Saturday, February 13, 2010

password or pa$$w0rd?

This week I had 2 cases where I had the "what!? You 're kidding me, right?" feeling. Both were password related.

I had to give some remote support on a CRM system and the password for the administrator account was pa$$w0rd. I guess the people administrating this systems don't have a clue about what it would mean to loose this asset.

Since I am a MSSQL DBA people automatically assume that I have no clue about linux systems. The other day I got agitated in a meeting because somebody said that linux was not important. I apparently reacted in a way which got the attention of some people because suddenly I got a request to look at a postfix server. When I connected over SSH to the server I had to use an account called administrator and I'll let you get the password ... yep, it was password. I needed root to access some files but my contact was not absolutely sure about the password so I tried my luck and yes, it was password.

Security is not something simple, but some basics like a good password policy and auditing for weak passwords are simple. There are no excuses for these mistakes.

Monday, February 8, 2010

GreenSQL

On the first of February I went to a talk by Yuli Stremosky about GreenSQL at OWASP. Yuli gave a very nice talk. He started explaining that shared hosting is not an option for the security aspect since you can be hacked through another website. He quickly explained SQL injections and SQL tautologies.

GreenSQL is a firewall that has to protect you from SQL injection. Basically it works on a reverse proxy-principle. Your application/webserver connects to the GreenSQL Proxy which verifies the query and gets the data from the database.

There are 4 modes to run GreenSQL in:
The IDS mode uses a risk matrix engine that scores the incoming queries and blocks the suspicious queries. The IPS mode uses an heuristics engine to find suspicious queries. If a query is considered illegal, it is checked against a white list. An illegal query results in an empty result set.

GreenSQL uses a pattern matching engine to analyse the SQL queries. The following queries automatically are considered illegal:
  • database administrative commands
  • commands that change a database structure
  • commands that access the file system
I had contact before this talk with the GreenSQL people to see what there plans are for commercial databases like Oracle, DB2 an MS SQL. I got an answer and they are working on it.

Phishers steal CO2-emission certificates

When I was looking through my RSS feeds this morning I came across an article from WebWereld where they talked about the fact that phishing is also used for stealing CO2-emmision certificates.

These certificates are issued for free by the EU and companies trade them between each other, just to be able to pollute more. The day price at the moment they where stolen was 2,5 EUR a piece.

It makes makes no sense to me at all. If I understood the article correctly the certificate does not impose CO2-emission limitations to companies. So basically it is normal that the EU would ask nothing for this certificate, because it does not give you any privileges.

Isn't it kind of weird then that a company is ready to pay 2,5 EUR for something that actually doesn't do anything for your company? The funny part is then that people start stealing these things. It kind of remind me when I was at school and saw kids fight over little plastic disks called flippo's.