
security breach help please


  • security breach help please

    Hi all, I am in need of desperate help here. I work for a big international company and recently I have had to update 2 Windows 2003 servers with SP1 and several other patches. One of these servers has an SQL DB on it holding HR information.
    Since patching the servers there apparently has been a security breach with my user name on it. I don't have the full details of what the breach is, but I have been suspended from my job pending further investigations. (great!)

    What I would like to know is: do any of the MS patches for W2K3 (inc. SP1) have any effect on SQL? And why would my user name appear in the logs as logging on (when I haven't)?
    I saw a spreadsheet stating my username and that I had logged on 3 times but only a few seconds apart. Could it be a drive mapping that I made while patching that I must have ticked as permanent?

    Any help please would be wonderful, especially links to MS articles.

    thanks in advance

    Cliff

  • #2
    Re: security breach help please

    Sorry, I don't know what your question is....
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: security breach help please

      Cliff,
      Get proper legal or union help first (I don't know which country you are in) and get things done "officially" rather than informally on a forum.

      You will need to provide more details (if you have them) about what was logged. You will also need to think if anyone else could have got access to your account (e.g. leaving a computer logged on). I'm unclear if you are 'charged' with unauthorised access to a SQL server DB or to the computer it lives on.

      Again, get legal advice on employment law in your country and follow it. Don't risk mucking things up by doing stuff yourself.

      Good Luck!
      Tom
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: security breach help please

        OK, the questions are:
        Can Windows 2003 patches including SP1 have an effect on SQL and the way it operates?
        And can anyone explain my logon ID showing up in the event logs when I have not logged on? Could it be a persistent drive mapping?



        • #5
          Re: security breach help please

          1) Possibly because SQL server uses windows networking and can access the windows API
          2) Yes, when you access a network share this can (if auditing is enabled) generate a logon event.

          Tom
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **
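
Added example, not part of the thread: a short triage script for the situation discussed above, where one account shows several logons a few seconds apart. It groups an account's successful logons into bursts and separates network-only bursts (share or mapped-drive access) from session logons. Event IDs 528 and 540 are the Windows Server 2003 successful-logon events (540 is the network logon); the CSV column layout, account name and host names are assumptions made up for this example.

```python
import csv
import io
from datetime import datetime, timedelta

# Logon types that imply someone at a console or RDP session:
# 2 = interactive, 7 = unlock, 10 = remote interactive. Type 3 = network.
HANDS_ON = {2, 7, 10}

# Constructed sample export (not data from the thread).
SAMPLE_CSV = """time,event_id,user,logon_type,source
2006-03-01 09:14:02,540,EXAMPLE\\jdoe,3,ADMIN-PC01
2006-03-01 09:14:03,540,EXAMPLE\\jdoe,3,ADMIN-PC01
2006-03-01 09:14:05,540,EXAMPLE\\jdoe,3,ADMIN-PC01
2006-03-01 13:40:10,528,EXAMPLE\\jdoe,10,ADMIN-PC01
"""

def load_logons(text, user):
    """Return the user's successful-logon rows (events 528/540), sorted by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        if r["user"].lower() == user.lower() and r["event_id"] in ("528", "540"):
            rows.append((datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"),
                         int(r["logon_type"]), r["source"]))
    return sorted(rows)

def bursts(rows, gap_seconds=10):
    """Group logons that follow the previous one within gap_seconds."""
    groups = []
    for row in rows:
        if groups and row[0] - groups[-1][-1][0] <= timedelta(seconds=gap_seconds):
            groups[-1].append(row)
        else:
            groups.append([row])
    return groups

def classify(group):
    """'session' if any hands-on type is present, 'network-only' if all are type 3."""
    types = {t for _, t, _ in group}
    if types & HANDS_ON:
        return "session"
    return "network-only" if types == {3} else "other"

def triage(text, user):
    return [(g[0][0].isoformat(sep=" "), len(g), sorted({s for _, _, s in g}), classify(g))
            for g in bursts(load_logons(text, user))]

if __name__ == "__main__":
    for line in triage(SAMPLE_CSV, "EXAMPLE\\jdoe"):
        print(line)
```

A "network-only" burst is what reconnecting a mapped drive looks like in the log; a "session" burst is the kind that warrants asking who was at the source machine.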



          • #6
            Re: security breach help please

            Thanks Tom

            I'm not 100% sure as yet what I am accused of, but I will find out in due course. I know the basics of what I am alleged to have done, but no more than that..

            I have sourced legal advice, but computers seem to be a grey area for most legal people. I'm in the UK.

            Maybe I'll win the Lotto and wont have to worry!


            Cliff



            • #7
              Re: security breach help please

              You really should find out from your supervisor EXACTLY why they have suspended you and to get it all in writing.

              This should include each instance of your "security breach", what it entailed and what damage was done by this security breach. Again get everything in writing. If need be then send all correspondence via a lawyer or via recorded/special delivery.

              Not sure if this site will help any.

              http://www.scl.org/



              • #8
                Re: security breach help please

                get legal help



                • #9
                  Re: security breach help please

                  Cliff:

                  I don't know you but your posts sound much more earnest than most.

                  If you had admin rights and you wanted to do damage, I would expect you would be bright enough to create a dummy account (and cover your tracks) and do it from there. I know that's what I would (have) do (done).

                  Thus I believe your supervisor is a hopeless idiot that fell in to this job without appropriate credentials. I fear this is a hopeless situation as idiots rarely have the capability to realize they are such -- as they are merely idiots.

                  Best of luck to you.
                  Cheers,

                  Rick

                  ** Remember to give credit where credit is due and leave reputation points where appropriate **

                  2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.



                  • #10
                    Re: security breach help please

                    Originally posted by rvalstar
                    Cliff:

                    I don't know you but your posts sound much more earnest than most.

                    If you had admin rights and you wanted to do damage, I would expect you would be bright enough to create a dummy account (and cover your tracks) and do it from there. I know that's what I would (have) do (done).

                    Thus I believe your supervisor is a hopeless idiot that fell in to this job without appropriate credentials. I fear this is a hopeless situation as idiots rarely have the capability to realize they are such -- as they are merely idiots.

                    Best of luck to you.
                    I agree with you there 100%. If someone has admin rights to the domain and servers and they really want to do something, they would create a dummy account and then log on from a totally different location or terminal. I mean come on, it's like planning on stealing from the bank and calling the cops at the same time and asking them to come get you lol.
                    Either your supervisor is a complete idiot and moron or was just looking for a way to fire you. Like above posters mentioned, "Get everything in writing and get legal help".
                    Best of luck.



                    • #11
                      Re: security breach help please

                      Guys...thanks for all your input. I hopefully have the issue solved now. I have had an unofficial phone call telling me they have made a mistake and the problem came about from me deleting the event logs. They thought I was hiding something, but all I was doing was following a work instruction we have for configuring servers, which says reduce the event logs to 2048, and doing so you have to delete the logs.....

                      So just waiting for the official phone call now...Shame I have 2 interviews lined up with other companies as well

                      Thanks again for all your input and support

                      Great site and great users


                      Cliff



                      • #12
                        Re: security breach help please

                        Man, Cliff, you'd think they would be aware of their own procedures before going around suspending people willy-nilly!!! Would you PM me the name of your employer, so I know who NOT to apply to in the future?!


                        Tom
                        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                        Anything you say will be misquoted and used against you



                        • #13
                          Re: security breach help please

                          And I hope you intend to attend those 2 interviews.

                          Next time export the logs before you clear them. Also, 2048 is a bit small for server logs.
                          Cheers,

                          Rick

                          ** Remember to give credit where credit is due and leave reputation points where appropriate **

                          2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.



                          • #14
                            Re: security breach help please

                            Originally posted by rvalstar
                            And I hope you intend to attend those 2 interviews.

                            Next time export the logs before you clear them. Also, 2048 is a bit small for server logs.
                            LOL... ours are set to 16Mb and they STILL fill up too quick for us to keep track of on some boxes...


                            Tom
                            For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                            Anything you say will be misquoted and used against you
