Comments on: Passwords leakage from MS SQL Server http://www.slaviks-blog.com/2009/09/02/passwords-leakage-from-ms-sql-server/ Slavik's Blog Mon, 08 Mar 2010 10:21:01 -0800 http://wordpress.org/?v=2.9.2 hourly 1 By: Week 36 in Review – 2009 | Infosec Events http://www.slaviks-blog.com/2009/09/02/passwords-leakage-from-ms-sql-server/comment-page-1/#comment-4236 Week 36 in Review – 2009 | Infosec Events Thu, 11 Feb 2010 10:42:34 +0000 http://www.slaviks-blog.com/?p=160#comment-4236 [...] Passwords leakage from MS SQL Server – slaviks-blog.com Turns out that SQL Server saves in clear text user credentials of users logging in using SQL Server native authentication. [...] [...] Passwords leakage from MS SQL Server – slaviks-blog.com Turns out that SQL Server saves in clear text user credentials of users logging in using SQL Server native authentication. [...]

]]> By: CI http://www.slaviks-blog.com/2009/09/02/passwords-leakage-from-ms-sql-server/comment-page-1/#comment-3970 CI Mon, 05 Oct 2009 21:37:37 +0000 http://www.slaviks-blog.com/?p=160#comment-3970 I definitely agree with you guys. This is a security issue. I think that the biggest point here is "Most breaches are perpetrated by skilled insiders". What if adminA steals the credentials of adminB? What a mess... I don't understand why Microsoft corp. doesn't acknowledge the issue. In my mind, the fix wouldn't be that hard to implement. Thumbs up for your effort trying to reason with Microsoft corp. But, only the Microsoft corp. clients can make Microsoft corp. move. It's only by making the information available, what you just did, that MS will move. Only my personal thoughts, for what they are worth. Regards, Statistique I definitely agree with you guys. This is a security issue. I think that the biggest point here is “Most breaches are perpetrated by skilled insiders”. What if adminA steals the credentials of adminB? What a mess…

I don’t understand why Microsoft corp. doesn’t acknowledge the issue. In my mind, the fix wouldn’t be that hard to implement.

Thumbs up for your effort trying to reason with Microsoft corp. But, only the Microsoft corp. clients can make Microsoft corp. move. It’s only by making the information available, what you just did, that MS will move.

Only my personal thoughts, for what they are worth.

Regards,
Statistique

]]> By: Slavik http://www.slaviks-blog.com/2009/09/02/passwords-leakage-from-ms-sql-server/comment-page-1/#comment-3920 Slavik Thu, 03 Sep 2009 21:57:10 +0000 http://www.slaviks-blog.com/?p=160#comment-3920 @Statistique Thanks for the kind words and I agree that MS customers should try and influence MS to fix the issue. From my point of view, passwords should be never handled by the server except when created. Only hashes. @Statistique
Thanks for the kind words and I agree that MS customers should try and influence MS to fix the issue.
From my point of view, passwords should be never handled by the server except when created. Only hashes.

]]> By: Statistique http://www.slaviks-blog.com/2009/09/02/passwords-leakage-from-ms-sql-server/comment-page-1/#comment-3919 Statistique Thu, 03 Sep 2009 20:54:57 +0000 http://www.slaviks-blog.com/?p=160#comment-3919 I definitely agree with you guys. This is a security issue. I think that the biggest point here is "Most breaches are perpetrated by skilled insiders". What if adminA steals the credentials of adminB? What a mess... I don't understand why Microsoft corp. doesn't acknowledge the issue. In my mind, the fix wouldn't be that hard to implement. Thumbs up for your effort trying to reason with Microsoft corp. But, only the Microsoft corp. clients can make Microsoft corp. move. It's only by making the information available, what you just did, that MS will move. Only my personal thoughts, for what they are worth. Regards, Statistique I definitely agree with you guys. This is a security issue. I think that the biggest point here is “Most breaches are perpetrated by skilled insiders”. What if adminA steals the credentials of adminB? What a mess…

I don’t understand why Microsoft corp. doesn’t acknowledge the issue. In my mind, the fix wouldn’t be that hard to implement.

Thumbs up for your effort trying to reason with Microsoft corp. But, only the Microsoft corp. clients can make Microsoft corp. move. It’s only by making the information available, what you just did, that MS will move.

Only my personal thoughts, for what they are worth.

Regards,
Statistique

]]> By: Slavik http://www.slaviks-blog.com/2009/09/02/passwords-leakage-from-ms-sql-server/comment-page-1/#comment-3917 Slavik Wed, 02 Sep 2009 22:02:38 +0000 http://www.slaviks-blog.com/?p=160#comment-3917 @Michael Hi Michael, thanks for the comment. Well, think about all the test systems you know. How many users have admin privs on them? How many of them have the same privs on production? How many use the same password? And how many share the same password with other, personal systems like their banking account? I think that the main issue here is the fact that no one should ever see the passwords because they are reused. Cheers, Slavik @Michael
Hi Michael, thanks for the comment.
Well, think about all the test systems you know. How many users have admin privs on them? How many of them have the same privs on production? How many use the same password? And how many share the same password with other, personal systems like their banking account? I think that the main issue here is the fact that no one should ever see the passwords because they are reused.

Cheers,
Slavik

]]> By: Michael K. Campbell http://www.slaviks-blog.com/2009/09/02/passwords-leakage-from-ms-sql-server/comment-page-1/#comment-3916 Michael K. Campbell Wed, 02 Sep 2009 21:52:20 +0000 http://www.slaviks-blog.com/?p=160#comment-3916 Frankly, cool finding - and this is the first I've heard of it. But I don't think it's an issue. And I really mean that. Anyone with the ability to take advantage of this already has credentials enough to do wicked things with SQL Server if needed. Likewise, if code can get installed to do this as some sort of malicious payload, it's already a part of the TCB and can CHANGE credentials, create its own, and so on. So... while I think finding this was cool, I don't think it's a security issue. Frankly, cool finding – and this is the first I’ve heard of it.

But I don’t think it’s an issue. And I really mean that. Anyone with the ability to take advantage of this already has credentials enough to do wicked things with SQL Server if needed. Likewise, if code can get installed to do this as some sort of malicious payload, it’s already a part of the TCB and can CHANGE credentials, create its own, and so on.

So… while I think finding this was cool, I don’t think it’s a security issue.

]]>