A new malware attack on SQL Server

Tencent Security has released a report (written in Chinese) describing a new malware attack by the name of “MrbMiner” on SQL Server instances exposed to the Internet with passwords that can be brute-forced. According to the report it installs an application written in C# by the name of assm.exe which communicates with a command-and-control server to download a digital

Picking up the pieces after the DBA has left: taking ownership of a SQL Server instance

WARNING: This post contains information that can get you fired if you use it without express written permission. In some jurisdictions it might get you jail time as well. Let’s assume you are a consultant, and a customer has called you in a panic because they have lost access to their production environment. Let’s assume

What is a strong password anyway?

Background: Fellow Microsoft MVP Troy Hunt (blog | Twitter) has been operating the website Have I Been Pwned (HIBP) for a number of years now. For the record, “pwned” is pronounced like “owned” but with a “p” in front of it. Don’t use the term in public unless you’re in a room full of information security

SQL Server 2019 is here

With the release of SQL Server 2019, I wanted to highlight in a single place some things that I’m excited about. Drawing on sessions I presented this year at SQLBits and SQL Saturday Edmonton respectively, these are features in SQL Server 2019 for the busy DBA: UTF-8 in-engine support, intelligent query processing features, replacing sqlcmd

When security and news collide

Behold! There’s a scary monster called skip‑2.0, announced by ESET: This backdoor targets MSSQL Server 11 and 12, allowing the attacker to connect stealthily to any MSSQL account by using a magic password – while automatically hiding these connections from the logs. Such a backdoor could allow an attacker to stealthily copy, modify or delete

Convert legacy password storage without aggravating your users

In a previous post I wrote about storing password hashes in a database, which raises the question of how to convert an existing legacy password storage system to use hashes (or even no passwords!) without annoying the people who use your system. Dial ‘S’ for Secret: Let’s assume that you have inherited a database which stores passwords

How to really store a password in a database

Recently I wrote: Don’t store passwords in a database. I stand by this statement. I expected a lot of flak because I didn’t explain myself. This post goes into a bit of an explanation of my position, as well as how to go about storing something in a database that can be used for authenticating

My IT department installed an antivirus with SQL Server

Time for another short blog post, and this one combines two topics I am very passionate about: security, and SQL Server performance. Let’s start by talking about “antivirus” and what that means in today’s world. The term antivirus (AV) itself is outdated; traditionally, AV products detected malicious activity through fixed patterns of code or patterns

Do you even PowerShell, bro? An ode to dbatools and dbachecks.

Shall I compare thee to Management Studio? Thou art more scriptable and consistent. Those out-of-memory errors do tend to lose hours of work. And I mean, SSMS doesn’t run from the command line. Sometimes I get those line-endings errors, Not to mention IntelliSense bombing out; And figuring out which tab I was in can be