New Talk Planned

I'm introducing a new talk for 2016: Securing SQL Server. Here's my abstract: A default SQL Server installation is reasonably secure, but "reasonably secure" doesn't cut it anymore in an era in which one bad line of code, one weak password, or one open port can result in your customer database ending up on Pastebin.…

uMatrix

Not too long ago, I was using ScriptSafe selectively to block JavaScript on webpages. Back in about June, that started breaking Google searches, and I had to abandon it---which makes sense because it looks like ScriptSafe itself has been abandoned. Since then, I've come upon my new JavaScript blocker of choice: uMatrix. uMatrix is definitely…

WOXCompliant

Chris Bell of Water Ox Consulting has recently released sp_WOXCompliant, a tool which helps you check your instances for compliance.  His first goal is to get STIG tests in place. I ran it against a local instance I use in a VM.  I haven't put much effort into securing this instance for various reasons, so I…

XP_CMDSHELL Is Not A Security Risk

Sean McCown has a fantastic blog post on how xp_cmdshell is safe by default and turning it on is not a security risk. I've seen auditors freak out when they see this on and have seen DBAs obstinately refuse to use any solution which requires shelling out. This is the wrong attitude to take, as…

How to prevent all hacking attacks ever

Gizmodo had this interesting article today. I found it apropos because I had a conversation with my wife today about my PayPal account and a random e-mail I got from the company that I needed to reset my password because somebody had been monkeying around. (No worries, no money changed hands. I think it was probably…

Unacceptable

SQL injection vulnerabilities were up in 2014.  Sounds like a bunch of product managers need to buy copies of Tribal SQL and read the SQL injection chapter.  Seriously, SQL injection should have died a decade ago and my presentation on the topic should simply have historical value. On the Anthem breach, Chris Bell is fed up…

DDOS attacks explained

If you are a gamer (and chances are that if you are reading this post, you are), you've likely heard of the Lizard Squad attacks on PSN and XBL. Kotaku has a great post explaining what DDOS attacks are and why they're so difficult to prevent. As I was fairly n00bish on the matter, I found…

More On Free SSL Certs

Earlier this week, I blogged about Let's Encrypt, a new, free certificate authority.  Let's Encrypt looks like a great service, but it's not out yet and I'm not sure if it will be generally applicable.  For example, if I want to host my website on Azure, I might not be able to use this service…