
Oracle Security papers

The following list of links aims to bring together a collection of some of the white papers, articles and presentations out there on the internet about database security and Oracle security in particular. The lists below include papers written by Pete Finnigan for other websites, for this website and for many conferences world wide. This page also includes many papers and presentations written by many other people.

If anyone has any good links or papers about Oracle security in particular that I have not found myself yet, please let me know the URL and I will add them to the list below. Please email pete@petefinnigan.com.

Oracle Security papers written by Pete Finnigan

The following are papers written by Pete Finnigan for various web sites.

Paper Title Description
Secure PL/SQL coding
This is the talk I did a couple of times last year (2012) for the UK Oracle User Group; once in London and once in Edinburgh. The talk is all about PL/SQL and coding issues that can make the PL/SQL code exploitable. I did a live demo showing how a vulnerable piece of PL/SQL code in a schema can allow an attacker to execute any PL/SQL code in that same schema or access any data in that schema where he would not normally have access. The talk looked at SQL Injection, finding bugs, securing PL/SQL, license features, tamperproofing and more.
Identify Yourself In The Oracle Database
I gave this talk at the conference last year for the UKOUG and then subsequently at one SIG and also a conference in Norway and also for an OWASP chapter meeting in Leeds. I held back on adding the slides to my site in case I did the talk again but the time has come to add them now. The talk covers identity and accountability in the database looking at what values that identify a person are captured in the session via various means and also what values that may identify a person are then transferred over to the audit trail. We also looked at "what is identity" and "what is identity at the database level" and discussed accountability in the database. The two are linked, you cannot be accountable if you cannot be identified. I also looked at spoofing details of identity in the database. This is a serious issue if you use core audit or if you rely on identifiers for security products such as VPD or FGA or system triggers. I finished off the talk with a discussion about detecting spoofing and preventing spoofing/identity theft in the Oracle database.
We Must Secure Data not Software
I gave a talk at the UKOUG security day at Bletchley Park on September 13th. This was about the problem of understanding that you must secure data and not the software itself. This should be obvious but it doesn't seem to be to most people. I also covered the process of securing that data.
Securing Oracle - Part 1 (0.2 Meg)
Securing Oracle - Part 2 (0.1 Meg)
Securing Oracle Demos Notes (0.07 Meg)
I gave a two part talk to the UKOUG Unix SIG in Thames Valley park on September 8th 2010. The talks were really focusing on the issue of securing the data not the database software. There were plenty of demos (6 in all) that ranged from a simple downloadable exploit to a much more stealthy attack. The main idea was to show the risk to the data and where it really is, who can access it and how they might avoid your security.

I have included the PDFs of the slides from the two talks and also I have written down the steps I took during the demos as when I have done demos previously people have emailed asking for videos etc. The steps are the best I can do!

Logica Guru4Pro Presentation (0.4 Meg)
This is the presentation I gave on June 2nd at Logica on the outskirts of Den Haag. This was a great presentation, well attended and also some great questions and discussions. The focus of the presentation is how easy it is to steal data and what should the first steps be in protecting that data.
Paper reviewing Sentrigo Hedgehog Enterprise (2.3 Meg)
This is a paper I have written to review the setup and use of Sentrigo HedgeHog Enterprise Edition. The paper focuses on how to use Hedgehog and covers the two major rule sets that are available, vPatch and custom rules. The paper gives 3 detailed examples for each rule set and shows how to set up and use them and also shows demo exploitation of the database to show that Sentrigo Hedgehog is alerting on the rules set up to capture the inappropriate traffic.
The right method to secure an Oracle database (Webinar with Sentrigo, March 9th and 11th 2010) (0.6 Meg)
The right method to secure an Oracle database - 6 Slides (Webinar with Sentrigo, March 9th and 11th 2010) (0.3 Meg)
This is the webinar I did in conjunction with Sentrigo on March 9th and 11th 2010. The talk covers the process of securing an Oracle database but with a proper focus to the task rather than simply following a checklist. A checklist is fine for general hardening but not for securing data as there is no method to ensure that the data that must be protected has indeed been protected. This is based on the same talk given at the UKOUG and is modified slightly from that. So this is now the latest version.
The right method to secure an Oracle database (UKOUG Birmingham, Nov 30th 2009) (0.6 Meg)
The right method to secure an Oracle database (UKOUG Birmingham, Nov 30th 2009) (0.3 Meg)
These are the slides from my presentation at the UKOUG conference in Birmingham for 2009. The talk is closely based on the same talk done previously at the northern server tech day and also at the inaugural OWASP meeting in Leeds. This is now the latest copy of these slides and I probably will not give the same talk again or update them again.
The right method to secure an Oracle database (OWASP Leeds, Oct 14th 2009) (0.6 Meg)
The right method to secure an Oracle database (OWASP Leeds, Oct 14th 2009) (0.3 Meg)
This is the presentation I gave at the inaugural OWASP Northern chapter (soon to be, he he), currently Leeds chapter. This was a good meeting, the first of many I hope; a good crowd and myself and Justin Clarke speaking. This is the paper I gave in York earlier in the year but it's been modified quite a bit and I also had one hour this time so the discussions went a bit deeper than York.
The right method to secure an Oracle database (Webinar with Sentrigo, July 22nd 2009) (0.9 Meg)
The right method to secure an Oracle database - 6 Slides (Webinar with Sentrigo, July 22nd 2009) (0.6 Meg)
This is the webinar I did in conjunction with Sentrigo on July 22nd 2009. The talk covers the process of securing an Oracle database but with a proper focus to the task rather than simply following a checklist. A checklist is fine for general hardening but not for securing data as there is no method to ensure that the data that must be protected has indeed been protected.
The right method to secure an Oracle database (UKOUG UNIX SIG, Wolverhampton, May 20th 2009) (0.9 Meg)
The right method to secure an Oracle database - 6 Slides (UKOUG UNIX SIG, Wolverhampton, May 20th 2009) (0.6 Meg)
This is my presentation from the UNIX SIG organised by the UKOUG. This is the same talk I did recently in York so see the description there. The slides have been updated slightly though so this is the latest version of them.
Oracle Security Masterclass (OUGF, Helsinki, Finland, May 14th 2009) (1.7 Meg)
Oracle Security Masterclass - 6 slides (OUGF, Helsinki, Finland, May 14th 2009) (1.1 Meg)
These are the Oracle security masterclass slides I presented in Helsinki, Finland to the OUGF on May 14th. The slides are based on the masterclass presented at the UKOUG last December in Birmingham, UK. The slides have been modified slightly so this is the latest version available. The bulk of the talk was live demonstrations so even though there are 70 slides you really needed to be there to get the full effect!
The right method to secure an Oracle database (UKOUG Northern Server Tech Day, York, April 28th 2009) (0.9 Meg)
The right method to secure an Oracle database - 6 Slides (UKOUG Northern Server Tech Day, York, April 28th 2009) (0.6 Meg)
This is my presentation from the third northern server technology day organised by the UKOUG. This time it was held in my home city of York, so that was fun. The talk is slightly based on one small part of the master class I did last year at the UKOUG conference. The focus of the talk was on one idea alone; this is to start with the data not start with a checklist. Checklists still have value but they are not specific enough to your own organisation so we need to focus specifically on the data first.
Using Oracle VPD in the real world (UKOUG DBMS SIG, Slough, March 17th 2009) (0.5 Meg)
Using Oracle VPD in the real world - 6 Slides (UKOUG DBMS SIG, Slough, March 17th 2009) (0.2 Meg)
This is the paper I gave at the UKOUG DBMS SIG held in the Baylis hotel in Slough on the 17th March 2009. The paper is an update of the one I did a year or so ago. The focus is not around the nitty gritty of how to use VPD (Virtual Private Database), Fine Grained Access Control (FGAC), Row Level Security (RLS), wow so many names for one technology, but on the security implications of using a security technology. VPD provides additional controls on the access to data at the level of the data but the implementation of this technology in your database must also be considered and protected. It is also important to consider the data and the possibilities to bypass the controls in VPD. So the focus of this paper is really around making sure that you implement it securely. The code from the talk is also available as a file called vpd2.sql.
Oracle Security Masterclass (UKOUG Birmingham, December 5th 2008) (1.7 Meg)
Oracle Security Masterclass 6 Slides (UKOUG Birmingham, December 5th 2008) (1.1 Meg)
This is the second paper I gave this year at the UKOUG conference. The masterclass is becoming a bit of a tradition. This is the third one that I have given and this year's is a completely new presentation. I had intended to refresh and update last year's but decided on a complete new one. This year I also departed from the previous years and included a lot of demos and also decided to cover a small number of issues in depth. This year I covered how easy it is to steal from an Oracle database and also how to audit in depth user accounts, access to credit card data and also issues around accessing the operating system. The focus is on depth and not trivial checks of access.
Oracle Security Basics (UKOUG Birmingham, December 1st 2008) (0.9 Meg)
Oracle Security Basics 6 Slides (UKOUG Birmingham, December 1st 2008) (0.3 Meg)
This is the first paper I gave this year at the UK Oracle User Group conference in Birmingham. The paper's title is derived from the "back to basics" day we had with the UKOUG back in February. This was a successful event and it was good to give this paper again. The basics is not meant to mean absolute basics but is intended for a DBA who is experienced but is perhaps not experienced in security. Therefore this paper's aim was to highlight the core security issues that he/she should look at first. This is based on the February paper given in London but is not the same. The talk back in February was for one hour but this time I had just 45 minutes so it's cut down a bit; the paper is also updated in quite a few places with some new and modified slides.
Oracle Security Masterclass (White-hats London, September 26th 2008) (1.2 Meg)
Oracle Security Masterclass 6 Slides (White-hats London, September 26th 2008) (0.6 Meg)
This is the Oracle Security Masterclass that I did for the White-Hats group at the Institute of Directors in London on the 26th September 2008. The talk went very well and was well attended. The masterclass is based around previous talks at RISK and also the Webinar done recently. I used a similar demonstration of hacking an Oracle database to steal credit cards as I did for the recent webinar. The focus of this talk is also based around the issues, i.e. why does an Oracle database become insecure and also focusing on the key issues in the database. The core of the talk discusses how to plan and conduct a security audit of an Oracle database.
Oracle Security Masterclass (Webinar with Sentrigo, September 23rd 2008) (0.4 Meg)
Oracle Security Masterclass 6 Slides (Webinar with Sentrigo September 23rd 2008) (0.1 Meg)
This is the webinar session that I did with Sentrigo on September 23rd 2008. This was a good session where I did a ten minute demo of hacking and stealing credit cards from the database. I then discussed some of the core issues that are normally wrong with a database.
Oracle Security Masterclass (Skrr Fall Conference, Reykjavik, Iceland 12th Sept 2008) (1.9 Meg)
Oracle Security Masterclass 6 Slides (Skrr Fall Conference, Reykjavik, Iceland 12th Sept 2008) (1.0 Meg)
This is my two hour Oracle Security masterclass that I gave at the Skrr Fall Conference in Reykjavik, Iceland on September 12th 2008. The masterclass is aimed at getting everyone up to speed on why an Oracle Security audit is needed and how it fits into the whole process of securing an Oracle database. An audit is the important first step in securing an Oracle database. The results flow into the process of fixing a database, testing and rolling out to all databases. The bulk of the talk focused on what the issues are and how a database can be attacked and then how to perform an audit at a high level.
Archive And Purging In A Security Context (UKOUG Archive And Purge Special event) (0.7 Meg)
Archive And Purging In A Security Context (UKOUG Archive And Purge Special event) - 6 slides per page (0.4 Meg)
This is the presentation I gave at the UKOUG Archive and Purge special event in London at the SAS Radisson, Portman Square on the 15th July 2008. This is a completely new paper aimed specifically at the archive and purge special event but with a firm focus on the security aspects of archive and purge. I concentrated on two things, the archiving and purging of security data, such as audit, and also on the security aspects of the normal business processes involved in archiving and purging business data.
Oracle Security Tools (UKOUG Northern Server Day) (0.8 Meg)
Oracle Security Tools (UKOUG Northern Server Day) - 6 slides per page (0.5 Meg)
This is the presentation I gave at the UKOUG Northern Server Technology Day in Newcastle on the 19th June 2008. The paper is based on that below given at the Management and Infrastructure SIG. The paper was originally given at the 2007 conference in Birmingham but has changed slightly.
Oracle Security Tools (UKOUG Man & Inf SIG) (0.8 Meg)
Oracle Security Tools (UKOUG Man & Inf SIG) - 6 slides per page (0.5 Meg)
This is the presentation I gave at the UKOUG Management and Infrastructure SIG at the Oracle city office in London on the 17th June 2008. This paper is based on the same one given at the UKOUG conference in Birmingham last year but has some changes made to it.
Oracle Forensics (OUG Scotland) (0.6 Meg)
Oracle Forensics (OUG Scotland) - 6 slides per page (0.3 Meg)
This is the presentation I gave at the Oracle User Group Scotland DBA SIG in Edinburgh on April 30th 2008. The presentation is based on the one I did for the UKOUG conference in Birmingham last year but has had quite a few edits done to it since. So it's worth downloading the latest copy this time.
Oracle Security Basics (OUGN) (0.8 Meg)
Oracle Security Basics (OUGN) - 6 slides per page (0.3 Meg)
This is the presentation I gave at the Oracle User Group Norway in Oslo, Norway on the evening of the 22nd of May. The slides are based on the earlier Oracle security basics presentation done for the UKOUG in London in February and subsequently updated for the UK Northern Security Group below. These slides were updated again for the talk in Norway so are changed slightly from the version below, so for anyone interested in this talk it's worth getting the latest version here.
Oracle Security Tools (OUGN) (0.8 Meg)
Oracle Security Tools (OUGN) - 6 slides per page (0.3 Meg)
This is the presentation I gave at the Oracle User Group Norway in Oslo, Norway on the evening of the 22nd of May. The slides are based on the earlier Oracle security tools presentation done for the UKOUG conference in Birmingham last year. These slides were updated slightly for the talk in Norway so are changed slightly from the version below, so for anyone interested in this talk it's worth getting the latest version here.
Oracle Security Audit (RISK 2008) (1 Meg)
Oracle Security Audit (RISK 2008) - 6 slides per page (0.5 Meg)
This is the presentation I gave at the RISK 2008 conference in Oslo, Norway on the 23rd of May. The slides are based on the earlier Oracle security masterclass presentation I did for the main UKOUG conference last year in Birmingham. That talk was 2 hours long. This talk is a subset of some of the slides and condensed to one hour. The content was also changed in places and a number of new slides were added so it's by no means the same talk as Birmingham.
Oracle Security Masterclass (0.8 Meg)
Oracle Security MasterClass - 6 slides per page (0.3 Meg)
This is the presentation I gave at the Northern UK Security Group on the evening of 14th April 2008 in Leeds. This is a cut down version of the masterclass and the back to basics presentation. It's mostly the same as the previous basics paper but a number of the slides were tweaked, so it's worth downloading this updated version.
Oracle Security Webinar (0.4 Meg)
Oracle Security Webinar - 6 slides per page (0.15 Meg)
These are the slides from the presentation I gave live via a webinar on March 28th 2008 over the internet. This paper is based on my Oracle security masterclass but also included a 15 minute demonstration of hacking an Oracle database and locating and stealing credit card data.
Oracle Security Basics (0.8 Meg)
Oracle Security Basics - 6 slides per page (0.5 Meg)
This is my presentation from the UKOUG Back to Basics event held in London on February 28th. This was a first of a kind special event that included Tom Kyte, Pete Finnigan, Jonathan Lewis and Julian Dyke. Each presenter attempted to reduce their skill area to more basic tenets to allow people with less experience (perhaps after completing Oracle training) to go to the next level. The event was well subscribed and of course I spoke about getting the Oracle security basics sorted and right.
Using Oracle VPD in the real world (0.7 Meg)
Using Oracle VPD in the real world - 6 slides per page (0.3 Meg)
This is my presentation from the UKOUG Unix SIG held in London on January 22nd. The presentation is about using VPD in the real world and, as would be expected from me, it targets the issues around securing VPD itself. It puts VPD in perspective in that it is not a holistic solution but should be part of an overall security solution and itself should be hardened, otherwise it can be easily bypassed.
Oracle Security Masterclass (4.1 Meg)
Oracle Security Masterclass (1.2 Meg)
This is my two hour Oracle Security master class from this year's UKOUG conference in Birmingham delivered on December the 6th. The paper starts by looking at why someone may want to hack an Oracle database, the types of attacks and some background. The bulk of the presentation concentrates on how to perform a security audit on an Oracle database. Finally the paper rounds up with a brief look at the next steps to take after the audit is completed.
Oracle Forensics (1.4 Meg)
Oracle Forensics (0.4 Meg)
This is my presentation from the UKOUG conference in Birmingham 2007 on December the 5th. The paper covers the fairly new subject of Oracle Forensics. The interest in this area has grown over the last few years mostly due to the issues of data theft and identity theft growing vastly. The paper looks at what Oracle forensics is, where to find out information and what research is going on. It then looks at where it's possible to find forensics information and then launches into some examples of how to mine for data and clues.
Oracle Security Tools (1.6 Meg)
Oracle Security Tools (0.6 Meg)
This is my presentation from the UKOUG conference in Birmingham 2007 on December the 4th. This is a paper that looks at what Oracle security tools are available both commercial and also mostly free. The paper attempted to review all the types, look at classifications and also tested whether Oracle had provided anything and also discussed some of the key issues with deploying Oracle security tools and then went on to demo a lot of the tools that are available.
Oracle 11g Security (1.2 Meg)
Oracle 11g Security (0.2 Meg)
This is my presentation from the UKOUG DBMS SIG held at Chesford Grange (Le Meridien Warwick) on November 7th 2007. This paper explores the new features added to Oracle 11g that are specifically added to enhance security. I also covered some of the key security risks with an Oracle database and showed how 11g has made great strides towards improving the protection against those issues. I also covered some of the more subtle additions added to 11g that improve security but are not publicised as such. The talk then goes into some details around some of the core new security features.
Oracle Security On Windows (1.8 Meg)
Oracle Security On Windows (0.6 Meg)
This is my presentation from the UKOUG Windows SIG held at Blythe Valley park on September 25th 2007. This paper explores the security of Oracle databases on Windows. I have investigated what is available information wise and also what specific bugs and exploits have been found for Oracle on Windows. The paper also looks at common security issues and investigates how to perform a security audit at a high level.
How to unwrap Oracle PL/SQL This is my presentation slides from BlackHat Las Vegas 2006. In this talk I show how it is possible to unwrap PL/SQL that has been wrapped with a 9i or lower wrap utility and in the process show how the wrapping mechanism works internally. I also discuss the changes in the 10g wrapping algorithm.
Pete Finnigan Podcast about PL/SQL wrapping This is a podcast I did with Mark Brunelli after my talk at BlackHat. I discussed the issues around the PL/SQL wrapping mechanism used and why its weak.
Hacking and Securing Oracle This paper was presented to the UKOUG Northern Server technology day in Leeds in April 2007. The paper discussed some of the issues and problems that can lead to an insecure Oracle database being deployed. The paper includes many practical examples as well as advice on how to secure an Oracle database.
Encrypting data, is it possible to prevent access? This is a paper that I presented at the UKOUG conference in Birmingham in November 2006. I investigate and explore all of the options to encrypt data as it flows through an application that uses an Oracle database as its data store. I look at the free and commercial options available to prevent data theft on the network, the operating system and also within the database. I look at the built-in packages, the problems of key management and also at the viability of solutions to secure data within the database.
Does VPD, FGA or audit really cause performance issues? This is a presentation that I gave at the UKOUG conference in Birmingham in November 2006. This paper explores the common myth or perception that adding audit to a database is a surefire way to kill the database performance. Pete has real world experience building audit trails in big databases and he looks at database audit technologies, VPD and FGA and shows that by carefully planned designs and implementations it's possible to use these technologies effectively without killing the performance.
An Oracle Security Masterclass This is the 2 hour Oracle Security master class that I gave at the November 2006 UKOUG conference in Birmingham. This paper discusses where to find information about Oracle security, what tools are available and much more. The paper explores all of the different types of exploit that can occur, it includes many exploit examples and finishes with an overview of how to secure an Oracle database.
How to Secure Oracle in 20 Minutes This is a short paper that I gave at the InfoSecurity conference in London in 2006. The paper gives a seat of the pants ride into Oracle security and shows why it's better to secure an Oracle database in advance of an attack, rather than to attempt to defend it whilst an attack is occurring. Also, despite the common sense view that securing in advance is better, the paper does give some hints on things that may work quickly if you are under attack.
Many ways to become DBA This is a pdf of the presentation that I made first at the OUG Scotland conference in Glasgow on October 4th 2005 and then subsequently at a number of other conferences around the world during the last two years until around the middle of 2006. The paper evolved over time and was updated for each presentation. The link included is to the latest version of the presentation. The paper talks about the problems encountered with the security of an Oracle database. I cover where to find information, what the main problems are, some example exploits and problems. I talk about how to audit the database for issues and also then some ideas on how to secure them. Bear in mind that this is a 45 minute presentation and I have tried to give a feeling for the whole area of Oracle security in the database.
Oracle Row Level Security: Part 2 This is the second part of a two part paper that has been written by Pete Finnigan for www.securityfocus.com as part of the infocus series of articles. This second part follows on closely after the first part and now explores how to review what row level security settings have been implemented and also discovers how to find out if row level security has been used and whether the real SQL with new predicate can be found. This is done using trace files and the use of dictionary views. Various issues with implementing row level security are discussed along with suggestions on how to protect the implementation.
Oracle Row Level Security: Part 1 This is the first part of a two part paper that has been written by Pete Finnigan for www.securityfocus.com as part of the infocus series of articles. This paper gives a thorough overview of implementing row level security in an Oracle database. An example implementation is shown along with test cases to show how the functionality works. The paper then goes on to discuss some of the issues with row level security and also shows what information relating to a row level security implementation can be extracted from the database with various different methods. Various examples are given.
Detecting SQL Injection in Oracle This paper has been written by Pete Finnigan for www.securityfocus.com as part of the infocus series of articles. This paper shows some of the places within Oracle where information in the form of trace files, audit logs or by looking into the data dictionary can be used to detect SQL injection. It keeps its feet on the ground and explores a good set of ideas to simply show what is logged and stored by the system when an abuse occurs. It gives advice on which are viable methods and which are not. Read this paper to get a good idea of the wealth of information Oracle keeps about what users do.
An introduction to simple Oracle auditing This paper has been written by Pete Finnigan for www.securityfocus.com as part of the infocus series of articles. This paper describes a basic overview of Oracle's built-in audit features and then goes straight into some simple examples based around auditing user account access to the database. Pete shows how to use some simple SQL queries to find a number of types of abuse such as attempts to guess usernames and passwords, sharing database accounts and access at strange times of the day. This paper should be invaluable to any organisation who wants to see real benefits from using Oracle's audit by showing how basic abuse types can be easily translated into an audit trail and how to check that trail for those abuses.
SQL Injection and Oracle - 1 This paper has been written by Pete Finnigan for www.securityfocus.com as part of the infocus series of articles. The paper describes the issues of SQL injection against Oracle databases and uses a simple PL/SQL procedure to demonstrate which parts of the technique are possible. The first part of this paper explores the subject and presents examples.
SQL Injection and Oracle - 2 This is the second part of the SQL injection and Oracle paper written by Pete for security focus and follows on from the first part by showing some techniques to find out what privileges the user being injected from has. The paper goes on to discuss detecting SQL injection and some simple ideas to protect against this type of attack.
A simple Oracle security scanner This paper describes some of the common security issues associated with an Oracle database installation and was written for security focus. The paper is based around a simple SQL script that checks for a small number of common security issues with Oracle databases.
Exploiting and protecting Oracle This was the major paper I wrote for a previous employer about Oracle security, written with an attacker's viewpoint in mind. I wanted, with this paper, to explore some of the main areas of Oracle and question where there could be security issues. The paper proved very popular.

URL updated to point at the original of the file at Pentest LTD. The file on Security Focus has been removed.

Revealing clear text passwords from the SGA This is a posting I made to securityfocus to the pen-test mailing list to describe a situation whereby it is possible with some default privileges to dump the library cache and then read it using the standard package UTL_FILE and, if any Oracle database users' passwords have changed, then read those passwords in clear text.
Exploiting and protecting Oracle - The Internet Security Conference Insight Newsletter This is a newsletter article I wrote for TISC to introduce the paper I wrote for a previous employer. This insight paper details some of the issues in securing an Oracle database. To access the paper go to the link above, search for Pete Finnigan and click on the link.
Default password list for Oracle This is the password list I created for a previous employer. I don't maintain that list anymore. Any list of Oracle default users and passwords is relatively easy to create by searching through the installation directories of Oracle software, the HTML documentation and also from various web sites on the Internet. I have additional usernames and passwords that I will make available soon from here.

NOTE :- This link is unfortunately now dead, a new link to a good list of Oracle default passwords has been added at the end of this page. Search with CTRL-F with "Oracle default password list" in this page.

Investigation of default Oracle Accounts This is the first paper I did for a previous employer listing Oracle default accounts and their known passwords. I included this list in the large Oracle security paper "Exploiting and protecting Oracle" that I wrote. A free login is required for this site.

Oracle Security checklists

This section brings some major Oracle security checklists recently published on the Internet. Both lists are based on the SANS book "Oracle security step-by-step - A survival guide for Oracle security" written by Pete Finnigan and published in January 2003 by the SANS Institute.

The following are major Oracle security checklists

Paper Title Description
Oracle database security benchmark This document is produced by the Center for Internet Security and is one of a series of benchmark documents. Each document aims to provide a minimum standard to which a particular piece of software should be secured; in this case the Oracle database. The document is based in part on the SANS step-by-step guide on the same subject by Pete Finnigan. A scoring tool is also in development to accompany the benchmark.

This document has been updated to version 1.1. If you download just the benchmark you do not get the change history for the document, but if you download the scoring tool the benchmark and change history are included. Quite a few changes have been made to the paper. As indicated above, the scoring tool is also now available from the same URL.

Oracle database checklist UPDATED 23-Sep-2004 This document has just been updated to version 2.0 to reflect the changes made in the new version 2.0 printing of the SANS Oracle security step-by-step guide. Check out the changes.

This document was produced for the S.C.O.R.E initiative on the SANS website. It was written by Pete Finnigan and is based on the SANS book "Oracle security step-by-step". It is meant as a checklist to be used when auditing an Oracle database installation. It is not a how-to document and doesn't include detailed SQL or operating system commands, but it provides a comprehensive security checklist for Oracle. The paper is available as an MS Word document or a PDF file: Word version and PDF version.

Oracle Database Management System Security Standard ADDED 3-Sep-2005

I found this checklist by chance whilst searching for something else. It is dated 12 March 2003 and so is a couple of years out of date. The contents are not the best I have seen for an Oracle security checklist but are not a bad starting point for someone needing one. The SCORE and CIS lists are much better and much more complete, but don't dismiss a smaller list such as this. It has some mistakes in it and is clearly out of date but the structure is quite good.

Oracle database hardening ADDED 19-Nov-2005

I found this Oracle security checklist recently whilst searching Google. It is an Oracle-written paper and quite good as a starting point for securing Oracle. The list is good in its scope and coverage. The security items covered are included in other lists and some have been known for some years, but this is a good list and a very good starting point for anyone wanting to secure an Oracle installation.
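The checklists above deliberately leave out the SQL. As an added example, not taken from any of the listed checklists nor from the Burleson audit script linked further down this page, here is how a few common checklist items (privileges granted WITH ADMIN OPTION, "ANY" privileges, PUBLIC access to UTL_FILE and friends) translate into data dictionary queries. It assumes a DBA connection; the set of SYS packages in item 4 is this example's own selection rather than a complete list of dangerous packages.

```sql
-- Added example, not from any of the checklists on this page.
-- Run as a DBA. Works on any supported Oracle version unless noted.

-- 1. System privileges granted WITH ADMIN OPTION outside SYS and DBA:
--    the holder can hand the privilege on to anyone.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  admin_option = 'YES'
AND    grantee NOT IN ('SYS', 'DBA')
ORDER  BY grantee, privilege;

-- 2. "ANY" privileges (SELECT ANY TABLE, EXECUTE ANY PROCEDURE, ...)
--    held by anything other than the core accounts and roles; these
--    reach every schema regardless of object grants.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege LIKE '%ANY%'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee, privilege;

-- 3. Roles granted WITH ADMIN OPTION, and everyone who holds DBA.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  admin_option = 'YES'
OR     granted_role = 'DBA'
ORDER  BY granted_role, grantee;

-- 4. EXECUTE on SYS packages that reach the file system, the network
--    or the JVM. Several are granted to PUBLIC by default; revoking
--    them must be tested against the applications that use them.
--    (The package list is this example's selection, not a complete one.)
SELECT grantee, table_name AS package_name
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    privilege = 'EXECUTE'
AND    table_name IN ('UTL_FILE', 'UTL_HTTP', 'UTL_TCP', 'UTL_SMTP',
                      'DBMS_JAVA', 'DBMS_SCHEDULER', 'DBMS_LOB')
ORDER  BY table_name, grantee;

-- 5. Where UTL_FILE may read and write: the UTL_FILE_DIR parameter
--    ('*' means anywhere the Oracle OS user can; desupported in 18c)
--    and directory objects granted to PUBLIC.
SELECT name, value
FROM   v$parameter
WHERE  name = 'utl_file_dir';

SELECT p.grantee, p.table_name AS directory_name, p.privilege
FROM   dba_tab_privs p
WHERE  p.grantee = 'PUBLIC'
AND    p.table_name IN (SELECT directory_name FROM dba_directories)
ORDER  BY p.table_name;
```

Each query returns rows that need a decision rather than rows that are automatically wrong; the point of the checklist is to make every row in the output a known and documented exception.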

Oracle Security papers written by Other authors

The following papers and articles on Oracle database security were written by other authors for various web sites. I am including URLs to the papers here to try and bring together the best Oracle security papers available on the Internet into one place.

Paper Title Written for Written by Description
Protecting Oracle databases www.appsecinc.com Aaron Newman This is a good paper giving an overview of some of the issues and vulnerabilities surrounding Oracle database security. It covers many of the key areas and discusses some ideas for protecting Oracle.
Protecting Oracle databases presentation www.appsecinc.com Aaron Newman This is a presentation Aaron has given a few times discussing Oracle security and protecting against vulnerabilities. The presentation is based around the above paper.
Hackproofing Oracle Application Server www.ngssoftware.com David Litchfield This is David's excellent paper covering some of the important database server security issues and also including great coverage of Oracle Application Server issues. The paper also includes a very comprehensive default user password list.
Hackproofing Oracle www.oracle.com Howard Smith Howard's paper is an excellent start to securing the RDBMS against attacks. The paper describes Oracle's own internal efforts with ethical hacking.
Securing Oracle Network Traffic www.dbspecialists.com Roger Schrag Excellent paper covering many aspects of securing Oracle Net8. The paper covers configuring the listener to accept or refuse requests from specific IP addresses. Also covered is using ssh (Secure Shell) to make Net8 more secure, and Roger also talks about optionally tunnelling through firewalls.
Oracle's Latest Security Patches May Attract Hackers www3.gartner.com John Pescatore News report about the latest slew of Oracle security alerts.
Hackproofing Oracle 9iAS www.appsecinc.com Aaron Newman This paper is a presentation given by Aaron. It gives a good overview of 9iAS security issues.
Best Practices for Securing Oracle www.idefense.com   This is a good overview paper on how to secure Oracle databases. This paper can be downloaded by filling in the form on the above URL and then the paper will be emailed to you.
Developing a database security plan www.oreilly.com Marlene Theriault, William Heney This is the sample chapter from the excellent book "Oracle security". This was the first major book on the subject and has only fairly recently been joined by another work by Marlene and Aaron and more recently the SANS step-by-step guide.
Database Security 101   Richard D Newallis, SPRINT Good Oracle security strategy introduction document describing various threats and levels of protection. Detailed Oracle security is not covered to any depth as the bulk of the paper could be applied to any database implementation. But, this is a very good paper overall.
Oracle database Security: Tips and Tricks DBCORP Information Systems Inc Simon Pane These are the presentation notes for an Oracle security talk made for DBCORP. The paper covers a good overview of the basic Oracle security issues and gives a top 10 best practice tips for Oracle security. The paper also covers a multitude of other good Oracle security settings and tips. This presentation can be used as an excellent Oracle security check list.
Hacker Proofing Your database www.osborne.com Marlene Theriault, Aaron C Newman Sample chapter from the Book Oracle Security Handbook.
An overview of Oracle database security features www.sans.org Lorraina Hazel, CNE Good overview paper of the Oracle security features in the Oracle RDBMS.
Oracle Idiosyncrasies   Yong Huang Good page of small articles including a security issue with the listener. The rest are worth reading as well.
Oracle Executables   Yong Huang Not really security but it is useful to have a list in one place of what some of those files are in the bin directory. This list can be useful in deciding what can be secured and / or deleted.
Speculation of X$ Table Names   Yong Huang Again not really security but it is useful to have a list in one place of what some of the x$ tables are and what they are used for.
Conducting a Security Audit of an Oracle Database www.sans.org Egil Andresen Quite a good overview paper written to describe how to audit an Oracle database. Quite wordy in the beginning describing the technicalities of auditing before getting into some Oracle specifics. Overall covers quite a bit of ground and very well worth the time to read it.
Implementing Data Encryption (Alternate Link) www.interealm.com Roby Sherman Excellent paper covering data encryption within the Oracle database. Covers some of the popular myths surrounding encryption. Also includes some performance tests using encrypted examples.
Introduction Oracle database Security http://cellworks.washington.edu Scottie Swenson Reasonable presentation paper on Oracle security.
Internet Security With Oracle Row-Level Security (Alternate Link) www.interealm.com Roby Sherman Excellent paper covering Oracle's Row Level Security including simple examples.
A security checklist for Oracle 9i www.oracle.com Rajiv Sinha Good starter paper on how to secure Oracle 9i from the Oracle security team themselves. You will need a free logon to read this paper, simply go and register on the site.
Oracle Security FAQ www.orafaq.com Frank Naude Good range of "how to" facts and snippets.
A security checklist for Oracle 9iR2 www.oracle.com Unknown Good starter paper on how to secure Oracle 9iR2 from the Oracle security team themselves. This is an updated version of the paper above. You will need a free logon to read this paper, simply go and register on the site.
Implementing Data-Level Monitoring With Oracle Fine-Grained Auditing (Alternate Link) www.interealm.com Roby Sherman Paper showing good simple examples of fine grained auditing. This paper shows in simple terms how to use this new audit feature.
Disassembling the Oracle redo log www.orafaq.com Graham Thornton Excellent paper detailing how to read Oracle redo logs from the trace files. This is a useful paper when contemplating forensics after an intrusion. If audit was not enabled then this could be one method of finding out what has happened. Later versions of Oracle bring LogMiner to help in this area.
General Security Controls within Oracle   Diane Wynne Very basic review document used as a general checklist for Oracle security issues. More comprehensive lists are available but this could be used as a basic starting point.
Oracle Database Audit Program www.auditnet.org Plusnina, Svetlana Oracle security review checklist. Quite basic in terms of background information but quite useful otherwise.
Pal's Linux RDBMS Library www.palslib.com   This website contains a list of Oracle security papers and links amongst other things. I think most of the Oracle security links are covered here also but this good site is worth keeping an eye on for new links.
Oracle Security Alert Page otn.oracle.com   This is the main page where new security alerts are released by Oracle. It is possible to subscribe to receive news of new alerts as they happen. A free login is required to access this page.
Implementing the Database Resource Manager (Alternate Link) www.interealm.com Roby Sherman This is a detailed paper giving an overview of the resource manager functionality. Whilst not specifically security related, this article could be useful in a security context as controlling resources could be used to prevent denial of service attacks.
Encryption of data at rest www.appsecinc.com Aaron Newman This is an excellent paper detailing issues with encrypting data held within a database. It also covers quite well issues with hiding the encryption keys.
Ensuring 100% security in e-commerce applications www.dba-village.com Geert De Paep This is a presentation given by Geert at the EOUG conference in Copenhagen in 1999. This paper describes how to implement row level security, aka fine grained access control in Oracle 8i. A free login is required for this site.
The integration of internets LDAP with Oracle 8i www.dba-village.com Danny Gielen This fine paper discusses the integration of LDAP into Oracle 8iR2. The paper discusses the advantages of using LDAP with Oracle. A free login is required for this site.
Changing the apps database password in Applications Release 10.7 www.dba-village.com Henk Van't Net This short paper discusses how to change the apps database password in 10.7. A free login is required for this site.
A Major Oracle 9.0.x Security Hole (unbreakable my foot...) (Alternate Link) www.interealm.com Roby Sherman Short paper describing how the ANSI join syntax bug works in Oracle 9i.
Calling Java from PL/SQL www.unix.org.ua   Extract from the O'Reilly book "Guide to Oracle 8i Features". This extract shows how to call Java from PL/SQL. This is important to know if you wish to protect your Java-enabled database from misuse.
Utilities for Oracle9iAS otn.oracle.com   Link to a set of seven utilities provided free of charge by Oracle. The two of most interest from a security perspective are "Interactive Log File Viewer for Oracle9iAS" and "Infrastructure DB Randomized Password Retriever". The former is a menu driven tool to look at all of the log files generated by 9iAS, which can be useful from a security perspective; the latter is a tool to retrieve the randomized passwords of the underlying infrastructure database. I will leave it to you to figure out what that can be used for.
Fine-Grained Auditing otn.oracle.com   Very short introduction paper on Oracle fine grained audit in the Oracle 9i database daily feature section. A free login is required to access this site.
Symbolic Link Inconsistency and Behavioral Change in 9i (Alternate Link) www.interealm.com Roby Sherman Short paper describing how the symbolic link behaviour has changed in Oracle9i.
Securing Oracle 9iAS 1.0.2.x otn.oracle.com Stephen Comstock Superb paper on securing the application server from Oracle themselves. Quite a long and thorough paper. A free login is required to access this paper.
Fine Grained Access Control asktom.oracle.com Tom Kyte Excellent paper discussing fine grained access control and giving examples of the row level security PL/SQL package. This paper was part of a series of articles by Tom on the new 8i features.
Controlling Database Access technet.oracle.com   Online documentation from Oracle explaining how to control access to an Oracle database.
Oracle Advanced Security technet.oracle.com   Online documentation from Oracle explaining the feature set of Oracle advance security.
Database Security in Oracle 8i technet.oracle.com   Overview paper describing the major security features in Oracle 8i and how they work. Good paper to read to get an idea of what does what in Oracle security wise.
Autonomous Transactions asktom.oracle.com Tom Kyte Another paper in the new 8i feature series explaining autonomous transactions. This feature can be particularly useful in auditing based on database triggers.
How to become another user in SQL*Plus asktom.oracle.com Tom Kyte Short paper from AskTom that shows the barely documented VALUES clause of the ALTER USER syntax, which allows a DBA to become another database user without knowing that user's password (the existing password hash is saved, a temporary password is set and used to connect, then the hash is put back with ALTER USER ... IDENTIFIED BY VALUES). Both the change and the restore are ALTER USER statements, so auditing ALTER USER will record this.
Creating Virtual Private Databases with Oracle8i - Part 1 www.oracle.com Mary Ann Davidson Good paper from Mary Ann Davidson who works in Oracle's security division. This is a good overview paper on the new (in 8i) Row Level Security features. Very well written.
Creating Virtual Private Databases with Oracle8i: Part 2 www.oracle.com Mary Ann Davidson Second part of the above paper.
How to generate random numbers in PL/SQL asktom.oracle.com Tom Kyte Short paper from AskTom that shows how to generate random numbers from PL/SQL. It should be noted that there are security concerns with using DBMS_RANDOM as part of any cryptography - See the SANS guide for details.
Database - The Final Firewall www.sans.org S. Brian Suddeth Good paper describing the many layers that can be used in "defense in depth" when applied to an Oracle database. The paper goes on to describe many areas of Oracle security and recommends many configurations and settings.
Protecting Your Database www.oracle.com Kevin Loney Short paper written for Oracle publishing detailing 6 tips for securing an Oracle database. Good basic starting point for Oracle security.
Virtual Private Databases chinaunix.net   Example code showing how to implement VPD within Oracle. Ignore the fact that it tries to load in Chinese; the text of the example is in fact in English.
How to store a password asktom.oracle.com Tom Kyte Short paper from AskTom that shows how to encrypt a password in the database or rather hash the username and password. This is for version 8.1.5 and also solutions are suggested for 8.1.6 and after with DBMS_OBFUSCATION_TOOLKIT.
DAIS: A Real time data attack isolation system for commercial applications Department of Information Systems, UMBC, Baltimore Peng Liu Excellent paper describing how to detect changes and reads in an Oracle database with a view to detecting hacker access. This is a very technical paper.
Securing Databases www.sans.org Paul Carmichael Good overview paper discussing database security. Quite well structured, although trying to be general it is mostly about Oracle. The paper covers a good range of issues.
Database Security in High Risk Environments www.sans.org Joaquin A. Trinanes High level paper not restricted to just Oracle discussing how and why to secure databases.
Database Driven Oracle Security www.oracledbaexpert.com   Basic paper to show how to build security between users and Oracle.
Write a simple security audit script for Oracle www.praetoriate.com Donald K Burleson Basic page that gives some small pieces of SQL to check the data dictionary for excessive privileges and privileges granted with the admin option. There are just 4 tips but useful all the same.
Oracle database listener security guide: March 2003 www.integrigy.com Integrigy This is a superb paper going through the issues with listener security and giving good tips and steps on how to protect and tighten up a listener installation. Excellent paper, one of the better Oracle security papers around. Read it!
Expert offers tips on securing Oracle databases www.searchoracle.com Robert Westervelt, SearchOracle.com News Writer This is a news item on SearchOracle that covers an interview with Donald Burleson where he discusses Oracle security issues and solutions. It is not a bad news item and discusses some of the basic issues. Published 15 July 2003.
Oracle Label Security, Part 1: Overview www.dbasupport.com Jim Czuprynski, jczuprynski@zerodefectcomputing.com This is the first part of an excellent series of papers covering Oracle's new label security implementation. The new Oracle Label Security (OLS) functionality is built on top of Oracle's Virtual Private Database technology. Jim's set of papers covers the basics, an excellent example and flows through a sample implementation successfully. Well worth reading.
Oracle Label Security, Part 2: Implementation, page 1 www.dbasupport.com Jim Czuprynski, jczuprynski@zerodefectcomputing.com This is the second part of an excellent series of papers covering Oracle's new label security implementation. The new Oracle Label Security (OLS) functionality is built on top of Oracle's Virtual Private Database technology. This is part 2 page 1.
Oracle Label Security, Part 2: Implementation, page 2 www.dbasupport.com Jim Czuprynski, jczuprynski@zerodefectcomputing.com This is the second part of an excellent series of papers covering Oracle's new label security implementation. The new Oracle Label Security (OLS) functionality is built on top of Oracle's Virtual Private Database technology. This is part 2 page 2.
Oracle Label Security, Part 3: Administration, page 1 www.dbasupport.com Jim Czuprynski, jczuprynski@zerodefectcomputing.com This is the third part of an excellent series of papers covering Oracle's new label security implementation. The new Oracle Label Security (OLS) functionality is built on top of Oracle's Virtual Private Database technology. This is part 3 page 1.
Oracle Label Security, Part 3: Administration, page 2 www.dbasupport.com Jim Czuprynski, jczuprynski@zerodefectcomputing.com This is the third part of an excellent series of papers covering Oracle's new label security implementation. The new Oracle Label Security (OLS) functionality is built on top of Oracle's Virtual Private Database technology. This is part 3 page 2.
How to write an Oracle security plan www.dbasupport.com Marlene Theriault and William Heney This paper is based on chapter seven of the O'Reilly Oracle security book. This paper is a very good discussion of how to write an Oracle security plan.
Automated Data Encryption Management www.dbazine.com Mike Hordila Excellent recent paper that discusses encryption within the Oracle database and provides a PL/SQL library for encrypting data using an automated solution. Well worth the read!
Even pros struggle with Oracle security www.searchoracle.com By Ellen O'Brien, SearchOracle.com News Editor Recent news item published on 11 September 2003. This news article talks about the issues of PUBLIC privileges in Oracle. Mary Ann Davidson, Oracle's security chief, is interviewed in discussion with Aaron Newman.
How to connect 2 ... n SSH Tunnels www.akadia.com   An excellent short paper showing how to use ssh tunnels to connect SQL*Plus to an Oracle database. Thanks to Jared Still for bringing this one to my attention.
Unraveling the sweater - Oracle security part 1 www.evdbt.com Tim Gorman First part of an excellent two part paper examining Oracle and hackers. This was printed in the winter 2003 RMOUG newsletter. This part talks about loopholes and user authentication. A shell script tool is provided to illustrate the issues. A link to this tool is available on our tools page.
Unraveling the sweater - Oracle security part 2 www.evdbt.com Tim Gorman Second part of an excellent two part paper examining Oracle and hackers. This was printed in the spring 2003 RMOUG newsletter. This part talks about the network and the TNS listener. A shell script tool is provided to illustrate the issues. A link to this tool is available on our tools page.
Oracle8i Virtual Private Databases www.evdbt.com Tim Gorman This is a presentation given at the DBA SIG of the UTOUG on 14 February 2001 by Tim. This presentation gives an overview of row level security and comes with a brief example using the scott user.
Using Oracle8i and Oracle9i Log Miner www.evdbt.com Tim Gorman This is Tim's paper providing a road map of the development and use of the Log Miner tool. Whilst this is not a true security paper, it is still useful to the security practitioner as Log Miner can find a use in the forensics area, particularly when auditing is not enabled.
Using Oracle8i and Oracle9i Log Miner www.evdbt.com Tim Gorman This is Tims powerpoint presentation on the same subject as the paper above.
Using Oracle8i and Oracle9i Log Miner www.evdbt.com Tim Gorman This is the presentation and word doc together as a zip file.
Oracle 9i Rel 2 - XDB Port Nightmares (Alternate Link) www.interealm.com Roby Sherman Nice paper showing various methods of changing and removing XDB ports.
Oracle password decrypt - Toplink Mapping workbench www.planet-source-code.com super_jecht Short paper posted 26 Jan 2004 to Planet Source Code showing the algorithm the Oracle TopLink Mapping Workbench tool uses to encrypt passwords. Even though decryption is not shown, it is easy to implement from this algorithm. See the OTN datasheet for details of the use of this tool.
Leveraging Oracle database security with J2EE container managed persistence http://otn.oracle.com Matt Piermarini and David C Knox This recent paper by Oracle, written by David Knox and Matt Piermarini, explores the issues of security when using J2EE application development and Container Managed Persistence (CMP). This model is great for storing and managing data effectively and for creating rapid application development opportunities, but it can also render the database's security features ineffective. This paper explores this issue and in particular shows how to use the CMP model for J2EE whilst still ensuring effective database security.
Oracle default password list www.cirt.net   This is a very good list of default Oracle users and known passwords. Use this list to audit your database. There is also a list available with the code from the SANS step by step book, see here
Oracle Label Security, Part 4: Conclusion www.dbasupport.com Jim Czuprynski, jczuprynski@zerodefectcomputing.com This is the fourth and final part of this excellent article series covering the subject of Oracle Label Security (OLS). This set of papers complements and extends the Oracle documentation on the subject of Oracle Label Security. This final paper talks about using OLS and also about extending the audit trail to cover changes made to the OLS security policies. Jim also covers modifying and removing OLS from your database.
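Several of the entries above (Tom Kyte's, Mary Ann Davidson's, Tim Gorman's and the chinaunix example) cover Virtual Private Database. As an added example that is not taken from any of them, the script below creates a minimal row level security policy on a sample table; the schema APP, the table ORDERS and the SALES_REP column are assumptions of this example. The predicate is built on SESSION_USER, which is fixed by authentication, and the comments say why the client-settable USERENV values must not be used instead; the two checks at the end are the ones an auditor wants, because a policy that is disabled, or that a user with EXEMPT ACCESS POLICY simply bypasses, protects nothing.

```sql
-- Added example, not from any of the papers listed. Schema, table and
-- column names (APP.ORDERS, SALES_REP) are assumptions of the example.
-- Run as a user with EXECUTE on DBMS_RLS (granted to EXECUTE_CATALOG_ROLE)
-- and the privileges to create objects in the APP schema.

CREATE TABLE app.orders (
  order_id  NUMBER        PRIMARY KEY,
  sales_rep VARCHAR2(128) NOT NULL,   -- database user name of the row owner
  amount    NUMBER(12,2)
);

-- Policy function. The (schema, object) signature is fixed by DBMS_RLS;
-- the string it returns is added to every statement as a WHERE predicate.
CREATE OR REPLACE FUNCTION app.orders_rls (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  -- SESSION_USER is set by authentication and cannot be changed by the
  -- client. CLIENT_IDENTIFIER, CLIENT_INFO, OS_USER, TERMINAL and
  -- similar USERENV values are supplied by the client and must not be
  -- trusted in a security predicate.
  RETURN 'sales_rep = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_BY_REP',
    function_schema => 'APP',
    policy_function => 'ORDERS_RLS',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);  -- rows written must also satisfy the predicate
END;
/

-- Check 1: the policy is present and enabled for all four statement types.
SELECT object_owner, object_name, policy_name, enable, sel, ins, upd, del
FROM   dba_policies
WHERE  object_owner = 'APP'
AND    object_name  = 'ORDERS';

-- Check 2: who can bypass every VPD policy. SYS always can; any other
-- holder of EXEMPT ACCESS POLICY sees the table unfiltered.
SELECT grantee
FROM   dba_sys_privs
WHERE  privilege = 'EXEMPT ACCESS POLICY';

-- Check 3: see the predicate being applied. Connected as a sales rep this
-- returns only that user's rows; EXPLAIN PLAN shows the added filter.
SELECT order_id, sales_rep, amount FROM app.orders;
```

update_check => TRUE is the parameter most often left at its default: without it a user can INSERT or UPDATE a row into another rep's name and simply never see it again, which is a data integrity hole even though the read path is protected.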