
PeteFinnigan.com Limited Oracle Security Newsletter Issue 004

Hi Everyone,

Welcome to issue 004 of the PeteFinnigan.com Limited newsletter; actually the first for quite a long time. This email newsletter is sent out to each of you who have registered to receive it, and it will also be published on our website. If you are reading this on the website then please also register to get the email version first. Do so by sending an email to news@petefinnigan.com.

Training in York

We are arranging an Oracle Security training event in York, UK from September 21st to September 25th. This is a unique event where Pete Finnigan will teach our 4 main classes back to back. You do not need to attend all four classes, but we recommend that you do. The classes start with how to perform a security audit of an Oracle database, which is a two day class, and go on to a one day class on how to do secure coding in PL/SQL. We then spend one day designing practical audit trails for the Oracle database, and the final day looks at locking down Oracle. This final day brings together everything that we have learned and also shows that we can take a vulnerable sample system (database and application) and secure the data at the database level with some very simple ideas.

This is a great opportunity to learn about securing data in an Oracle database from one of the world's leading experts. Sign up for the classes now. Details are available here: Oracle Database Security Training In York 2015

Other Trainings

I will also be teaching single classes at upcoming Oracle University Expert Summits next year in London and Berlin. The dates are still to be finalised, so watch this space for details.

Speaking Engagements

I will be speaking a number of times this year at various events. I will be talking about designing audit trails in the Oracle database in London on September 15th at the UKOUG SIG. I will also have three slots at the upcoming UK Oracle User Group conference, back again this year in Birmingham. I will speak about passwords in the database, how to set, manage, crack, design and more. I will also speak about design decisions for your database and applications that affect security such as where to put the data, functionality, privilege models, users involved, RBAC and much more. Finally I will also have an Oracle Security round table session; these have always been popular and always get good attendance and good discussions.

Oracle Security News

I was mentioned in the recent July CPU advisory for the "security in depth" section for contributing to the security of the Oracle database. The advisory is here: CPU July 2015.

There is a new database password algorithm in 12c. In 12.1.0.1, when it was introduced, there were hints in the documentation (I was not in the 12c Beta so I don't know if this was in the Beta) that a new password algorithm using SHA2 had been added to the database, but this failed to materialise in the 12.1.0.1 database when released. When 12.1.0.2 was released this new algorithm was present. This is SHA2 with a 512 bit key and it also uses PBKDF2, which adds a slow down effect for password crackers. The intention is clearly to make it harder to crack passwords. There are some issues though. The documentation also states that the PBKDF2 rounds are pre-done in the client and that the last SHA2 step is done in the database. All of the previous algorithms and their hashes are available by default in 12.1.0.2, so all previous crackers still work. It is up to you as the implementor to remove the creation of the old password hashes by setting the server's allowed logon version to 12a.

I wonder why the new SHA2 algorithm didn't make it into 12.1.0.1? What's worse is that Oracle also added a much simpler password algorithm, an HTTP Digest, to both 12.1.0.1 and 12.1.0.2. This makes cracking passwords much simpler and faster, as it is just MD5. The way that the HTTP Digests are added and stored has also changed between the two 12.1.0.x versions: a common user's HTTP Digest is available in the pluggable databases in 12.1.0.1 but only in the root container in 12.1.0.2.

So a new strong algorithm was added and a much weaker one was added at the same time.
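As an added example that is not part of the newsletter, the check below takes rows shaped like the DBA_USERS PASSWORD_VERSIONS column (which lists the verifier versions stored for an account) and reports which accounts still carry the older 10G/11G hashes or the HTTP Digest, and which would be locked out or left with stale verifiers if the server's allowed logon version were raised to 12a. The DBA_USERS query and the setting-to-version table are my assumptions about Oracle, not something the newsletter states.

```python
"""Added example, not the newsletter's own code: audit which password verifier
versions each Oracle account carries, from rows shaped like the DBA_USERS
USERNAME and PASSWORD_VERSIONS columns, and show which accounts a move to
SQLNET.ALLOWED_LOGON_VERSION_SERVER=12a in sqlnet.ora would affect. Assumed:
PASSWORD_VERSIONS is a space-separated set of the tokens 10G, 11G, 12C, HTTP;
ACCEPTED is my reading of the sqlnet.ora docs, so confirm it for your release."""
from typing import Dict, List, Tuple

# Verifier versions the server still uses under each setting (assumed table);
# 12a is the 12C-only mode the newsletter recommends.
ACCEPTED = {"11": {"10G", "11G", "12C"}, "12": {"11G", "12C"}, "12a": {"12C"}}
KNOWN = {"10G", "11G", "12C", "HTTP"}

# Constructed sample rows; for real data run as a DBA:
#   SELECT username, password_versions FROM dba_users
#   WHERE  authentication_type = 'PASSWORD';
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("SYS",    "10G 11G 12C"),
    ("APPUSR", "11G 12C HTTP"),  # MD5 HTTP Digest verifier stored as well
    ("LEGACY", "10G 11G"),       # password not reset since the 12C verifier arrived
    ("SVCACC", "12C"),
]

def parse_versions(field: str) -> List[str]:
    """Split a PASSWORD_VERSIONS value into its known verifier tokens."""
    return [tok for tok in field.split() if tok in KNOWN]

def audit(rows, setting: str) -> Dict[str, Dict[str, object]]:
    """Per account: stored verifiers, those weaker than 12C, whether an HTTP
    Digest exists, whether the account can still log in under `setting`, and
    which stored verifiers that setting no longer uses (they linger until the
    password is next set, which is when the old hashes stop being generated)."""
    accepted = ACCEPTED[setting]
    report = {}
    for user, field in rows:
        versions = set(parse_versions(field))
        report[user] = {
            "versions": sorted(versions),
            "weak_hashes": sorted(versions - {"12C"}),
            "http_digest": "HTTP" in versions,
            "can_login": bool(versions & accepted),
            "stale": sorted(versions - accepted - {"HTTP"}),
        }
    return report

def summary(rows, setting: str = "12a") -> Dict[str, List[str]]:
    """Accounts to reset before the change (locked_out) and after it (with_stale)."""
    rep = audit(rows, setting)
    return {"locked_out": sorted(u for u, r in rep.items() if not r["can_login"]),
            "with_stale": sorted(u for u, r in rep.items() if r["stale"])}
```

Accounts listed under locked_out have no 12C verifier at all and need a password reset before the setting changes, or they cannot authenticate afterwards.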

Finishing Up

OK, that is it for this time. Please take note of our upcoming classes in York, England in September from the 21st to the 25th. If you would like to attend, see the link above; we would love to see you here in York and teach you all about Oracle Security.

[You have received this email newsletter because at some time between July 2003 and now you subscribed to the PeteFinnigan.com Limited newsletter by sending an email to news@petefinnigan.com. If for any reason you do not wish to continue receiving this email newsletter then please send an email to unsubscribe@petefinnigan.com and we will remove you from our mailing list. For our legal and privacy statement please read the link contents]