It is unfortunate that this awareness did not help circumvent Spida. It is
also unfortunate that in the same article Microsoft continues to say:
Important: There is no bug in SQL Server that permits this penetration; it
is a vulnerability that is created by an unsecured system.
This may be important to Microsoft, but it certainly is not important to
Microsoft's customers. Furthermore, one can claim that shipping with an
empty password IS a bug and after Spida, Microsoft quickly changed the
shipping password for sa, and today Microsoft is far more proactive in
making sure that its customers are better protected even if it is “not a
Microsoft bug.”
Incidentally, weak default passwords also exist in other database products.
Before version 9i R2, Oracle shipped with a password of MANAGER for
the SYSTEM account and a password of CHANGE_ON_INSTALL for the SYS
account—both accounts providing elevated privileges.
The next type of attack you should be aware of uses password crackers.
These tools automate the process of signing onto your database and use a
file of words to guess passwords. They iterate through all of the words in the
files, and if your password is included in this list, they will eventually
manage to sign onto the database.
An example of such a tool is SQLdict, which you use to run a dictionary
attack on a SQL Server instance; you can download the tool from
www.ntsecurity.nu/toolbox/sqldict. To use it, you first need to get a
password file—a great place for those is ftp://ftp.ox.ac.uk/pub/wordlists/.
Once you have the file(s), open the tool, point it at the target SQL Server,
enter the target account, load a password file, and click the Start button, as
shown in Figure 4.4. If your password is in the dictionary file, it will
eventually be cracked.
SQLdict is a simple tool that a hacker may use. As a DBA testing the
strength of your passwords, you will typically use another form of tools
mentioned in the next subsection.
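As an added example (not from the book or from SQLdict), the following T-SQL performs the DBA-side audit that the dictionary-attack discussion above and the "audit your passwords" advice call for: it checks your own SQL Server logins against a short, constructed list of empty and well-known weak passwords using the documented PWDCOMPARE() function, and lists logins exempt from the Windows password policy. It assumes SQL Server 2005 or later, where sys.sql_logins exposes password_hash, and CONTROL SERVER permission.

```sql
-- Added example, not the book's or SQLdict's code: audit your own instance's
-- SQL logins for empty and well-known weak passwords. Requires CONTROL SERVER.
-- PWDCOMPARE() returns 1 when the clear-text candidate hashes to the stored
-- password_hash, so no password is ever sent across the network in the clear
-- and no login attempts are generated.

-- Constructed candidate list (the empty string is the Spida / sa case).
-- In practice, load this from the same wordlist a cracker would use.
DECLARE @weak TABLE (candidate NVARCHAR(128) NOT NULL);
INSERT INTO @weak (candidate)
VALUES (N''), (N'sa'), (N'password'), (N'Password1'),
       (N'admin'), (N'sql'), (N'123456'), (N'sqlserver');

-- Every SQL login whose stored hash matches one of the candidates.
SELECT l.name AS login_name,
       CASE WHEN w.candidate = N'' THEN N'<empty>' ELSE w.candidate END
            AS matched_password,
       l.is_disabled,
       l.is_policy_checked,
       l.is_expiration_checked
FROM sys.sql_logins AS l
JOIN @weak AS w
  ON PWDCOMPARE(w.candidate, l.password_hash) = 1
ORDER BY l.name;

-- Logins that opt out of the Windows password policy or expiration rules:
-- these are the accounts a dictionary attack is most likely to succeed on
-- and should be fixed with ALTER LOGIN ... WITH CHECK_POLICY = ON.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0
ORDER BY name;
```

Any row returned by the first query should be treated as a finding to remediate immediately (change the password or disable the login), and the audit should be rerun after every installation or upgrade, since that is when default credentials reappear.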
4.3.2 Implementation options: Promote and verify the use of strong passwords
Resolving the issues detailed in the previous subsection is easy. Don't use
empty passwords. Don't leave any default passwords. Audit your passwords.
Use password best practices. Use a password cracker tool—after all, the