adds New SQL Server Features - Friday, November 20, 2009
With the 3.3 version of the Metasploit Framework comes the news that it now includes features specific to SQL Server as evidenced in the following quote: "Microsoft SQL Server support has been overhauled, with the addition of a brand new native Ruby TDS driver exclusive to the Metasploit Framework and a large number of new modules. Microsoft SQL Server 2000 through 2008 versions have been tested with the new modules. The MSSQL and Oracle login modules can now brute force passwords from a dictionary file." Certainly features of interest and something to start playing with right away. With tools like this, it might be very feasible for attackers to build custom executables (say, on USB drives with autorun.inf files) that can stage attacks on SQL Servers from inside the firewall.  read more ...

ISC Sends Reminder on SQL Server Service Ports - Monday, October 26, 2009
ISC has released a reminder about the dangers of TCP 1433 and UDP 1434 traffic and what it means (usually). It should be noted that with multiple instances, restricting your attention to 1433/1434 traffic could be shortsighted. Please be sure to use a tool such as SQLPing3 or other scanner to ensure that you have identified as many instances of SQL Server as possible - no matter what port it might be listening on. (I still cringe when I finish a sentence with a proposition...)
 read more ...

TJX Indictments Mean We Get More SQL Injection Details - Monday, August 17, 2009
With the indictments coming in for the TJX hacking incident, many more details regarding the nature of the SQL Injection attacks are coming to light. Woe be to he that fails to heed the warnings herein.  read more ...

SQL Server Considered for Future Version of Exchange - Saturday, July 25, 2009
This has been kicking around for years but it appears Microsoft may be looking at this for a post-2010 version - for real this time. In any case - this may put an even greater emphasis on SQL Server security. Let's hope if they do implement it as a store - they ship with all of the connectivity options disabled by default. The last thing we need is more surface area exposure. read more ...

Suspected Turkish SQL Server Injection Attack on U.S. Military - Friday, May 29, 2009
In yet another high-profile Microsoft SQL Server injection attack, the U.S. Army appears to be the latest victim of a web-based application attack. Details are sketchy and it is not clear how much, if any, sensitive information was exposed but with database access I suspect the odds are pretty good that some sensitive information was compromised. read more ...

Shameless Plug for Network Toaster - Friday, May 22, 2009
While the thread of applicability to SQL Server security is virtually non-existant, I wanted to shamelessly mention one of my pet projects. A few friends of mine and myself have collaborated to build a new business installing proven (meaning - we use them for ourselves and our customers) open source software applications on 1U rack-mount hardware. In our travels, we kept running into delays deploying open source applications caused by hardware sourcing and testing. It's a fun project and I encourage you to take a look if you are into applications like Untangle (Network Security), Knowledge Tree (Document Management), and Moodle (Online Learning). read more ...

SQL Server 2008 SP1 Released - Monday, May 04, 2009
OK - you got me - SP1 for SQL Server 2008 has been out for about a month now but in lieu of any other SQL Server news as of late I thought I would mention it as we all seem to be knee deep in recession woes, H1N1 virus news, and the summer movie media blast. Enjoy the season folks. I'm looking forward to some time on the lake and maybe some camping. I'll be more timely with my posts going forward. read more ...

Excellent Article on Scripting SQLPing3cl.exe - Monday, March 09, 2009
onpnt at blogs.LessThanDot.com has put together an excellent article on scripting SQLPing3cl.exe (still in alpha) for discovery purposes. He/She has put together some excellent database code to store the results for reporting as well so give it a look. I'll go ahead and say for the record that I still intend to finish the tool and I appreciate the patience everyone has shown with the tool. I've been very busy for quite some time but I intend to finish the tool soon so that all current SQLPing3 functionality and switches are supported.

 read more ...

SQL Server Buffer Overflow in sp_replwritetovarbin - Tuesday, February 10, 2009
A buffer overflow has been identified in older (and un-patched) versions of SQL Server. The vulnerability affects older editions/service pack levels including: SQL Server 2000, SQL Server 2005 Service Pack 2, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon). read more ...

SQL Injection on Kaspersky Website - Sunday, February 08, 2009
A SQL Injection attack has been staged against security software vendor Kaspersky. The only thing notable about this particular event was that the attacker apparently thought defacing the site was a responsible way to report the vulnerability. Let it be known that this is "not" the way to do things. Hopefully the lesson to be learned here is that SQL injection vulnerabilities are still pervasive. read more ...

Vulnerability in Extended Stored Proc Forces MS to Release a Patch 961040 - Thursday, December 25, 2008
You may often notice that in the SQL Server recommendations on this site, there are references to disabling certain extended stored procedures. Here's why: Microsoft has released a patch for a buffer overflow in an extended stored procedure that exists on both SQL Server 2000 and 2005. The extended stored procedure in question is master.dbo.sp_replwritetovarbin and is available to any authenticated user. A patch is recommended immediately since exploit code is in the wild. In addition to the MS link (below) - you can read more here: http://www.sec-consult.com/files/20081209_mssql-sp_replwritetovarbin_memwrite.txt read more ...

SQL Injection via Cookie attempts to exploit the new MSIE hole - Friday, December 12, 2008
SANS has an interesting analysis of a new SQL Injection attack that uses cookies for initial exploitation. We has a poster on the discussion forum who saw something similar a few days ago. This attack appears to be a hybrid - using SQL injection to put links into database table data that connect users to a site that uses the MSIE 0-day exploit (XML parser issue - http://isc.sans.org/diary.html?storyid=5458). read more ...

Web Application Firewall Discussion at ISC - Sunday, November 23, 2008
Due to the recent outbreak of SQL Injection bots making the rounds, ISC made a recommendation of several web application firewalls (see link below). They do a good job of prefacing this with warnings about this being a stop-gap measure only - and I commend them for that. Unfortunately, I feel that these are a mixed bag technology. While it is true that these tools can be useful in the short term, I fear that laziness being what it is (preferred) - people will implement them in lieu of actually fixing the application(s). If you do implement these tools, please do so only when combined with fixed deadlines for actually addressing the real problems of your application. read more ...

BusinessWeek Hit by SQL Injection Attack - Monday, September 15, 2008
Here's another example of SQL Injection on a very popular website. Again - I believe that the SQL Injection based worms that are now appearing are going to have the positive side effect of forcing these sites to get their code fixed. What is frightening to think of is: How long has this vulnerability been manifest in the application and how much sensitive information (customer subscription data) might already be lost? Again - the smart attackers don't advertise their presence.  read more ...

New SQL Injection Worm Targeting MSSQL - Tuesday, August 12, 2008
Another worm is making the rounds. I really don't see much new in this particular variant but it should be noted that the frequency of these attacks is increasing.  read more ...

Buffer Overflow in SQL Server Convert Function - Tuesday, July 08, 2008
As part of the Black Tuesday release this month from Microsoft, we have a critical vulnerability in most all editions of SQL Server relating to the Convert function. Definitely get your patches in place for this one. read more ...

Microsoft Releases KB Article on SQL Injection - Tuesday, July 01, 2008
Good grief. You know SQL injection attacks are getting bad when Microsoft releases a KB article that doesn't even have to do with their code! I guess whatever helps spread the word is a good thing but with the time period that SQL injection has been around I'm not so sure that the problem is a lack of awareness. More than likely - the problem appears to be a lack of will - but maybe I am getting jaded. In any case - there are some freebies in the article include an ASP source code scanner for SQL injection as well as links to HP's Scrawl tool which is a stripped-down version of WebInspect that focuses on SQL Injection. Enjoy! read more ...

Researcher at Blue Hat Convention Has Bad News for SQL Server - Sunday, May 18, 2008
Well - SQL Server and most all other Windows services that implement impersonation - that is. Apparently, due to the way Windows Server 2003/XP and below use impersonation in Windows services, it is possible to escalate privileges from services that would otherwise be running with a lower level of privilege. The attack was demonstrated by Cesar Cerrudo and he used SQL Server as one of the example exploits (user must be a SQL System Admin). Microsoft appears to have addressed some of the issues with Vista and Server 2008 but not entirely according to Cerrudo. It's worth keeping an eye on this one. read more ...

Massive SQL Injection Attack Targets Websites Using SQL Server - Friday, April 25, 2008
Looks like another mass SQL Injection attack is making the rounds. The attackers likely used Google or another service to select potentially vulnerable sites and then launched the attack from there. Yet another example of the importance of checking your code regularly for these types of vulnerabilities. read more ...

New Priv Escalation Security Vulnerability (951306) Affects SQL Server - Saturday, April 19, 2008
Applications that allow users to run code in an authenticated context (IIS, SQL Server) could be at risk from privilege escalation attacks. The threat to SQL Server is describes as follows: "SQL Server is affected if a user is granted administrative privileges to load and run code. A user with administrative privileges could execute specially crafted code that could leverage the attack. However, this privilege is not granted by default.". OK - so this is no SQLSlammer since non-default configurations are requried but it is still worthy of mention. read more ...

Quick SQL 2008 Security Highlights Article - Wednesday, March 19, 2008
Kevin Beaver has highlighted some SQL Server 2008 features that may interest readers.  Feel free to download the CTP and take it for a "spin" yourselves.  I am impressed by the database encryption options but I hope this won't lull developers into thinking they don't have to secure individual data fields.  Database encryption addresses a different threat than does field-level encryption.  For example, someone stealing your MDF poses a different threat than someone exploiting a SQL injection vulnerability on your site.  Kapeesh?
 read more ...

SQL Server 2008 CTP Released - Tuesday, February 26, 2008
Microsoft has released the CTP for SQL Server 2008. On the security side, Microsoft is touting the ability to encrypt entire databases, database files, backups, and logs. Most of this has been available from 3rd parties for some time. I guess I should see how many of those were purchased by Microsoft? (grin) Also they are claiming improved auditing. The spec sheet talk about the Surface Area Configuration Tool but that has been around for some time now - this sounds like a marketing re-hash. read more ...

Apologies for Forum Moderation Delays - Sunday, February 03, 2008
I wanted to personally apologize for the delay in Discussion Forum moderations. Usually I stay on top of this but have slacked off a bit as of late due to some external pressures and left some un-moderated messages out there for a week or so. I am working to keep the spambots at bay with CAPTCHA instead of moderation so should have something to alleviate this issue soon. Thanks for your patience and keep the questions coming! read more ...

First Mass SQL Injection Worm? - Tuesday, January 08, 2008
Apparently a new worm has appeared on the Internet that uses SQL injection to infect sites with malicious code and spread itself. The worm uses a SQL injection attack on Microsoft SQL Server and Sybase databases (as evidenced by the worm's attacks on the sysobjects table). I seem to recall Caleb Sima of SPI Dynamics warning about this a few years ago. Take it seriously folks - SQL Injection is everywhere. Notice how the author of the article closes with "Microsoft was not immediately available for comment on the SQL Server vulnerability used by the mass hack." He fails to realize - the problem is NOT with SQL Server. The problem is with the web application (or with the MDAC in some of the payload exploit code).  read more ...

New "Tiger Team" TV Show Focuses on Penetration Testing - Wednesday, December 26, 2007
While the overall effectiveness of penetration testing as a security mechanism is debatable, it sure is fun. Apparently Court TV (soon to be called "Tru TV") has figured this out as well and has a new series where security professionals (clad in DEFCON t-shirts galore) break into car dealerships, jewelery stores, and other high-value targets as pen-testing consultants. I haven't seen them using any database or application attacks yet but it will probably happen eventually as they routinely gain remote access to internal networks.  read more ...

Commercial Tools Page Added - Sunday, November 04, 2007
I have added a page to the site to host security tools I have created for security engagements and/or other projects. Of course, I fully intend to release free tools on a regular basis relating to SQL Server security (as noted by the recent release of the command-line version of SQLPing3). Many of these tools are very useful as well and can be purchased at a reasonable cost. The first tool is DHCP Sentry - a tool to help you locate rogue unauthorized DHCP servers on your network. read more ...

SQLPing3 Command Line - Alpha release - Wednesday, October 24, 2007
I have finally posted an alpha release of the command-line version of SQLPing3. Please provide any feedback at the download area for any errors or comments you have concerning this version. Keep in mind that this alpha release only contains the high-level switches. The ability to disable or alter the scan options will come later once the application is stabilized. For now the command-line switches are as follows:

SQLPing3cl - SQLPing3 Command Line version - alpha release

Syntax: sqlping3cl.exe -scantype [range,list,stealth] -StartIP [IP] -EndIP [IP]
-IPList [FileName] -UserList [FileName] -PassList [FileName] -Output [FileName] read more ...

Acunetix Whitepaper on Web Services Vulnerabilities - Sunday, May 13, 2007
Acunetix has posted an article of web services security that discusses (at a high level) some of the threats to web services - including SQL injection. It's a good primer if someone tries to tell you that web services avoid the security problems of existing web applications. Full Disclosure: Acunetix is a SQLSecurity.com advertiser but did not pay for this posting. read more ...

Imperva Releases Free "Scuba" Vulnerability Scanner for Multiple Databases - Sunday, May 06, 2007
Hey - I'm always a fan of free so check it out (from their press release): "Scuba by Imperva is a free, lightweight Java utility that scans Oracle,DB2, MS-SQL, and Sybase databases for known vulnerabilities and configuration flaws. Based on its assessment results, Scuba creates clear, informative reports with detailed test descriptions. Summary reports, available in Java and HTML format, illustrate overall risk level. With Scuba by Imperva, you are quickly on your way to meeting industry-leading best practices for database configuration and management." read more ...

SQLPing3 Released - Sunday, April 22, 2007
SQLPing 3.0 is the evolution of the SQLPing product to the .NET Framework using code from SQLRecon. I have incorporated the brute-force capabilities of SQLPing2 into this version so that it should now contain all features from SQLPing2 and we can finally retire that code. Please let me know if you have any questions or concerns. Sample userlist and password files are included for demonstration purposes. It is highly recommended you replace them with your own custom dictionaries. read more ...

SQLRecon/SQLPing Updates - Tuesday, March 27, 2007
I have re-compiled SQLRecon 1.0 with .NET Framework 2.0 for those of you who have been keeping up. Just pick up the new version under FREE TOOLS. I have had multiple requests for improvements to SQLPing2 but I am leaning towards implementing brute-forcing into SQLRecon and re-releasing the tool as SQLRecon 2.0. Let me know what you think. I'd prefer not to maintain SQLPing2 any longer since it doesn't have near the discovery features of SQLRecon and is written in, gasp, VB. If I never see another line of Visual Basic in my life that's just fine with me. No hate mail from you VB lovers out there - I know you love it. read more ...

03-20-07 Site Undergoing a Version Upgrade - Tuesday, March 20, 2007
SQLSecurity.com is currently in the middle of a software upgrade. I will re-post the older blog entries soon so stay tuned. All other content should be intact. Please inform me if you have any issues. Thank you. read more ...

02-12-07 A Collection of Excellent Articles about SQL Injection - Monday, February 12, 2007
Acunetix has posted an excellent series of articles on web application security including several on SQL injection specifically. Of particular interest is a story on SQL injection detection methodologies and Google hacking. In the interest of full disclosure: Acunetix is an advertiser of this website but has not paid for this announcement. read more ...

01-30-07 Microsoft Releases KB Article on the SQL 2005 Express/Vista Issue - Tuesday, January 30, 2007
It appears Microsoft has finally presented an explanation and workaround for those wishing to run SQL Server 2005 Express on Windows Vista. The problem stems from changes in the way Windows Vista treats administrative accounts and is worth reading simply to understand that process. Thanks to Ken Klaft for pointing me to the article. read more ...

12-16-06 SQL Server 2005 Express not compatible with Vista - Saturday, December 16, 2006
For those of you planning to jump on Windows Vista for all those supposed new security improvements - you may want to slow your roll. Apparently, the new OS does not work with the current version of SQL Server 2005 Express - the version specifically targeted to non-server Windows installations. SQL 2005 Service Pack 2 is supposed to address this but it is still in beta. What will this mean for security? Possibly a delay in Vista deployment. Don't think about going back to SQL 2000 - it doesn't work either. Best bet? Wait for SQL 2005 SP2 before you make a move to Vista on any machines running SQL Server desktop editions. read more ...

11-7-2006 Article on Forensic Tamper Detection is SQL Server Tables - Tuesday, November 07, 2006
Amit Basu has submitted an excellent article on implementing forensic tamper detection in SQL Server which I've offered to host on this site. Feel free to discuss on the discussion forum if you have questions or concerns, I'm sure he'll be happy to explain.  read more ...

10-23-06 New Organization Created To Promote Application Security - Monday, October 23, 2006
Tim Mullen has started a new open-membership security organization with a provocative name. The organization called ' or 1=1-- (http://www.apostropheor1equals1dashdash.com/) will be a think-tank of sorts, providing fresh ideas around application security. If nothing else, the name alone should have some web applications all over the web throwing exceptions left and right (or doing data dumps from the short circuit) when someone mentions the site. Gotta love it. read more ...

09-10-06 Article on Building Secure Protocols - SSPI discussed - Sunday, September 10, 2006
For anyone who has ever assembled a SQL Server connection string, the phrase "Integrated Security=SSPI" is probably very familiar. Now is your chance to read about how hard it is to construct secure network protocols and what kinds of planning are needed. Even if you are mostly an applications-focused developer, this information is a great foundation. read more ...

07-21-06 Looks like ISC has solved the mystery - Friday, July 21, 2006
ISC has concluded that the spike in TCP 1433 is probably due to someone using the old MSSQL 2000 preauthentication vulnerability to exploit unpatched SQL Servers. From all indications, it may be a simple product of the Metasploit framework which includes the exploit code. The lesson: someone out there still has unpatched SQL 2000 boxes out there connected directly to the Internet. Alas. read more ...

07-19-06 TCP port 1433 scans spiking at ISC - Wednesday, July 19, 2006
ISC is reporting a spike in TCP 1433 (default SQL Server posrt) scans across the internet as detected by Dshield. As SQL Server professionals - we all know what that means. Make sure you do not have any exposed SQL Servers and that you are fully patched. Also - if you are able to capture any packets, please alert isc.sans.org. read more ...

07-11-06 Application Security Scanners Galore - Sunday, July 09, 2006
I've been adding plenty of products to the Assessment Tools section of the site under "SQL Server Related Tools". Please feel free to remind me of any I might have missed. My personal favorite of non-commercial tools is Paros but it would be interesting to see if there are other tools out there equally as powerful. read more ...

05-11-06 What should we do when we find a vulnerability? - Thursday, May 11, 2006
You've been there.  You're on some site, tooling around looking at news, articles, whatever.  Suddenly, you see a parameter being passed in a URL and throw a single quote up there just to see if the software is well written.  Then, as usual, the application throws an exception and you see the ubiquitous SQL Server syntax error (depending on database type).  What do you do?  Inform the author of the site?  Fill out a web request form?  Or - just keep your mouth shut and be sure not to give that site your personal information?  The article is a good example of why the latter (unfortunately) is becoming more and more necessary.
 read more ...

04-18-2006 SQL Server 2005 SP1 goes RTM - Sunday, April 23, 2006
SQL Server 2005 Service Pack 1 has been released.  One noticable difference right off the top is that Microsoft has removed "some" of the confusing separation of service packs based on versions and additions.  One download should get you going for all versions (desktop, enterprise, developer, standard) but if you have Express Edition - nope - you have a separate download, sorry.  Oh well - I would have hoped for a SP loader that would be smart enough to detect what I am running and download additional components appropriately.  They are getting closer though.  NOTE:  Microsoft has actually been doing this for some time (2000 SP4 maybe?) but I thought I'd comment on it anyway.
 read more ...

Migration largely complete - Wednesday, March 01, 2006 - Wednesday, March 01, 2006
Well - that was fast - the tools are back online and the free analysis page is working again. Please enjoy and let me know if you find anything that is broken or otherwise missing. Now I'm off to find some cool new skins... read more ...

Site Upgrade in Progress - Tuesday, February 28, 2006 - Tuesday, February 28, 2006
In case you haven't noticed, I have upgraded the site to DNN 4.0.2 and am in the process on integrating a few custom features. Currently offline are the Free Tools section and the Free Analysis. Both are in progress and should be operational shortly. I appreciate your patience. read more ...

Excellent article on SQL Server Security Testing - Tuesday, February 28, 2006 - Tuesday, February 28, 2006
This is an excellent TechTarget article on SQL Server security testing by Kevin Beaver. The highlight of the article is a great list of tools available for SQL Server security testing - including multiple SQL injection tools. Many of the tools are free and I highly recommend you give them a look. I'm a bit surprised that Paros didn't make the list but some newer tools like Absinthe are quite impressive.  read more ...

Article on 10 tricks attackers use to access SQL Server - Tuesday, February 28, 2006 - Tuesday, February 28, 2006
Informative article on how attackers commonly compromise SQL Server systems. Besides the scenarios, there are also some great tool descriptions including (plug here) SQLPing, SQL Injector, Metesploit, and Abinsthe. Keven Beaver does it again. read more ...

Testing Testing Testing - Thursday, December 15, 2005
Now that we have a release for SQL 2005 in our grubby little hands, its time for some good ole pen testing, surface area analysis, and more port scans than you can throw nmap at. If anyone has identified anything interesting, please pass it along. So far, SQLPing and SQLRecon don't seem to have any problem identifying the new SQL Server version assuming you have the appropriate level of host access for the selected scan types. Of course, I am seeing more detection from WMI and SCM scans rather than the TCP/UDP scans in the past now that TCP/IP is disabled in the default install. The think the more interesting items to identify are (a) what levels of privilege are required for the SQL runtime , (b) what does the average SQL user have access to, and (c) what configuration settings changes are people making that may lead to compromise and why. Stay tuned. read more ...

SQL Server 2005 goes RTM - Friday, October 28, 2005
SQL Server 2005 and Visual Studio 2005 Professionsal have been released to manufacturing. You should begin to see it on your networks soon - especially if you have an MSDN subscription and some decent bandwidth. I've had no problems identifying the betas with SQLRecon or SQLPing but with each release there could be minor changes. Let me know if anyone experiences trouble with discovery. Like all SQL Server editions, this one will require patches, maintenance, and careful configuration. I think you'll be pleasantly surprised at the reduced surface area of this release. read more ...

SQL Server Security School - Friday, October 07, 2005
Not sure how I forgot to post this earlier but I did record a webcast series on SearchSQLServer.com on SQL Server security topics. Check them out! If there are any topics you'd like to see in a future webcast please let me know.  read more ...

SQL Server 2005 coming soon - Need a Preview? - Friday, September 30, 2005
OK - it's been kinda quiet lately on the SQL Server front that's for sure. But look on the bright side, SQL Server 2005 is right around the corner. For those of you looking for a preview of the newest features check this link. If you're hungry for more SQL Server security content then get ready because I'M BACCKKKK!! read more ...

Never made it to Black Hat - Apologies to all! - Friday, July 29, 2005
OK - so I had every intention of going to Black Hat this week. I was packed. I had my new laptop ready to go. I was ready for my training course with NGS Software and Special Ops Security. Then, Saturday night I became ill and had to be admitted to the hospital. Diagnosis? No Black Hat. Anyway, I am fine now but still out some non-refundable tickets. I am really sorry I didn't get to see everyone and will do everything I can to schedule some other events to make up for missing out on my social obligations (grin). Check you guys next time... read more ...

Web Application Security Training at Black Hat - Sunday, July 10, 2005
I will be one of many trainers for a course on web application security at Black Hat in Vegas July 25-26. Any who are interested are encouraged to sign-up and I will also be around for few of the following days if you want to meet or grab a meal. I look forward to meeting as many of you as I can! read more ...

Microsoft gives us a date for SQL Server 2005 - Wednesday, June 08, 2005
At Teched Orlando, Paul Flessner announced that Nov 7, 2005 is the release date for SQL Server 2005 and Visual Studio 2005. At least now we can plan around it. read more ...

Microsoft WSUS goes RTM - At last! - Wednesday, June 08, 2005
Microsoft's WSUS product has been released to manufacturing and was distributed attendees at Teched. This version is supposed to help us patch SQL Server installations enterprise-wide in the same way that SUS has been patching Windows clients (and servers) for years. Feel free to post or send email regarding your experiences with it. read more ...

SQL Server 2000 SP4 Released - Monday, May 09, 2005
In case you haven't heard by now SP4 for SQL Server 2000 has finally been released. This release includes all post-SP3 security fixes, MSXML 3.0 SP6, MDAC 2.8 SP1, and 64-bit support features (see details). At last, a good, clean starting point for your remediation sessions. Of course, what you make up for in patch quantity you'll lose in bandwidth for this behemoth (70 MB for most folks). Nevertheless, thanks for the service pack Microsoft. This beats hotfixes all day long... read more ...

MSDN Article on Security in SQL Server 2005 - Friday, May 06, 2005
Article by Don Kiely on the new security features of SQL Server 2005 and what it means for you. Subject to change of course. read more ...

Idera SQL Compliance Manager - Friday, April 22, 2005
Idera's SQL compliance manager provides a powerful auditing and compliance solution for Microsoft SQL Server users. SQL compliance manager provides: low overhead data collection, a central repository of audit data, a central management console, pre-defined compliance reports, an auditors console for ad-hoc queries, reporting and forensic analysis, and efficient, secure data archival. read more ...

SQL Server 2005 Virtual Labs from Microsoft - Thursday, April 07, 2005
Are you ready to experience SQL Server 2005? Announcing the launch of the SQL Server 2005 Virtual Hands on labs. In these labs, you will get to experience many of the new features in SQL Server 2005 including CLR integration, XML support and deep business intelligence integration. Just follow the link and experience SQL Server 2005 for yourself read more ...

WMSDE - Something else to keep our eyes on - Monday, March 28, 2005
Microsoft has released a special version of MSDE to be released with Windows Sharepoint Server and requires Windows Server 2003. This version has a custom schema making it different enough from MSDE to warrant a new acronym. rumor has it WMSDE does not have the 2GB database size limit nor the 5 concurrrent connection limit. More SQL - another good reason to use SQLRecon and get em located. read more ...

SUS - too hot! WUS - too cold! WSUS - just right? - Monday, March 28, 2005
Microsoft has announced the release candidate open evaluation for the successor to Windows Update Services (WUS) now called WSUS (Windows Server Update Services). Why do we care? Because this version includes security patches for SQL Server, MSDE, and WMSDE. The question remains, how good will support be for multiple instances? What about service packs? Can the patches be rolled back? How can we be sure the patches are installing properly? I can't wait for the answers. Let's hope for the best. I for one appreciate Microsoft getting onboard with helping SQL Server admins! (NOTE: Apparently WSUS requires SQL/MSDE so plan on yet another addition our list of applications that use SQL!) read more ...

Patching SQL Server Checklist at TechTarget - Monday, March 28, 2005
I just finished a two-part series on finding and patching SQL Servers in your organization for TechTarget. Part 1 is currently posted at TechTarget with Part 2 coming up shortly. In the future I will be providing additional content which I'll be sure to let you know about including more checklists and a webcast series.  read more ...

SQLRecon 1.0 Released - Tuesday, March 22, 2005
SQLRecon v1.0 has been released to the public as a free tool. SQLRecon performs both active and passive scans of your network in order to identify all of the SQL Server/MSDE installations in your enterprise. Due to the proliferation of personal firewalls, inconsistent network library configurations, and multiple-instance support, SQL Server installations are becoming increasingly difficult to discover, assess, and maintain. SQLRecon is designed to remedy this problem by combining all known means of SQL Server/MSDE discovery into a single tool which can be used to ferret-out servers you never knew existed on your network so you can properly secure them. Thanks to all who helped me with the testing: Jason Morrow, Ken Klaft, Matt Wagenknecht, and Erik and Steve at SpecialOpsSecurity.com. Documentation available at Specialopssecurity.com. read more ...

Chip Andrews a Founding Member of Special Ops Security, Inc. - Tuesday, March 22, 2005
In case you haven't figured it out by now, I've joined forces with some of my favorite IT security colleagues (Erik Pace Birkholz and Steven Andres) and helped form Special Ops Security, Inc. which provides training and consulting on IT security issues. This association will in no way affect SQLSecurity.com or the content provided here. I am proud to be part of Special Ops and I am confident my experiences there will only me to be even more involved with keeping this site current, accurate, and relevant.  read more ...

Jimmers releases code to reveal DTS connection passwords - Tuesday, March 01, 2005
DTSConnPass - utility to decrypt DTS package Connection passwords. If you export a DTS package as a structured file, just point this application at it to reveal the passwords used in the those connections. Again - more proof that local symmetric encryption used to persist credentials without an out-of-band key is nothing but a shell game. Use Windows authentication whenever possible and minimize the need to persist this kind of information. read more ...

Debate on the security of stored procedures and parameterized queries - Wednesday, February 23, 2005
This debate occurred on TheServerSide.NET and the original poster was way off on this topic but the first rebuttal (scroll down to "Mind your PQs" by Frans Bouma) does an excellent job of explaining the details and dispelling the myth that stored procedures prevent SQL injection. For anyone who wants to see why parameterized queries are so important (even when calling your stored procedures) then give this a good read.  read more ...

New SQL Server discovery tool "SQLRecon" to be released soon - Wednesday, February 09, 2005
In association with Special Ops Security, I will soon be releasing a tool called SQLRecon to the general public. The tool will include at least 7 different SQL Server discovery methods and will include both active and stealth scanning modes. The tool is primarily targeted towards security professionals and administrators who are tasked with securing their enterprise and need to find every SQL Server on their network (and their versions). I am not aware of any commercial or non-commercial offering that does a better job at finding SQL Servers. Stay tuned. read more ...

SQL Server Brute Force Scanning Surge - Friday, December 31, 2004
According to ISC SANS, there have been a large number of SQL Server authentication brute force attempts being made. There appears to be a certain executable responisble for this which has apparently been around for a while (http://securityresponse.symantec.com/avcenter/venc/data/hacktool.sqlck.html). Check the ISC website (isc.sans.org) for more and stay tuned.

A few observations:
  • You can create an alert for error# 18456 and send emails or pop-ups to an admin (automatically throttled to 1 per minute to prevent denial of service)
  • You can use the profiler to log more detailed messages about the event (but you still won't get the IP - Microsoft - are you listening?) and use triggers to respond (http://tinyurl.com/6x87s)  read more ...

Microsoft Webcast on SQL 2005 Security - Thursday, December 09, 2004
Want a glimpse at some of the new security features in SQL Server 2005? Check out this webcast - it's free and downloadable at any time. Enjoy. read more ...

FxCop 1.312 Adds Check for SQL Injection - Thursday, November 04, 2004
The FxCop tool from Microsoft, which scans .NET assemblies for various development flaws, has added a check for SQL Injection flaws in its security checks. This check will determine if a SQL command was assembled using the appropriate SqlCommand object or via string-building. I haven't fully tested the feature yet but for a free tool - it's hard to beat. read more ...

New SQLSecurity Group Policy Template Project - Tuesday, October 26, 2004
I've started a new project concerning the construction of a custom administrative template for Group Policy that will include (of course) SQL Server policy settings such as authentication mode, logging level, and netlib support but also any policies that can help secure the enterprise. Most notably - I'm looking for registry hacks to prevent Internet Explorer issues (I use Firefox but many of us still support IE) and other ubiquitous applications. Please contribute! The overall plan is to end up with a large template we can apply to any Active Directory domain and lock down hundreds or thousands of machines with relative ease and speed - especially when there are security issues out there with no readily available patch. read more ...

Nicholas Petreley on Linux vs Windows Security - Friday, October 22, 2004
Why is this relevant to SQL Server you ask? Well, in his discussion of Windows Design he uses the SQL Slammer worm and the multi-instance capability of SQL Server 2000 to illustrate why Microsoft's designs rely too much on RPC. It's an interesting analysis but RPC has very little to do with SQL Slammer. SQL Slammer was about improper input validation and the question of whether discovery service should have been an optional item and disabled by default. If anything, its an example of poor code review and a lack of secure deployment defaults. That's my take. read more ...

SQL Server Remains on the SANS Top 20 List - Monday, October 11, 2004
Despite the fact that most visitors think SQL Server security is improving (according to a recent non-scientific poll here at this site), SQL Server remains a major security problem on most Windows systems. So - any guesses as to why SQL Server remains such a big security problem? Lax deployments? Stealth installations? Poor security management? Perhaps its time for a more aggressive approach? read more ...

Free MS Webcast on Runing MSSQL on XPSP2 - Monday, October 04, 2004
Microsoft is hosting a free webcast on resolving issues related to running SQL Server 2000 on XP SP2. For the record, SQL Server should probably not be running on a "client" operating system anyway except on maybe developer workstations. For those, I recommend removing ALL netlibs anyway and using shared memory to connect to the local instances. This should prevent all remote clients from connecting to SQL Server which is probably just what local developers need anyway. read more ...

SQL Server 7.0 Denial of Service Vulnerability - Thursday, September 30, 2004
While I have seen no verification from Microsoft of this and have not tested it myself, a denial of service vulnerability of SQL Server 7.0 has been released on Buqtraq. Handle with care and, as always, protect connectivity to SQL Server to all untrusted clients. It would seem web hosting providers would be at the greatest risk since providing outside connectivity is very common in those scenarios.  read more ...

Quiet Times in SQL Server Land - Friday, September 17, 2004
Let's face it - It's been real quiet in the world of SQL Server security as of late. Not a lot of new vulnerabilities, tools, or technologies now that SQL Server 2000 has become more mature. I'm sure we'll have more to talk about when Yukon arrives but until then I would like to ask you all what gaps you are still having when it comes to SQL Server security tools. I've added a new survey to the main page - please feel free to respond in regards to what you think is still missing - or write me if your ideas are not listed. Thanks read more ...

SQL Server 2005 Express Edition Replaces MSDE - Wednesday, June 30, 2004
According to MSDN, SQL Server 2005 Express Edition will replace MSDE as the free offering to get people started with SQL Server. In addition, a technical preview is now freely downloadable from the MS site given even non-beta program participants a taste of what's to come. read more ...

Microsoft SQL Server Security Analyzer - Friday, June 25, 2004
Tool to inspect a SQL Server installation and compare its configurating against Microsoft's security recommendations. read more ...

Windows XP SP2 and how it will affect SQL Server - Wednesday, June 23, 2004
Microsoft is warning you ahead of time of some changes that will take place in Windows XP Service Pack 2 and the effect this will have on your SQL Server installations (including MSDE). Keep in mind that XP is still a workstation technology so MSDE installations and developer workstations are the most likely to be affected by this. The bottom line is that since the XP Firewall will be enabled by default, MSDE/SQL installations will be inaccessible to clients in most scenarios (TCP 1433/ UDP 1434 connections). Those using named pipes will be able connect if File and Printer Sharing on the local subnet is enabled. This can be a good thing folks unless XP SP2 ships with File and Printer sharing enabled by default - then your installation could still be at risk. Even so - don't get lazy - keep your patches current. read more ...

SANS - SQL Server Scanning on the rise- beware - Tuesday, June 01, 2004
There is a disturbing report from SANS about some increased SQL Server scanning activity from what may be a new SQL Slammer variant. Be sure to keep those SQL Servers fully patched and don't connect them to the network until they are.  read more ...

Slashdot Blog on new SQL Server Security Features in Yukon - Tuesday, June 01, 2004
There's a link on the Slashdot blog to an article with the details. Plenty of humorous commentary on the Slashdot site as always. Enjoy. read more ...

Imperva Releases Whitepaper on SQL Injection Signatures Evasion - Wednesday, April 28, 2004
Some excellent technical analyses of how attacks might circumvent SQL Injection Signatures. The content is excellent but I must add that if you are depending on signature detection to protect you from SQL Injection then you're fighting a losing battle. Better still - try coding your applications to prevent SQL Injection in the first place and avoid the onslaught of false-positives that you are sure to endure. Also on the site is an excellent paper on Blind SQL Injection. read more ...

Phatbot/Agobot/Gaobot May Use SQL Server for Injection - Sunday, April 25, 2004
Looks like past flaws in SQL Server are part of a new variant of an existing worm now propogating. I've read some reports that worms are not only looking for known flaws in SQL Server but also weak passwords on administrative accounts (such as 'sa'). More reason than ever to establish and enforce a policy for SQL Server and MSDE installations in your organization. read more ...

Article from Jeremiah Grossman on SQL Injection - Monday, April 05, 2004
For anyone who's looking for an article on the subject of SQL Injection targeted at the layman, Jeremiah Grossman of WhiteHatSec (www.whitehatsec.com) has just the thing. If only more web developers (and those who pay them) would take note! read more ...

New Tool added - SQLVer - Enumerate SQL Server Versions - Friday, February 27, 2004
OK - this one's for those that want to get the version of a SQL Server instance withuot logging into the server and without having administrative privileges on the box. I actually wrote this several months back as part of SQLPing.NET 1.3 Beta but later when using it for penetration tests I noticed that it was darned inconvenient when the target was blocking UDP 1434. So came SQLVer which uses the "false connection" mechanism to make SQL Server think we want to place nice and attempt a login at which point it coughs up the version information. Syntax is sqlver.exe [host] [port]. Enjoy - .NET version included - with C# source. If someone wants to port it to other languages I'll be happy to include it in the archive. --Chip read more ...

New! Version Database Added to SQLSecurity.com - Friday, January 30, 2004
I've added a new tab for the SQL Server version database. I'm especially glad to see this since it is much easier to maintain, allows for greater interaction with site visitors, and Ken Klaft has volunteered to help maintain the database going forward. Please post any corrections/additions to the discussion forum on that page. read more ...

MSDE appears in Windows Update...Sort of - Thursday, January 22, 2004
While I have yet to see the first instance of a SQL Server service pack or hotfix in Windows Update on any of my client machines, it has begun to appear in Windows Server 2003 (only). Apparently, the inclusion of MSDE as part of the Sharepoint Services install has prompted Redmond to include MSDE patches under the cloud of "Operating System" updates. For those of you who use Software Update Services (SUS), you've no doubt seen the second of these updates appear in your approvals list this week. Let's hope this trend continues to all Windows platforms and for all versions of SQL Server! read more ...

SQLSecurity.com has changed hosting providers - Tuesday, January 20, 2004
I want apologize in advance for any interruptions in service anyone may have endured as SQLSecurity.com was recently moved to a new hosting provider. My older provider was giving me less than exceptional service at a much higher price. The last straw was an "upgrade" that took the site offline for 6 hours with no explanation or apologies. Hopefully we'll have a much better experience here. I appreciate everyone's patience as DNS cache values can vary and I'm sure many of you got some nasty messages from my old hosting provider (who is still down BTW as I write this). read more ...

Remote MDAC Vulnerabilty using UDP 1434 - Tuesday, January 13, 2004
New MDAC Vulnerability is a reverse spin on MS02-039 whereby a response to a discovery packet sent by a victim can be specially crafted to cause a buffer overrun on the victim's machine. An attack could not be initiated remotely but once the victim sends a discovery packet, the attack could begin. Vulnerable MDAC versions are 2.5-2.8. Looks like patch time again. read more ...

Here comes 2004! - Sunday, December 28, 2003
In an effort to update the user interface and streamline future updates, I've ported the SQLSecurity.com site using portal technology from the DotNetNuke (www.dotnetnuke.com) project. This should allow for quicker updates and give me greater flexibility to delegate content management tasks (not that anyone else but me really gives a crap). In addition, support for RSS (Really Simple Syndication) has been added along with better logging. Next think I need to do is work on a cool skin for the site but my graphical skills are at best rudimentary. If anyone is looking to pitch in - I'll gladly accept any help I can get. read more ...