PeteFinnigan.com Limited Oracle Security Newsletter Issue 002

Introduction

Hi,
Welcome to the latest PeteFinnigan.com newsletter; in fact the first
newsletter since the first one, five years ago almost to the day.
Please let me apologise first to anyone who has received this newsletter
twice; as you may have seen from my blog entries, I am having trouble with
various ISPs, server software and desktop software for sending email
newsletters. It seems the technology has not moved on much in the last few
years, but the ISPs have become very wary of bulk email, perhaps rightly
so. I have finally settled on a web-based solution that I hope is now
reliable.
When I started the PeteFinnigan.com Limited newsletter in July 2003 I
added some pages to my website (PeteFinnigan.com). These were the
subscribe to the PeteFinnigan.com Limited newsletter page, where details
of how to subscribe are posted, i.e. send an email to
news@petefinnigan.com; the un-subscribe from the PeteFinnigan.com Limited
newsletter page (or you can simply send an email to
unsubscribe@petefinnigan.com); and finally a recent PeteFinnigan.com
newsletters page where recent newsletters can be found. Well, that was
the idea. I ended up writing one newsletter in July 2003, sending it out
to the first few subscribers and adding it to my site, then relaxed and
waited to get around to writing the next one. I waited too long, got too
busy with work and other things, and then discovered my own precursor to
blogging, my Oracle Security Ramblings pages, where I wrote some 13 or so
short articles about Oracle security. Then I decided I should get a proper
blog; I installed and tested a few but ended up settling on GreyMatter and
in the end actually became one of the developers of the blog software.
So five years went by very fast; 1200 blog posts later, and with over 900
subscribers to the mailing list, I decided it was time I actually got
around to publishing it. People still subscribe; there have been 4 this
week so far. A few weeks ago I sat down in front of the computer and
decided to get on with it, then I had to decide what to use, how to
publish, how to manage it and more. The first problem was that some of
the email addresses were in an old email account and in old, obsolete
software that would not load on my latest machines. To cut a long story
short, I managed to load the old software on an old PC, unzip the
archive, add it to the email client and then extract the email addresses.
Thankfully most of the subscribers' emails are in my current email account
in Thunderbird.
I decided to use Email Marketing Pro after testing a number (around 10)
of software packages that either ran from the webserver where
PeteFinnigan.com is hosted or on the desktop. In the end I went with this
Windows software package mainly because I don't like the idea of
maintaining lists of addresses and names on a webserver; that's the
security gremlin in my brain. That's also why I chose the GreyMatter blog
software in the end, as it didn't use a database to store its posts and
other configuration. Therefore no chance of SQL injection against it!
So now I have the email addresses loaded, the software at the ready, and
I am typing the second PeteFinnigan.com Limited newsletter into the admin
interface of Email Marketing Pro. So, decisions, decisions....
Next I had to decide on the format, what to publish, when to publish and
so on. For this first (well, second) newsletter it is a bit more ad hoc
than the next ones will be; I hope to settle on some kind of structured
format, but bear with me as I play with it. In terms of frequency I am
not sure yet, but I will certainly not be sending out the next one in 5
years' time! I guess it is going to be based more on giving you something
that is not necessarily on the site. I don't want to regurgitate what's
already on the site, but I also don't want completely hand-written
content each time; that would probably not work in terms of my time. So
my feeling at the moment is that the newsletter will be fairly regular
(every 2 - 4 weeks), possibly also ad hoc if something big is going on,
and not necessarily the same length each time. I subscribe myself to a
number of newsletters from the programming world, the security world and
the web-development world, and those newsletters range from long and
detailed (Bruce Schneier's, for instance) to short and ad hoc (Neil
Sheerings).
So I am planning to include something unique and hand-written in each
newsletter (obviously around Oracle security), a summary of any Oracle
security news, probably some sample posts from the blog and forums, some
details on training dates and speaking dates if relevant and, well..... I
don't know exactly yet, but it will be interesting!
I will also post the newsletters on my site at the recent
PeteFinnigan.com newsletters page some time after publishing.
Oracle Security News

There has been quite a bit happening in the Oracle security world over the
last month or so. The latest in the long line of Oracle Critical Patch
Updates (the July 2008 CPU) came out, and a number of researcher
advisories followed soon after. More interestingly, just this week we had
the first Oracle Security Alert for over three years, and the first since
CPUs began in 2005. This was because a researcher calling himself Kingcope
released a 0-day exploit against the Apache plug-in used as part of
WebLogic. This was a denial of service attack and it scored 10.0, the
maximum, on the CVSS 2.0 rating system.
What else has happened recently? Well, the very nice and very fast Oracle
password cracker woraauthbf, written by Laszlo Toth, has been released.
It is worth downloading, testing and using to ensure that you have strong
enough passwords in your own databases. Sentrigo have also launched a new
product based on Sentrigo Hedgehog called vPatch.
I also saw today, in an email from someone inside Oracle, that Oracle have
officially released the new version of Oracle Audit Vault.
PeteFinnigan.com News

What are we up to? I should say first that this is not intended as a
sales pitch. In each newsletter I want to talk a little about the
research and work we are up to; the fact of life is that this will almost
always be around a service or product, but it could be around research
for conference papers. Just a fact of life, sorry!
Well, I am currently working on our new database scanner called oscan.
There will be more on this soon and I will most likely open up the
software to beta testers later this summer. The tool is written in C, is
aimed at multiple platforms, is scalable and separates the front end
(policy and check management and reporting) from the actual engine.
The key difference between this scanner and all other scanners on the
market is that it doesn't concentrate on CPU and version compliance; it
does do this but doesn't make a big thing of it the way all other
scanners do. Most commercial scanners test for the existence of known
exploits aimed at recent CPUs. My opinion is that the reason for this is
subscription-based licensing: whilst this aids the vendor, it doesn't
necessarily aid the customer.
My focus has always been around access, data use, privilege and control
(we don't ignore CPUs but don't make a big fuss over them) and
configuration. This is more realistic in terms of heading towards a secure
database. Another unique selling point will be that we (when it goes on
sale) will not be keen to simply sell a tool "out of the box"; we would
like customers to have us help them perform a detailed audit and use this
to drive a baseline standard and therefore define what the scanner will
do. A scanner will (in my opinion) be used for a couple of distinct
purposes:
All new databases should of course be built to this standard and number
(2) above would then be used.
Of course all policies and standards are moving targets; research
changes, as do database versions and customers' use of those
databases......
Our existing tools are written in SQL, PL/SQL, C, Awk, KSH and VBScript
and consist of tens of thousands of lines of code written over the last 5
years. These scripts will most likely remain for hand-conducted audits and
will be maintained internally and used exclusively by our consultants. I
have toyed with licensing these as well.....
[digression] It is interesting to note the pseudonyms or aliases used by
hackers and researchers. I am interested not because I want to understand
the need for anonymity or similar, but because I like to try and see if I
can find out who these people are. I have a reasonable success rate with
this but never spend more than ten minutes or so on it. In the case of
Kingcope I found out who he was in a matter of minutes. Why do I want to
do this? Interest, really. Being someone who performs security audits is
like being a detective, and it's fun to assess and find evidence and to
see what you can prove and make of it. I do this all the time during
Oracle database security audit assignments. It is interesting to
understand what you are being told by clients and also what you find
technically. I usually find that most departments do not fully understand
or know what the others are doing and hence have a different view of
reality. This is often very detrimental to security. As part of my own
security audit service for Oracle databases I am keen to understand who
accesses the database, from where and how; I want to know how data flows
into and out of the database; and, importantly, I want to know how the
database is managed. I also have a huge bank of technical scripts and
tests that I perform to supplement this, but I find that clients are
always impressed with the overall knowledge they gain of how their data is
managed and used.[end of digression]
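As an added example (this is illustration written for this newsletter, not oscan code nor any of the PeteFinnigan.com Limited scripts), here are data-dictionary queries of the kind a policy-driven scanner, or a hand audit, runs to cover the ground described above: privilege and access (who holds DBA or ANY privileges, what PUBLIC can execute), password policy (the profile limits that a cracker such as woraauthbf exploits), configuration parameters, and who actually connects from where. The package list, parameter list and profile limits flagged are assumed baseline values, not an oscan policy; adjust them to the standard agreed for your own databases.

```sql
-- Added example, not oscan code. Run as an account with SELECT on the
-- DBA_ views and V$PARAMETER (for instance a dedicated read-only audit
-- user). Everything flagged below is an assumed baseline, not a policy
-- from oscan or from the newsletter.

-- 1. Who holds the DBA role, and who holds an "ANY" system privilege
--    directly? Both give effective control over every schema.
SELECT grantee, granted_role AS privilege, 'ROLE' AS kind
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
UNION ALL
SELECT grantee, privilege, 'SYSPRIV'
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY 1, 2;

-- 2. Packages executable by PUBLIC that reach the file system or the
--    network from inside the database. The list is an assumed baseline.
SELECT table_name AS package_name
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND owner = 'SYS'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP',
                      'UTL_INADDR', 'DBMS_JAVA', 'DBMS_SCHEDULER');

-- 3. Open accounts whose profile has no password verify function, no
--    lockout or no expiry: exactly what a password guesser relies on.
--    A limit of DEFAULT inherits from the DEFAULT profile and must be
--    resolved separately; this query only flags explicit weak limits.
SELECT u.username, u.profile, p.resource_name, p.limit
  FROM dba_users u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE u.account_status = 'OPEN'
   AND p.resource_name IN ('PASSWORD_VERIFY_FUNCTION',
                           'FAILED_LOGIN_ATTEMPTS',
                           'PASSWORD_LIFE_TIME')
   AND p.limit IN ('NULL', 'UNLIMITED')
 ORDER BY u.username, p.resource_name;

-- 4. Configuration parameters that change the access model; compare the
--    values against the agreed baseline rather than a vendor default.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations',
                'o7_dictionary_accessibility', 'remote_os_authent',
                'remote_login_passwordfile', 'sql92_security',
                'utl_file_dir')
 ORDER BY name;

-- 5. Who connects, from which host and OS user, over the last 30 days.
--    Needs audit_trail set and AUDIT SESSION enabled; otherwise this
--    returns no rows, which is itself a finding.
SELECT username, userhost, os_username, COUNT(*) AS logons,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
  FROM dba_audit_session
 WHERE timestamp > SYSDATE - 30
 GROUP BY username, userhost, os_username
 ORDER BY logons DESC;
```

Each query is one policy check: the scanner's front end decides which checks run and what counts as a failure, and the engine runs the query and compares the rows returned against that baseline. Query 5 is the piece that answers "who accesses the database, from where and how"; the others cover what those users can then do once connected.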
Finishing Up

That's all for now for this newsletter. Thanks for reading, and I hope to
see you in the next newsletter.
Kind regards
Pete
[You have received this email newsletter because at some time between July
2003 and now you subscribed to the PeteFinnigan.com Limited newsletter by
sending an email to news@petefinnigan.com. If for any reason you do not
wish to continue receiving this email newsletter then please send an email
to unsubscribe@petefinnigan.com and we will remove you from our subscriber
list. For our legal and privacy statement please read the link contents]