Hi Everyone,
Welcome to the October 2008 newsletter. It has been about two months since the
last one (issue 002 is also now online at
Newsletter 002
on my website) but it is not five years like the last gap. In the last newsletter I promised
(well OK, promised is a bit strong) to get the next one out in 2 to 4 weeks :-),
perhaps I should refrain from promises and just get a newsletter out as soon as I can.
Well, as you know the last newsletter took around 5 years to get out, well, five years
since the previous one; when I decided it was time to get a newsletter out I had a
problem that I described last time: the old list of subscribers was stored in a backup
of an obsolete news/email program and I had many issues with software to send it,
dedicated server based (where my site petefinnigan.com is hosted), desktop based
software, ISP SMTP issues and bulk email. Anyway, to cut to the chase, I have now
got a much more stable platform this time; the plan is that this will help me manage
the newsletter and also get it out easier and more often. I promise I won't talk
about this again going forward, I promise, back to Oracle security after this.
One last point is that I have decided that the newsletter will be simply text
based as most people can handle this. After the last newsletter I got a number
of complaints from people around HTML/Text format and I have decided that
text is the best overall solution that suits most people.
I have a number of dates booked for my 2 day training class
(taught by Pete Finnigan) on how to perform a security audit of an
Oracle database. I have taught this class quite a number of times over
the last year and it has become very popular with all types of delegates;
from developers, DBAs, designers, security testers, auditors, managers...
The class is not all things to all men and is clearly based around the whole
process of performing a security audit of an Oracle database, from cradle to
grave (planning to write-up); there is a lot of material, fast paced, lots of
demos and a huge amount of useful information for anyone planning an audit,
hiring someone in or actually wanting to do the audit themselves.
Details can be found here: -
Oracle Database Security Audit Training - including an agenda and also
dates for the classes. I am teaching the class on October 28th and 29th in Edinburgh,
then in Holland on November 3rd and 4th and Sweden on November 19th and 20th.
In December I am also teaching it in Germany (9th and 10th December) and
Norway (15th and 16th December).
Registration details can be found on the page above; I would love to see any of
you there, the course is always well received and popular.
I am currently working with a US based company to organise my training
class in the states early next year on multiple dates/locations. Please
let me know if you are interested, I will also post more details when we
have worked them out.
I have spoken a number of times over the last couple of months on the
subject of Oracle security in London, Reykjavik and also on a webinar
organised by Sentrigo. The webinar was recorded by Sentrigo through the
gotomeeting software. I downloaded and watched it and the recording is quite
good, so much so that I am now considering recording my training class in a
similar manner to offer it as self study distance learning (It is early days
yet on this, but if anyone is interested please let me know as that would spur
me to get it sorted and available quicker. I have had a few enquiries around
this possibility already).
Back to the webinar, this is worth downloading or streaming as you can get
a chance to hear me speak about Oracle security without leaving your desk /
laptop. In the talk I start with a live "real life" demo of how to hack an
Oracle database and how to find and steal credit cards.
Lastly on the subject of speaking events, I have also lined up three
slots at the UKOUG in December in Birmingham, the first is my "back to basics"
talk. The talk is not intended for beginners but is more of a "I am an
accomplished DBA now, what do I do first with security". This talk went
down really well last time I gave it, so it's worth turning up for. I also
have a two hour masterclass slot on the last day (I haven't completed it yet,
it's based loosely on last year's but with substantial updates, if there is
anything you would like including now is your chance!!). Finally I have
also landed an Oracle security round table slot (for the third year running)
and this year we have some great guest panellists: myself, Paul Wright,
Slavik Markovich and also the special guest Duncan Harris of Oracle, who runs
the CPU process amongst other things.
The highlight this month has been the release of my Oracle Password
cracker written completely in PL/SQL. I have created a page dedicated to it -
Oracle Password Cracker in PL/SQL - that includes details of why I
wrote it, how it works and also download links.
This is a great tool for anyone to use as it doesn't have any dependencies
and can be run as a SQL script through SQL*Plus or any other Oracle client.
The whole idea behind releasing this tool was to encourage people to test
the strength of their database passwords and to fix the weak ones. Most
clients I talk to do not test password strength, or have audit enabled, or
have password profiles. Most obviously have weak passwords; whilst they
accept that passwords should be checked there is often a backlash against
using binary based tools such as woraauthbf. This is a shame but I can see
the issues with binary based tools. Hence I decided a SQL*Plus script would
be good to encourage people to test passwords. It's not as fast as woraauthbf
but it catches the key issues fast, such as username=password, password=default,
password=dictionary word or short passwords, hence it's a great tool for
everyone to resolve the issue. If you need more proof, take a look at the
recording of my webinar session above where I show very graphically how
this is one of the core issues that allow "real attacks" against Oracle
databases to succeed.
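As an added example that is not part of the newsletter or of the PL/SQL cracker it announces, the following SQL*Plus script reads the data dictionary to check the three gaps named above: accounts with no password profile controls, profiles with no verify function, and auditing switched off. It assumes a DBA-privileged session; the last query needs 11g or later, where the DBA_USERS_WITH_DEFPWD view exists.

```sql
-- Added example: read-only password posture review from the data dictionary.
-- Not the cracker itself; it only reports configuration, it tests no passwords.
SET LINESIZE 120 PAGESIZE 100
COLUMN username      FORMAT A30
COLUMN profile       FORMAT A20
COLUMN resource_name FORMAT A26
COLUMN limit         FORMAT A30
COLUMN name          FORMAT A24
COLUMN value         FORMAT A20

PROMPT === Password verify function per profile ('NULL' = no complexity check) ===
SELECT profile, limit
FROM   dba_profiles
WHERE  resource_name = 'PASSWORD_VERIFY_FUNCTION'
ORDER  BY profile;

PROMPT === Open accounts whose profile enforces no verify function ===
-- LIMIT is the literal string 'NULL' when unset, or 'DEFAULT' when inherited
-- from the DEFAULT profile (which ships with no verify function).
SELECT u.username, u.profile, u.account_status
FROM   dba_users u
       JOIN dba_profiles p
         ON  p.profile = u.profile
         AND p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
WHERE  u.account_status = 'OPEN'
AND    (p.limit IS NULL OR p.limit IN ('NULL', 'DEFAULT'))
ORDER  BY u.username;

PROMPT === Profiles that never expire passwords or never lock on failed logins ===
SELECT profile, resource_name, limit
FROM   dba_profiles
WHERE  resource_name IN ('PASSWORD_LIFE_TIME', 'FAILED_LOGIN_ATTEMPTS')
AND    limit = 'UNLIMITED'
ORDER  BY profile, resource_name;

PROMPT === Is auditing on at all? (audit_trail = NONE means no trail) ===
SELECT name, value
FROM   v$parameter
WHERE  name IN ('audit_trail', 'audit_sys_operations');

PROMPT === 11g+ only: accounts still on an Oracle-supplied default password ===
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
       JOIN dba_users u ON u.username = d.username
ORDER  BY d.username;
```

On 10g and earlier the final query fails with ORA-00942 because the view does not exist; the remaining checks still run.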
I was credited in Oracle's advisory for the October 2008 CPU. This will be
accompanied by an advisory from me over the next few days but in the meantime
I can let you know what it was I reported to be fixed. APEX (Oracle
Application Express; was HTML DB; was Project Marvel) has users/schemas
installed in the database that have excessive privileges, and I mean really
excessive. I reported this to Oracle and they have turned around pretty quickly
to work on fixing the privileges to reduce them. This is commendable from
Oracle as in the past they have not judged excessive privileges as a security
bug as such because there is not a direct attack vector. I applaud the change
and actions on this.
My blog had its 4th anniversary last month and I created a post to briefly
summarise the history of the blog -
Happy 4th birthday, Pete Finnigan's blog
OK, that is it for this newsletter, I am not making any rash promises but I
will hope to get another one out pretty soon. Thanks for listening and I hope
you are around for the next one.
PeteFinnigan.com Limited Oracle Security Newsletter Issue 003
Newsletter Format
Oracle Security Training News
USA Based Training
Speaking Events
Oracle Security News
October 14th CPU (Critical Patch Update)
Happy 4th birthday to my blog
Finishing Up
[You have received this email newsletter because at some time between July
2003 and now you have subscribed to the PeteFinnigan.com Limited
newsletter by sending an email to news@petefinnigan.com - if for any
reason you do not wish to continue receiving this email newsletter then
please send an email to unsubscribe@petefinnigan.com and we will remove
you from our mailing list subscriber list. For our legal and privacy
statement please read the link contents]