Pete Finnigan's Oracle Security Forum (Moderator: Pete Finnigan)
Topic: Alexander Kornbrust - Black Hat 2005 Presentation (Read 9111 times)
rado (PeteFinnigan.com Newbie)
« on: Jul 27th, 2005, 7:51am »

What do you think about the latest info coming from Alex Kornbrust? It seems that there is no safe way to keep the data inside the database secured. Is there someone who attended this Black Hat presentation and who could write in the forum more details about Alex's findings?
URL from the news:
Oracle's encryption not secure, researcher says
The best encryption that DBMS_OBFUSCATION_TOOLKIT offers is 192-bit encryption by using the Triple DES (3DES) algorithm in Oracle9i. I don't know how this has changed in 10g, but it seems that it doesn't matter because anyway, everyone who has a DBA account could decrypt the data. Is Transparent Data Encryption (coming with 10g) the only preferable way to keep the data secure, especially when there is a requirement coming from "security company standards"? For example, I know that for all companies that are working with Visa, there is a requirement for at least a 256-bit or 512-bit (I am not sure) encryption key that they must use.
I just want to initiate some discussion about this subject: "How to keep our data secured within an Oracle database by using encryption".
« Last Edit: Jul 27th, 2005, 7:53am by rado »

Radoslav Rusinov,
Oracle DBA
http://dba-blog.blogspot.com
Pete Finnigan (PeteFinnigan.com Administrator)
« Reply #1 on: Jul 27th, 2005, 2:33pm »

Hi Rado,
 
Thanks for your post about Alex's talk at Black Hat in Las Vegas. I have seen the text for his talk and was also aware of the news article you mention but I don't think I can talk about specific details here yet as I don't know if it has been given yet or whether the talk notes would be made public. I am reasonably sure Alex will publish them on his own site Red Database Security when he gets back.
 
That said, we can still discuss the general issue. I want to make two points really for now. The first is that the underlying problem with Oracle's DBMS_OBFUSCATION_TOOLKIT and DBMS_CRYPTO packages is not the algorithms themselves but the issue of key management. This is an issue to which Alex alludes in his talk. There are other issues as well.

The second issue is that at present TDE in 10gR2 doesn't on the surface look any more secure than the previous methods employed by Oracle. A number of bugs have already been found in TDE that allow the keys to become known easily.

Pete Finnigan (email:pete@petefinnigan.com)
Oracle Security Web site: http://www.petefinnigan.com
Forum: http://www.petefinnigan.com/forum/yabb/YaBB.cgi
Oracle security blog: http://www.petefinnigan.com/weblog/entries/index.html
rado (PeteFinnigan.com Newbie)
« Reply #2 on: Jul 27th, 2005, 3:24pm »

Hi Pete,

Thank you for your reply. Oracle are making many efforts to improve database security, but for now there are so many bugs and findings that are discovered very frequently. The last thing, a "patch for the security patch", doesn't sound good.

I support the idea of opening this kind of forum, related mainly to Oracle security, and I hope that it will become very popular.
Pete Finnigan (PeteFinnigan.com Administrator)
« Reply #3 on: Jul 27th, 2005, 4:42pm »

Hi Rado,
 
Thanks for your reply. Yes, you are right: at the moment there are a lot of issues with bugs, patches that need to be patched, silent fixes, advisories released for unfixed bugs and of course the fact that a lot of bugs are still not fixed (those reported on sites such as Red Database Security and Argeniss), but we should not forget that Oracle have made some great strides forward with new functionality (TDE, OS audit as XML, FGA and RLS...) in recent years, and also they have improved their patch process a bit, at least on the documentation side. There needs to be work done on getting fixes done quicker and also on their recent problems of patches for patches, quality and testing. But it is better than the random security advisories we had before, that no one knew when to expect and that included much less detail.
rado (PeteFinnigan.com Newbie)
« Reply #4 on: Jul 29th, 2005, 7:41am »

Hi All,
 
For everyone who is interested, the link for the previously mentioned presentation:
http://www.blackhat.com/presentations/bh-usa-05/BH_US_05-Kornbrust/BH_US_05-Kornbrust.pdf
Pete Finnigan (PeteFinnigan.com Administrator)
« Reply #5 on: Jul 29th, 2005, 3:21pm »

Hi Rado,
 
Have you managed to open it? I tried to view it in IE and also downloaded it but neither option worked. I have emailed blackhat to ask if it is a problem their end.
 
cheers
 
Pete
Pete Finnigan (PeteFinnigan.com Administrator)
« Reply #6 on: Jul 29th, 2005, 3:26pm »

Plus, I forgot to mention Esteban Martínez Fayó; his presentation is available here and Cesar Cerrudo's is available here. At the moment I cannot read theirs either. I will get a newer version of Acrobat and see if that works. As far as I know Alex, Esteban, Cesar and David Litchfield were the only ones to talk about Oracle.
 
cheers
 
Pete
rado (PeteFinnigan.com Newbie)
« Reply #7 on: Jul 29th, 2005, 3:40pm »

Hi Pete,

I sent them as three attached PDF files to your official email.
 
Best regards
kornbrust (PeteFinnigan.com Newbie)
« Reply #8 on: Aug 4th, 2005, 2:59pm »

Hello,

An updated version of the presentation is available on my website:
 
 
Cheers
 
 Alexander Kornbrust
« Last Edit: Sep 17th, 2009, 5:18pm by Pete Finnigan »
Pete Finnigan (PeteFinnigan.com Administrator)
« Reply #9 on: Aug 4th, 2005, 3:42pm »

Thanks Alex,
 
welcome to the forum!
 
cheers
 
Pete
kornbrust (PeteFinnigan.com Newbie)
« Reply #10 on: Aug 4th, 2005, 6:34pm »

Hello,

Here is a short summary of my presentation. Interception of encryption keys is easy if a hacker (or DBA) installs a special package which intercepts all parameters and passes the parameters to the original package. DBA permission is not always required.

1. Install a dbms_crypto package with the same specification as the original dbms_crypto.

Sample: see dbms_crypto_fake.sql

2. Create a private synonym or modify the public synonym.

That's all. You find all encryption keys in the log file of your web server.

It is possible to mitigate the risk (a little bit) by

  * using fully qualified names (e.g. SYS.DBMS_CRYPTO)
 
 
 
Regards
 
 Alex
« Last Edit: Sep 17th, 2009, 5:16pm by Pete Finnigan »
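The interposition Alex summarises above leaves traces in the data dictionary: a package carrying the name DBMS_CRYPTO or DBMS_OBFUSCATION_TOOLKIT outside SYS, a synonym with that name resolving somewhere other than SYS, and stored code whose dependency on the package was resolved through a synonym rather than the SYS-qualified name. The queries below are an added example for auditing a database for those traces and for writing the fully qualified call the post recommends; they are not from the presentation, the forum or Oracle, and assume an account that can read the DBA_* views. Only standard DBA_OBJECTS, DBA_SYNONYMS, DBA_DEPENDENCIES and DBA_SYS_PRIVS columns are used; the key in the PL/SQL block is a constructed placeholder.

```sql
-- Added example (not from the presentation or the forum).
-- Run as a user with SELECT on the DBA_* views, e.g. via SELECT_CATALOG_ROLE.

-- 1. Any package, package body or synonym carrying the name of a SYS crypto
--    package but owned by somebody else is suspect.
SELECT owner, object_name, object_type, status, created, last_ddl_time
  FROM dba_objects
 WHERE object_name IN ('DBMS_CRYPTO', 'DBMS_OBFUSCATION_TOOLKIT')
   AND owner <> 'SYS'
 ORDER BY owner, object_name, object_type;

-- 2. Synonyms (private or PUBLIC) with those names must resolve to SYS and not
--    go over a database link. A private synonym in an application schema, or a
--    PUBLIC synonym that has been re-pointed, shows up here.
SELECT owner AS synonym_owner, synonym_name, table_owner, table_name, db_link
  FROM dba_synonyms
 WHERE synonym_name IN ('DBMS_CRYPTO', 'DBMS_OBFUSCATION_TOOLKIT')
   AND (table_owner <> 'SYS' OR db_link IS NOT NULL);

-- 3. Stored code that reaches the crypto packages by name resolution rather
--    than by SYS.<package>. REFERENCED_OWNER = 'PUBLIC' with REFERENCED_TYPE =
--    'SYNONYM' is the public synonym (exposed if step 2 of the post is done);
--    any other non-SYS owner is a private object or private synonym.
SELECT d.owner, d.name, d.type,
       d.referenced_owner, d.referenced_name, d.referenced_type
  FROM dba_dependencies d
 WHERE d.referenced_name IN ('DBMS_CRYPTO', 'DBMS_OBFUSCATION_TOOLKIT')
   AND d.referenced_owner <> 'SYS'
 ORDER BY d.owner, d.name;

-- 4. Who is able to perform the synonym step at all: these system privileges
--    let a non-DBA create or replace the synonyms that step 3 depends on.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE PUBLIC SYNONYM', 'DROP PUBLIC SYNONYM',
                     'CREATE ANY SYNONYM', 'DROP ANY SYNONYM',
                     'CREATE ANY PROCEDURE', 'CREATE ANY DIRECTORY')
 ORDER BY privilege, grantee;

-- 5. The mitigation from the post: qualify the package with its owner so that
--    neither a private nor the PUBLIC synonym takes part in name resolution.
--    Constructed illustration; the key below is a placeholder, not a real key.
DECLARE
  l_key RAW(32) := HEXTORAW('000102030405060708090A0B0C0D0E0F'
                         || '101112131415161718191A1B1C1D1E1F');  -- placeholder
  l_ct  RAW(2000);
BEGIN
  l_ct := SYS.DBMS_CRYPTO.ENCRYPT(
            src => UTL_I18N.STRING_TO_RAW('constructed sample text', 'AL32UTF8'),
            typ => SYS.DBMS_CRYPTO.ENCRYPT_AES256
                 + SYS.DBMS_CRYPTO.CHAIN_CBC
                 + SYS.DBMS_CRYPTO.PAD_PKCS5,
            key => l_key);
  -- l_ct now holds the ciphertext; it would normally be stored, not printed.
  DBMS_OUTPUT.PUT_LINE('ciphertext bytes: ' || UTL_RAW.LENGTH(l_ct));
END;
/
```

Queries 1 and 2 should return no rows on a clean database; every row from query 3 is a piece of code that would be affected if the synonym were re-pointed and is a candidate for the `SYS.` qualification shown in block 5. Fully qualifying the name does nothing against someone who can replace the SYS package itself, which is why the post calls it mitigating the risk only "a little bit"; the privilege review in query 4 and auditing of CREATE/ALTER SYNONYM and CREATE PACKAGE statements cover the rest.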
Joshua Wright (PeteFinnigan.com Newbie)
« Reply #11 on: Aug 5th, 2005, 8:35pm »

Alex,
 
Your presentation materials are awesome.  I really enjoyed reading them, especially the nonsense quotes in the beginning of the presentation.
 
Thank you,
 
-Josh
kornbrust (PeteFinnigan.com Newbie)
« Reply #12 on: Aug 6th, 2005, 2:59pm »

Josh,
 
Most people believe that the product documentation or specialised books are telling the truth.

DBMS_CRYPTO/DBMS_OBFUSCATION_TOOLKIT is nearly useless in the current architecture. This also has side effects on the Oracle product stack.
 
Oracle itself is not able to store the passwords/data in a secure manner. That is probably the reason why Oracle itself is using dbms_crypto/dbms_otk very rarely.  I know only 4 components (ultrasearch, MGW, DM and Grid Control) in the database which are using dbms_crypto/otk.
 
Regards
 
 Alex
« Last Edit: Aug 6th, 2005, 3:00pm by kornbrust »
Powered by YaBB 1 Gold - SP 1.4!