Windows (Trusted) Authentication Vs SQL (Mixed-Mode) Authentication

Just a quick post for my future reference on the differences between Trusted authentication and Mixed-mode Authentication used by SQL Server

Windows Authentication

  • When a user connects through a Windows user account, SQL Server validates the account using the Windows principal token supplied by the operating system. The user's identity is therefore confirmed by Windows, not by SQL Server.
  • SQL Server never asks for the password and performs no identity validation of its own; the credential never passes through SQL Server at all.
  • Windows Authentication is the default authentication mode and the recommended one: it is considerably more secure than SQL Server Authentication because no password is stored in, or checked by, SQL Server.
  • Windows Authentication
    • uses the Kerberos security protocol (falling back to NTLM when no SPN is registered for the instance's service account),
    • provides password policy enforcement with regard to complexity validation for strong passwords,
    • provides support for account lockout,
    • and supports password expiration.
  • A connection made using Windows Authentication is sometimes called a trusted connection, because SQL Server trusts the credentials provided by Windows.

SQL Authentication

  • When using SQL Server Authentication, logins are created in SQL Server that are not based on Windows user accounts.
  • Both the user name and the password are created by using SQL Server and stored in SQL Server.
  • Users connecting using SQL Server Authentication must provide their credentials (login and password) every time that they connect.
  • When using SQL Server Authentication, you must set strong passwords for all SQL Server accounts.
  • Three optional password policies are available for SQL Server logins (enforced through the Windows password policy of the host).
    • User must change password at next login
    • Enforce password expiration
    • Enforce password policy
  • SQL Server Authentication cannot use the Kerberos security protocol; the login name and password are sent to the server in the login packet and verified against the hash stored in master.
  • Supports environments with mixed operating systems, where not all users are authenticated by a Windows domain.

Source: http://msdn.microsoft.com/en-us/library/ms144284.aspx
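The T-SQL below is an added example to go with the summary above; it is not from the MSDN page or the original post. It assumes a SQL Server 2005 or later instance, a domain named CORP with a user alice, and sysadmin rights; the login names and the password are placeholders. It shows the authentication mode check, a Windows login next to a SQL login with the three optional policies switched on, and the query that reveals whether a "trusted" connection actually negotiated Kerberos or silently fell back to NTLM.

```sql
-- Added example (not from the MSDN page or the original post).
-- Assumptions: SQL Server 2005+, domain CORP, user CORP\alice, sysadmin rights.
-- All names and the password below are placeholders.

-- 1. Which authentication mode is the instance running in?
--    1 = Windows Authentication only, 0 = Mixed Mode (Windows + SQL logins)
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. A Windows login: no password is stored in SQL Server. Windows / Active
--    Directory validates the credential and enforces complexity, lockout and
--    expiration; SQL Server only maps the principal to a login.
CREATE LOGIN [CORP\alice] FROM WINDOWS;

-- 3. A SQL login: the password hash is stored in master. The three optional
--    policies from the post map onto these clauses. CHECK_POLICY = ON applies
--    the host's Windows password policy (complexity and lockout thresholds),
--    CHECK_EXPIRATION = ON applies expiration, and MUST_CHANGE forces a change
--    at next login (it requires both of the others to be ON).
CREATE LOGIN app_reporting
    WITH PASSWORD = 'Pl@ceholder-Str0ng-Pass!' MUST_CHANGE,
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;

-- 4. Confirm the policy flags actually took effect on the SQL login.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE name = 'app_reporting';

-- 5. "Windows Authentication uses Kerberos" holds only when an SPN exists for
--    the service account; otherwise the client falls back to NTLM without any
--    error. auth_scheme shows what each live session really negotiated:
--    KERBEROS, NTLM, or SQL (for SQL Server Authentication).
SELECT s.session_id, s.login_name, c.auth_scheme, c.net_transport
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.is_user_process = 1;
```

If step 5 shows NTLM for sessions you expected to be Kerberos, register the SPN for the service account (MSSQLSvc/host:port) rather than assuming the "trusted connection" label implies Kerberos.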

Exploiting ActiveX

I’ve been reading a very interesting paper over the weekend. It’s about exploiting ActiveX controls on Microsoft Windows (mostly through Internet Explorer).
The article is very lucid and easy to understand even for beginners. The paper is titled “ActiveX – Active Exploitation” and it’s written by ‘warlord’.

Highly recommended. You can find the article here. I’m also adding it to my Reading Room for future reference.

Deobfuscating Javascript Malware

An edited version of this post has been added to my company blog at Checkmate

Some days back I was greeted by a Google Safe Browsing warning when I tried visiting a ‘known’ site. As I was sure it was supposed to be a clean and harmless site, I thought it would be good to dig further into this problem. The trail led to an interesting amount of code, concepts and techniques.

Malware writers are very smart nowadays (haven’t they always been?). They know that once their code is understood, it is most likely to be detected by anti-malware applications. To delay detection by such applications, they resort to a wide range of techniques. In this blog post I’ll be discussing one of the most potent and most easily created kinds: obfuscated JavaScript.

JavaScript has become the boon and bane of the Internet. It provides greater interactivity with the user, but it can also be used by malware writers to deliver exploits to unsuspecting users. JavaScript is a client-side scripting technology, which means the script is processed by the user’s browser rather than by the web server.

Obfuscation is the concealment of intended meaning in communication, making communication confusing, intentionally ambiguous, and more difficult to interpret.

JavaScript is sometimes obfuscated to prevent users from easily understanding its functionality. (A legitimate use is to deter copying of code; malware authors use the same trick to hide the exploit from signature-based scanners and from the analyst.)

Hakin9 magazine contest

Hakin9 is out with another contest. They’re giving away the three latest issues of Hakin9 absolutely free.

After the last contest, I received my copy of Hakin9 in about 10 days and the issue was awesome. I can’t wait to check out the contents of the upcoming issues.

The current issue addresses advanced exploitation topics such as ASLR and stack canaries. The theme of the issue is “21st Century Hacking Techniques”.

Issue 05/2009 of Hakin9 magazine

Head over to their website at http://www.hakin9.org/en to know more about the contest and the articles in the current issue.

SQL Injection in Stored Procedures

My colleague Dhiraj Ranka wrote about an interesting corner of SQL injection.
Stored procedures are widely assumed to protect against SQL injection, but that protection only holds when user input reaches the query as a parameter. A procedure that builds its query text by string concatenation is just as injectable as inline SQL.

Dhiraj has demonstrated an SQL injection in a Stored Procedure which has not been constructed properly.

The crux of the issue lies in the system stored procedure sp_executesql, which takes a string as a parameter and executes it. The string is generally a SQL query assembled inside the procedure. When the caller’s input is concatenated into that string, the entire premise of using stored procedures to prevent injection fails: the input becomes part of the query text, exactly as it would in ad-hoc SQL. Note that sp_executesql itself is not the flaw; it accepts a parameter definition list, and binding the value as a parameter instead of concatenating it is precisely the fix.
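As an added illustration (my own code, not Dhiraj’s example from the linked post), here is the pattern side by side: a procedure that concatenates its parameter into the text passed to sp_executesql, the input that breaks out of it, and the same procedure rewritten to bind the value through sp_executesql’s own parameter list. It assumes a table dbo.Customers(CustomerId int, Name nvarchar(100), City nvarchar(50)) and SQL Server 2008 or later for the DECLARE-with-initializer syntax.

```sql
-- Added example; not the code from the linked post.
-- Assumes: dbo.Customers(CustomerId int, Name nvarchar(100), City nvarchar(50)),
--          SQL Server 2008+ (DECLARE ... = initializer).

-- VULNERABLE: the procedure looks parameterized from the outside, but @City is
-- concatenated into the query text and sp_executesql runs whatever it is given.
CREATE PROCEDURE dbo.FindCustomersByCity_Unsafe
    @City nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = '''
             + @City + N'''';
    EXEC sp_executesql @sql;
END;
GO

-- Input that closes the string literal and appends a second statement.
-- The text actually executed is:
--   SELECT CustomerId, Name FROM dbo.Customers WHERE City = 'x'; DROP TABLE dbo.Customers; --'
EXEC dbo.FindCustomersByCity_Unsafe @City = N'x''; DROP TABLE dbo.Customers; --';
GO

-- FIXED: the query text is a constant, and @City is bound as a typed parameter
-- through sp_executesql's parameter definition list. The same payload is now
-- just an odd-looking city name that matches no rows.
CREATE PROCEDURE dbo.FindCustomersByCity
    @City nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerId, Name FROM dbo.Customers WHERE City = @City';
    EXEC sp_executesql @sql, N'@City nvarchar(50)', @City = @City;
END;
GO

EXEC dbo.FindCustomersByCity @City = N'x''; DROP TABLE dbo.Customers; --';
GO
```

The parameterized form also gives you plan reuse for free. Where dynamic SQL is genuinely needed for something that cannot be a parameter (a table or column name), wrap that piece in QUOTENAME() and validate it against a whitelist; values still go through the parameter list.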

Read the detailed example at http://dhirajranka.wordpress.com/2009/08/25/sql-injection-stored-procedure/

Another interesting account of improper usage of Stored Procedure is demonstrated at
http://palisade.plynt.com/issues/2006Jun/injection-stored-procedures/

Regards,

Indian Honeynet Project (IHP) Launched

The official India chapter of the Honeynet Project was launched some time back.

I’ve joined in as a member as it is a very interesting project and will provide for many learning opportunities.
I’ve even submitted a report on the initial setup and analysis that we’ve done at our office. You can check it out at
http://honeynet.org.in/projects_and_reports.htm

For further details about the initiative visit http://honeynet.org.in/index.htm

Zero for 0wned zine – ZF05

I know this is ‘old’ news, but I was a bit busy so could not post it here.

ZF05 has been released, where the ‘hackers hack the hackers’ …hehe

Pretty interesting stuff. Make sure to read the hackers’ comments embedded in between the text, which by the way is pretty huge!!

Check it out at http://r00tsecurity.org/files/zf05.txt
Here’s a snippet of what to expect 🙂
– Kevin Mitnick
– Dan Kaminsky
– Hacking in gitmo
– darkmindz
– elitehackers.info
– Binary Revolution
– hak5
– blackhat-forums
-….and many more