#1
Old 3rd September, 2009, 05:39 PM
Daniel ~
Chief BBS Administrator
 
Join Date: September 2001
Location: Seattle Wa.
Posts: 45,606

SQL Vulnerability Leaves Passwords In The Clear, Researchers Say

Written by Daniel
Thursday, 03 September 2009
With no patch forthcoming from Microsoft, Sentrigo launches workaround for flaw

Sep 02, 2009 | 05:02 PM
By Tim Wilson

A vulnerability in Microsoft SQL Server could enable any user with administrative privileges to openly see the unencrypted passwords of all other users, researchers said today. [Front page...]
__________________
"Though all men live in ignorance before mystery,
they need not live in darkness...
Justice is foundation and Mercy ETERNAL
."
DKE

"All that we do is touched by Ocean
Yet we remain on the shore of what we know."
Richard Wilbur

#2
Old 4th September, 2009, 10:19 AM
Chief Systems Administrator
 
Join Date: September 2001
Location: Europe
Posts: 13,075

This seems to be a non-issue to me really. Let me explain why, for those who are interested.

Point one.
MS SQL server supports two types of authentication. One type of authentication is against the Active Directory, which is a centralised authentication system. The other type of authentication is against a local database held inside the SQL server.

Active Directory (AD) provides a central single point of control. If you need to change the password for a database user that's used on 12 servers, you simply change it once on AD.

Under the local database method, you'd have to change the password on each individual server - that's 12 servers you'd have to make sure you got.

Thus good security practice is to only use authentication against Active Directory (known as Windows Authentication), because it simplifies the management of user accounts. This "vulnerability" doesn't affect authentication via Active Directory. So, if you're already following good security practice, this issue will never affect you.

Second point...
The vulnerability mixes up administrative access. A database administrator can administer a database, but would not be a system administrator. Thus, the database administrator would not have access to read/write memory.

A system administrator may have access to read/write memory, if they have been granted permission to do so (which is the case by default). However, someone in such a position would also be in a position to change your password, do the naughty deed, and then change it back without you knowing.

If you cannot trust your system administrators, then all bets are off. However, sensible organisations also have a mechanism for auditing what occurs. So, if an administrator does bad things, the fact that they have done so is recorded. That in its own right is a strong deterrent.
Last edited by Áedán; 4th September, 2009 at 10:21 AM.
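As an added example (not from the thread or from Microsoft), the following T-SQL turns the two points above into checks a DBA can run: whether the instance is configured for Windows Authentication only, which SQL-authenticated logins still exist and which of them hold sysadmin, and a server audit that records login and password changes so an administrator's "change it, use it, change it back" leaves a trail. The audit name, file path and specification name are placeholders.

```sql
-- 1. Is the instance limited to Windows (Active Directory) authentication?
--    0 means "Mixed mode": SQL Server logins with locally stored passwords are enabled.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
           WHEN 1 THEN 'Windows Authentication only'
           ELSE 'Mixed mode (SQL Server logins enabled)'
       END AS auth_mode;

-- 2. Every SQL Server login that still exists, flagged if it is also sysadmin.
--    Built-in ##...## certificate logins are excluded.
SELECT sl.name,
       sl.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', sl.name) AS is_sysadmin,
       sl.create_date,
       sl.modify_date
FROM sys.sql_logins AS sl
WHERE sl.name NOT LIKE '##%'
ORDER BY is_sysadmin DESC, sl.name;

-- 3. Who holds the sysadmin role (the "system administrator" the post
--    distinguishes from a plain database administrator).
SELECT sp.name, sp.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS sr ON sr.principal_id = rm.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = rm.member_principal_id
WHERE sr.name = 'sysadmin';

-- 4. Record login creation/alteration, password changes and role membership
--    changes at the server level (SQL Server Audit, available from 2008).
--    Placeholder names and path: adjust for your environment.
CREATE SERVER AUDIT LoginChangeAudit
    TO FILE (FILEPATH = 'D:\SQLAudit\')
    WITH (ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION LoginChangeAuditSpec
    FOR SERVER AUDIT LoginChangeAudit
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP),
    ADD (LOGIN_CHANGE_PASSWORD_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT LoginChangeAudit WITH (STATE = ON);
GO
```

Run the first three queries from a login with VIEW SERVER STATE; the audit statements require CONTROL SERVER or sysadmin.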
#3
Old 4th September, 2009, 06:21 PM
Daniel ~
Chief BBS Administrator
 
Join Date: September 2001
Location: Seattle Wa.
Posts: 45,606

Half the stuff I put up front page is done in the hopes someone here will clarify things for me...Thanks Aedan! ":O}
Copyright ©2001 - 2010, AOA Forums