Speaking Twice on Oct 1, 2013

Carolina Technology Conference:

To start things off, I’ll be speaking in the morning at the Carolina Technology Conference. I have a 40 minute slot from 10:05 – 10:45 AM Eastern. I’m shooting for a 30-35 minute presentation with 5-10 minutes of questions. Here’s the information on the talk:

Building a Secure Infrastructure for Database Servers

In warfare, understanding your enemy is a supreme advantage. The same is true when it comes to protecting a modern database platform. We’ll get into the mindset of an attacker, looking at the methods and techniques attackers use to go after SQL Server. Once we understand the threats, we’ll then examine defensive techniques to secure and protect your data (and not just your servers), using both new and creative methods as well as the tried and true.

For instance, end databases are only one part of the overall Extract, Transform, Load (ETL) pipeline for most organizations. As recent, successful attacks have shown, attackers are now looking at other areas to steal your data. I will walk you through common scenarios and examine the various points an attacker may target, how those points can be attacked, and what you can do to secure them. We’ll look at the whole implementation, from the source system which originates the data all the way through to the database backups.

PASS DBA Fundamentals Virtual Chapter:

During the lunch period here on the East Coast of the USA I’ll be giving a webinar for the DBA Fundamentals virtual chapter. That will be at 12 noon Eastern, 11 AM Central. This will be via LiveMeeting. Here’s the information on the talk:

What You Absolutely Must Know about SQL Server Security

Data security breaches are in the news regularly. In many cases, these breaches are due to poor or incomplete security configurations. In this session we’ll look at the basic Microsoft SQL Server security model and what you need to look at for your own system. We’ll cover the top things to check both inside and outside of SQL Server to lock down your databases while still providing the access your users need. Finally, we’ll also talk about what you should be auditing regularly to ensure your SQL Server stays secured.


Installing SQL Server 2008 on a machine with .NET Framework 4.0? Read this.

The SQL Server Premier Field Engineer blog has a post about an issue with installing SQL Server 2008 on a system where the .NET Framework 4.0 is already installed:

SecurityException / ‘The process was terminated’ errors installing SQL 2008 when .Net Framework 4.0 is installed

The first workaround is probably the easiest for most folks, which is to copy the install files locally and then perform the install. This isn’t a SQL Server problem, per se, as the blog post indicates. Rather, it’s due to the tightening down of some security in .NET.

PASS BoD: I’m voting for Allen Kinsel

There are some very good names up for this year’s PASS Board of Directors. However, I wanted to write a post about one guy in particular: Allen Kinsel. Why Allen?

Allen is “Good People:”

That’s a saying we have in the South when we describe someone we respect and admire. Every opportunity when I’ve been able to work with Allen (and every opportunity has been tied to PASS), I’ve been impressed with:

  • His professionalism towards the task at hand and the people involved.
  • His passion to see PASS succeed.
  • His willingness and desire to work with others.
  • His sound judgment on difficult decisions that someone must make.

Allen Gets the Pain Points:

The first key goal Allen lists is this one:

Prioritizing and investing more dollars in PASS IT to improve our member-used systems.

As a chapter leader, a PASS volunteer, and a SQL Saturday organizer, I can attest first hand that the PASS IT infrastructure is in great need of some attention and tender loving care. The folks working IT do a lot. They work hard. They’ve made some wise choices, like choosing to go to Office365 rather than maintaining their own Exchange environment. Think about the hours they freed up not supporting Exchange any more. However, I bet they could do even more for us if we could get some more attention to the IT side of things. Allen wants to do just that. That benefits all of us.

Allen Has Experience with PASS Like Few Others:

Visit Allen’s candidate page. Then click the link under his picture for his application. Allen has been serving PASS for almost 10 years. He does an outstanding job, which is why he received the PASSion Award in 2009. He has been on the BoD before. Allen knows how to do the job, can do the job, has the experience for the job, and the passion for the job. I can’t say that about any other candidate, as good as they are. That’s a key reason Allen stands out to me.

Allen Has a Vision to Grow the Community:

Look at Allen’s other two top goals:

  • Making an additional IT investment to bring PASS’s membership roster up-to-date.
  • Convincing the Board to implement committees that mirror the current portfolios.

The fact of the matter is that a lot of folks ask the question, “What’s in it for me?” They join organizations that they perceive as valuable to their goals, their current situation, and their future. Allen wants to increase the value of PASS to its members. I understand that there are no specifics behind that phrase “increase value” because getting specifics has been a hard thing for some time now. I’m sure one of the reasons is because PASS can’t say, “We are certain we have X members,” to which another organization could say, “Great, you qualify for this discount, or we’ll offer this to your members for free.” So getting a hold of accurate membership numbers is key.

Another thing I see is that Allen wants to develop more leaders in the community. That’s the last of the big three. He wants to get committees going under each focus area. As someone who tried to break in and do something that was:

  • Not a transitory task like the program selection committee.
  • Above the local chapter level.
  • Not a regional mentor slot.
  • Not something that required being a member of the Board of Directors.

I found that there wasn’t anything along these lines earlier this year when I asked. So long-term, above-chapter-level volunteer work for PASS was a gap. Allen is looking to fill that gap. That gives us more opportunities to serve and grow. It increases the “warm bodies” that can help move PASS forward. As I have said already, Allen gets it.

Allen Gets My Vote:

As I said, there are other good candidates for the BoD. However, I can’t articulate why I am going to vote for the other candidates on my list like I can Allen. That says something great about Allen. When Allen said he was running, it was a no brainer for me. I’m definitely voting for Allen. If you don’t know much about Allen, I’m not surprised because he does a lot of things for PASS out of the limelight. However, I’d urge you to go check out Allen’s credentials, correspond with him, and make your own call about whether he’s worthy of your vote. I think he’ll stand up to the test.

Don’t Rush When It Comes to Privacy Data

The Dataloss list sent the following article through yesterday afternoon:

Obamacare Employee Accidentally Sends Out 2,400 Social Security Numbers

This is concerning, but I hate to say it, not unexpected. We know that the weakest link in security is always people. Likely a worker was trying to be helpful and didn’t think. As a result, an email with an Excel spreadsheet full of names and Social Security Numbers was sent out.

What was concerning is that this should have been picked up by any decent Data Loss Prevention (DLP) solution. It sounds like such a solution, even though we’re dealing with privacy data, isn’t in place. Perhaps it is in place but not configured correctly. This isn’t surprising given these quotes from the article:

“Users of the exchange will need to provide sensitive information, including Social Security numbers, that will be sent to a federal hub to verify such things as citizenship and household income….

“All states and the federal government, which also is setting up exchanges for some states, are scurrying to get the complex system running in less than three weeks.

“‘The people who believe in this are so driven that there’s a subcontext of “Just let us do our job and get as many people signed up as possible, and we’ll pick up the debris later,”’ said Steve Parente, a University of Minnesota finance professor who specializes in health IT issues.

“Parente testified on Capitol Hill earlier this week, urging caution in pushing the federal hub online before it has been thoroughly tested.

I obviously can’t validate the truthfulness of these quotes. That’s not my point. Instead, I want to point out what we see too often with regards to deployments. Most IT folks, especially IT security folks, have seen implementations pushed through before they’re fully vetted. Obviously, there are differing levels of risk depending on what the implementation does. When it comes to privacy data, however, there should be a measured and thoughtful process for deployment that includes testing the system properly. Too often we see data exposed, especially privacy data, because a suit somewhere wanted a system implemented and the staff to “pick up the debris later.” In other words, we see quotes like this often across a multitude of systems. So long as this “full speed ahead” attitude is the majority one for decision makers, and so long as this is generally accepted by the customers of those decision makers, we will continue to see these kinds of leaks.

After all, it’s near impossible to tighten everything down as it is in a properly tested system. We always have to deal with the human element. Then there’s the unknown, such as a bug in the code that no one uncovered during standard user acceptance testing (which is why fuzzing has become more popular over the years). When we accelerate implementation at the cost of testing and other details-oriented tasks, we should expect even more breaches. Given that we can’t avoid sharing this sensitive data in order to get services, we’ve got to push back against this “implement now” attitude. The truth of it is that as IT workers, we typically have little clout. The reason we have little clout is because a decision maker is going to say, “The customers want this now!” Therefore, as customers, we have to push back and say, “We want this, but only when you’ve done your due diligence in tightening the bolts properly.”

Database DoS Whitepaper from Securosis

Securosis has released a whitepaper on their research with regards to database denial-of-service attacks. This whitepaper is platform agnostic. It does mention specific vulnerabilities that have been exposed and attacked with respect to database platform, but only to the extent that they show it’s a universal problem.

One of the things the whitepaper covers is some potential ideas for attacks. For instance, adding a few thousand items to a shopping cart, then adding a few more items and refreshing in a repetitive cycle. The refresh causes stock to be rechecked, meaning the DB is hit. With such a large shopping cart you get locking and blocking, and if you have enough clients, you can get the DB to stall, thereby bringing down the app. It also considers some of the available countermeasures.
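As an added example (not from the Securosis paper or the original post), here are two application-side countermeasures for the shopping-cart scenario, modelled in Python: a cap on the number of distinct cart lines, so no single session can force the DB to lock thousands of rows per refresh, and a per-session token bucket on stock re-checks backed by a short-lived stock cache, so repeated refreshes are answered without touching the DB. The limits, class names and the stand-in stock service are assumptions chosen for the example.

```python
"""Added example: cart-size cap plus throttled, cached stock re-checks.
All limits and names are assumptions for illustration, not from any product."""

MAX_CART_LINES = 100        # assumed policy: distinct items allowed per cart
STOCK_CACHE_TTL = 5.0       # seconds a stock answer is reused before re-querying
REFRESH_PER_MINUTE = 30     # assumed per-session budget for cart refreshes


class CartTooLarge(Exception):
    pass


class Throttled(Exception):
    pass


class StockService:
    """Stand-in for the DB stock lookup; counts real queries so the load is visible."""

    def __init__(self, stock):
        self.stock = dict(stock)
        self.queries = 0
        self._cache = {}  # sku -> (expires_at, qty)

    def available(self, sku, now):
        cached = self._cache.get(sku)
        if cached and cached[0] > now:
            return cached[1]            # served from cache, DB not touched
        self.queries += 1               # this is the expensive DB hit
        qty = self.stock.get(sku, 0)
        self._cache[sku] = (now + STOCK_CACHE_TTL, qty)
        return qty


class Session:
    """One shopper. Token bucket: a refresh spends one token; tokens refill over time."""

    def __init__(self, now):
        self.tokens = float(REFRESH_PER_MINUTE)
        self.last = now
        self.cart = {}

    def _refill(self, now):
        rate_per_second = REFRESH_PER_MINUTE / 60.0
        self.tokens = min(REFRESH_PER_MINUTE, self.tokens + (now - self.last) * rate_per_second)
        self.last = now

    def add(self, sku, qty=1):
        # Countermeasure 1: bound the work a single refresh can cause.
        if sku not in self.cart and len(self.cart) >= MAX_CART_LINES:
            raise CartTooLarge(f"cart limited to {MAX_CART_LINES} lines")
        self.cart[sku] = self.cart.get(sku, 0) + qty

    def refresh(self, stock, now):
        # Countermeasure 2: rate-limit refreshes; cached answers absorb the rest.
        self._refill(now)
        if self.tokens < 1:
            raise Throttled("too many cart refreshes")
        self.tokens -= 1
        return {sku: stock.available(sku, now) for sku in self.cart}


def cart_accepts(n):
    """True if a fresh session accepts n distinct items."""
    s = Session(now=0.0)
    try:
        for i in range(n):
            s.add(f"item{i}")
        return True
    except CartTooLarge:
        return False


def simulate(refreshes, lines=50):
    """Constructed run: a cart with `lines` items refreshed `refreshes` times within
    one second. Returns (served, throttled, db_queries)."""
    stock = StockService({f"sku{i}": 10 for i in range(lines)})
    s = Session(now=0.0)
    for i in range(lines):
        s.add(f"sku{i}")
    served = throttled = 0
    for k in range(refreshes):
        try:
            s.refresh(stock, now=k / refreshes)
            served += 1
        except Throttled:
            throttled += 1
    return served, throttled, stock.queries


if __name__ == "__main__":
    print(simulate(100, 50))  # 100 refreshes in a second from one session
```

In the simulated burst only the first refresh reaches the stock table; the rest are either served from cache or rejected by the bucket, which is the difference between one session doing a bounded amount of DB work and one session holding locks for as long as it cares to keep refreshing.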

All in all, it’s a high level document that should prompt DB pros to think about how to protect the DB, especially if availability is important (when isn’t it?) and if unavailability costs the organization money.


Dealing with Database Denial of Service whitepaper

Why Government Required Backdoors Are a Bad Idea

I’ve heard the argument, “I’ve got nothing to hide. If it helps them catch the next guy, I’m all for it.” Even if that’s 100% true and even if every single person in government with access to the data is 100% genuine and sincere in doing his or her job, here are four issues that position misses.

The Bad Guys (Cyber Crime) Have Smart People

We know there are smart folks working for cyber criminals. Not all the folks working for them are smart. However, money is a powerful motivator and that does attract some very smart individuals. In some jurisdictions, criminal hacking activity is worn like a badge of honor and can get a person out of poverty. It’s the same idea as why the drug culture is celebrated by some.

What the government is betting on, even if unintentionally, is that the bad guys aren’t smart enough to find and exploit the same back doors. This is a bad assumption. We already see evidence that some of the malware exploits we see are very sophisticated. It’s been assumed that there are backdoors. However, dedicating resources towards an assumption means pulling resources from what should be a sure thing for something that may not exist. As more and more stories come forward that say the backdoors are definitely there, it’s now about assigning more resources towards what should be a bigger sure thing, and one that cannot be stopped.

Consider what we use computer systems for now. You might not have anything to hide from the government. However, do you want your banking login, your credit card number, etc., swiped by a criminal?

The Bad Guys (Cyber Crime) Can Get Lucky

The government is also betting that the bad guys won’t “get lucky” and happen on to the backdoor and break it. Sometimes security vulnerabilities and bugs are found through a slightly uncommon use of a resource. All it takes is one of these and the backdoor is revealed and the criminals are in. And once they are in, they’ve got access to whatever you do on your computer.

Nation State Actors Can Allocate Nearly Unlimited Resources

A nation state actor can pull the code and decompile it and put a team of folks on the code to analyze it. They can take apart hardware components and, again, allocate a team to figure out how it all works. If they suspect there’s a backdoor, then that team will be looking for said backdoor. And nation state actors can put their own smart people on these teams. This has an appeal that cyber criminals can’t generate: patriotism for one’s nation when one isn’t motivated by the money a cyber criminal can offer.

Why would they target a regular user? They could, to provide a hop from inside the right country. They could, to get info on or access to somebody you know.

Someone Could Decide to Sell Secrets

Fuchs provided information to the USSR from the British and American Manhattan projects. The Walkers provided classified information for years. A nation state actor can offer some big bucks. They can offer sex and drugs and appeal to other vices. That’s why our intelligence folks constantly run counter-espionage stings. Would they run such activities if there was never anyone to catch? Exactly.

Folks who are responsible for building the backdoors, or who are knowledgeable about how they work or where they are, can be turned, and then the backdoor is no longer a secret. BTW, it doesn’t just have to be a nation state actor. Organized crime has done this, too.

So given these four issues, government required backdoors are a risk to everyone’s security. I can understand the mentality that leads to thinking it’s a good idea. It becomes a type of tunnel vision that filters out the possible negative impacts. Even if you are of the mindset that you have nothing to hide (from the government), you still don’t want those backdoors. And when you consider that the backdoors have been reported in encryption mechanisms as well, it’s just bad all around. That’s why security folks are making such a big deal out of all of this. Yes, we kind of shake our heads and go, “It was inevitable,” however, that doesn’t mean we have to like it or approve of it.

Sometimes I don’t understand Microsoft’s vulnerability classifications

Here’s a great example:

MS13-079 – Vulnerability in Active Directory Could Allow Denial of Service (2853587)

Basically, this patches a vulnerability where an attacker can send a specially crafted LDAP query to an Active Directory domain controller and cause the LDAP service to fail. Here’s the attack scenario I see:

  1. Start or gain control on a domain connected system.
  2. Query DNS for list of DCs.
  3. Send crafted LDAP query to all DCs, thereby dropping LDAP service on all DCs.

Since communicating with Active Directory requires LDAP and you can effectively DoS the AD infrastructure, this isn’t a small issue. I’m assuming it’s not rated critical because:

  • It was a privately reported vulnerability.
  • There is no public exploit yet.
  • There is no attack in the wild, targeted or otherwise, yet.
  • It’s not easy to craft the exploit. (I hope this is the case).

However, I would still think this should have been rated critical given the impact if exploited.
