Database Security Oracle Vs. SQL

David Litchfield has published a paper “Oracle Vs. SQL Server” on his website http://www.databasesecurity.com you can download it directly from here.

This seems to follow on from a posting I noticed a few weeks back from a Microsoft blog of Jeff Jones regarding SQL Server 2005.

So this highlights the fact that Microsoft are starting to make progress with their SDL program and Oracle don’t seem to have a handle on Security.

However this can also provide people with a false sense of security. These reports are looking specifically at the vulnerabilities of the products only e.g. MS SQL Server and Oracle. Consider the database code that your developer has created:

  • Has he or she developed code with security in mind?
  • Do they even know about writing secure code?

It might be very possible that your database which happens to be sitting on your SQL 2005 server is bypassed with a SQL injection.

The BBC Honeypot with WinXp

The BBC thought it would create a Windows XP Honeypot to see what would happen.
And….
SEVEN HOURS OF ATTACKS
36 warnings that pop-up via Windows Messenger
11 separate visits by Blaster worm
3 separate attacks by Slammer worm
1 attack aimed at Microsoft IIS Server
2-3 “port scans” seeking weak spots in Windows software

Not surprising really, I’ve heard of other stories whereby someone has installed a plain vanilla box without a firewall onto the internet and was it was owned within 20 minutes. Even if that story was not true it would most likely be owned within a few hours or at least on the same day.

Full details of story here at the BBC website.

Web 2.0 is great right?

Web 2.0 best described by the guys that coined it, O’Reilly and “What Is Web 2.0
Design Patterns and Business Models for the Next Generation of Software”
website should provide you with some insight into what exactly it is.

However as with everything these days, the more cooler stuff you add, the more vulnerable it is. Which is highlighted in this article over at Help Net-Security “Top 10 Web 2.0 Attack Vectors“.

So when the powers to be come running into your office with we need to have this Web 2.0 stuff because everyone else has it! Remember the attack vectors associated with it and ensure you provide a risk assessment and if possible business case to either justify it’s usefulness vs security risk… in plain English do we really need this stuff?

No doubt in just about all cases there are going to be some components of Web 2.0 that will benefit the organisation. You probably really do need some of them and/or have no choice in the matter and you may already be using some of them.

Just don’t forget to apply the security principles to Web 2.0 that you are using on your network.

Yes I’m using Web 2.0 here by blogging 🙂

Network Security Toolkit (NST v1.4.0)

Network Security Toolkit (NST v1.4.0)

This release is based on Fedora Core 4 using the Linux Kernel: 2.6.15-1.1831_FC4 or 2.6.15-1.1831_FC4smp. Many new NST WUI features and capabilities have been included with this distribution:

* Time Management – NTP, hardware clock and system clock management.
* Network Packet Capture – An enhanced NST WUI web-based front-end to the tethereal network protocol anaylzer.
* Network Packet Capture Manager – Provides a means to manage network packet capture files on a NST probe.
* An enhanced NST WUI web-based file system mounting page.
* PDF rendering for most output including network packet capture decoding.
* Enhanced directory and file viewing pages with auto refresh.
* Introduced browser session saving for many NST WUI pages.
* Add a simpilfied front-end to the NST WUI for beginner users.
* Network Monitoring – integrated the Nagios networking tool into the NST WUI.
* Better navigation and flow when using the NST WUI pages.

Most networking and security applications have been updated to their latest version.

Download it from their Website and sourceforge

Applying the Principle of LUA on Windows XP

Microsoft have released a white paper on “Applying the Principle of Least Privilege to User Accounts on Windows XP” which I assisted in reviewing.

Running Windows or any OS for that matter with only the level of access required is a Defense in Depth strategy, which means taking a layered approach. However it’s not easy as an IT Administrator or Developer to run in LUA mode and get your job or tasks done, this paper will assist in running Windows in a LUA mode.

In addition and as mentioned before, I highly recommend Aaron Margosis excellent Blog on running with LUA, if you can’t find a solution to something regarding LUA the answer or reason will be over at Aaron’s Blog.

View the Whitepaper or download a Word version now!!

More patching & ISO Image from MS

More patching from the usual Microsoft monthly patch updates. All are critical, so get patching again!! Details of the January Bulletin also incorporate the WMF update, more info here.

Microsoft has also made available an ISO image of this months updates for Windows Update only, which means the office, Exchange and other updates are not included. Still, this is a handy download and I’ve found it useful already. Details and download from here.

You are running with LUA (Non-Admin).. right?

In my previous post about “More on the WMF vulnerability” and what can you do, I assumed everyone is running with a LUA (Least-Privileged User Account) aka an account without Admin rights, member of the user group only or domain users only.

I should have stated as Point 1. Run with a LUA account!!

So just in case you are still running an admin account to do your email and surf the web, now might be a very good time to change this BAD habit!!

For more info see Aaron Margosis excellent Blog… it’s the best resource around on running LUA with Windows.

Running with LUAP is a must!


Running your Windows machine or any machine for that matter should always be carried out with a LUAP (Limited User Access Privilege) i.e. a NON-ADMIN Account!!

The problem is most people don’t and this is predominetly due to Windows default logon from a factory install CD as Administrator.

Is it a pain to run with a non-admin account, well not really, there are a few tricks and tweaks that you can make. Perhaps if you are using a machine for Games only, then you might have an argument.

Take a look at this blog from Aaron Margosis of Microsoft