I'm introducing a new talk for 2016: Securing SQL Server. Here's my abstract: A default SQL Server installation is reasonably secure, but "reasonably secure" doesn't cut it anymore in an era in which one bad line of code, one weak password, or one open port can result in your customer database ending up on Pastebin.…
Pluralsight Reviews: Ethical Hacking: Reconnaissance/Footprinting
This review covers Dale Meredith’s Ethical Hacking: Reconnaissance/Footprinting. The material in this course follows the Certified Ethical Hacker material on the topic pretty closely, and I think Meredith’s rendition has many of the same benefits and flaws that I found with the CEH literature. The course is 3 1/2 hours long, so it might…
uMatrix
Not too long ago, I was using ScriptSafe selectively to block Javascript on webpages. Back in about June, that started breaking Google searches, and I had to abandon it---which makes sense because it looks like ScriptSafe itself has been abandoned. Since then, I’ve come upon my new Javascript blocker of choice: uMatrix. uMatrix is definitely…
Pluralsight Reviews: Play By Play: Website Security Review
I had the pleasure of watching Troy Hunt go through a website security review with Lars Klint. This video definitely gets a 5-star rating from me because Troy walks through a step-by-step process, explaining to a developer with a relatively limited security background what the problems are, how you can trigger these problems, and---most importantly---how…
WOXCompliant
Chris Bell of Water Ox Consulting has recently released sp_WOXCompliant, a tool which helps you check your instances for compliance. His first goal is to get STIG tests in place. I ran it against a local instance I use in a VM. I haven't put much effort into securing this instance for various reasons, so I…
XP_CMDSHELL Is Not A Security Risk
Sean McCown has a fantastic blog post on how xp_cmdshell is safe by default and turning it on is not a security risk. I've seen auditors freak out when they see this on and have seen DBAs obstinately refuse to use any solution which requires shelling out. This is the wrong attitude to take, as…
How to prevent all hacking attacks ever
Gizmodo had this interesting article today. I found it apropos because I had a conversation with my wife today about my PayPal account and a random e-mail I got from the company that I needed to reset my password because somebody had been monkeying around. (No worries, no money changed hands. I think it was probably…
Unacceptable
SQL injection vulnerabilities were up in 2014. Sounds like a bunch of product managers need to buy copies of Tribal SQL and read the SQL injection chapter. Seriously, SQL injection should have died a decade ago and my presentation on the topic should simply have historical value. On the Anthem breach, Chris Bell is fed up…
DDOS attacks explained
If you are a gamer (and chances are that if you are reading this post, you are), you've likely heard of the Lizard Squad attacks on PSN and XBL. Kotaku has a great post explaining what DDOS attacks are and why they're so difficult to prevent. As I was fairly n00bish on the matter, I found…
More On Free SSL Certs
Earlier this week, I blogged about Let's Encrypt, a new, free certificate authority. Let's Encrypt looks like a great service, but it's not out yet and I'm not sure if it will be generally applicable. For example, if I want to host my website on Azure, I might not be able to use this service…