
PeteFinnigan.com Limited Oracle Security Newsletter Issue 002

Hi,

Welcome to the latest PeteFinnigan.com newsletter; in fact the first newsletter since the first one five years ago, almost to the day. Please let me apologise first to anyone who has received this newsletter twice; as you may have seen from my blog entries, I am having trouble with various ISPs and with server and desktop software for sending email newsletters. It seems the technology has not moved on much in the last few years, but the ISPs have become very wary of bulk email - perhaps rightly so. I have finally settled on a web based solution that hopefully is now reliable.

Introduction

When I started the PeteFinnigan.com Limited newsletter in July 2003 I added some pages to my website (PeteFinnigan.com). The first was the subscribe to the PeteFinnigan.com Limited newsletter page, where details of how to subscribe are posted - i.e. send an email to news@petefinnigan.com. The second page added was the un-subscribe from the PeteFinnigan.com Limited newsletter page, or you can simply send an email to unsubscribe@petefinnigan.com. Finally I added a recent PeteFinnigan.com newsletters page where recent newsletters can be found. Well, that was the idea; I ended up writing one newsletter in July 2003, sending it out to the first few subscribers and adding it to my site, and then relaxed and waited to get around to writing the next newsletter. I waited too long, got too busy with work and other things, and then discovered my own precursor to blogging, which was my Oracle Security Ramblings pages, where I wrote some 13 or so short articles about Oracle Security. Then I decided I should get a proper blog and installed and tested a few, but ended up settling on GreyMatter and in the end actually became one of the developers of the blog software.

So five years went by so fast; 1200 blog posts later and with over 900 subscribers to the mailing list, I decided it's time I actually got around to publishing it. Many people still subscribe; there have been 4 this week so far. A few weeks ago I sat down in front of the computer and decided to get on with it, then I had to decide what to use, how to publish, how to manage it and more. The first problem was that some of the email addresses were on an old email account and also in old, obsolete software that would not load on my latest machines. To cut a long story short, I managed to load the old software on an old PC, unzip the archive, add it to the email client and then proceeded to extract the email addresses. Thankfully most of the subscribers' emails are in my current email account and in Thunderbird.

I decided to use Email Marketing Pro after testing a number (around 10) of software packages that either ran from the webserver where PeteFinnigan.com is located or on the desktop. In the end I went with this Windows software package mainly because I don't like the idea of maintaining lists of addresses and names on a webserver - that's the security gremlin in my brain. That's also why I chose the GreyMatter blog software in the end, as it didn't use a database to store its posts and other configuration. Therefore no chance of SQL injection against it! So now I have the email addresses loaded, software at the ready, and I am typing in the second PeteFinnigan.com Limited newsletter in the admin interface of Email Marketing Pro. So, decisions, decisions....

Next I had to decide on the format and what to publish, when to publish and so on. For this first (2nd) newsletter it's a bit more ad hoc than the next ones will be; I hope to settle on some kind of structured format, but bear with me as I play with it. In terms of frequency, I'm not sure yet, but I will certainly not be sending out the next one in 5 years' time! - I guess it's more going to be based on giving something that's not necessarily on the site. I don't want to regurgitate what's already on the site, but I also don't want to have completely hand written content each time; that would probably not work in terms of my time. So my feeling at the moment is that the newsletter will be fairly regular (2 - 4 weeks), possibly also ad hoc if something big is going on, and not necessarily the same length each time. I subscribe myself to a number of newsletters from the programming world, security world and also the web-development world, and those newsletters range from long and detailed (Bruce Schneier's for instance) to short and ad hoc (Neil Sheerings).

So I am planning to include something unique and hand written in each newsletter (obviously around Oracle Security), a summary of any Oracle security news, probably some sample posts from the blog and forums, some details on training dates and speaking dates if relevant and, well..... I don't know exactly yet, but it will be interesting!

I will also post up the newsletters on my site at the recent PeteFinnigan.com newsletters page sometime after publishing.

Oracle Security News

There has been quite a bit happening in the Oracle security world over the last month or so. The latest in the long line of Oracle Critical Patch Updates (July CPU 2008) came out, and a number of researcher advisories came out soon after. More interestingly, just this week we had the first Oracle Security Alert for over three years, and the first since CPUs began in 2005. This was because a researcher calling himself Kingcope released a 0-day exploit in the Apache used as part of WebLogic. This was a denial of service attack and it scored 10.0 on the CVSS 2.0 rating system.

[digression] It is interesting to note the use of anonymous pseudonyms or aliases by hackers or researchers. I am interested not because I want to understand the need for anonymity or similar, but because I like to try and see if I can find out who these people are. I have a reasonable success rate with this but never spend more than ten minutes or so on it. In the case of Kingcope I found out who he was in a matter of minutes. Why do I want to do this? - interest really; being someone who performs security audits is like being a detective, and it's fun to assess and find evidence and to see what you can prove and make of it. I do this all the time during Oracle database security audit assignments. It is interesting to understand what you are being told by clients and also what you find technically. I usually find that most departments do not fully understand or know what the others are doing and hence have a different view of reality. This is often very detrimental to security. As part of my own security audit service for Oracle databases I am keen to understand who accesses the database, from where and how; I want to know how data flows into and out of the database, and also, importantly, I want to know how the database is managed. I have also got a huge bank of technical scripts and tests that I perform to supplement this, but I find that clients are always impressed with the overall knowledge they gain over how their data is managed and used. [end of digression]

What else has happened recently? Well, the very nice and very fast Oracle password cracker worauthbf, written by Laszlo Toth, has been released. This is worth downloading, testing and using to ensure that you have strong enough passwords in your own databases. Sentrigo have also launched a new product based on Sentrigo Hedgehog called vPatch.

I also saw today in an email from someone inside Oracle that Oracle have officially released the new version of Oracle Audit Vault.

PeteFinnigan.com News

What are we up to? I should say first that this is not intended as a sales pitch. I want in each newsletter to talk about a little of the research and work we are up to; the fact of life is that this will almost always be around a service or product, but could be around research for conference papers. Just a fact of life, sorry!

Well, I am currently working on our new database scanner called oscan. There will be more on this soon and I will most likely open up the software to beta testers later this summer. The tool is written in C and is aimed at multiple platforms, is scalable and also separates the front end (policy and check management and reporting) from the actual engine. The key difference between this scanner and all other scanners on the market is that it doesn't concentrate on CPU and version compliance; it does do this, but doesn't make a big thing of it like all other scanners. Most commercial scanners test for the existence of known exploit attacks aimed at recent CPUs. My opinion is that the reason for this is subscription based licensing. Whilst this aids the vendor, it doesn't necessarily aid the customer.

My focus has always been around access, data use, privilege and control (we don't ignore CPUs but don't make a big fuss over them) and configuration. This is more realistic in terms of heading towards a secure database. Another unique selling point will be that we (when it goes on sale) will not be keen to simply sell a tool "out of the box"; we would like customers to have us help them perform a detailed audit and use this to drive a baseline standard and therefore define what the scanner will do. A scanner will (in my opinion) be used for a couple of distinct purposes:

  1. To scan new databases that have had none, or little, security work done on them, i.e. check for security against a known standard (the policy created as part of the hand-done audit beforehand).
  2. To check hardened databases for compliance against the same policy. The policy would be derived from a document or could start as a scanner policy configuration, but it is better to start as a document.

All new databases should of course be built to this standard, and number (2) above would then be used. Of course all policies and standards are moving targets; research changes, as do database versions and customers' use of those databases......

Our existing tools are written in SQL, PL/SQL, C, Awk, KSH and VBScript and consist of tens of thousands of lines of code written over the last 5 years. These scripts will most likely remain for hand conducted audits and will be maintained internally and used exclusively by our consultants. I have toyed with licensing these as well.....

Finishing Up

That's all for now for this newsletter, thanks for reading, I hope to see you on the next newsletter.

Kind regards

Pete

[You have received this email newsletter because at some time between July 2003 and now you subscribed to the PeteFinnigan.com Limited newsletter by sending an email to news@petefinnigan.com - if for any reason you do not wish to continue receiving this email newsletter then please send an email to unsubscribe@petefinnigan.com and we will remove you from our mailing list. For our legal and privacy statement please read the link contents]