Restoring Access to Microsoft SQL Server

by Dmitry Kirsanov 26. August 2013 13:29

A note for system administrators: what to do when your one and only administrator account is locked out of your SQL Server.

You need to perform 5 quick steps.

Two Things To Learn From LinkedIn

by Dmitry Kirsanov 7. June 2012 15:45

As you already know, the LinkedIn passwords were supposedly leaked and became available online in the form of hashed data. Or they were not, but it doesn’t really matter.

What really matters for you as a web developer is to see the mistakes of LinkedIn’s developers and learn from them.

1. Website Performance

When people learned that their passwords were jeopardized, and that these passwords could be the keys to other systems as well, they rushed to change their password. All at once. And LinkedIn has about 161 million users so far. Of course there are thousands of dead accounts and people who haven’t heard about the problem yet, but still – many millions of people logged into their accounts, went to the profile settings and started the password changing procedure.

As a result, many people couldn’t do that, because the machines responsible for that feature were too busy. If you were among those who tried to change their password the day it hit the news, you saw that Ajax window saying it was waiting for the operation to complete. I managed it on the second attempt, since my password was a year old anyway.


Essentials of Microsoft Internal Security Policy

by Dmitry Kirsanov 11. April 2012 07:41


Here’s some morning fun for security experts out there.

A few days ago I needed to arrange a payment to Microsoft. The credit card used in the transaction wasn’t available the week after the transaction, when the company decided to charge it. Not a big deal, I only needed to provide the details of an alternate card. Here is a fragment of the e-mail I got regarding the issue:

“Due to security policy, we strongly recommend you send these details via fax or attached to an e-mail. Please do not type these details in the e-mail body. If you wish, you can provide us with these details via phone.”


Introduction to PowerShell - part 4 - Security

by Dmitry Kirsanov 23. March 2012 01:42

One of the qualities of PowerShell, one of the scales by which its success is measured, is security. It is also the first question asked when someone new to PowerShell tries to run a PowerShell script.

The previous generations of scripting environments, like the Windows Scripting Host with its notorious VBS files sent automatically over e-mail by all sorts of worms and trojans, cried out for better security, not only in terms of getting over those problems, but also in terms of applying the newest standards and technologies.

So this video training article is about security in Windows PowerShell.

Black SEO: Referral Spam

by Dmitry Kirsanov 27. February 2012 11:19

When writing articles about SEO, it’s easy to fall into one of two categories. Either you will write something that everybody knows, or something that perhaps shouldn’t be revealed, as it will lose its value very quickly because of misuse.

So you don’t see many articles about Search Engine Optimization here, mainly because I am trying to be original. However, I can’t count on everyone to study the subject and avoid the traps, so some of my articles are like an “Achtung, Minen” sign for those who focus on areas of life other than Information Technology.

So, this article will be about the so-called Black SEO discipline named “Referral Spam”: what it is, how it works and why you should avoid it.

Securing Corporate Identity - 3 Things You Shouldn’t Leave Behind

by Dmitry Kirsanov 5. December 2011 16:57

The new culture of making business “more social” brings so many new possibilities and chances that it’s hard to analyze the consequences of every step you take. We are doing so much in order to use the latest features of the web that we don’t recognize the jeopardy hidden in the most innocent things we do.

In October 2011 I ran an experiment which lasted two months and gave me such interesting results that I couldn’t resist sharing them. For some of you these findings could be shocking and reveal something new, but the reason for the experiment was purely to prove what seemed logical even without experimenting.

Security through obscurity

by Dmitry Kirsanov 8. November 2011 19:46

A rather short note for pen-testers.

Sometimes you have software which contacts some web services; this is especially interesting when it’s about transferring files.

Some software packages, especially custom ones made for a small number of customers, may have web services exposed for consumption by that software.

Pay attention to this. Sometimes there are exposed functions which could be exploited in ways the developers were not able to imagine.

For example, during my most recent pen-test, I was able to put files on, delete from and execute on the server using only the functions of the exposed web service. Needless to say, I wouldn’t need any hacking tools or social engineering to penetrate the networks of their customers as well.

This topic is largely omitted from CEH and similar courses, but with some basic knowledge of programming you could kill a whole family of rabbits with one shot.

Also, as a side note about pen-testing: I noticed that even when you’re using the simplest technique, a “no-brainer” one, the customer will call you a “hacker” or “genius” just to avoid calling their developer or system administrator an idiot.

See the forest behind the trees

by Dmitry Kirsanov 8. November 2011 19:29

Today I was walking through the city and suddenly saw the car of one of our local IT companies. The motto on the side of the car said “we see further”. Yeah, right.

For years it has been the dream of each and every CEO to look one step further than others. To be what they call a “visionary” or even a “strategist”. To keep a hand on the pulse of technology, you know. To seize possibilities before others react.

However, the funny thing is that most of them don’t see the forest behind the trees. They fail not only to predict, which is more or less ok, as a sales guy is not necessarily an analyst. They fail to see the trend in their own niche, the living processes inside their own organization. So what you can read on LinkedIn and similar resources is mostly chewing the same “enlightening” gum.

The biggest and most consumed chewing gum these days is the cloud. Cloud computing, that is. Without understanding what the cloud is, CEOs usually think about the same features of it:

  • No more server room; we can place everything in the cloud, so this will save us money.
  • All of our clients will use our solution, which is placed in the cloud, so we won’t funk up with servers and this will save us money.
  • We will save money on IT staff – fewer nerds on staff is always good.

Et cetera.

Recently I came across a solution plan which was designed through the rose-tinted glasses of SaaS (Software As A Service). It is a currently successful corporate application which is about to “go cloud”, so all customers will use one web site and won’t need to install the application locally. The (rather hidden) problem is that this application will require administrative privileges in the customer’s Active Directory, which means on all computers of the company. And all customers will use the same instance of that application. And there are nuclear power plant operators among the customers.

I would say – “one ring to rule them all”, but you remember the story, right?

Corporate PR specialists rush into social networks without insight. They don’t understand the consequences; they are just playing poker. They don’t understand, for instance, that what they are doing is less effective than using a computer program to do the same thing. And when they start to use that program, they themselves become useless, as creativity (the only genuine thing that computers don’t have, but can imitate) can be borrowed through outsourcing or simply dismissed.

The same goes for HR and some other specialties: it becomes more automated, then it will become a “cloud” application, and then operating that application will become part of someone else’s responsibilities. And that will always be more effective than most human specialists.

These days, creativity, speed and precision alone are not enough. You need knowledge, which is always neglected and, it seems, always will be. The ‘enlightened CEO’ was the core of the dot-com bubble problem and is the same with any technology-related hype, because technology is based on knowledge and decision-makers just lack it.

Look at the top players in the IT business. The most successful ones are those founded and led by scientists, not by entrepreneurs. Talking about software companies, Apple and Google were founded by scientists. Microsoft as well. When the CEOs were not scientists, as at Google, they didn’t make any technological decisions, like what their product would look like and how it would work.

However, most other IT companies are led by entrepreneurs, sometimes with insignificant experience in IT, who make key decisions. And fail.

So, the moral of the story. You can’t just use someone else’s knowledge and experience, mainly because you won’t have complete access to it, only to the public portion of it. You must have your own. And prove to yourself that you have it.


The devil, as you know, is in the details. There was a time when you could just copy what others did and chances are you would be fine (remember the IBM PC?). These days, with the cloud and SaaS and other buzz terms that may come to mind, the frontier is much wider and you have to be a great analyst to understand why someone else’s solution works this way with such success, because there are many details which are hidden from view, hiding somewhere in the cloud, and which won’t apply to your case.

Think about what you’re doing, don’t look at others.

Password policy of our time?

by Dmitry Kirsanov 4. November 2011 06:18

When I began studying computers in the early 90s, I adopted the password policy of that time, which stated that passwords should be at least 8 characters long and complex, meaning that there should be a number, uppercase and lowercase letters, and it would be nice if there were also a special character.

With Windows NT 4 we had an addition to that rule, rarely used in practice, that the password should be longer than 14 characters, as otherwise it could be hacked in a matter of seconds.

Windows has additional rules in a corporate environment, but all of them are basically about the length, complexity and maximum age of the password. However, while you can enforce that on a corporate network, most people are far from understanding the underlying idea of a password policy, can’t estimate the cost of a weak password, and overall they are ready to adopt the policy only if it is reasonable enough.

So I decided to create such a policy for myself. Take a look at what I came up with.

What could be worse than that?

by Dmitry Kirsanov 3. November 2011 05:59

Have you ever thought about all the possible things that could happen when you become the subject of business espionage through the hacking of your server? Either of the whole farm or of the one and only server you have in your organization? What are the possible scenarios you went through in your fantasies or security planning?

Here is one idea you didn’t go through. Imagine that your server is hosting installation files for software which is used either on other computers inside your organization or outside of it. Even funnier: you have a part of your network which is separated from the Internet, but it still uses a piece of software whose installation files are stored on the compromised machine.

Using a technique called repackaging, an intruder could change these installation files so that you wouldn’t be able to distinguish them from the original ones. They would look and behave identically but would also install a Trojan horse. In the case of a targeted attack this Trojan horse wouldn’t be recognized by antivirus software, as it couldn’t be found on other machines on the Internet.

While very sophisticated, this attack is also very simple to implement and could potentially supply an attacker with precious information for years.

I am not aware of any attempts of this kind ever being implemented, so I could probably patent it. Too bad hacking techniques won’t be patented. But anyway, we are going to talk about “white hat” repackaging pretty soon, so stay tuned!
