SQL Archives - The Silicon Underground

Home » SQL

Common security attacks and countermeasures

Dave Farquhar security May 3, 2017September 27, 2017adobe, Adobe Reader, chrome, denial of service, EMET, excel, Exploit, firewall, java, Password, password database, passwords, printer, proxy, SEO, SQL, web browsers 0 Comment

As a security professional, I talk to a lot of people about common security attacks and countermeasures. I’m not always certain the people I’m talking to know what these things mean. I am almost certain they aren’t willing to ask.

I know it’s more complicated than it was when I took my Security+ exam a decade ago. The stakes are much higher now. The attacks I had to identify caused inconvenience, but someone conducting a successful smurf attack on your printer won’t get you in the headlines. Today’s attacks will.

Patch management strategy

Dave Farquhar security April 3, 2017November 19, 2018999, adobe, Canada, contractor, Exploit, good security, google, hacker, hacking, java, microsoft, microsoft patches, nessus, oracle, PDF, scanner, SCCM, server, sprint, SQL, sysadmin, verizon, vulnerability, wsus 2 Comments

Vulnerability management and patch management are close relatives. In most companies, think of them as siblings who hate each other. That’s usually how it plays out. It doesn’t always have to be that way, but it takes some thought and strategy from both sides. Here are some ideas for patch management strategy.

SQL injection explained

Dave Farquhar security July 19, 2016November 26, 2018Exploit, HR, html, PHP, SQL, Wordpress, XKCD

I’ve never seen SQL injection explained really well, until one of my coworkers did just that. I’m going to try to repeat his explanation here, because SQL injection is something that everyone seems to expect everyone else to just know.

SQL injection (sometimes abbreviated SQLi) is the technical term for getting a form in a web site to run SQL commands when it shouldn’t. You need to know this if you get into vulnerability management and especially web app pen testing. Here’s what it is and how and why it works.

Job hunting on your own vs. using a recruiter

Dave Farquhar Uncategorized April 28, 2016November 24, 2016cissp, contracting, DBA, hiring manager, LinkedIn, linux, phone, SQL, sysadmin

A former coworker contacted me last week. He’d been employed in the same place for the last 16 or 17 years and he couldn’t remember how to look for a job. Who better to ask than a guy who’s changed jobs 9 times in the same timeframe? One obvious question to ask regards job hunting on your own vs. using a recruiter.

In fairness to myself, government contracting causes a lot of job-hopping. And in fairness to him, the game’s changed a lot since the last time he had to play. IT Recruiters existed back then, but back then when you wanted a new job, you found it yourself.

I still use both methods.

Resources for learning SQL

Dave Farquhar Servers and Networking September 30, 2015November 26, 2016databases, microsoft, Microsoft Access, mysql, oracle, quirks, SQL, sysadmin

Whether you’re a sysadmin, an analyst, or use a computer for something else professionally–even if you’re not a database administrator or developer–SQL is a useful skill to know. I’ve gotten by for 20 years without knowing much more SQL other than simple SELECT statements, but those days are rapidly winding down–if I want to be good at my current job, I’m going to have to take some time to learn SQL. If you’re in the same boat, here are some resources for learning SQL.

Here are two resources:

http://pgexercises.com/

https://sqlschool.modeanalytics.com/the-basics/introduction/

SQL is the underlying language behind Oracle, Microsoft SQL, MySQL, PostgresSQL, and probably a few other databases I’m forgetting. If you’re doing something beyond Microsoft Access, it’s probably using some kind of SQL. Each implementation has its own quirks but the basics remain the same between all of them.

What I would have done to secure the Astros’ database

Dave Farquhar Baseball, security June 18, 2015August 12, 2018baseball, breach, China, facebook, hacker, Houston Astros, Korea, Major League, Major League Baseball, North Korea, phone, Russia, SQL, Two-factor authentication

The now-infamous breached Houston Astros database sounds like a classic case of what security professionals call Shadow IT: a project that the business needs, done without adequate involvement from security and, most likely, from the IT department as well.

These kinds of things happen a lot. A go-getter implements it, cutting through red tape to get a useful project done in record time, and it’s great until something goes wrong.

In this case, “wrong” meant a competitor got into the database and stole trade secrets.

Predicting the future, circa 2003

Dave Farquhar security, Windows September 26, 2014September 13, 2014BSD, discipline, laptops, linux, microsoft, microsoft security, phenomenon, podcast, RDP, server, SQL, unix, VPN, WAN, windows nt

In the heat of the moment, I searched my blog this weekend for quotes that could potentially be taken out of context and found something rather prophetic that I wrote in the heat of the moment 11 1/2 years ago:

Keeping up on Microsoft security patches is becoming a full-time job. I don’t know if we can afford a full-time employee who does nothing but read Microsoft security bulletins and regression-test patches to make sure they can be safely deployed. I also don’t know who would want that job.

Who ended up with that job? Me, about a year after I left that gig. It actually turned out I was pretty good at it, once I landed in a shop that realized it needed someone to do that job, and utilized that position as part of an overall IT governance model.

How to patch less

Dave Farquhar security, Windows March 20, 2014April 15, 2017chrome, CPU, DISA, firefox, firewall, GUI, internet explorer, microsoft, Microsoft Office, mindset, optimizing, oracle, router, server, servers, SQL, STIG, vulnerability, web browser, web browsers, Windows Server

One of my former supervisors now works for a security vendor. He told me the other day that someone asked him, “Does your company have anything so I don’t have to patch anymore?”

The answer, of course, is that there’s nothing that gets you out of ever having to patch anymore. To some degree you can mitigate, but there’s no longer any such thing as a completely friendly network. The reasoning that you’re behind a firewall doesn’t work anymore. On corporate networks, there’s always something hostile roaming around behind the firewall, and you have to protect against it. If you’re on a home network with just a computer and a router, your computer and router attack each other from time to time. That’s the hostile world we live in right now. Patching is one of the fundamental things you have to do to keep those attacks from being successful.

That said, there are things you can do to patch less. Read more

DROP DATABASE wordpress;

Dave Farquhar Apache, Linux, This weblog February 7, 2013apache, CPU, error message, error messages, firewall, GB, Midnight Commander, mysql, PHP, RAM, server, SQL, ssd, URL, web browser, Wordpress

This week, I doubled back down in earnest to get my webserver running on the hardware I bought a year ago.

After getting Apache, PHP and MySQL installed on the box and playing together nice, I installed WordPress and got it running. Then I tried backing up and restoring files from my existing server, and the server didn’t like that one bit.

Tag your imported WordPress content with Simple Tags

Dave Farquhar Apache February 3, 2013February 2, 2013apache, mysql, optimizing, Similar Posts, SQL, Wordpress

Unlike many bloggers, I blogged for a decade before moving to WordPress. That meant I had a pile of old posts with no tags on them. One of the nice things about WordPress is that you can use the tags in conjunction with a plugin like Similar Posts to display links to related content at the end of each post. And trust me, when you blog for a decade, a lot of your stuff is related.

It’s also sad how much of that old content becomes obsolete, but the 2% that stands the test of time and continues to get readers year over year is satisfying, too.

Here’s how to tag your old content–wherever it came from–quickly and easily.

← Previous