A colleague experienced a rather unsettling event today. Their e-mail account was compromised and used to send out scam messages asking for funds to be transferred abroad to most of the e-mail addresses they had ever used to send and receive e-mail.
When your e-mail account has been taken over, you’re in for a world of trouble. A quick reaction is most important, because your e-mail account is most likely used to request password resets for other accounts.
- If you still have access to your account, immediately change the password.
- If you no longer have access to your account (i.e. the hacker changed your password), immediately contact the provider. Providers will have special help lines or e-mail addresses you can use to report such incidents.
- When you get access to your e-mail account again, immediately check the following:
  - Has any forwarding e-mail address been set? Once in your account, hackers can forward your e-mail to another account. You might never know that they are still inside your e-mail account if you don’t explicitly check.
  - Change your security question and answer. Security questions/answers are used to reset passwords. Even if the question/answer has not been changed, the perpetrator had access to them and they are compromised.
  - Verify any other password reset methods. These could include mobile phone numbers, alternate e-mail addresses, etc.
- Send out notes to your contact list to let them know that you have regained control and to please not take any action (such as sending money, etc.).
- Review your account for any account reset e-mails, including in your trash. Hackers will likely delete those e-mail messages, but they might have missed some. Your e-mail account is the key to many other accounts. Armed with access to your e-mail account, it’s often trivial to reset passwords on other sites.
Of course, if you don’t find any such notification messages, it doesn’t mean that nothing happened to your other accounts. You should ideally have a list of accounts (yes, all 398 of them…). Organize them from high priority to low and verify that you can still log on to those. Most of the time, that should be sufficient: if you can’t log on anymore, it means your password was reset. You’ll have to go through whatever reset procedures exist at that site.
However, some of the time, there are still sites today that will send your password in plain text to your e-mail account. If that happened, the hacker now has access to that account without you knowing. If the site provides a way to look at the last login time and origin, use that to check if it was abused.
- If you used the same password for any other account, immediately reset those also, to different passwords.
And just one more time: DO NOT EVER USE THE SAME PASSWORD FOR MULTIPLE ACCOUNTS – or if you do, approach it from a risk management perspective: your Twitter account is less valuable than your bank account which is less valuable (yes, really!) than your e-mail account. If you have accounts with different “risk profiles,” do not share passwords between them. And if this is over your head, that’s OK: DO NOT EVER USE THE SAME PASSWORD FOR MULTIPLE ACCOUNTS.
Use a password manager, there are lots of them out there. I prefer not to trust cloud providers, such as LastPass, with them. I use an offline password database only: KeePass. I can still transfer my password database (just a file) between devices using a variety of methods.
It’s also best not to turn on auto-submitting password helpers. They’re very convenient, but there are ways in which web pages can be compromised to load (invisibly) login pages from other sites. Your password manager will dutifully fill out the username and password and let it be intercepted by scripts running on the compromised page you are visiting.
I tell my students that “the Internet is evil, or evil is on the Internet.” For all the benefits a large network such as the Internet offers, exercise caution to protect your accounts. Real damage can be done from a continent away!
by Sven Aelterman.
Another good source is here.
I really meant to write a quick post about attending SQL Saturday 234 in Baton Rouge much earlier, but it’s only now that I’ve arrived in Baton Rouge (first time visitor) that I’ve finally been able to sit down and do it.
I am very much looking forward to the event. I haven’t been to a SQL Saturday with such a diverse lineup of topics, but it should be interesting. I consider myself an IT generalist and I will certainly enjoy meeting people with a lot of different backgrounds.
I will be presenting two sessions, one on FILESTREAM (of course…) and one on SSISDB, the SSIS Catalog in SQL Server 2012. The sample scripts are already uploaded to the SQL Saturday site. If you want to dig a little deeper in either one, please come see me.
As part of my research for my Managing SSISDB talk, I came across an interesting script by Mike Davis. The script intends to copy an environment in the SSISDB. Mike does a good job explaining why this is useful. The SSIS Catalog does not provide a UI for that.
Mike’s script seems to work, but it has some shortcomings and a potentially problematic flaw. First, it does not actually create the environment; it leaves that up to the user. Second, it does not copy the references (which projects the environment is linked to) or the permissions. The third shortcoming, and the potential for problems, is that it just copies sensitive variable values from the source environment to the destination environment. This is risky, because each environment gets its own encryption key and certificate.
I have come up with an improved script that addresses the shortcomings (pending some code to copy the permissions, not done yet). It is a much more complicated script because it involves the use of loops (but I avoided using CURSOR). However, instead of directly inserting rows in the database tables (not officially supported), I am using the published stored procedures in the catalog namespace.
The entire script, with inline comments, is available here. However, the different steps in the script are outlined below.
1. Obtain some info about the source environment (name and folder name). To use the script, you only provide it with the source environment’s ID (you can obtain that from the Catalog UI).
2. Create a name and description for the new environment. This is easily customizable for your needs. The new name is the source name + the current date in ISO format. The new description is the source description + newline + “Copied by <username> on <date>.”
3. Create the environment, using catalog.create_environment.
4. Copy the variables, including decrypting sensitive values, using catalog.create_environment_variable.
5. Copy the permissions (not currently included).
6. Create references to the new environment in all projects that reference the source environment, using catalog.create_environment_reference.
The code for #6 is more complicated than I’d like it to be, due to Microsoft’s decision to provide two different ways of referencing variables, based on folder names and environment names instead of IDs. I find it hard to explain, but here’s a go at it.
Understanding the internal.environment_references table
This table contains the information about which projects reference which environments. It uses the ID of the project, but the name of the environment and sometimes the name of the folder of the environment, no IDs there.
Normally, you’d reference an environment to a project using the Catalog UI. You can reference an environment from the current folder or from another folder. If you reference an environment from the current folder, this becomes a relative (type = R) reference. If you reference an environment in a project deployed to a different folder, this becomes an absolute (type = A) reference. R references do not store the environment’s folder name in the internal.environment_references table. The value of the environment_folder_name is NULL for R type references. For A type references, the environment_folder_name is set to the name of the folder. (That’s part of the flaw in Microsoft’s decision… why use names when each folder has an ID available?)
Because there is no restriction to create two environments with the same name in different folders, this poses a problem when you’re reading the contents of the table. It requires that you know which folder the environment you’re copying is stored in. Then, you need to find the environment references that have an environment with the name of your source environment, but you need to have info about the project (you need to join with the internal.projects table for that, using the project_id column). It’s only by knowing the folder in which the referenced project is deployed that you can properly determine if the reference you’re looking at is the reference to your environment or to an environment with the same name in a different folder. But remember the different types of references… what if the environment_folder_name is NULL? See above: it means that the environment is created in the same folder as the project.
That is why there is a fairly complex compound condition in the WHERE clause of the SELECT statement that picks up the next reference:

```sql
((R.environment_folder_name = @environment_folder_name AND R.reference_type = 'A' AND F.name <> R.environment_folder_name)
 OR (R.reference_type = 'R' AND R.environment_folder_name IS NULL AND F.name = @environment_folder_name))
```

- Part I: If the reference type is absolute, then the environment_folder_name in the table needs to be different from the name of the folder of the project, but the environment_folder_name needs to match that of the source environment’s folder name (remember the source and new environment are both in the same folder).
- Part II: If the reference type is relative, then the environment_folder_name in the table needs to be NULL, but the project’s folder name needs to match the folder name of the source environment.
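As an added example (not the linked script and not Mike Davis’s), here is step #6 on its own in T-SQL: it applies the compound condition above to internal.environment_references and re-creates each matching reference against the copy through catalog.create_environment_reference. It assumes the new environment already exists in the same folder as the source (step 3); the source environment ID and new environment name are placeholders you replace.

```sql
-- Added example (not the author's or Mike Davis's script): step 6, copying the
-- environment references of a source environment to its already-created copy.
-- Assumes SSISDB on SQL Server 2012; the two input values are placeholders.
USE SSISDB;
GO
DECLARE @source_environment_id BIGINT = 1;                        -- from the Catalog UI
DECLARE @new_environment_name  NVARCHAR(128) = N'Dev_2013-05-18'; -- name chosen in step 2

DECLARE @environment_name NVARCHAR(128), @environment_folder_name NVARCHAR(128);
SELECT @environment_name = E.environment_name, @environment_folder_name = F.name
FROM internal.environments AS E
JOIN internal.folders AS F ON F.folder_id = E.folder_id
WHERE E.environment_id = @source_environment_id;

-- Collect every reference that points at the source environment. The compound
-- condition tells a same-named environment in another folder apart from ours:
-- 'A' references name the environment's folder, 'R' references leave it NULL
-- and mean "the project's own folder".
DECLARE @refs TABLE (row_no INT IDENTITY(1, 1), project_name NVARCHAR(128),
                     project_folder_name NVARCHAR(128), reference_type CHAR(1));
INSERT INTO @refs (project_name, project_folder_name, reference_type)
SELECT P.name, F.name, R.reference_type
FROM internal.environment_references AS R
JOIN internal.projects AS P ON P.project_id = R.project_id
JOIN internal.folders  AS F ON F.folder_id = P.folder_id
WHERE R.environment_name = @environment_name
  AND ((R.reference_type = 'A' AND R.environment_folder_name = @environment_folder_name
        AND F.name <> R.environment_folder_name)
    OR (R.reference_type = 'R' AND R.environment_folder_name IS NULL
        AND F.name = @environment_folder_name));

-- WHILE loop rather than a CURSOR; one supported stored-procedure call per reference.
DECLARE @i INT = 1, @n INT = (SELECT COUNT(*) FROM @refs);
DECLARE @project_name NVARCHAR(128), @project_folder_name NVARCHAR(128),
        @reference_type CHAR(1), @ref_env_folder NVARCHAR(128), @reference_id BIGINT;
WHILE @i <= @n
BEGIN
    SELECT @project_name = project_name, @project_folder_name = project_folder_name,
           @reference_type = reference_type
    FROM @refs WHERE row_no = @i;
    -- EXEC arguments must be variables, so pick the folder name beforehand:
    -- absolute references carry the environment's folder, relative ones pass NULL.
    SET @ref_env_folder = CASE WHEN @reference_type = 'A' THEN @environment_folder_name END;
    EXEC catalog.create_environment_reference
        @folder_name = @project_folder_name, @project_name = @project_name,
        @environment_name = @new_environment_name, @reference_type = @reference_type,
        @environment_folder_name = @ref_env_folder, @reference_id = @reference_id OUTPUT;
    SET @i += 1;
END;
```

Run it inside the same transaction as the rest of the copy so that a failure on one reference rolls back the whole environment copy, and COMMIT only once every reference has been created.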
A few more notes
- I am working on providing additional code to copy the permissions.
- You might think it would be nice to be able to create the copy of the environment in a different folder. However, the Catalog UI does provide a Move command. So, after you execute this script (and COMMIT the transaction), you can then use the GUI to move the new environment to any folder you like.
by Sven Aelterman.
First of all, thanks and congratulations to the organizing team! Setting up a record attendance (555 actual attendees) is no small feat. It was great to be there.
I have uploaded the SQL script files I used in my SSISDB session to the SQL Saturday site. The presentation (PDF) is available from my SkyDrive account. In addition, if you would like the modified Lesson 2 from the MSDN ETL Sample that contains the 1,000x loop, see this link.
For other upcoming training in Atlanta, there is a SharePoint Saturday on June 8. The Atlanta Code Camp 2013 was also announced. It will be on August 24 at Southern Poly (where it has been the previous two years). I am looking forward to the call for speakers for the Code Camp. There is no web presence for this year that I can find yet.
SQL Saturday Atlanta 2013 is around the corner: this Saturday, May 18. Like in previous years, the event will be held at the GSU location in Alpharetta, GA. It looks to be a full event with a great roundup of speakers and sessions.
I wasn’t originally scheduled to speak. Due to a cancellation in the BI track, I will be presenting a new talk on Managing the SSIS Catalog. The details of the talk are here.
You can also check out the pre-con talks that are being held on Friday. You can register for the pre-cons from the event home page.
As a follow-up to my blog series on Windows 8 (1 | 2 | 3), I felt compelled to write something about Windows RT. Just like Windows 8, Windows RT is receiving lots of press, mostly around how it’s a commercial failure. Apparently, Microsoft has sold “only” about 1 million Surface RTs and I can see how compared to the iPad that’s meager. But by itself, I know lots of organizations that would like to sell a million units at $499-$699.
About 2 months ago, I purchased an ASUS VivoTab RT, a Windows RT tablet. It pretty much has the same specs as the Microsoft Surface RT, but without its keyboard dock, it’s lighter. With the keyboard dock, the battery life is longer. Less than a month after I got the tablet, it was dropped and slightly damaged (screen survived, case was bent). Not willing to spend the next 3-some years with a dent in my tablet, I decided to send it back for repairs. I knew it could cost me, although I expected that my AMEX purchase protection would kick in. However, much to my pleasure and to ASUS’ credit, they fixed it at no charge.
I did have to spend about 25 days without it, and hard to imagine as it may be after having only had the tablet for about 30 days, I really missed it (and so did my kids, but for very different reasons). It turns out that after a month, I had already changed my workstyle around this new device I could carry a lot more places than the much heavier Lenovo X230 Tablet.
I’ve long been a proponent of the Tablet PC form factor (the form factor Microsoft launched around 2002) that provides pen input and more recently also touch. I’ve had several Tablet PCs from Compaq, HP and Lenovo and will continue to get that form factor for my main device. However, a lighter tablet has some advantages. Here is the short list of why I missed my tablet and why I believe Windows RT may yet hold promise:
- Remote Desktop: while you can get an RDP client for most tablets, Microsoft’s Windows Store RDP client is designed very nicely. When I am troubleshooting a problem at a user’s desktop or in a classroom, I can log on to a server from my tablet, rather than from the other user’s computer (which decreases the security of my domain admin account).
- Snap: for some Windows Store apps, like Skype and Twitter, this really makes a lot of sense.
- Swiping: not unique to RT (it’s also in 8), the swiping gestures just make sense. Swipe from the right to get the Charms bar (silly name, but great concept to get a unified UI for search, settings and sharing between apps), from the left to return to a previous app (or snap), from the bottom to access the menu.
It becomes so intuitive that when I recently picked up an iPad, I started swiping to get to the home screen. I’ve used many iPads before and I know to press the home button to get to the home screen, but the swiping gestures just felt natural.
- Full USB port: I can plug in a flash drive or many other USB devices with a standard USB A interface (the VivoTab RT requires a dongle without the keyboard dock, but that’s a minor annoyance only).
- Office 2013: Even though the version of Office 2013 that comes with Windows RT has somewhat limited features and comes with licensing gotchas, having the power of Word, Excel and PowerPoint with SkyDrive integration is a useful complement.
The one thing that’s missing for me is pen-based input. In order to get that, you need a full-blown Windows OS, which you can find on the Surface Pro, Lenovo Twist and others, but at a much increased price.
What about the lack of Windows Store apps? Every time I check the Windows Store, more apps have been added. I try to be conservative when it comes to apps, but these are apps that I use regularly: (many of these are free!)
The kids love the Dr. Seuss books, Fresh Paint and Angry Birds (of course).
I do agree with some reviewers that the quality of the out-of-the-box Mail, Calendar and People apps is below what I would expect. I can use them with Office 365, but many necessary features for true productivity are missing at this time. Prime example is the inability to flag an e-mail for follow-up or to manage tasks. Hopefully, that’s coming in one of the future releases.