Log Archives


06/28/2024: Can we Add C Style Pointers to PL/SQL?
06/25/2024: Extreme PL/SQL
05/28/2024: Can we Hack an Oracle APEX Application?
05/08/2024: Can We Add New Language Features to PL/SQL?
03/18/2024: Locate an Error in Wrapped PL/SQL
03/06/2024: Attention PL/SQL Programmers - is your PL/SQL at risk of breach?
02/19/2024: How to Secure all of Your Oracle Databases - Part 1
02/12/2024: Happy 21st Birthday to Limited
01/29/2024: Securing APEX
01/23/2024: Investigate an Oracle Database Breach
01/17/2024: Happy New Year for 2024
12/29/2023: ACCESSIBLE BY Clause in PL/SQL
12/28/2023: Oracle Permissions and Statements or Actions
12/22/2023: Cracking APEX Passwords
12/18/2023: Apex Dictionary Views and their Security Mechanism
12/11/2023: Oracle Forensics - Missing User IDs
12/04/2023: Secure Password Store - Wallets
11/27/2023: SQL Firewall in 23c - UKOUG and Scripts
11/20/2023: UKOUG 2023 - Using Database Vault in Real Life
11/15/2023: UKOUG Conference 2023 - Reading - Two Oracle Security Talks
11/07/2023: SQL*Plus Error Logging - SPERRORLOG Table
11/03/2023: Logging Errors in SQL*Plus
10/24/2023: User Least Privilege in the Oracle Database
10/20/2023: An Appreciation of Auditing and Securing Oracle
10/16/2023: Oracle Database Passwords
10/13/2023: Secure Coding in PL/SQL
10/09/2023: alter session set current_schema
10/02/2023: Good Audit Trail Design
09/29/2023: ERP Oracle Database Security
09/22/2023: Oracle Forensics Response
09/18/2023: Database Vault without Database Vault
09/15/2023: Create Onion Layers of Security
09/11/2023: Adaptive Audit and Adaptive Security
09/08/2023: Securing Data in Oracle Databases
09/04/2023: GDPR and Oracle Database
08/25/2023: New GDPR Book and the Oracle Database
08/21/2023: Oracle 23c And Removing Traditional Audit - Part 3
08/17/2023: Coding, Languages and Oracle
08/14/2023: Re-Enable Traditional Audit in 23c
08/11/2023: Oracle 23c Traditional Audit De-supported
07/31/2023: Recovering PL/SQL Source Code
07/20/2023: Review an Oracle Database for Security Issues
07/14/2023: Oracle security and ERP systems and ACE
07/11/2023: A Thought Experiment - Application in the Root Container?
07/07/2023: Securing Insecure Oracle Databases
07/03/2023: Oracle Unified Audit Target Data
06/30/2023: Happy 29th June
06/26/2023: Read Only Users in 23c
06/22/2023: Proxy Connections and the SQL Firewall in Oracle 23c
06/19/2023: SQL Firewall Oracle 23c - Part 3
06/16/2023: SQL Firewall Oracle 23c - Part 2
06/13/2023: SQL Firewall Oracle 23c - Part 1
06/05/2023: Oracle 23c Deprecated Parameters that could Affect Data Security
05/26/2023: Creating a DIRECTORY - Forensics Example in 23c
05/23/2023: Are Oracle 23c Shipped Profiles Weak
05/15/2023: Are we Securing Oracle or are we Securing Data in Oracle?
05/09/2023: Oracle 23c Schema Level Grants
05/02/2023: Oracle 23c Dictionary Protection
04/18/2023: Oracle 23c New Longer 1024 Character Passwords
04/14/2023: Oracle Protected Users in 23c
04/07/2023: The New DB_DEVELOPER_ROLE in Oracle 23c
04/06/2023: Oracle Database Free 23c - Database Security
03/30/2023: Free Tool to Check The Privileges of an Oracle User or Role
02/09/2023: 20 Years of Securing Data in Oracle Databases
10/21/2022: Looking for GRANT ALL on objects
09/30/2022: Adding Scripting Languages to PL/SQL Applications - Part 1
08/09/2022: Granting ALL on Database Objects
08/05/2022: Do You Worry Your Company's Data is Being Stolen?
07/29/2022: Searchlight a Product to Make Finding Data Easy
06/07/2022: Oracle Security - Hidden Grant When Create a Role and Revoke in a CDB
05/25/2022: Adaptive Database Auditing and Security
05/11/2022: The challenges of securing data in an Oracle database
03/30/2022: Add License Checks Anywhere in your PL/SQL
03/22/2022: Software from Building Blocks - Fast Development - One Month Projects
03/10/2022: Make Pete Finnigan a remote expert part of your team
03/02/2022: Do we Need to Revoke PUBLIC from a User?
02/23/2022: Strong Passwords with Oracle Wallets
02/15/2022: How I Write an Oracle Security Training Course
02/12/2022: Happy 19th Birthday Limited
02/10/2022: Pete, Did You Deliver The Wrong Product?
02/08/2022: How do we Train Staff to do Oracle Security?
02/03/2022: Looking Forwards To 2022!!
02/03/2022: Joel Kallman Day
02/03/2022: Designing Good Audit Trails for an Oracle Database
02/03/2022: Happy 17th Birthday to this Oracle Security Blog
02/03/2022: Register for a Free Webinar with PFCLForensics for Breached Oracle Databases
02/03/2022: PFCLForensics is released a tool for forensic analysis of a breached database
02/03/2022: Should We Security Patch Oracle Databases?
02/03/2022: Unwrapping PL/SQL Source Code and Proving the Code is Recovered
02/03/2022: Redo Log Endian and Magic Number
02/03/2022: Oracle Security Training Presentations
02/02/2022: Happy 18th Birthday Limited
02/02/2022: TCPS Connection With an Oracle Instant Client
04/06/2020: PL/SQL, AST, DIANA, Attributes and IDL
04/02/2020: PL/SQL Machine Code Trace - event 10928
04/01/2020: Be Careful of What You Include In SQL*Net Security Banners
03/31/2020: Oracle's Free TNS Firewall - VALIDNODE_CHECKING
03/30/2020: Add A SQL*Net Security Banner And Audit Notice
03/27/2020: ORA-28050 - Can I drop the SYSTEM User?
03/26/2020: Setting Users Impossible Passwords BY VALUES and Schema Only Accounts
03/25/2020: CoronaVirus - We are Still Open
02/17/2020: XS$NULL - Can we login to it and does it really have no privileges?
02/11/2020: Bug Bounty
01/28/2020: PL/SQL Package with no DEFINER or INVOKER rights - Part 2
01/24/2020: PL/SQL That is not DEFINER or INVOKER rights - BUG?
12/06/2019: Installing Oracle 19c on Linux
11/19/2019: Oracle Security Training Manuals for Sale
10/11/2019: SELECT ANY DICTIONARY - What Privileges Does it Have - SELECT_CATALOG_ROLE
10/08/2019: What Privileges Can you Grant On PL/SQL?
10/01/2019: ORA-01950 Error on a Sequence - Error on Primary Key Index
09/30/2019: ORA-01950 Error on a Sequence
07/11/2019: PFCLScan - Version 3.0
06/06/2019: PFCLATK - Audit Trail Toolkit - Checksums
05/19/2019: 3200 Clever hackers are in my PC; wow!!
03/12/2019: DBID Is Not Definitive When Used As An Identifier
03/11/2019: Hardening and Securing The Oracle Database Training in London
03/08/2019: Stop The DBA Reading Data in Subtle Ways
03/07/2019: Oracle Security Training in London with Oracle University
12/23/2018: Oracle Security Blog Posts
12/19/2018: Virtual Patching or Good Security Design instead?
11/20/2018: Oracle Privilege Analysis Now Free in EE from 18c and back ported to all 12c
11/14/2018: Super Lock an Oracle Database
09/15/2018: Oracle Core Audit - Do you Audit your Core database engine for breach?
07/19/2018: Oracle Security Training by Pete Finnigan in 2018
06/13/2018: Oracle Can Generate 6 Password Hashes When a User is Added or Password Changed in and Above
06/09/2018: Need Help with Oracle Security GDPR Training and Services
06/07/2018: Grants WITH GRANT OPTION
06/06/2018: GDPR
06/04/2018: GDPR for the Oracle DBA
06/03/2018: Limited Printed Oracle Security Training Manuals for Sale
06/02/2018: Oracle Security Training In York, UK, 2018
05/22/2018: Running Code as SYS From Another User not SYSDBA
05/21/2018: Who Should Grant Object Rights?
05/07/2018: Oracle 18c Security utl_file_dir and schema no authentication
04/13/2018: New Oracle Security Public Training Dates Available
03/06/2018: Training Class Manuals For Sale
02/15/2018: Pete Finnigan Presented About Oracle Database Vault and Oracle Security
10/11/2017: Grant DBA to yourself - exploit or not?
10/03/2017: New Oracle Security book - Oracle Incident Response and Forensics
09/06/2017: Oracle Security Training In York - October 30 - 31st 2017
08/30/2017: get_tab2.sql - Free Tool to show Privileges on an Object Updated
08/29/2017: What Are NULL pname entries in v$process?
08/25/2017: Pete Finnigan is now an Oracle ACE
08/25/2017: Oracle Security at UKOUG December 2017
08/17/2017: New Video of Oracle Security Vulnerability Scanning
08/08/2017: More Oracle Security Training Manuals for Sale
08/07/2017: New Oracle Security On-Line Training Dates Added
07/07/2017: Oracle Security Audit and Open Ports on a Database Server
05/26/2017: Oracle Security Training
05/23/2017: O7_DICTIONARY_ACCESSIBILITY and UTL_FILE_DIR in Oracle 12c release 2
05/08/2017: Oracle Security 12cR2 and Oracle Security Training Dates
05/01/2017: Oracle 12cR2 Security - Listener Port
04/12/2017: New Online Oracle Security PUBLIC Training Dates Including USA Time Zones
04/11/2017: In The Top 60 Oracle Database Blogs
04/05/2017: Oracle Security Training Manuals For Sale
04/04/2017: How to Perform a Security Audit of an Oracle Database Training in Athens, Greece
03/31/2017: Is SQL Injection A WebSite Problem?
03/23/2017: Can You Say That An Oracle Database is nn% secure?
03/22/2017: PFCLScan - A Security Scanner For Oracle Databases - New Website
03/15/2017: Validating The Length Of An Oracle Database Hashed password?
03/14/2017: Default Password Hashes for 11g Oracle Database
03/02/2017: 12.2 is Available For Download For Linux And Solaris
02/28/2017: Delete from AUD$
02/23/2017: Fourteenth Anniversary For Limited And New Website
01/12/2017: Two New Oracle Security Public Class Dates
12/16/2016: Oracle Security And Merry Xmas And A Happy New Year
08/31/2016: Data Loss
08/22/2016: Oracle Security Training
08/10/2016: Data Exposure, leakage and Reporting
08/08/2016: Oracle Security Talks, Training and Conferences
07/08/2016: Oracle Security Expert Seminar
06/06/2016: 5 Days Expert Oracle Security Training In Paris - 20th June 2016
05/26/2016: Amis Conference June 2nd and 3rd
05/25/2016: Are Zero Days or Bugs Fixed by CPU The Worst?
05/24/2016: Compartmentalised Oracle Security
05/23/2016: New Oracle Security Paper on Non-Production and Delphix
04/01/2016: Oracle Security And Delphix Paper and Video Available
03/31/2016: 3 Days of Oracle Security Training In York, UK
03/14/2016: Oracle Data Masking and Secure Test Databases
03/10/2016: BOF: A Sample Application For Testing Oracle Security
12/14/2015: Two New Oracle Security Presentations Available
10/22/2015: Oracle Security Training In York
10/01/2015: New Presentation - Building Practical Oracle Audit Trails
07/21/2015: Protect Your APEX Application PL/SQL Source Code
07/09/2015: Oracle Security and Electronics
07/06/2015: New Conference Speaking Dates Added
07/03/2015: Happy 10th Belated Birthday to My Oracle Security Blog
06/30/2015: Oracle Database Vault 12c Paper by Pete Finnigan
06/25/2015: Unique Oracle Security Trainings In York, England, September 2015
07/23/2014: Coding in PL/SQL in C style, UKOUG, OUG Ireland and more
06/25/2014: Integrating PFCLScan and Creating SQL Reports
04/17/2014: Automatically Add License Protection and Obfuscation to PL/SQL
03/05/2014: Twitter Oracle Security Open Chat Thursday 6th March
10/29/2013: PFCLScan Reseller Program
10/18/2013: PFCLScan Version 1.3 Released
09/04/2013: PFCLScan Updated and Powerful features
08/28/2013: Oracle Security Training, 12c, PFCLScan, Magazines, UKOUG, Oracle Security Books and Much More
07/31/2013: Oracle 12c Security - SQL Translation and Last Logins
07/23/2013: Hacking Oracle 12c COMMON Users
07/22/2013: Oracle Security Loop hole from Steve Karam
07/08/2013: Oracle Database 12c Security Auditing
07/05/2013: Oracle 12cR1 Database Security - Default Users
07/05/2013: Oracle Database 12c Security - Privileges and users - The Beginning
07/04/2013: Oracle 12c Security
06/24/2013: Credit Card Security and Passport Security
06/14/2013: Oracle Security Posts And Conferences
06/12/2013: Oracle Security WebSite Woes!
05/30/2013: Oracle Security Class and software for Oracle security
01/14/2013: Secure Coding PL/SQL
09/06/2012: Oracle Security Search Is Annoying and protecting PL/SQL code
09/05/2012: Oracle's Java Patch
09/04/2012: New Oracle Security Talks
09/03/2012: New Oracle Security Presentation - Identity In The Database
06/20/2012: Oracle, Proxy, Obfuscation, Cookie Law, Talks, more...
02/13/2012: Oracle Security Training in Berlin ... and more ...
09/21/2011: More oradebug
09/21/2011: oradebug
09/19/2011: UKOUG Oracle Data Security Day presentation slides available
09/06/2011: Oracle Security Training in Denver, USA
07/06/2011: Cursor variable and global cursors security issues
06/24/2011: Training, twitter, Oracle security products
04/20/2011: New Oracle security papers and Oracle forensics tool
03/03/2011: SQL Injection Attack
03/02/2011: Oracle Security Training in the UK
02/21/2011: Oracle Database Firewall Controversy
01/28/2011: Techa Kucha In York
01/19/2011: Latest Oracle Security Critical Patch Update is out
01/04/2011: Oracle Security Training, Home For Christmas and a belated happy new year
12/02/2010: Snow, Woe and Oracle Security!
10/12/2010: Legal aspects of web and software design
10/06/2010: Conference talks, Training and a survey for David
10/05/2010: Free Oracle Security Webinar Recording On-Line
09/27/2010: Webinar: The right way to secure Oracle by Pete Finnigan - Wednesday 29 September 2010
09/23/2010: Oracle Post Exploitation and Password cracking
09/13/2010: English Football Fans Data Allegedly Sold to the BlackMarket
09/10/2010: Oracle Security Presentation Available
09/02/2010: Oracle Security
08/16/2010: Alex Hutton Podcast on data breach
08/13/2010: Would You Like A Job in Database Security?
08/06/2010: Hacking Oracle over the web and exploiting Database Vault
08/03/2010: Data Breach Survey Results
07/27/2010: The second IOUG / Oracle Security Assurance Survey
07/14/2010: 59 Security bugs fixed, 28 remotely exploitable, 13 in the database
07/07/2010: Pete Finnigan will be teaching Oracle Security in Tallinn, Estonia and speaking at UKOUG Unix SIG at TVP
07/01/2010: Do Oracle 11g features weaken security?
06/29/2010: V3rity has released a redo log mining tool to extract DDL from redo logs
06/24/2010: Leaking information about your database to help a hacker!
06/17/2010: New Public Oracle Security Training Class Dates announced
06/15/2010: New Oracle Security presentation available
05/05/2010: Public Demonstration of PFCLScan in Edinburgh Thursday May 13th
04/14/2010: 10g and 11g PL/SQL Unwrapper source code available
04/12/2010: Secure External Password Store
04/09/2010: Java forensics and Apps Security (twice)
03/25/2010: Webinar Recording and Laszlo's TNS hijack and downgrades Presentation
03/12/2010: A paper on Sentrigo Hedgehog and Pete Finnigan webinar slides
03/10/2010: Blocking Tools from using the database
03/08/2010: Pete Finnigan Webinar on Oracle Security
02/23/2010: SANS 2010 CWE/SANS Top 25 Most Dangerous Programming Errors
02/17/2010: SQL Injection and Java exploits
02/02/2010: Turkey, Germany, York, Holland and the Oak Table book
02/01/2010: The Oracle listener password algorithm
01/20/2010: Two new Oracle root kits
01/19/2010: Conferences, webinars, trainings, new training dates.....
01/05/2010: Training in York, England and Washington DC and adverts
01/04/2010: Hiding password hashes and a new sha1 Oracle password cracker
12/29/2009: Belated Christmas wishes and a happy new year to all readers
12/17/2009: The Oak Table book should be off to print
12/16/2009: Announcement: Oracle Security Training in Washington DC, March 25-26 2010
12/15/2009: Buying books, writing books and uploading slides
12/07/2009: Dennis has released a paper describing his FPGA cracker
12/03/2009: Unwrapping PL/SQL
11/30/2009: Two exploit versions of the ctxsys.drvxtabc.create_tables bug from Bunker
11/28/2009: A new Russian Oracle Security Tool
11/26/2009: New Oracle Security Book, UKOUG and Finland
11/19/2009: OS Authentication
11/17/2009: Revoking PUBLIC Execute on SYS.DMP_SYS
11/16/2009: Limited USA Partnership Announcements
11/13/2009: Pre-Announcement - Oracle Security Training in York in 2010
11/12/2009: Creating users creatively
11/10/2009: Russian Oracle Security Book
11/09/2009: Direct Grants, DBA, Invoker rights and definer rights
11/05/2009: Back from Prague and a new paper on explicit grants and roles
11/02/2009: One more point on Oracle password crackers
10/30/2009: Update to Dennis Yurichev's FPGA cracker plus exploit code for the CPU CVSS 10.0 bug
10/28/2009: Some training and speaking dates
10/27/2009: A new Oracle Security book.... or three!
10/26/2009: Cold remedies and Oracle Security
10/23/2009: Mary Ann Davidson fields security questions at Open World
10/21/2009: October 2009 Critical Patch Update is out; Paul has a paper on escalation to OSDBA
10/20/2009: Health Data Theft
10/16/2009: Oracle's October pre-cpu advisory is released
10/15/2009: OWASP Leeds meeting slides available
10/14/2009: SQL Injection and a presentation on data security
10/13/2009: Spoofing users and programs and presenting at OWASP
10/12/2009: Oracle's new Oracle database security and compliance solution
10/09/2009: Nice Summary of setting up audit options
10/08/2009: Expert Oracle Practices: Oracle database administration from the oak table
10/07/2009: How many Security bugs are in the Oracle database software product set
10/06/2009: Oracle Security Worst Practices
10/05/2009: 60 million password hashes/second Oracle password cracker available
10/02/2009: IOUG Data Security Report 2009 is out
09/30/2009: A grammatically correct random pass phrase generator
09/29/2009: SQL Injection - accessing additional tables via the where clause
09/28/2009: Default Users
09/24/2009: Backups are valuable
09/22/2009: Blog birthday, speaking, training and Oracle Java security
09/04/2009: Oracle delays the October CPU and 11g Release 2 is out
09/01/2009: A book, a database scanner and a magazine column and a few bugs
08/19/2009: Bypassing VPD through inference
07/24/2009: Hacking Oracle made easy
07/24/2009: The right way to secure Oracle slides available
07/22/2009: Rogue DBAs: Hidden Inside Security Threat
07/21/2009: Pete Finnigan webinar The right way to secure Oracle
07/16/2009: Escalate privileges to SYSDBA with CREATE USER
07/15/2009: Latest Oracle CPU is out
07/08/2009: Poor mans database vault
07/06/2009: A new database security auditing and scanner product, some BBED, ASM and AV
06/01/2009: 2 Day Oracle Security Seminar in York, England
05/21/2009: Two sets of slides added from Helsinki and Wolverhampton
05/11/2009: Checking if a password is valid using SQL
05/01/2009: The right way to secure a database
04/15/2009: April 2009 CPU is out
04/14/2009: Undocumented Oracle - Using ENUM's in PL/SQL
04/14/2009: New Oracle Security book out
04/02/2009: Oracle Security training in Edinburgh with Pete Finnigan
04/01/2009: A database installed version of who has privilege script
03/23/2009: SQL Injection Exploitation techniques
03/20/2009: Presentation on using VPD in the real world available
03/02/2009: IOUG Critical Patch Update Survey Results Are Out
02/11/2009: A new version of woraauthbf is available (The Oracle password cracker)
02/11/2009: Writing a password cracker in Perl
02/09/2009: Accessing Data Outside the data model
02/09/2009: Blog with Oracle Security posts
02/08/2009: Attacking Oracle with Metasploit
02/06/2009: Is it possible to steal data with just ALTER SESSION?
02/05/2009: Interview with SearchSecurity about Slavik's new Fuzzor
02/05/2009: Instrumentation - a god send for speed freaks - a god send for data thieves
02/04/2009: New version of Fuzzor available
02/03/2009: Details of a 10g PL/SQL Unwrapper available
02/03/2009: Google hacking and Oracle database security audits
01/22/2009: A paper on how to find Oracle SID's
01/16/2009: A PL/SQL Fuzzer / Fuzzor
01/14/2009: January 2009 CPU is out
12/31/2008: New Year Oracle Security
12/12/2008: Pete Finnigan's presentation slides available from UKOUG conference
11/27/2008: Oracle forensics paper - part 7 and an Oracle datablock dump tool
11/26/2008: Permissions required to run my PL/SQL Oracle password cracker
11/24/2008: A new exploit to bypass Oracle Database Vault has been released
11/17/2008: The question of revoking PUBLIC grants
11/12/2008: Podcast with Pete Finnigan on the subject of virtual patching
11/07/2008: UKOUG Conference is only 4 weeks away
11/06/2008: Some Oracle Security videos
10/24/2008: New CIS Oracle database benchmark
10/22/2008: Limited advisory for the October 2008 CPU released
10/21/2008: A new paper on PL/SQL Injection
10/20/2008: Exploiting CREATE ANY DIRECTORY to become a SYSDBA
10/17/2008: How to write injection proof PL/SQL
10/14/2008: October Critical Patch Update 2008 is out
10/13/2008: New version of cracker-2.0 the PL/SQL cracker - option to not reveal passwords
10/13/2008: Two new blogs on Oracle internals
10/02/2008: Happy Belated 4th Birthday to my blog
09/29/2008: Slides from my Oracle Security Masterclass at White-Hats are available
09/25/2008: Oracle Password Cracker written in PL/SQL is available
09/25/2008: Oracle Security talk available as slides and also video
09/23/2008: An update, slides, USA and a masterclass
09/17/2008: Oracle Security webinar with Pete Finnigan
09/15/2008: Oracle Security Masterclass slides available
08/29/2008: A new Oracle Password cracker that runs inside the database
08/28/2008: Designing application and code to use the minimum privileges
08/25/2008: Another Major UK Data Loss
08/13/2008: Stopping a user from changing his own Oracle database password
08/11/2008: Holidays, Patch re-releases and newsletters
07/31/2008: Conferences and Training Dates
07/30/2008: 0-day and the first security alert for 3 years from Oracle
07/28/2008: Is Oracle Security getting better or in other words is Oracle Security good enough?
07/24/2008: IOUG/Oracle Software Security Assurance Team joint survey
07/23/2008: Kurt Van MeerBeeck (jDul, DUDE) has started a blog
07/22/2008: Advisories for the July 2008 Critical Patch Update and exploit code
07/21/2008: Lateral SQL Injection needs no database privileges
07/18/2008: July 2008 Critical Patch Update (CPU) is the first to use CVE-ID numbers
07/17/2008: Sentrigo release Hedgehog vPatch
07/16/2008: July 2008 Critical Patch Update is out - a remote un-authenticated exploit revealed
07/15/2008: Archive and purge in a security context presentation slides available
07/14/2008: A new improved version of the woraauthbf Oracle password cracker is available
07/12/2008: nCipher provides encryption key management for TDE in Oracle 11g
07/11/2008: Oracle Patch Tuesday Is Coming
06/30/2008: SQL Injection tools
06/20/2008: An Oracle Security Survey by The IOUG and Oracle
06/18/2008: Hacking Oracle with a coffee machine?
06/11/2008: Sentrigo Hedgehog
06/05/2008: Two Oracle Security Presentations
06/04/2008: SYSDBA And Triggers And Invoker Rights
06/02/2008: Internet wars
05/22/2008: Talking, Training and statistics
05/21/2008: Read only Tables or Read only users
05/20/2008: Oracle Authentication Process and password algorithm
05/16/2008: Howard's DORIS script is available again - some security comments from me
05/15/2008: License Plate scanners and SQL Injection
05/14/2008: Oracle Application Server 10g ORA_DAV basic authentication bypass
05/13/2008: License plate SQL Injection
05/01/2008: Slides from OUG Scotland DBA SIG on Oracle Forensics available
05/01/2008: Conditionally firing triggers
04/30/2008: Lateral SQL Injection and Conferences and security training
04/25/2008: Slides from OUGN Norway and RISK 2008 Norway available
04/14/2008: Two remotely exploitable without authentication bugs to be fixed
04/08/2008: Fine Grained network Access Control in 11g
04/07/2008: C code API to encapsulate OCI
03/31/2008: A new version of the Oracle password cracker woraauthbf is available
03/28/2008: Slides from Pete Finnigan Oracle Security webinar available
03/22/2008: A new release of Inguma
03/15/2008: Pete Finnigan is doing a live webinar on Oracle Security March 28th
03/14/2008: Oracle security audit training in the Netherlands with Pete Finnigan
02/29/2008: Oracle Security Back to basics slides available
02/25/2008: Speaking events, SQL Hashes and clever password crackers
02/14/2008: Oracle Defending Against SQL Injection Tutorial
02/13/2008: A hint of Oracle's coding standards
02/11/2008: Oracle security conferences, illness and ....
02/07/2008: A default password script and a cracker helper script
02/04/2008: Limited becomes UK partner for Sentrigo Hedgehog
02/01/2008: Oracle database exploits available for January 2008 CPU fixes
02/01/2008: A new version of woraauthbf - The Oracle password cracker is released
01/30/2008: Limited Advisory for the Oracle Jan 2008 CPU
01/28/2008: Review of the book Practical Oracle Security
01/24/2008: Orablogs is no more (well soon)
01/23/2008: Pete Finnigan; new VPD in the real world paper available
01/21/2008: UKOUG Unix SIG 22nd Jan and more
01/16/2008: Oracle release the January 2008 CPU patch
01/14/2008: Sentrigo release a study of how many people apply a CPU
01/08/2008: Why does the parameter count change
01/07/2008: Happy New Year and an example of having your bank account compromised
12/24/2007: List of Security papers
12/21/2007: In memory backdoors in Oracle
12/21/2007: emkey and the importance of it in Grid Control security
12/16/2007: Mining Data from the Listener Log
12/09/2007: Pete Finnigan Oracle Security Masterclass presentation from UKOUG
12/09/2007: Pete Finnigan Oracle Forensics presentation from the UKOUG
12/09/2007: Pete Finnigan Oracle Security Tools presentation from UKOUG available
12/03/2007: Read only, best of Oracle security, locating passwords and UKOUG
11/25/2007: Eight ways to hack Oracle
11/21/2007: Personal details for 25 Million people go missing in the UK
11/20/2007: Would you like a job in Oracle security - Limited is hiring
11/17/2007: 10g and 11g password leak during install, honeypots and databases exposed to the internet
11/12/2007: Oracle 0-day bug to get SYSDBA access to the database
11/08/2007: Pete Finnigan Oracle 11g Security presentation slides available
11/06/2007: Exploit code to crash an Oracle database posted
11/06/2007: Pete Finnigan speaking about Oracle 11g Security tomorrow at UKOUG DBMS SIG
11/02/2007: DBMS_SQL new security features and ROWID hacking
10/31/2007: Does Oracle's Database Need More Security?
10/31/2007: Memory resident backdoors in Oracle
10/30/2007: Simple Oracle 11g Password check PL/SQL script
10/29/2007: Oracle Database Buffer overflow vulnerability in function MDSYS.SDO_CS.TRANSFORM
10/29/2007: Oracle Database Buffer overflow vulnerability in procedure DBMS_AQADM_SYS.DBLINK_INFO
10/29/2007: New presentation on Database Vault faults
10/29/2007: A new SQL Injection protection PL/SQL package
10/27/2007: David Litchfield has started a new blog
10/25/2007: Nice ideas to scrape the alert log in Windows
10/24/2007: CheckPwd version 2 A12 is released
10/23/2007: Oracle 11g for Windows is available
10/18/2007: Oracle plugs critical database, application flaws
10/17/2007: Oracle Issues Pile of 51 Security Patches
10/16/2007: October 2007 Critical Patch Update (CPU) is out
10/16/2007: Nice paper on time based blind SQL
10/15/2007: Creating a SYSDBA backdoor
10/13/2007: Oracle October CPU pre-release analysis
10/10/2007: Extreme SQL Injection
10/09/2007: The fastest Oracle password cracker in the world is released!!!
10/08/2007: Weakness in Oracle's new 11g authentication protocol
10/03/2007: Nice SQL Injection cheat sheet
10/02/2007: The first Oracle 11g password cracker
09/26/2007: Oracle Security on Windows presentation uploaded
09/23/2007: September 2007 - 3 years of Oracle security blogging
09/22/2007: Oracle 11g Password algorithm revealed
09/19/2007: Oracle 11g Security - part 5 {Playing for time}
09/17/2007: Oracle 11g Security - part 4 {Times and dates and lengths}
09/16/2007: Decompilation - reality or myth
09/14/2007: Using Log Miner for database forensics
09/13/2007: 6 Oracle security presentations added to Oracle security white papers page
09/13/2007: Hacking hardened and patched Oracle databases
09/12/2007: Security analysis of the JInitiator buffer overflows
09/11/2007: Make Oracle PCI compliant
09/09/2007: Oracle security presentations
09/04/2007: Code Breaking
08/31/2007: Oracle 11g Security - part 3 {peek and poke}
08/26/2007: Oracle 11g Security - part 2 {The beginning}
08/22/2007: 11g and Oracle Security
08/21/2007: Oracle Forensics Paper part 6
08/19/2007: Pete Finnigan is now an independent and available for Oracle security work
08/14/2007: Oracle Forensics presentation and a new paper
08/10/2007: 11g is here
08/06/2007: Are security tools a virus or a trojan or even a danger?
07/31/2007: Checksumming on all supported versions of Oracle
07/24/2007: First exploit released for CPU July 2007
07/18/2007: CPU July 2007 is out
07/16/2007: Oracle UK systems accused in 'SSH hacking spree'
07/13/2007: A new Oracle security scanner written in Ruby
07/11/2007: Apex and its security model
07/10/2007: database security bloopers
07/10/2007: More SQL Injection
07/08/2007: Please don't SQL Inject a bank
07/05/2007: Checkpwd updated and also released for Mac
06/29/2007: ERP thesis questionnaire
06/28/2007: Using Field Programmable Gate Arrays (FPGA) to crack passwords
06/23/2007: Script to find all privileges assigned to a user/role - users complaint
06/20/2007: Data breach concerns running rampant, survey finds
06/18/2007: A New Approach to Database Security
06/13/2007: Database Vault presentation slides available
06/12/2007: Imperva launches a free database security scanner
06/11/2007: Nice list of security papers
06/10/2007: Amichai Schulman has started a database security blog
06/05/2007: Valid node checking as a simple free firewall for the database
06/04/2007: Another new paper on Oracle password cracking
05/29/2007: David Litchfield announces Open Software Database forensics toolkit
05/29/2007: Software should defend itself: Oracle CSO
05/29/2007: New paper on Oracle native authentication in 9i and 10g
05/28/2007: A new Oracle security blog in English and German and some Oracle security videos
05/24/2007: A new database security blog talks about propagating middle tier and application user identities
05/24/2007: Security guru blasts Oracle's patching policies
05/21/2007: UKOUG Unix Sig - Hacking and Securing Oracle
05/20/2007: 15 free SQL Injection scanners
05/17/2007: Oracle forensics part 4 - live response
05/15/2007: Oracle BI Suite and Row Level Security
05/11/2007: Getting started with Oracle security
05/09/2007: Oracle audit vault is available for trial download
05/06/2007: Pete Finnigan to speak about Oracle security
05/03/2007: Pete Finnigan UKOUG Leeds April 2007 slides available
04/28/2007: Oracle forensics in a nutshell
04/23/2007: I am speaking at the Northern Server Technology day tomorrow 24th April
04/20/2007: NGS have released an analysis for the April CPU 2007
04/19/2007: Analysis of April 2007 CPU
04/19/2007: Analysis: Automated Code Scanners: False Sense of Security?
04/18/2007: Oracle Updates Leave Critical Windows Flaw
04/17/2007: Oracle Critical Patch Update April 2007 is out
04/17/2007: 103 free security apps for Mac, Windows and Linux
04/17/2007: Milw0rm - Oracle exploits
04/12/2007: A new Oracle Security Apprentice?
04/09/2007: Oracle Assessment Toolkit
04/04/2007: 3 new papers on Oracle forensics
04/03/2007: Argeniss have released a simple Oracle root kit
04/02/2007: Bunker has released a 0-day Oracle exploit
03/30/2007: 2 new exploits for Oracle
03/29/2007: Cesar Cerrudo shows how to find more than 5 local 0-days in Oracle
03/28/2007: Site downtime
03/26/2007: 4 new Oracle exploits released
03/24/2007: SQLGotcha 4.0 beta released on Sourceforge
03/23/2007: Oracle sues SAP for allegedly behaving like it has toward Linux
03/22/2007: Interesting post on previous values in datafiles
03/17/2007: Oracle forensics, UKOUG and blog troubles
03/11/2007: Nice paper on BBED in French
03/06/2007: New paper on Oracle Forensics
03/05/2007: More Oracle exploits
03/05/2007: Researcher charts new, more dangerous Oracle attack
03/05/2007: New attack technique puts Oracle in crosshairs
03/05/2007: Oracle exploits available
03/03/2007: New and Improved Oracle Exploits Coming at Black Hat
02/27/2007: New paper: Cursor injection - attacking Oracle with just CREATE SESSION
02/25/2007: 11i Security papers available
02/23/2007: More on Oracle hacking techniques
02/20/2007: Hacking Oracle, but not in English
02/18/2007: Hacking SYS password added as a pdf
02/16/2007: Oracle TNS Protocol downgrade attacks
02/16/2007: How to hack SYS password without logging into the database
02/15/2007: Oracle 0-day exploit to be released - Blackhat Washington DC database security presentations
02/12/2007: Argeniss are now selling Oracle rootkits!
02/08/2007: Where's Larry? Ellison calls out sick at RSA Conference
02/07/2007: Oracle Database Vault is certified with PeopleSoft
02/05/2007: Detecting rootkits
02/05/2007: Comments are enabled on this blog again
02/02/2007: Users and Schemas
01/31/2007: BBED - Oracle Block Browser and EDitor - A hacker tool?
01/30/2007: Download some free chapters from the Oracle Hackers Handbook
01/30/2007: Oracle Hackers Handbook
01/24/2007: Transparent Data Encryption (TDE) certified for Apps 11i
01/24/2007: checkpwd has been updated to 1.22 and is around 30% faster
01/22/2007: Oracle password crackers just got faster
01/21/2007: Secure Passwords Keep You Safer
01/19/2007: Toolkit of generators and brute force tools
01/18/2007: Details Oracle Critical Patch Update January 2007 - V1.02 released
01/16/2007: Critical Patch Update January 2007 is out
01/16/2007: Definer rights AS SYSDBA security issue?
01/15/2007: new paper on oracle as sysdba connection weakness
01/14/2007: Oracle emulates Microsoft with advance patch notice
01/14/2007: Oracle To Patch 55 Database, App Server Bugs Next Week
01/12/2007: Oracle have announced a CPU pre-release feature
01/10/2007: Great paper on Oracle Applications 11i password weaknesses and decryption
01/05/2007: Teaching an Old Dog New Tricks
01/04/2007: 10 steps to creating your own security audit
01/03/2007: A good blog to watch for Oracle internals and hard to find info
01/01/2007: Stealing Oracle passwords from the wire
01/01/2007: It seems Dizwell has gone, come back (maybe) and gone again
12/29/2006: Happy new year!!
12/23/2006: Integrigy have released a completely new version of their listener check tool
12/21/2006: Oracle 11g will have SHA-1 hashed passwords and case sensitive passwords
12/20/2006: Evading Oracle IDS and audit appliances
12/20/2006: Hacking and hardening Oracle Express Edition - UKOUG 2006
12/12/2006: Oracle XE, where are the security patches?
12/12/2006: Pete Finnigan's InfoSec 2006 paper How to Secure Oracle in 20 Minutes
12/12/2006: SQL Injection, Are Your Web Applications Vulnerable?
12/08/2006: Nice paper on Securing Web Applications
12/08/2006: WinSID an Oracle instance discovery tool is available again
12/07/2006: Pete Finnigan's Oracle Security Masterclass UKOUG 2006 available
12/07/2006: A free PL/SQL fuzzing tool released
12/06/2006: for Linux and Windows is out
12/05/2006: The Best of Oracle Security 2006 (in German)
12/05/2006: Pete Finnigan's UKOUG presentation on FGA, VPD and audit performance
12/04/2006: Tension between security vendors, bug hunters continues to simmer
12/01/2006: Oracle launches identity governance project
11/30/2006: Week of Oracle bugs axed--for now?
11/24/2006: Carelessness Runs Amuck With Zero Day Vulnerabilities
11/23/2006: Week of Oracle zero-days planned
11/22/2006: Oracle in the Crosshairs for Week of Exploits
11/22/2006: Oracle Security Patch Causes Insecurity
11/22/2006: Pete Finnigan's presentation from UKOUG 2006 in Birmingham on Encryption
11/21/2006: Argeniss are to release an Oracle 0-Day exploit every day for a week
11/20/2006: Securent Could Be a Fine Addition for Oracle
11/13/2006: UKOUG starts tomorrow
11/08/2006: 10gR2 and failed_login_attempts
11/06/2006: Oracle password crackers
11/03/2006: There is a newer version of the orabf Oracle password cracker available
11/01/2006: checkpwd Oracle password cracker now supports multi-core CPU's
10/31/2006: Jonathan Lewis has a new weblog
10/30/2006: myspace hacked
10/27/2006: Best Practice for securing E-Business Suite updated
10/26/2006: BT buys security outsourcer Counterpane
10/26/2006: Help in handling Oracle vulnerabilities
10/23/2006: Users look for details on Oracle's next database
10/20/2006: Oracle releases 101 patches in quarterly update
10/20/2006: Oracle fixes 101 flaws
10/20/2006: Using procedures to access data only
10/18/2006: Oracle plugs 101 security flaws
10/18/2006: Oracle Issues Monster Security Patch
10/18/2006: Details of bugs fixed in CPU October 2006 released
10/17/2006: October 2006 Critical Patch Update (CPU) is out
10/16/2006: Oracle to provide clearer vulnerability ratings
10/16/2006: Oracle Security Alerts Get Overdue Makeover
10/16/2006: Tomorrow is patch Tuesday - the Oct 2006 CPU is due!
10/14/2006: SANS Oracle S.C.O.R.E. document has been updated
10/13/2006: Security bug in not fixed yet
10/11/2006: Oracle will improve the CPU documentation with the Oct 17th 2006 CPU
10/11/2006: Applying CPU's
10/09/2006: Tom has discovered a PL/SQL oddity
10/08/2006: Data breaches near 94 million
10/07/2006: Using JAZN LDAP for security in Portal
10/07/2006: Some good SQL Injection links
10/06/2006: Oracle 11i and SSO
10/04/2006: A portal exploit or security advice
10/04/2006: Oracle's Security Plans
10/03/2006: SQLGotcha version 3.0 is available
10/01/2006: Oracle promises tighter security for SOAs
09/29/2006: Security professionals at risk from hacking laws
09/29/2006: Ethical hacking in Oracle
09/28/2006: Security Inside
09/25/2006: Eddie on another undocumented function
09/25/2006: Project lockdown
09/22/2006: Only 6% of identity theft can be attributed to data theft.
09/22/2006: Cybercrime Is Getting Organized
09/20/2006: Two years of Oracle Security blogging and still going strong
09/19/2006: Exploit screencasts
09/18/2006: Pete Finnigan at UKOUG 2006
09/15/2006: Cache missing for fun and profit
09/12/2006: IT Underground conference in Rome cancelled at last minute
09/09/2006: Identity theft is becoming mainstream
09/08/2006: Nice network trace tool
09/07/2006: Pete Finnigan podcast interview on Oracle security
09/05/2006: Nice idea on audition using trace events
09/04/2006: I will be speaking at the IT Underground in Rome
09/03/2006: Interesting post about protecting PL/SQL
09/03/2006: Nice post by steve about Federal Information Security Management Act (FISMA)
09/01/2006: Nice post on an undocumented function - Reverse
08/31/2006: How not to create user authentication
08/31/2006: Oracle's Ellison to take stage at next RSA confab
08/31/2006: Oracle's Ellison to strut his stuff at RSA 2007
08/30/2006: New additional syndication feeds for this blog
08/30/2006: Application centric security
08/29/2006: Nice post on the Logica blog about LDAP user info
08/29/2006: Duncan speaks about Common Criteria Security Evaluations
08/28/2006: on Linux is out
08/26/2006: Spotlight on Oracle security
08/26/2006: DMZs, SSL, RAC, OracleAS 10g and Oracle E-Business Suite 11i
08/25/2006: Unpatched enterprise security bugs proliferate
08/25/2006: is out for Solaris
08/24/2006: Mr. Know-IT-All's Oracle Security Challenge
08/22/2006: is out for Windows, MVS and HP/UX
08/21/2006: Oracle root kits part 2
08/18/2006: MatriXay a new way to penetration test web apps and databases
08/17/2006: Oracle expert warns of weakness in PL/SQL
08/17/2006: Databases at war
08/17/2006: Oracle Announces General Availability of Oracle(R) Identity Management 10g Release 3
08/15/2006: Stephen Kost has a new Oracle security blog
08/15/2006: Integrating Oracle with the Windows Active Directory
08/14/2006: Oracle Database Patch Sets
08/14/2006: Blinded By The Glare Of Facial Piercings At Black Hat (Or, The One That Got Away)
08/09/2006: Defcon 2006: Oracle not so unbreakable
08/08/2006: High bidders with low motives
08/08/2006: How to Unwrap PL/SQL BlackHat las vegas 2006 presentation slides are available
08/07/2006: Tom has an interesting post on Security via obscurity
08/06/2006: BlackHat Last week
07/28/2006: An interesting thread on Alex's DBMS_ASSERT paper
07/28/2006: A new Oracle exploit revealed on the bugtraq list
07/27/2006: SQL Injection video
07/27/2006: How to bypass the protection implemented by DBMS_ASSERT
07/26/2006: Oracle Password Repository
07/24/2006: Blackhat Las Vegas 2006 and unwrapping PL/SQL
07/19/2006: Oracle's summer update fixes 65 flaws
07/19/2006: Oracle plugs 65 security holes
07/19/2006: Oracle Patches 65 Vulnerabilities
07/19/2006: Oracle owns up to patching problems
07/18/2006: Alex has an analysis of CPU July 2006 and also advisories
07/18/2006: All database patches are available this time
07/18/2006: Eric Maurice speaks about the July CPU
07/18/2006: CPU July 2006 is out
07/14/2006: oh the irony...
07/10/2006: Mary Ann speaks - on security testing rules
07/10/2006: Security vulnerability disclosure - part 1
07/07/2006: Nice three part article on FGA
07/07/2006: Where is
07/05/2006: More on SYSDBA caching
07/03/2006: Nice post by Eddie about undocumented pragmas
07/02/2006: Great SQL injection paper
07/02/2006: A follow up on Stephens SYSDBA post
06/29/2006: An interesting post on Stephen's Oracle blog about SYSDBA passwords
06/28/2006: Survey: Hardware, not hackers, usually causes Oracle database downtime
06/20/2006: Social Engineering, the USB Way
06/19/2006: Five best practices for Oracle applications developers
06/19/2006: DB2 Security Glitch Makes IBM Whine
06/13/2006: A blog with some Oracle security entries
06/13/2006: Nice post about identities
06/12/2006: Building a Simple Firewall Using Oracle Net
06/12/2006: The DTI security breach survey is out
06/08/2006: An Expert's Perspective on the VA Data Theft
06/06/2006: is to be a terminal release
06/05/2006: Laurent on mod_plsql
06/03/2006: A nice post about risk based security
06/02/2006: undocumented pragmas
06/02/2006: Oracle blogs aggregator speeded up
06/01/2006: New paper Oracle Database Security
06/01/2006: Oracle, vis-a-vis Mary Ann Davidson, attacks poor coding practices
05/31/2006: Views on Mary Ann and an article about buggy code
05/31/2006: Oracle exec hits out at 'patch' mentality
05/31/2006: Oracle mending fences with security researchers
05/31/2006: Oracle's security chief lambastes faulty coding
05/26/2006: Project Lockdown
05/25/2006: Exploiting and protecting Oracle
05/25/2006: Rationalization, Sex, and Oracle
05/25/2006: Tripwire Partners with Oracle® to Enable Enhanced Security and Increased Compliance
05/25/2006: Pete Finnigan blog back on orablogs
05/25/2006: Oracle adds to secure archiving, audit features
05/23/2006: Cisco, others invest $6.3m in Guardium
05/23/2006: Cisco, others invest $6.3m in Guardium
05/23/2006: Security Patch website
05/23/2006: The Patch Impasse: Front line perspectives from enterprise IT
05/22/2006: An excellent post by Lucas about object changes and RSS feeds
05/22/2006: The hacker resistant database
05/22/2006: Site was down due to power failure at the ISP
05/18/2006: Password recommendations on Eddie's blog
05/16/2006: Egor Starostin has a blog
05/16/2006: OraSRP open source SQL Trace profile tool
05/15/2006: David Litchfield has a new blog
05/11/2006: Oracle refuses to learn its lesson, experts say
05/08/2006: Oracle Internals: A good post by Doug about DUDE
05/07/2006: An Oracle security blog from Oracle
05/06/2006: Patched Oracle database still at risk, bughunter says
05/06/2006: Customers Wait for Oracle Security Patches
05/05/2006: Interesting thoughts on the Andrew Max blog about the recent 0-day view issue
05/04/2006: Oracle keeps many users waiting on April patches
05/03/2006: Researcher: Oracle Needs To Patch 44 More Bugs
05/01/2006: Patched Oracle database 'still vulnerable'
05/01/2006: Patched Oracle database 'still vulnerable'
04/30/2006: A quick update on my sites progress
04/28/2006: My site is moving now
04/21/2006: My site is moving so could go down for a short while
04/20/2006: Exploit code available for one of the bugs fixed in April 2006 CPU
04/20/2006: Security expert calls for Oracle makeover
04/20/2006: Argeniss are selling 0-day exploits for Oracle
04/20/2006: DBMS_SCHEDULER as a new alternative for DBMS_JOB by Patrick Sinke
04/20/2006: Oracle's default password scanner released with CPU April 2006
04/19/2006: CERT Issues Alert for Oracle
04/19/2006: Alex has released an advisory for his bug in CPU April 2006
04/18/2006: What is amazing is that a lot of CPU patches are not available until May!!
04/18/2006: Oracle has released CPU April 18th 2006
04/17/2006: Happy birthday to Tom's blog
04/17/2006: Unbreakable, Unless You Shoot Yourself in the Foot
04/17/2006: 10 Infamous Moments In Security Research
04/17/2006: Great trip to Seattle to the PSOUG Oracle day 2006
04/14/2006: At the PSOUG Oracle day in Seattle
04/10/2006: Oracle releases, then pulls, zero-day database exploit code
04/10/2006: Oracle databases at risk
04/10/2006: Oracle Slip-up Results In Leaked Exploit Information
04/10/2006: Oracle has released details of a 0-day vulnerability including exploit code on Metalink
04/10/2006: Back blogging again about Oracle Security
03/24/2006: Mary Ann Davidson has started a blog!
03/23/2006: Oracle have sent out an email to advise customers to patch CPU Jan 2006 for on Linux
03/22/2006: Oracles New Search Efforts
03/22/2006: iSQL*Plus will be desupported
03/18/2006: switching from OID to Fedora Directory Server
03/16/2006: Experts unconcerned by RFID virus
03/16/2006: Chaos among PC Users over McAfee Update
03/16/2006: Microsoft goes public with Blue Hat hacker conference
03/13/2006: Fatal false alarm in McAfee VirusScan
03/11/2006: A site move (not far!) and some planned improvements and changes coming
03/07/2006: Security is the password
03/06/2006: Oracle Security Under Scrutiny
03/06/2006: Oracle on track of secure search
03/01/2006: An ideal password reset function - NOT!
03/01/2006: Oracle releases critical, out-of-cycle patch
02/28/2006: Oracle publishes out-of-cycle security fix
02/28/2006: Oracle issues security patch
02/27/2006: Oracle releases an out of step security patch for E-Business Suite
02/26/2006: Oracle Integrating Identity Wares
02/23/2006: Sun's McNealy: Open Source Key To Security
02/23/2006: Lewis has a paper on Oracle security as well.
02/23/2006: Nice presentation by Lewis on Oracle Security
02/23/2006: Pete Finnigan's blog is back on
02/23/2006: Oracle Enterprise Manager now supports Microsoft
02/23/2006: Oracle Identity Management Spurs Global Adoption
02/21/2006: Security's Heaviest Hitters
02/21/2006: A GSEC paper on securing Oracle Collaboration Suite
02/21/2006: Securing Data Warehouses With OID, Advanced Security And VPD
02/21/2006: Tom has a great post about continuity of operations
02/21/2006: Andrew Clarke has a post about Google hacking Oracle
02/21/2006: Security experts see vulnerabilities in embedded databases
02/19/2006: OASIS stamps approval on WS-Security 1.1
02/19/2006: Secure the OEM Encryption Key
02/16/2006: New Oracle blogs aggregator
02/16/2006: pssst, want to read something secret?
02/13/2006: Inside job
02/12/2006: Oracle Starts Melding Security, ID Management Offerings
02/12/2006: Oracle Set to Refresh Key Software Packages
02/11/2006: SourceLabs puts its SASH around Oracle
02/09/2006: Good paper on password policies
02/09/2006: Brian Duff announces that is live
02/09/2006: Oracle defends security record
02/08/2006: Looks like Oracle will have its own blog aggregator and home
02/08/2006: Interesting listener.ora / listener password and VMS error
02/07/2006: Nice thoughts on Oracle internal people finding security bugs
02/06/2006: Inside Oracle's Patch Kimono
02/06/2006: Interesting thought on security advisories
02/05/2006: Oracle have released a FAQ to counter the mod_plsql 0-day bug
02/05/2006: A great snort rule to detect the mod_plsql 0-day bug
02/05/2006: Oracle aims to tone security muscle with Fusion
02/05/2006: leaking information about Oracle databases could be a dangerous thing
02/02/2006: patch set does not include latest security fixes!
02/02/2006: Alex has described a new work around for the mod_plsql 0-day bug
02/01/2006: Stephen Kost ( has released an analysis of the mod_plsql 0-day bug / workaround
02/01/2006: is available
02/01/2006: exploit code released for the DB18 AUTH_ALTER_SESSION bug - how to make any user a DBA
01/31/2006: How to connect to the database using Perl - with two way communication
01/31/2006: Information Week on the mod_plsql 0-day bug
01/30/2006: Gartner: Oracle no longer a bastion of security
01/27/2006: An argument rages in the ePress between Oracle and Litchfield
01/27/2006: Many ways to become a DBA presentation updated
01/27/2006: Details published about the mod_plsql 0-day bug
01/27/2006: Interesting comments about the David Litchfield bug and the Duncan Harris interview
01/27/2006: Alex has produced a document detailing the changes made by CPU Jan 2006
01/25/2006: Oracle is advising customers to patch the last CPU very quickly
01/25/2006: David Litchfield has released a workaround for an unpatched Oracle security bug
01/25/2006: Speaking engagements tomorrow and in April
01/25/2006: Harder-to-Detect Oracle Rootkit on the Way
01/25/2006: Oracle have re-released the Linux Jan 2006 CPU patch for
01/25/2006: Oracle security joke - a template for journalists
01/25/2006: Doug has some great comments on canned application security
01/25/2006: Oracle's patch application program OPatch is causing access problems after applying interim patches
01/24/2006: Duncan Harris speaks on Oracle Security
01/22/2006: Alex has produced a detailed analysis of the Jan 2006 CPU
01/22/2006: The CPU Jan 2006 patch for HP/UX Application Server is empty
01/19/2006: Alex has added advisories for 23 security bugs fixed in 10g Release1
01/19/2006: Steven Feuerstein has started a weblog
01/19/2006: Bug DBC02 in CPU Jan 2006 found by Joxean Koret identified
01/17/2006: Red Database Security has released 5 Oracle security bug advisories
01/17/2006: Imperva discovers a critical access control bypass in login bug
01/17/2006: January 2006 Critical Patch Update Oracle security patch is released
01/16/2006: Interview with Oracle's security chief
01/16/2006: Lewis has an interesting post on Easy Connect
01/14/2006: Oracle is finally listening to customers about fix times and security patch quality
01/12/2006: Doug has posted an interesting note about executing SQL scripts from URLs
01/12/2006: Dump
01/12/2006: Oracle have released an email warning customers about the latest worm
01/10/2006: Howard has some good advice on protecting against worms
01/09/2006: Justin talks about a new series of papers on Oracle security by Arup
01/09/2006: Oracle database worm mutates
01/08/2006: Oracle 'Worm' Exploit Gets Ominous Tweak
01/07/2006: A tiny digital camera
01/06/2006: up front security
01/06/2006: Frappr is mapping Oracle bloggers
01/05/2006: Niall has a good post - DBA as User
01/05/2006: The slashdot effect can be a problem for other sites
12/31/2005: More detailed analysis of the new Oracle worm
12/31/2005: A new variant of the Oracle Voyager worm is in the wild
12/31/2005: Metacoretex has been hacked
12/30/2005: Spammers again...
12/30/2005: David Knox on secure application roles
12/29/2005: State of the nation: referral spam, comments, content management, dedicated hosting and more
12/24/2005: A very happy christmas to everyone
12/24/2005: A nice paper on listener auditing
12/22/2005: standalone discoverer clients now sso compliant for E-Business Suite users
12/21/2005: Mary Ann Davidson announces that Fortify software will be used to find security holes in Oracle software
12/21/2005: Nice paper on database links
12/21/2005: Oracle Combines Its Identity Management Offerings
12/20/2005: Some more thoughts on the weakness of Oracle database passwords
12/17/2005: A new book Cryptography in the Database: The Last Line of Defense
12/16/2005: Another way to monitor the listener log for brute force attacks
12/16/2005: securing apache with Oracle
12/15/2005: The possible complexity level of Oracle database passwords is in question
12/14/2005: Integration Promises Still Haunting Oracle
12/14/2005: Another free Perl script to check the listener log
12/11/2005: A useful perl script to check for listener password brute force attempts
12/10/2005: Arup's new book and some networking
12/09/2005: Good overview of SOA security
12/09/2005: CIS Oracle security checklist referral
12/08/2005: DBMS SIG conference today - A security focus
12/07/2005: I am presenting at the DBMS SIG in Melton Mowbray about Oracle security
12/07/2005: Laurent talks about restricting the power of RMAN
12/07/2005: Oracle PL/SQL for DBA's
12/06/2005: Bugs
12/05/2005: Oracle security checklist
12/05/2005: Some details of listener password exploits
12/04/2005: A sample package to manipulate LDAP
12/04/2005: Nice post about LOG ERRORS potential performance issue
12/04/2005: CPU July 2005 and CPU October 2005 have problems!!
12/03/2005: Pete Finnigan is back after a week away from blogging!
11/25/2005: 0rm has updated orabf the Oracle password cracker
11/24/2005: Oracle Database security checklist from Oracle
11/24/2005: US DoD database security technical implementation guide V7, release 1
11/22/2005: Happy 20th birthday Windows
11/22/2005: A DoD Security Guidelines document for databases
11/22/2005: Some news items about the SANS TOP-20 release
11/22/2005: SANS has released a new top 20 list of vulnerabilities
11/20/2005: Two new speaking events added to my site
11/19/2005: A new Oracle security checklist paper from Oracle
11/19/2005: How many Oracle databases are exposed to the net?
11/18/2005: Listener password management features
11/18/2005: A good comparison between Oracle and SQL Server features
11/18/2005: Determining if a patch set has been applied to an Oracle database
11/18/2005: Laurent on hidden parameters
11/18/2005: David Litchfield has started a blog and talks about the worm
11/17/2005: OracleXE beta 2 released
11/17/2005: David Litchfield has started a database security portal
11/17/2005: Oracle's email on Thor Technologies and OctetString
11/17/2005: LDAP
11/17/2005: Oracle buys two security software companies
11/15/2005: Oracle responds to the password algorithm weakness paper
11/14/2005: Problems with the October CPU discovered
11/14/2005: Disclosure or advertising?
11/12/2005: DBMS_ASSERT can be used to protect against SQL Injection
11/12/2005: Mary Ann Davidson on how to evaluate software security
11/11/2005: Commercial rainbow cracking
11/11/2005: Oracle XE will get upgrades with security fixes rather than patches
11/09/2005: More than 275 new security bugs found last week in the Oracle 10g database
11/09/2005: Many ways to become DBA
11/08/2005: Bruce Schneier blogs about the Oracle password weakness paper
11/08/2005: What Are the Default Restrictions on Oracle Passwords?
11/07/2005: Oracle adds fine-grain features to ID security
11/07/2005: Oracle Worm Proof-of-concept
11/07/2005: CNET news on the Oracle worm
11/07/2005: Voyager worm targets Oracle databases
11/07/2005: A movie about Oracle homeland security solutions
11/06/2005: Oracle alerts customers to the so called voyager worm
11/04/2005: Why Protect Fort Knox Borders But Ignore The Gold?
11/03/2005: Oracle has released a new security vulnerability fixing policy and process
11/03/2005: Mary Ann speaks about security strategy
11/02/2005: Oracle Express - will we get security patches? - I truly hope so
11/01/2005: UKOUG so far
11/01/2005: Oracle worm in the wild
10/30/2005: UKOUG tomorrow
10/30/2005: Oracle Express - friend or foe?
10/29/2005: Some news stories about the josh oracle password paper
10/27/2005: Josh has released a paper about the Oracle password algorithm
10/27/2005: Flaw hunters pick holes in Oracle patches
10/26/2005: Some fight back on Oracle security bugs - old news article
10/22/2005: Exploit circulating for newly patched Oracle bug - It can crash an unpatched database server
10/21/2005: Researcher: Oracle Patch Set Flawed Again
10/21/2005: An example of using DBMS_CRYPTO
10/21/2005: My site was on the BBC 1 breakfast - well a picture of a link to it was!
10/20/2005: Easy connect identifier
10/20/2005: An exploit has been published for database security bug DB27
10/20/2005: Alex has posted an excellent analysis of the CPU Oct 18 database security bugs
10/19/2005: Women who know Oracle and security
10/19/2005: Some news about the CPU October 18 2005 Oracle security patch set
10/18/2005: CPU October 18th a few comments
10/18/2005: Security Critical Patch Update October 18 is out
10/16/2005: comments and how to re-enable them on this blog
10/14/2005: How to encrypt/decrypt strings with the dbms_obfuscation_toolkit package
10/13/2005: Prevention and detection better than cure
10/12/2005: The Age talks about David Litchfields open letter to Oracle
10/11/2005: Security, SOX and Oracle Incentive Compensation
10/10/2005: WebGoat an application to learn how to hack!
10/10/2005: A new paper on SQL Injection
10/08/2005: Some more posts on bugtraq about David Litchfields open letter to Oracle
10/07/2005: Slight correction to the HTMLDB advisories
10/07/2005: Red Database Security has released 6 new Oracle security bug advisories
10/07/2005: Researcher lashes out at Oracle's security effort
10/06/2005: Link to David Litchfields original post
10/06/2005: David Litchfield writes an open letter to the security community and Oracle customers
10/05/2005: OUG Scotland
10/03/2005: Good thread on Oracle brute force password cracking and OUG Scotland
10/03/2005: A couple of papers by Mladen Gogala
10/01/2005: The Six Dumbest Ideas in Computer Security
10/01/2005: Oracle and Sarbanes Oxley
10/01/2005: Amis has a good post on debugging client side SQL*Net
09/30/2005: more failed_login_attempts!
09/29/2005: More details on default failed_login_attempts
09/29/2005: More security help in 10g R2
09/29/2005: Nice example of the new password store in 10g R2
09/27/2005: Quite a nice post about debugging with DBMS_DEBUG
09/26/2005: Another Larry news article on security from OOW
09/26/2005: Larry Ellison speaks about fixing security bugs
09/25/2005: A new paper on a security hole in Application Server Control
09/24/2005: Meet the experts (Oracle Security) at Oracle Open World - an open standard for securing Oracle
09/24/2005: Happy first birthday to my Oracle security blog!
09/21/2005: Oracle Proxy Users
09/19/2005: Some testing of orabf (Oracle password cracker) speed by Marcel-Jan
09/19/2005: A nice fix for the Overwrite any file via desname in Oracle Reports bug
09/17/2005: On Security, Is Oracle the Next Microsoft?
09/17/2005: An interesting post on patch scheduling and disclosure
09/17/2005: Google has added a great blog search tool
09/15/2005: Oracle Locks Up 'Federated' App Server
09/15/2005: Alex's SQL Injection advisory is available in German
09/14/2005: Alex has released details about a common SQL Injection vulnerability in Oracle reports
09/13/2005: A small correction to a post about DBMS_SYSTEM.KSDDDT
09/12/2005: Amis talks about the need to remove USER from PL/SQL and SQL code
09/12/2005: Some Perl and problems with referral spammers
09/09/2005: Nice paper by KK Mookhey and Nilesh Burghate - Detection of SQL Injection and Cross-site Scripting Attacks
09/09/2005: 10g Release 2 for Windows is available
09/07/2005: jDUL / DUDE (Database Unloading by Data Extraction) - an alternative to DUL
09/06/2005: archivelog mode - or not?
09/05/2005: Wifred notes that Patch has a bug in Oracle forms
09/05/2005: Pre DBMS_RANDOM
09/04/2005: Security firm considers changing its policy on public disclosure of security vulnerabilities
09/03/2005: CPU July 2005 patch set for Application Server Windows has a problem
09/03/2005: Congratulations to Mark Rittman on for Oracle magazines Oracle ACE of the year 2005
09/01/2005: 0rm's Oracle password cracker orabf has been updated
08/31/2005: Alex has added a page to compare the available Oracle password crackers
08/29/2005: A career change and some site revamping
08/27/2005: 1.02 Million hashes/second Oracle dictionary and brute force password cracker available
08/26/2005: Alex has released version 1.1 of Checkpwd - the Oracle dictionary password cracker
08/25/2005: Full disclosure list: Summary of the password algorithm and a C code plug-in for John The Ripper password cracker
08/25/2005: A correction to the author and URL for
08/24/2005: A perl script to brute force database connections
08/24/2005: Alex Kornbrust has released a Linux version of his Oracle password cracker
08/23/2005: A second thread on c.d.o.s. about the Oracle password algorithm
08/23/2005: Red Database Security has released more Oracle password algorithm information
08/23/2005: Details of the Oracle password algorithm were revealed by its creator in 1993
08/23/2005: undocumented Oracle?
08/22/2005: Red Database Security has released a standalone Oracle password cracker
08/22/2005: New Online MD5 Hash Database
08/22/2005: Crack Oracle Security like a peanut!
08/22/2005: A short download of Tom Kytes new book is available
08/19/2005: Radoslav Rusinov's Blog and mod_plsql passwords in clear text
08/19/2005: Alex Kornbrusts Black Hat presentation on reverse engineering Oracles encryption packages
08/18/2005: Doug talks again about ? and catpatch.sql
08/18/2005: Bell Labs Dept 1127 has finally gone
08/17/2005: My site and Blog are available again
08/16/2005: OPatch, wherefore art thou?
08/16/2005: Is it just me or is Orablogs not reachable again?
08/16/2005: Hashattack 2.0 tool : ooops incorrect link on the tools page
08/15/2005: Two excellent papers on a new method to combat parameter validation and SQL Injection
08/15/2005: Robert shows how easy it is to read data from websites directly into the database
08/14/2005: The rise of Oracle blogging
08/14/2005: Oracle Security expert: More developer education is needed
08/12/2005: Prime number researchers put encryption algorithms such as RSA at risk
08/12/2005: New TNS protocol full client available for testing listener security
08/11/2005: Hashattack - Oracle password tool update to version 2.0
08/11/2005: A good page describing Oradebug
08/11/2005: Some good tips on Dougs blog?
08/09/2005: Oracle simplifies SOAs
08/08/2005: slashdot discussion about Mary Ann Davidsons recent news article
08/08/2005: Joshua Wright has provided a free tool to check Oracle accounts for common passwords
08/06/2005: 10gR2 the CONNECT role has finally been sanitized
08/05/2005: Database Vendors Shouldn't Kill the Messenger
08/05/2005: Esteban Martinez Fayo has a fantastic black hat presentation on SQL Injection
08/04/2005: 10g Release 2 is available for download for Windows
08/04/2005: Some response to Mary Ann's article
08/01/2005: Demystifying MS SQL Server & Oracle database server security
08/01/2005: Black Hat Confab to Spotlight Database Security
08/01/2005: Ingrian DataSecure - A network appliance based encryption solution
08/01/2005: Security Matters
07/29/2005: VeriSign boosts security with iDefense acquisition
07/29/2005: Grid Group Issues Security Requirements
07/28/2005: iDefense ups the bidding for bugs
07/28/2005: Oracle's 10g Encryption Feature Is a Fine First Step
07/27/2005: Mary Ann Davidson fights back - When security researchers become the problem
07/27/2005: web seminar for Oracle roadmap of Oblix integration
07/27/2005: Oracle's encryption not secure, researcher says - Alexander Kornbrust plans to detail his findings at Black Hat
07/27/2005: Oracle Patches Its Security Patches - Database patches fix flaws found in previous fixes
07/25/2005: New Oracle Security Forum opened
07/23/2005: [Argeniss] Oracle 9R2 Unpatched vulnerability on CWM2_OLAP_AW_AWUTIL package
07/23/2005: Oracle's correction to the April CPU patch email has been posted to Bugtraq
07/22/2005: Oracle Confirms Holes in Two Latest Patch Sets
07/22/2005: David Litchfield sets the record straight
07/22/2005: More problems with the April Critical Patch Update - does it ever stop?
07/22/2005: A list of all the news articles about Alex Kornbrusts advisories
07/21/2005: An Oracle spokeswoman speaks to TheAge
07/21/2005: a retro news article : Ellison: Oracle remains unbreakable
07/21/2005: More trouble looming for Oracle? - Black Hat is next week - there are 4 talks about Oracle Security
07/21/2005: The Register talks about the bugs
07/21/2005: Six Unpatched Flaws in Oracle Database Products
07/20/2005: Oracle researcher announces high-risk database flaws
07/20/2005: A couple of bloggers talk about Oracle's unpatched bugs
07/20/2005: Oracle patches more than 600 days overdue
07/20/2005: Oracle Simplifies SOA, Web Services Security
07/20/2005: Why it is important to encrypt credit card information
07/20/2005: Security experts round on Oracle over unpatched holes
07/20/2005: Oracle dragging heels on unfixed flaws, researcher says
07/19/2005: Sun has released an alert notification (15 July 2005) about multiple security vulnerabilities in Oracle affecting SunMC
07/19/2005: A Russian language news article about unfixed Oracle security bugs disclosure
07/19/2005: Red Database Security releases security advisories for high risk unfixed Oracle bugs
07/16/2005: More news on silent fixes in CPU July 2005
07/15/2005: A good German news item on CPU 12 July 2005
07/15/2005: Oracle are asking customers to download CPU July 2005 for 10.1.0.x again as there is a problem
07/15/2005: Oracle has been silently fixing security bugs in CPU July 2005
07/14/2005: Internet News talks about Oracles latest Critical Patch Update
07/14/2005: Grant talks about securing Forms applications with SSL
07/14/2005: Same problem again as April CPU - CPU July 2005 failed to fix a bug it says it did fix
07/13/2005: Oracle Simplifies SOA Security
07/13/2005: has a good news story about CPU July 2005
07/13/2005: Computer World is also talking about CPU July 2005
07/13/2005: ZDNet news talks about the Critical Patch Update 2005
07/13/2005: Security advisories released detailing 4 of the bugs fixed in CPU July 2005
07/12/2005: Self signed SSL certificates with JInitiator
07/12/2005: CPU 12 July 2005
07/12/2005: Critical Patch Update July 12 2005 is available
07/12/2005: A great new free Oracle instance discovery tool - WinSID
07/11/2005: Two security bugs found and reported to Oracle in 10g Release 2 already!
07/11/2005: The next Critical Patch Update is due tomorrow - 12 July
07/11/2005: European software patents have been ditched
07/08/2005: Paying a ransom to read your data
07/08/2005: Is it possible to check whether Oracles CPU update emails are *real*?
07/08/2005: David Litchfield has released an advisory for the recent CPU 12 April vulnerabilities
07/07/2005: Oracle have issued a second email with another exploitable vulnerability in CPU 12APR
07/07/2005: Oracle have issued an email alert that CPU April 2005 is vulnerable to exploit
07/07/2005: I have updated my RSS feed to output 40 words instead of 20
07/07/2005: Oracle 10g Release 2 is available for Linux X86
07/07/2005: Some spiffy new security bits in 10g Release 2
07/06/2005: 10g Release 2 allows deletion of datafiles
07/05/2005: orablogs is back
07/05/2005: Reverse engineering patches!
07/05/2005: Off Topic: I have started a second blog on web development
07/04/2005: Frank talked about form-based authentication with struts
07/02/2005: A new sample installation session for Oracle Password Repository (OPR) version 1.1.8
07/02/2005: Oracle Password Repository (OPR) is updated to version 1.1.8
07/01/2005: whilst on the subject of orablogs - version 2 is in the wings
07/01/2005: Orablogs still seems to have DNS issues
07/01/2005: Marcus Ranum interview on Security Focus
06/29/2005: 10g Release 2 PL/SQL and SQL new features
06/29/2005: A security issue with OPR version 1.1.7
06/28/2005: Niall says Oracle 10gR2 should be out on June 30 - for Linux
06/28/2005: Protecting network based storage
06/28/2005: A new version of OPR is released
06/27/2005: Installing Oracle Password Repository (OPR) - a walk through
06/26/2005: Ed informs us that 10gR2 should be out this month
06/24/2005: An excellent XSS cheatsheet
06/24/2005: Frank talks about Bruce Schneier's book secrets and lies
06/23/2005: Grant talks about patch 2 for 9.0.4 for certified Linux and Mac clients
06/23/2005: Doug followed up on DBA_REGISTRY
06/23/2005: Orablogs seems to be down - or maybe not!
06/22/2005: Pete Finnigan is now a member of the Oaktable network
06/21/2005: An issue with DBA_REGISTRY
06/20/2005: 10gR2 adds a wrap package procedure, TDE and makes DBMS_OUTPUT output unlimited
06/20/2005: Security is a major force in the new 10g Release 2 database
06/18/2005: OT: RSS fixes just done
06/18/2005: Changed my RSS feed to spit out the first 20 words and a link to the entry
06/17/2005: An interesting alternative technique to crack passwords
06/17/2005: Britain's hi-tech crime wave
06/17/2005: Oracle unveils its identity management suite
06/16/2005: Another great Windows internals site
06/14/2005: A nice Windows internals website
06/14/2005: Brian talks about why JPasswordField.getText() is deprecated
06/13/2005: A book on Peoplesoft for the Oracle DBA
06/12/2005: Shay talked about version control through JDeveloper
06/11/2005: OT: Another Apple post
06/10/2005: Interesting post in Amis about who called me
06/10/2005: A truss like tool for IBM AIX and a file undelete program
06/10/2005: Oracle reinforces their identity management software offerings
06/09/2005: Default passwords for Oracle BPEL Process manager
06/08/2005: Debu talked about EJB security hole
06/07/2005: Wait event enhancements in 10g
06/06/2005: ooops forgot the link
06/06/2005: DBA Audit 2.5 - An interesting audit product.
06/04/2005: OT: A book on how to build an Apple 1 replica
06/03/2005: SANSFIRE is coming up very soon
06/03/2005: A good book on reverse engineering
06/01/2005: Steve has improved his Custom JDBC URL example
06/01/2005: An interesting post about PeopleSoft and Oracle
06/01/2005: Steve has added an undocumented sample for fixed JDBC credentials
05/31/2005: Alex has released his paper on metalink hacking
05/30/2005: Chris was also talking about Alex's 42 bugs found in Metalink
05/30/2005: 42 security bugs found in Oracle's Metalink database - Some serious!
05/28/2005: A new short paper on Alex's site - How to change XMLDB Ports
05/28/2005: JHeadstart has some new features slated for the next release
05/28/2005: An interesting post on Frank's blog about calling PL/SQL from Java
05/26/2005: Alex is to talk at ITUnderground Warsaw and DOAG Freiburg
05/25/2005: Scarlet Pruitt's interview with Mary Ann Davidson is out
05/24/2005: IDG were scheduled to interview Oracle's CSO
05/24/2005: Oracle Password Repository (OPR) has been updated
05/22/2005: A good list of Oracle discussion resources
05/21/2005: orablogs is back
05/21/2005: How to check which users can access the view DBA_USERS
05/20/2005: A good description of some of the Oracle default accounts
05/18/2005: A good paper on Oracle's random number generator
05/17/2005: SQLGotcha is on freshmeat
05/16/2005: nice paper by Doug Burns on Oracle parallel execution tuning
05/16/2005: A news aggregator
05/16/2005: Nice paper by Jonathan on DUAL internals and intricacies
05/15/2005: Marcel-Jan has an interesting tool on his site called SQL-Gotcha
05/13/2005: A select only user causing locks?
05/13/2005: Very interesting undocumented feature on Amis
05/12/2005: Nice list of Oracle's default ports
05/12/2005: Alex has an interesting new paper on modplsq and mod_plsql passwords
05/11/2005: A nice paper on latch internals
05/11/2005: Useful PL/SQL function that returns an MD5 sum for a string
05/10/2005: A great example of information leakage!
05/09/2005: Richard talks about diagnostics support pack and applications collection tool (ACT)
05/09/2005: Amis blog has a good paper on SQL quirks
05/07/2005: Tom writes about anonymous postings
05/05/2005: Another nice flashback paper
05/05/2005: Nice post on Amis about flashback
05/05/2005: Tug has an interesting post on software terrorists
05/05/2005: Follow up on direct application repository access
05/04/2005: alpha copies of two chapters of Tom's new book are available
05/04/2005: Interesting security news item
05/04/2005: Who_has_priv.sql, who_can_access.sql and who_has_role.sql updated
05/02/2005: Alex has updated his Oracle exploits page to add 5 more exploit codes
05/02/2005: Red Database Security issues two new Oracle security advisories
05/01/2005: A free script to find hidden users in your database
04/30/2005: Alex has added an Oracle exploits page to his site
04/30/2005: SmartDB Upgrades Oracle Migration Tool
04/29/2005: Mark has a post about Oracle's talks to buy Siebel
04/29/2005: There is a security problem with Critical Patch Update April 2005 and alert #65
04/29/2005: Tim Gorman has updated his excellent script
04/29/2005: Direct dictionary access again
04/28/2005: Ed also talked about Tom and direct dictionary editing
04/28/2005: Alex has a new paper on Yahoo hacking and Oracle
04/28/2005: Mark has made an update post on his SOX compliance
04/27/2005: Mark Coleman talks about Oracle and SOX compliance
04/27/2005: Alex has added days to fix to his Oracle security advisories
04/26/2005: A new paper on Oracle database passwords
04/26/2005: Alex Kornbrust has today released 3 new Oracle security advisories
04/26/2005: Tom talks about direct dictionary editing
04/25/2005: View privileges
04/25/2005: reading redo logs - The hard way
04/25/2005: Frank has a good post about security vulnerability reporting
04/23/2005: Some updated links on my Oracle security papers page
04/22/2005: Frank has a nice document recommendations
04/22/2005: A free version control e-book
04/20/2005: Tom Kyte has started a blog
04/19/2005: Frank has a good review of a secure coding book
04/19/2005: More insights to CPU 12 April and public exploit code
04/18/2005: Esteban Martinez Fayo releases his security advisories for CPU 12 April
04/18/2005: Making Oracle Forms more secure
04/18/2005: Jared Still has a new paper on protecting passwords
04/17/2005: Interesting analysis of CPU 12 April - To patch or not to patch
04/17/2005: Frank has a fix for Forms 10.1.2 for the SQL Injection issue
04/16/2005: Another news item about CPU 12 April
04/16/2005: Amis blog talks about recompiling objects
04/15/2005: Another interesting Oracle-l thread on Oracle security auditing
04/15/2005: An interesting thread on Oracle-l about BBED
04/15/2005: Another CPU April 12 news item from eweek
04/14/2005: CPU 12 April researchers advisories
04/14/2005: CIS Oracle benchmark has been updated
04/13/2005: has a news item about CPU 2
04/13/2005: talks about the Oracle CPU April 12 patch release
04/13/2005: Oracle ships patches seeded with message digest data
04/12/2005: CPU April 12 - 2005 is released
04/12/2005: Debu has an interesting pointer to an Oracle security paper
04/12/2005: CPU - April 12 is coming?
04/12/2005: Frank talks about the OWASP security conference
04/12/2005: Alex Kornbrust has released a new paper SQL Injection in Oracle Forms
04/11/2005: O'Reilly CodeZoo
04/09/2005: An interesting post by Mark
04/08/2005: Alex Kornbrust has a new paper on google hacking and Oracle
04/06/2005: SearchOracle has an excellent Oracle security links page
04/05/2005: Amis Blog talks about writable external tables
04/04/2005: Pete's audit scripts updated
04/03/2005: Alex Kornbrusts repscan tested and added to oracle security tools page
04/02/2005: identity theft and database security
04/02/2005: Alex Kornbrust has presented at Blackhat Amsterdam on Oracle Rootkits
04/01/2005: New presentation on advanced SQL Injection
04/01/2005: A good paper about debugging XSLT
03/31/2005: Mark Rittman talks about Fine Grained Access Control
03/31/2005: NCipher have made product updates
03/31/2005: How the secret service decodes encrypted evidence
03/30/2005: A Cuckoo's egg
03/30/2005: Before I forget, some bloggers have been talking about Oblix / Oracle as well
03/30/2005: Some news reports about Oracle's purchase of Oblix
03/30/2005: Oracle buys oblix
03/28/2005: Ben talks about 10g flashback
03/28/2005: Amis blog talks about logging data in the same table
03/26/2005: Kevin Mitnick: New book The art of intrusion
03/26/2005: A new free Java based Oracle password management tool
03/22/2005: Jonathan Lewis on Row Level Security - part 2
03/19/2005: The JHeadstart blog talks about J2EE authentication and authorization with JHeadstart
03/19/2005: Mark Woan's GUI .NET password check tool updated link
03/14/2005: A GUI default password checking tool
03/11/2005: Sean Hulls weblog site is back up
03/10/2005: Jonathan Lewis on Row Level Security
03/09/2005: Google desktop search
03/09/2005: Oracle have made some big updates to alert #68
03/08/2005: Frank has an example on simple J2EE form based authentication
03/08/2005: Nice listener.log error parsing script
03/07/2005: Howard Rogers has started a new Oracle forum
03/06/2005: Alex has a new presentation on hardening Oracle client PC's
03/06/2005: Jared Still has a new site
03/05/2005: Sean Hull has started a weblog based around Oracle and open source
03/04/2005: Amis Blog has an interesting entry on multiple listeners
03/03/2005: Comments, spam and statistics spiders
02/25/2005: Interesting news post about Mary Ann Davidsons comments on security education
02/18/2005: Alex Kornbrust has updated his upcoming security alerts page
02/13/2005: Alex Kornbrust's Hardening Oracle Application Server presentation is now in English
02/11/2005: Alex has presentation notes available and a forthcoming paper
02/10/2005: tracing inside a PL/SQL procedure
02/09/2005: Google hacking and reverse engineering Java
02/09/2005: Use of Windows login details - single sign on for web applications
02/09/2005: Further advice on catpatch.sql
02/08/2005: Ed Has another post in the catpatch.sql series
02/08/2005: Oracle Security Tools page updated
02/07/2005: port 1521 and redirection
02/06/2005: Another undocumented parameter in use (_ash_enable)
02/05/2005: A password repository for Oracle
02/04/2005: New paper from Aaron Newman - Search Engines used to attack the database
02/04/2005: Google hacking search string database
02/04/2005: Alternate URL for Yong's site
02/03/2005: A very good paper about weaknesses in password security
02/03/2005: Tom talks about encrypting passwords in the database
02/02/2005: A repository of security papers -
02/02/2005: Yong Huang's web site is excellent
02/01/2005: Google hacking is on the up!
01/31/2005: Happy birthday to
01/31/2005: A script to call SQL*Plus without hardcoding passwords
01/30/2005: Andrej Koelewijn talks about google stopping comment spam
01/29/2005: Some interesting comments about CPU - Jan 2005 on c.d.o.s
01/28/2005: Interesting thread on Oracle-l about ftp'ing data into the database
01/28/2005: A bad way to migrate a database or a good way to retrieve crashed data
01/27/2005: Frank has a great blog entry about web application security
01/27/2005: Steve talked about an undocumented page on his site
01/26/2005: default passwords and Oracle default passwords
01/26/2005: Brian talks about site registration
01/25/2005: Updated internals and Oracle applications security page
01/25/2005: Amis blog talks about LOG4PLSQL
01/24/2005: Tom talks about proxy users
01/24/2005: Integrigy releases a useful impact analysis paper on CPU - Jan 2005
01/23/2005: Steve Kost has released an Integrigy advisory for CPU - January 2005
01/22/2005: oops missed off the link
01/22/2005: In the news page updated
01/22/2005: Michael Singer on Oracles Critical Patch Update
01/21/2005: Translation of German news article
01/20/2005: Search Oracle talks about the Critical Patch Update
01/20/2005: Alexander Kornbrust's upcoming Oracle security bugs
01/19/2005: Alexander Kornbrust has an advisory for CPU - January 2005
01/19/2005: Another critical patch update news article - In German
01/19/2005: Eweek talks about the Critical Patch Update - January 2005 release
01/19/2005: Two news items about Oracles new security advisory
01/18/2005: Security alert released by Pete Finnigan
01/18/2005: Critical patch update - January 2005 is out
01/18/2005: The first Oracle security alert for Jan 18th - First quarterly scheduled security patch
01/18/2005: More on Sarbanes Oxley and Oracle
01/17/2005: HTML Kit
01/16/2005: Penetration testing research and cost effective security
01/15/2005: Great tool for security checking a PC
01/14/2005: Adam Martins Oracle password cracker seems to not be available
01/14/2005: Searching metalink from the MS search bar
01/13/2005: Sarbanes Oxley and Oracle
01/13/2005: Security ethics in vulnerability disclosure
01/12/2005: Amis blog has an entry all about OpenVPN
01/12/2005: Nice paper on checking Oracle password strength and enforcing it
01/11/2005: Howard Rogers has a good article about database links
01/11/2005: Daily, weekly, monthly checklists
01/10/2005: A nice simple DBMS_OBFUSCATION_TOOLKIT example by Nimzo Benoni
01/09/2005: Becoming another user
01/08/2005: CREATE SCHEMA - does it do what it says on the tin?
01/07/2005: Schema difference tool
01/07/2005: Does January 18th have special significance for Oracle?
01/05/2005: We have moved
01/05/2005: Frank has an interesting post about the movie Troy
01/04/2005: Frank has a review of Bruce Schneier book Beyond Fear
01/03/2005: Nice article on SQL Injection
01/02/2005: Some updates to the Oracle default password list
01/01/2005: Oracle security and content management
12/31/2004: Happy new year for 2005
12/30/2004: A free Perl based Log Analysis tool
12/29/2004: Role based security management in Oracle designer
12/28/2004: XML DB Beta program for Oracle 10g release 2
12/28/2004: Stefan talks about finding the cluster interconnect IP address
12/27/2004: Encrypting JDBC thin connections with SQL*Net
12/27/2004: Alert 68 vulnerabilities have been made public
12/24/2004: Web site statistics page added
12/24/2004: Amis blog has an interesting entry about a CJ Date seminar
12/23/2004: All the JDeveloper presentations from Oracle Open World
12/23/2004: Bruce Schneier talks about google desktop search security
12/22/2004: SYS.USER_ASTATUS_MAP missing values solved
12/21/2004: Database user account status's in SYS.USER_ASTATUS_MAP
12/21/2004: Mark has a good post about the new 10g Release 2 version
12/20/2004: Tools page updated
12/20/2004: Sitemap generation tweaked
12/20/2004: Disabling Oracle writes into NT event log
12/19/2004: Post about setting up and using autotrace
12/19/2004: Edwards post on Java running in the database
12/19/2004: Brian has a nice post about JDeveloper debugging
12/18/2004: Mark has found a good paper on programming Java in stored procedures
12/17/2004: Tools page updated
12/17/2004: Another good point about read only users
12/17/2004: Creating a read only user
12/16/2004: Howard Rogers on dropping the DBA, CONNECT and RESOURCE roles
12/16/2004: An interesting discussion about revoking privileges from SYS or DBA
12/16/2004: Information leakage and google hacking
12/16/2004: Colin Maxwell talks about the issues of encrypting binary attachments
12/16/2004: newsletter will be re-launched soon
12/15/2004: Amis blog talks about SQuirrel - an open source database tool
12/15/2004: Frank has a nice post about improvements to web application security
12/14/2004: Arup Nanda has a paper on Oracle Security Auditing part 1 on
12/14/2004: sitemap added to
12/14/2004: Jonathan Lewis talks about the hidden benefits of Oracle 10g
12/13/2004: A useful post on c.d.o.s about ADMIN_RESTRICTIONS_{listener_name}
12/13/2004: Niall has clarified the ODBC trace issue
12/12/2004: Comments have been disabled from my weblog
12/11/2004: article : Finally, a sensible security scheme
12/10/2004: Justin Kestelyn sums up Oracle Open World
12/10/2004: Oracle have made a press release about the database 10g release 2 announcement
12/10/2004: Oracle patch set is now available for Linux
12/09/2004: Frank has a good example of simple J2EE form based authentication for ADF UIX
12/09/2004: The OOW keynotes are available online at OTN
12/09/2004: Justin talks more about the 10g R2 keynote at OOW
12/09/2004: Addendum to yesterdays auditing SQL from black box third party applications
12/09/2004: Two more accounts of the Chuck Rozwat 10g R2 keynote at OOW
12/08/2004: Oracle Database 10g Release 2 keynote at Oracle Open World
12/08/2004: Auditing the SQL a black box application submits to the database
12/07/2004: Mary Ann Davidson held a guru chat session at OOW
12/07/2004: Colin tells us the WS-Security Jars are not available with the developers release
12/06/2004: SANS announces the new Securing Oracle training course
12/06/2004: 10g Release 2 on the way?
12/05/2004: Ed's final post in the issues with not running catpatch.sql is there
12/05/2004: Howard Rogers has started a web log
12/04/2004: Edwards next post in the series of catpatch.sql issues.
12/03/2004: Next Edward Stangler post in the missing catpatch.sql series
12/02/2004: Three great papers on shell codes and encoding and decoding
12/02/2004: Ed's latest post in the catpatch.sql series - missing SELECT ANY DICTIONARY PRIVILEGE
12/01/2004: Another great recovery disk - This time a CD
12/01/2004: Application Security Inc has made a search page available for the policy check list
11/30/2004: Edward Stanglers next post in the not running catpatch.sql series
11/30/2004: Buffer overflows and hacking book list
11/30/2004: Tools page updated
11/30/2004: Ed had an interesting post yesterday about $ tables, DBA views and x$ tables
11/29/2004: A good list of Oracle security check items
11/29/2004: A live file system Linux floppy disk rescue system
11/29/2004: oops no link!
11/29/2004: Edward updates us on his catpatch.sql posting
11/28/2004: Looks like is available on more platforms now
11/28/2004: Frank Nimphius paper on J2EE security in Oracle ADF
11/27/2004: Edward Stangler talks about running catpatch
11/26/2004: James Morle's book is available as a free pdf
11/26/2004: Oracle and alert #68
11/26/2004: Mark Rittman talks about Trace format utilities
11/25/2004: Colin Maxwell talks about reducing the scope for encryption
11/25/2004: A new paper on HTMLDB and VPD
11/25/2004: event 28131, event 28119 and Row Level Security
11/24/2004: And still more news stories
11/24/2004: Frank has two interesting blog entries that relate to security
11/23/2004: Oracle secalert_us have sent out emails to tell some customers about the quarterly patch schedule
11/23/2004: Updates to the default password list and checker for SAP default users
11/23/2004: Frank Nimphius talks about displaying the authenticated username in ADF UIX using EL.
11/22/2004: Amis blog - shows how to create a certificate and configure OC4J to use it
11/22/2004: Two new books on Oracle security received
11/22/2004: And more...
11/22/2004: OraDep - A tool for analysing dependencies
11/21/2004: Frank Nimphius talks about showing/hiding UIX components based on isUserInRole()
11/21/2004: And there was more news...
11/20/2004: More news on the new patch schedule
11/20/2004: eweek: Alleged Oracle Scammer: I Am Not a Crook
11/19/2004: Three more news sites are talking about the new patch schedule
11/19/2004: An interesting example of information leakage posted to my blog entry
11/19/2004: Michael Singer of Internet News talks about Oracle's new patch schedule
11/19/2004: Slight update to the default password check scripts
11/18/2004: An interesting case of information disclosure
11/18/2004: Colin Maxwell talks about WS-Security in JWSDP 1.5
11/18/2004: Update to remote_os_authent=true post
11/18/2004: Oracle announce critical patch update schedule - beginning January 18 2005
11/17/2004: Two more takes on the Gartner / Oracle exploit information release reluctance
11/17/2004: Oracle Users Should Take Security Patch 68 Seriously
11/17/2004: Interesting post about PUBLIC privileges in
11/16/2004: 600 Oracle default usernames/passwords available
11/16/2004: Frank Nimphius has an entry about Bruce Schneier in his web log
11/16/2004: Colin Maxwell talks about keytool and keystores
11/15/2004: Default password lists and updates
11/14/2004: Exploits and blog software
11/13/2004: Interesting discussion on DBMS_SUPPORT versions
11/12/2004: Hack notes books
11/12/2004: Oracle VP database and server technology in Germany talks about Oracle patch schedules
11/11/2004: Colin Maxwell talks about securing web services using JDev and WS-Security
11/11/2004: Frank Nimphius talks about disabling Forms builder security in 10g
11/11/2004: Restricting object creation and alteration privileges
11/10/2004: Small update to the default password check scripts
11/10/2004: Patch set for Win32 is causing debate
11/09/2004: A new Oracle default password checking tool is available
11/09/2004: Amis blog - Script to clear out a users schema
11/08/2004: A lot of new pages on my site
11/07/2004: Two great papers and tools by Tim Gorman
11/06/2004: Post on ORACLE-L : Exploring Oracle November 2004 and REMOTE_OS_AUTHENT
11/05/2004: Patrik Karlsson releases OScanner - A new free Oracle security vulnerability scanner
11/05/2004: Oracle passwords : A few not too well known facts
11/04/2004: Howard Rogers has a new ebook out
11/04/2004: Don Burleson: Oracle fraud alert
11/03/2004: Nice four part paper on label security by Jim Czuprynski
11/02/2004: The patch set is out
11/02/2004: Can application names be changed to spoof logon triggers?
11/01/2004: Another good paper by Howard Rogers on read-only tables
10/31/2004: Howard Rogers new paper on secure application roles
10/30/2004: Interesting question about Sarbanes-Oxley on Oracle 7.3.3
10/29/2004: Can I connect to the database as the user PUBLIC?
10/29/2004: white papers section updated for Roby Sherman papers
10/29/2004: Brian Duff talks about connecting to Oracle servers with ssh
10/28/2004: massive data theft from a database in California
10/28/2004: interesting thread on how to secure a third party application
10/28/2004: Tales of the Oak Table - Dave Ensors comments on Oracle security
10/27/2004: more info on DBMS_SYSTEM.KSDWRT
10/27/2004: Oracle applications auditing
10/27/2004: Allowing a user read-only access to stored procedure source code
10/26/2004: Writing to the alert log
10/26/2004: 2 new books on Oracle security
10/26/2004: Frank Nimphius talks about JAAS and declarative J2EE security
10/25/2004: Another issue with alert 68 on AIX 32 bit
10/25/2004: Oracle issue an ALERT note saying use of OPatch for multiple patches can corrupt the inventory
10/25/2004: Ken Jacobs talks about the monthly patch release cycle
10/24/2004: says Oracle's Security Luck Runs Out
10/24/2004: Steve Feuerstein talks about best practices for NDS in 10g
10/23/2004: Is setting trace a security risk? - part 1
10/22/2004: You can search inside the SANS Oracle security step-by-step guide
10/22/2004: check_parameter.sql : script added to my tools page
10/22/2004: new shell for Windows
10/21/2004: Auditing DBA's?
10/21/2004: some interesting comments on ORACLE-L about alert #68
10/21/2004: More direct SGA access
10/21/2004: The code for the SANS Oracle security step-by-step book has had a small update
10/20/2004: Internetnews article : Customers Gripe About Oracle's Patch Plan
10/20/2004: More SQL Injection: A paper on Oracle SQL Injection by Stephen Kost
10/20/2004: creating read only tables
10/19/2004: An interesting SQL Injection paper
10/18/2004: A tuning book and security?
10/17/2004: Listener security guide
10/16/2004: computerworld have also picked up the patch quickly story
10/15/2004: where is the next monthly patch?
10/15/2004: eweek article on alert #68 discusses public exploit availability
10/15/2004: who_can_access.sql : a script to find users and roles that can access a particular object
10/14/2004: SQL Injection papers
10/14/2004: Scanning for Oracle databases on your network
10/13/2004: expired passwords, ORA-01045 and password changes
10/13/2004: People are now looking for alert 68 exploits!
10/12/2004: which special characters can be used in Oracle database passwords
10/11/2004: preventing password leakage with SQL*Loader
10/11/2004: Oracle 9i union flaw
10/10/2004: Oracle reminds all customers to apply Patches for alert #68
10/09/2004: who_has_priv.sql : script to find users who have been granted a system privilege
10/07/2004: Tools page has been updated again
10/07/2004: Hiding literal strings in PL/SQL
10/06/2004: Howard Rogers writes about Virtual Private databases
10/05/2004: who_has_role.sql : A script to find which users and roles have been granted a role
10/03/2004: Tools page updated
10/02/2004: find_all_privs.sql : A script to find all privileges allocated to a user or role
09/30/2004: Oracle announce that clients also need patching for alert #68
09/28/2004: Creating read only users
09/26/2004: Oracle Database 9i SQL Command Buffer Overflow Vulnerability
09/25/2004: eweek article: Oracle Users Take Aim at High Costs, Security Silence
09/24/2004: KK Mookhey writes about auditing Oracle security
09/23/2004: The SANS S.C.O.R.E. Oracle security checklist has been updated
09/22/2004: Arup Nanda is interviewed about the Oracle security patch nightmare
09/22/2004: Truncating the audit trail
09/21/2004: Are your system triggers firing?
09/20/2004: A new Oracle security based weblog