Don Kiely's Technical Blatherings

All Things Technical in .NET, SQL Server, and Security


Security
SQL Server 2005 September BOL Refresh Available

The September 2007 update for SQL Server 2005’s Books Online (BOL) is finally available for download. The update has been available online since, well, September but this time it took the UE group forever to make the download available. Because of “technical issues,” whatever they might be.

Anyway, go grab it*. An updated BOL is one of your more valuable SQL Server resources.

* No guarantees the link will work forever, or even for very long. But Google always knows.


Update: BOL is now part of Microsoft Update! How long has that been? Forever, and I just noticed it? Either way, cool!

posted Monday, December 10, 2007 8:17 PM by donkiely with 0 Comments

PDC Returns to L.A., October 2008

Microsoft has just announced that PDC (Professional Developers Conference) will be back 27–30 October 2008 in Los Angeles. That’s good.

But it will be interesting to see how they uniquely position PDC versus TechEd*, now that TechEd has been separated into separate developer and IT weeks in Orlando.

* Interesting link for TechEd: http://www.microsoft.com/events/teched2007/default.mspx. The link says 2007, but at the moment it is about TechEd 2008.

posted Sunday, December 09, 2007 8:11 AM by donkiely with 0 Comments

Is Vista Not Ready for Laptops?

I attended a lot of sessions at DevTeach in Vancouver last week. It’s one of my favorite conferences because it is relatively small and therefore intimate, yet it attracts some amazing speakers, including some fine speakers from Microsoft.

Unlike some conferences, all speakers deliver their sessions from their own laptops instead of from a desktop machine provided by the conference. Not surprisingly, most speakers are running Vista since it is Microsoft’s latest and greatest client OS.

But it struck me how many problems speakers were having with Vista. I’m not sure I attended a single session where some problem didn’t arise (but maybe I’ve blanked the good experiences out of my memory). One speaker couldn’t get the projector to work with Vista without technical help from the A/V support staff, then the magnifier was so small as to be worthless, making it hard to see important stuff. Many machines were slowed to a crawl, presumably from the combined performance-sucking power of PowerPoint and Vista’s Aero interface, not to mention Visual Studio or SQL Server Management Studio.

The carnage was impressive. It seems that Vista pushes the limits of laptop technology. Apparently the OS demands not only a new laptop but a top-of-the-line version of the laptop with all the processor and memory you can throw at it.

And me? No problems at all. I had one issue with Diskeeper kicking in during a session, but I shut that off and the problem was over. PowerPoint, Visual Studio, and whatever else I had to run, no problem.

I’m running Windows XP. I think I’ll stick with it for a while longer, maybe even after I replace my three-year-old laptop. Sorry, Microsoft!

posted Wednesday, December 05, 2007 8:33 AM by donkiely with 0 Comments

Is SQL Server 2005's Surface Area Configuration Tool Cluster Aware?

At SQL Server Magazine Connections at DevConnections in Las Vegas last week, I had the opportunity to geek out on SQL Server security for a full day at the end of the conference. Attendance was great and I hope that everyone left with a solid foundation of understanding of SQL Server security.

One question that came up was about the Surface Area Configuration utility that ships with SQL Server 2005. The question was whether SAC is cluster-aware. At the time I was showing the command-line version of the tool, but it really applies to both that and the GUI tool. Showing my developer bias, I didn’t know the answer but promised that I’d find out.

The answer is that yes, it is cluster aware, at least to the extent that you can configure remote computers with it. In the GUI version of the tool, use the Change Computer link on the opening page:

In the command line version of the tool, use the -S switch to specify the name of the remote computer. If you leave off this switch, SAC connects to the local computer.

If anyone has specific experiences using SAC in a cluster environment, I’d love to hear about them!

By the way, if you’re not familiar with the command line version, it is a handy way to export and import settings, making it relatively painless to configure multiple SQL Server instances the same way. See the sac Utility entry in BOL for more information.

posted Monday, November 12, 2007 5:22 PM by donkiely with 0 Comments

Share with Family and Friends: SecurityCartoon.com

There’s a cool new cartoon series that deals with security for end users, SecurityCartoon.com. It’s sometimes silly, but it gives good explanations of email, phishing, and general malware for non-technical people. It comes from Drs. Sukamol Srikwan & Markus Jakobsson of the computer science department of Indiana University. Based on their bios, they have some pretty solid security credentials.

Check it out, then share with family and friends!

posted Sunday, September 16, 2007 11:52 AM by donkiely with 0 Comments

Geeking Out on SQL Server 2005 Security at DevConnections

I just found out that I’ll be doing a full day, post-conference session on SQL Server 2005 security at SQL Server Magazine Connections at DevConnections in Las Vegas this November.

I’m excited beyond words! I’ve wanted to do this for a long time, and we’re going to geek out on keeping data safe from villains.

Here’s the draft description:

There are few corporate assets as valuable in the information age as data. Enterprises spend billions to collect and generate it, slice and dice it in every conceivable way to mine marketplace intelligence from it, and replicate and back it up using elaborate, redundant schemes. Yet it is all too common to slack on security. Sure, SQL Server 2005 is designed to be "secure by default," but once you add databases and start letting users and their applications access the server you have already poked holes in the security. SQL Server comes with plenty of features that let you secure data, but it can be hard to get a handle on the right ones to use in your environment. During this day of security, we'll explore myriad security features in SQL Server 2005, including granular permissions and how to design an effective authorization system, owners and schemas, and how they can help secure a database, the security issues and dangers with running SQL-CLR code, how to run T-SQL code in different security contexts, the comprehensive encryption features that can protect data, creating and enforcing password policies, how SQL Server protects catalog views and secures metadata, protecting against SQL injection attacks on the server, and more. You'll see lots of code and get lots of practical ideas for how to secure your database. Prerequisites: You'll need to have a good understanding of the basic database features and functions of SQL Server for this workshop, and it helps to have butted heads with SQL Server a time or two trying to get something to work without completely disabling security.

I’ll post more later as I develop the outline and contents.

posted Monday, June 11, 2007 5:40 PM by donkiely with 0 Comments

OWASP Top Ten, 2007 Edition

OWASP, the Open Web Application Security Project, has finally released its updated list of the Top 10 critical Web application security flaws. If you do Web development, I rather strongly suggest that you be familiar with all the vulnerabilities on the list and how to avoid them. If you take care of all 10, you’ll have a reasonably secure site. It won’t be totally secure because new attacks appear every week, and security takes vigilance.

Practice safe computing!

posted Monday, June 11, 2007 12:55 PM by donkiely with 0 Comments

Tuesday at DevTeach

I’m in Montreal this week for DevTeach, a user group-oriented developer and SQL conference that is one of my two favorite conferences. Montreal is a great city (particularly for the stomach!) and they do a great job with the conference.

Yesterday were the pre-cons, covering .NET 3.0, VB.NET, and SQL. I sat in on part of Kevin McNeish’s .NET 3.0 session and learned lots of great information about Windows Workflow. It’s great how that technology has matured into something amazingly powerful.

The Tuesday morning keynote has started. Jean-Rene has announced that DevTeach is hitting the road. The next stop will be Vancouver 26-30 November, and will include both DevTeach and SQLTeach. I hope to be there; that should be a great time to be in Vancouver!

The main keynote event is Pablo Castro, Microsoft’s ADO.NET wunderkind. Julie Lerman’s excitement about the keynote was justified (causing her to miss the Vermont .NET User Group meeting for the first time ever to get here in time). Pablo talked about the current thinking at Microsoft about the Microsoft Data Platform. On the surface, this is the same sort of thing they’ve been talking about since the introduction of ADO, but baby, it’s come a long way since then!

The Microsoft Data Platform:

  • Provides a uniform way of describing business data
  • Gives each app an appropriate view of the data
  • Enables the creation of services, from reporting to synchronization to integration
  • Applications and services use the same data model

A key part of the platform is the Entity Framework and the Entity Data Model, which is coming of age. I’m blown away by the possibilities of what this all means for application infrastructure. But what I didn’t know until today—apparently it was announced a couple of weeks ago—is that all this will not ship with Orcas. Instead pieces and parts will RTM at various times in 2008. That sucks, but so be it.

posted Tuesday, May 15, 2007 10:20 AM by donkiely with 0 Comments

John Robbins' New .NET Debugging Book is Out!

Well, it's about time! John Robbins of Wintellect is the debugging alpha geek, and the new edition of his seminal Windows debugging book is finally out: Debugging Microsoft .NET 2.0 Applications. This is sort of the second edition of his earlier Debugging Applications for Microsoft .NET and Microsoft Windows. But the new book focuses on .NET debugging, leaving the unmanaged code debugging for another book.

I just can’t say enough about how great this book is. I was an unpaid technical reviewer, and I learned a ton of new stuff with each new chapter that arrived in my inbox. Let me tell you, if you think that debugging .NET apps means stepping through the code and using the watch window with visualizers, you’re not even scratching the surface of the tools and techniques available. He includes megabytes of code, including some very nice tools that enhance your ability to squash bugs.

The best part of the book is that John has a lot of experience debugging Windows applications, and he included a lot of sage wisdom in the book. He teaches courses in debugging for Wintellect and does their debugging consulting, so he has plenty of real-world experience. He cut his teeth at NuMega developing debugging tools, so he knows the tools. And he’s a genuinely nice guy (who even lived in Alaska for a while).

Here’s the blurb I wrote about the book:

John is the master code pest exterminator, and this book is one of the few that every .NET developer must have on the bookshelf! It's an intense read, but the book covers debugging from the most superficial step-through techniques in Visual Studio through the most gnarly low-level .NET-Windows interaction bug. Best of all, the book is filled with the sage wisdom that John has developed over his many years of helping developers find and eradicate the worst, most pernicious, bugs.

Highly recommended. I would be afraid to code .NET without this book at my side.

posted Friday, December 15, 2006 8:28 PM by donkiely with 1 Comments

Google Launches Code Search

Google has launched a Code Search tool, designed to make it easier to find snippets of code. The service looks interesting. I’m working on a project with the installation APIs in .NET 2.0, and tried to find an example of using the ManagedInstallerClass (despite the fact that the documentation says that it’s for internal use only). This was my search:

lang:"c#" ManagedInstallerClass

It found two hits, one of which showed me an interesting way to use it.

I tried to find the same thing in VB, but initially couldn’t find the magic way to indicate the language. lang:VB? lang:“VB.NET”? lang:“Visual Basic”? Another variation? Fortunately, the Advanced Search link provides a combo box with a complete list of languages. “Basic” it is. No samples for ManagedInstallerClass though, alas.

There’s a good spread of languages, certainly all the ones I’m interested in, including SQL.

There are lots of flexible options for searching, including regex. Options include searching by language as I did above, specific files or directories, specific packages, and code license types.

The only thing I don’t like so far is that there doesn’t seem to be an easy way to get context information of the page where the code is coming from. Most of the code I looked at was in some kind of archive file, with no link to the Web page that might give information about the code. Often you can figure it out from the link, but not always.

Give it a try. It seems to be a nice, targeted way to find useful code. The FAQ ‘splains it all. It’s still a Google Labs project, so I assume that means it will evolve quickly.

posted Friday, October 06, 2006 8:39 AM by donkiely with 0 Comments

Hitting the Road: INETA Tour

It has been a great summer that I’ve mostly stayed home, but it’s time to hit the road. Next week I’ll be visiting three INETA user groups to talk about security. At the Inland Empire .NET User’s Group in southern California and Little Rock .NET User Group in Arkansas I’ll be talking about SQL Server 2005 security from a developer’s perspective. At the Dallas .NET User Group in Texas I’ll be talking about least privilege development and showing off Aaron Margosis’ LUA Buglight and other tools. In Dallas, Ron Jacobs from Microsoft’s Patterns & Practices Group will be speaking as well during an extended meeting.

If you’re in any of these areas those evenings, come join us! Details are on the groups’ Web sites.

posted Wednesday, October 04, 2006 5:44 PM by donkiely with 0 Comments

Protection Against Phishing Attacks

I recently attended a 1.5-day conference put on by the ASSERT Center at the University of Alaska Fairbanks. Yes, this is the school that exposed my personal information to hackers, and the conference host is the department that received the award from Homeland Security. Aargh.

But I digress. One of the few interesting sessions at the conference was by Mario Garcia of Texas A&M University in Corpus Christi. He talked about PwdHash, an interesting tool developed by a few folks at Stanford University.

The idea is that when you go to a site that requires a password, you enter a special character sequence—by default, “@@”—in the password field, followed by the password. PwdHash takes the password, adds the domain of the Web page to it, and hashes it. That becomes the password sent to the site. Obviously, you’d need to create a new password using PwdHash, or update an existing password.

The protection from phishing comes from having the domain added to the password before hashing. If you enter your PayPal password on a phishing site, the wrong domain is used and so the hash doesn’t match the actual PayPal password. That makes the password unusable on PayPal. Strictly speaking, it also protects against weak passwords, since a hash of anything is almost always going to be a relatively strong password.

There may be ways to attack this. For example, I need to check into the security of the key used for hashing. But it sounds like a big step up in security and worth looking at. They have extensions for IE and Firefox.
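To make the domain-in-the-hash idea concrete, here is a small added example of the scheme as described above. It is not the Stanford PwdHash code: PwdHash's actual algorithm, output encoding and domain-extraction rules differ, and this version uses HMAC-SHA256 with the master password as the key and the site domain as the message, plus a deliberately simplistic "last two labels" domain rule. The `@@` trigger prefix is the one the post mentions; everything else is this example's own assumption.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

PREFIX = "@@"  # trigger sequence from the post; anything else is passed through untouched


def site_domain(url: str) -> str:
    """Reduce a URL to the domain that gets mixed into the hash.

    Assumption for this example: the last two DNS labels of the host. Real
    tools need a public-suffix list so that, e.g., co.uk hosts are handled.
    """
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def derive_site_password(typed: str, url: str, length: int = 16) -> str:
    """Turn '@@<master>' typed on a page at `url` into a per-site password.

    The master password is the HMAC key and the domain is the message, so the
    same master yields a different value on every domain; a phishing site on
    another domain therefore receives a password that is useless on the real one.
    """
    if not typed.startswith(PREFIX):
        return typed  # user did not ask for hashing
    master = typed[len(PREFIX):].encode("utf-8")
    domain = site_domain(url).encode("utf-8")
    digest = hmac.new(master, domain, hashlib.sha256).digest()
    # base64 keeps upper, lower, digits and the symbols '+' and '/', which
    # satisfies most "complex password" rules; truncate to a site-friendly length
    return base64.b64encode(digest).decode("ascii")[:length]


if __name__ == "__main__":
    master = "@@correct horse battery"            # constructed sample master password
    real = derive_site_password(master, "https://www.paypal.com/signin")
    same_site = derive_site_password(master, "https://paypal.com/account")
    other = derive_site_password(master, "http://login.example.net/paypal/")  # constructed look-alike
    print("real site :", real)
    print("same site :", same_site, "(matches)" if same_site == real else "(differs)")
    print("other site:", other, "(differs)" if other != real else "(matches)")
```

Two points worth keeping in mind when reading the output. First, the two paths under paypal.com produce the same password, which is what lets the scheme replace a stored password rather than merely supplement it. Second, the derived value is only as hard to guess as the master behind it: anyone who learns the scheme and one site's derived password can run offline guesses against the master, so the trick removes password reuse across sites but does not excuse a weak master password.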

posted Wednesday, September 13, 2006 1:19 PM by donkiely with 0 Comments

GAO Identifies Significant Security Weaknesses at FDIC

How safe is our money held by FDIC institutions? The whole system may not be secure, if the security weaknesses at the FDIC revealed by a recent GAO report are any guide: “Information Security: Federal Deposit Insurance Corporation Needs to Improve Its Program.” According to the summary, besides six previously reported weaknesses, GAO found 20 new problems.

“Most identified weaknesses pertain to access controls over (1) user accounts and passwords; (2) access rights and permissions; (3) network services; (4) configuration assurance; (5) audit and monitoring of security-related events; and (6) physical security that are to prevent, limit, or detect access to its critical financial and sensitive systems and information.”

The weaknesses are in FDIC’s network, not its member banks. Not to sound overly dramatic, but who knows what a security breach at FDIC would mean for banks?

Where have the billions we’ve spent on homeland security been going?

You can get the one page summary here, or the full report here (both are PDFs).

posted Friday, September 01, 2006 10:16 AM by donkiely with 0 Comments

Microsoft Still Doesn't Get Security

Geez. Despite all the tough talk about security, Microsoft continues to screw it up.

I have an account on a Microsoft extranet site. I received an email today saying that my password would expire in 15 days. So I went to the site, logged in with my existing credentials and went to the change password page. It prompts for the old password, and you have to type the new password twice. Good so far.

No matter what I tried, nothing would take. There is a link to a pop-up with the Account Password Policies, which explains that you need a complex password: minimum of eight characters, mix of upper and lower case, numbers, symbols, etc. That’s good, but every password I tried would give me an error: “there was an error while attempting to set the password.” I was also trying 25-character passwords, but later found out that the maximum is 14 characters. There’s nothing about that in the policies.

In desperation I—gasp!—called the technical support number for the site, naturally a long distance call for me. After navigating the usual menu of options and waiting for someone, I got a pleasant lady on the line. She went through all the stuff that she had to do, and still no joy. But at least the message I was getting changed (I think because I started using shorter passwords), to a long explanation in red that the password I was trying did not meet the complexity requirements. But, they all did.

After I had tried it a few times and she implied that I was not using a qualifying password, I told her the last password I had tried: “qKa5$KucX#lD”. This is autogenerated by a tool I use for such things. Definitely meets the requirements.

Her surprising reaction: Why are you using such a complicated password??? You should use something easier to remember, like “Soccer2006”!!! (That doesn’t actually meet the complexity requirements so needs modification, but that’s not the problem.)

A Microsoft representative is telling me that I should dumb down my password?????? Don’t they want this system to be secure? I realize that with changes required by the complexity requirements for this site it would be tolerably okay, but the Microsoft representative recommended a common word and a common number?

Sheesh. This is why we still have untrustworthy computing! The brass talk a good talk, but the people in the trenches are still giving advice like this.

Current status of the change password problem: She logged in as me and tried a few passwords that she thought were good and got the same error message. So we’re escalating the problem since she couldn’t solve it.

posted Tuesday, August 15, 2006 8:11 PM by donkiely with 0 Comments

Malware Delivery via Google Email

Damn! The phishers and virus delivery bad guys are getting good! This one was so good that it almost got me. I even bypassed Outlook turning off the email links to click through!

Here’s the email:

And here is the Web page it takes you to:

Sigh. Plenty of clues, had I been paying attention. First, the email isn’t addressed to me. Right domain, wrong user. Second, Outlook turned off links. Third, and this is what stopped me (in time, I hope), is that the web page uses an IP address instead of google.com. If you go to www.google.com and try to get the toolbar, it’s a domain name.

Moral: even if you know what phishing and other malware looks like, you can still be burned.

And now, excuse me. I have to run a spyware/virus scan on my computer, since I went to a malware web site.


Updated: This isn’t a phishing attack, of course, as I originally said. It uses phishing techniques, but it is in fact a means of delivering malware. As near as I can tell without having let it get installed! And my virus and spyware scan came up clean. I hope that is good news….
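The three clues in the post (wrong recipient, links Outlook had disabled, and a raw IP address where google.com should be) are exactly the kind of thing a mail filter can check mechanically. The following is an added example, not anything from the post or from any mail product: it parses a constructed message with Python's standard `email` module and reports the recipient mismatch and any link whose host is an IP literal or is not under the domain the message claims to come from. The sample message, addresses and the 192.0.2.10 address (a documentation range) are all made up.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample resembling the post's description; not the real email.
SAMPLE_EMAIL = """\
From: Google Toolbar <noreply@google.com>
To: someoneelse@example.com
Subject: Install the new Google Toolbar

Get the new toolbar here: http://192.0.2.10/toolbar/download.html
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_ip_literal(host: str) -> bool:
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_under(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it (case-insensitive)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def phishing_clues(raw_message: str, my_address: str, claimed_domain: str) -> list:
    """Return human-readable warning signs found in a plain-text message.

    Checks performed (the ones the post describes):
      1. the To: header is not my own address;
      2. a link points at a raw IP address instead of a domain name;
      3. a link host is not under the domain the sender claims to be.
    """
    msg = message_from_string(raw_message)
    clues = []
    _, to_addr = parseaddr(msg.get("To", ""))
    if to_addr.lower() != my_address.lower():
        clues.append(f"addressed to {to_addr}, not to {my_address}")
    body = msg.get_payload()  # single-part text message in this example
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        if is_ip_literal(host):
            clues.append(f"link uses a raw IP address: {url}")
        elif not host_under(host, claimed_domain):
            clues.append(f"link host {host} is not under {claimed_domain}: {url}")
    return clues


if __name__ == "__main__":
    for clue in phishing_clues(SAMPLE_EMAIL, "me@example.com", "google.com"):
        print("WARNING:", clue)
```

Run as written it prints two warnings for the sample, one per clue. The same function returns an empty list for a message addressed to you whose links stay under the claimed domain, which is the baseline a filter needs before it can be trusted not to flag everything.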

posted Tuesday, July 18, 2006 5:35 PM by donkiely with 0 Comments

Security via machineKey in ASP.NET 2.0

asp.netPRO has posted my July Secure ASP.NET column, Security via <machineKey> in ASP.NET 2.0. It’s an exploration of how ASP.NET uses the options in <machineKey> to affect encryption.

Since writing the column I’ve learned about some subtle issues, so I’ll probably write about those next month.

posted Sunday, July 16, 2006 12:50 PM by donkiely with 2 Comments

Nice Anti-Phishing Site

The Anti-Phishing Working Group has a nice site with information about phishing. Lots of statistics and information about the threats, an archive of phishing attacks, ways to report it, and lots of resources.

I wonder if InfoCard will help? Time may tell….

posted Wednesday, July 12, 2006 8:12 AM by donkiely with 0 Comments

Secure ASP.NET Columns for asp.netPRO

For a few years I’ve been doing a periodic column for Informant Communications and their asp.netNOW e-newsletter. It has been published at various frequencies over the years, but currently it is monthly. I started writing a Troubleshooting ASP.NET column, which morphed into Secure ASP.NET a couple of years ago. Sometime I’ll have to put together a list of the troubleshooting columns, although they are all old enough to only apply to ASP.NET 1.x.

Here is as complete a list of the ASP.NET security topics, in reverse chronological order:

2006

2005

2004

posted Monday, July 10, 2006 12:29 PM by donkiely with 0 Comments

National Leadership Award!!!

It is with a great deal of humility yet pride that I announce that I have been selected to receive the National Leadership Award from the National Republican Congressional Committee. I am deeply honored by this generous award, proud of all my hard work and the support of loving family and friends over the course of my life. I truly feel that this is the pinnacle of my life and career; nothing can top this.

And co-chairmanship of the prestigious Business Advisory Council? Please, I’m not worthy!

Um, huh? What’s that? In order to receive this generous award I have to be generous to the Republican Party in turn?

Yes, indeed, this is a political fundraising scam (see here, here, and, ooo, this one is really good...) Oh, for Pete’s sake, do this Google Search to join in the fun. I REALLY love the bio pages where people include it as a real honor. Sheesh. The party has apparently been doing this for five or six years.

Obviously they don’t even do the most basic research into who they are calling. If they knew even the smallest thing about me they would know that I would prefer to live in modern-day Baghdad to supporting the Republican Party. Please, no offense if you’re Republican (or Iraqi). It just ain’t my party. Democrat isn’t either.

Anyway, for Google searching’s sake, here are the caller’s details:

  • Eileen Phrase (sp?) called on “behalf of Congressman Tom Reynolds” (Bummer. Many of the Google searches were calls on behalf of Tom deLay. Now, being called on behalf of an actual indicted Congressperson would truly be an honor. Is anyone investigating Tom Reynolds?)
  • About the National Leadership Award from the national Republican Congressional Committee
  • Phone I was asked to call: 866–338–8289

Here is where I might have made some gut-level comment about scumbag Republicans, scumbag political fundraisers, yada yada yada. But the system in Washington is so very broken and pathetic. What good would it do? Sigh.

Please, don’t be taken in by this scam. It’s tantamount to clicking a link in spam, which encourages the scourge.