An interesting case of information disclosure
November 18th, 2004 by Pete
I was surfing the orablogs website the other day and found an entry in Duncan Mills' weblog that looked interesting. He writes an Oracle weblog, and I noticed a security-related post, so my interest was piqued. The post is not directly about Oracle security itself but is in part related. Duncan reported a hacker's attempt to get into his site by trying to exploit ssh. The reason they did this is a previous posting to his blog, "One thing leads to another", that talked about his project to create a JSF-based blog application. The final paragraph of that entry talked about how he had set up ssh to access the groundside.com site for people who were going to help in the project. He also announced that he had work to do in tightening the security.
This whole blog entry reminded me of some work I did on the new SANS 6-day hands-on "Securing Oracle Track" that I have been writing for SANS. I covered information leakage in one of the modules; indeed, I briefly mentioned the same in the book Oracle security step by step - A survival guide for securing Oracle. I did some research into this issue when writing about it for SANS. Quite frankly, it is amazing, in Oracle database, server and application terms, what information some companies will leak to the Internet, whether in newsgroups, on mailing lists or even on corporate websites.
I have seen all manner of information, such as network configurations, usernames, even passwords, IP addresses, applications used (third-party and in-house), job specifications, and even security policies and guidelines (very useful for a hacker to know the password policies!). Recently I have even seen the authentication source code for a web-based application that will interact with an Oracle database posted to a newsgroup, where one of the developers wanted to ask a question.
This is a key lesson that companies need to learn. If you post details of IP addresses, usernames, passwords, application structure and even source code to the Internet, or post your policies and working practices to publicly accessible web sites, you should not be surprised if you get attacked.
Companies need to educate employees on these issues; it's important.
I think in Duncan's case it's a lot less worrying, as it's a public project anyway and he doesn't have live production data that could be lost to worry about. Also, the main point is that he understands the issue.



Mr. Ed says:
November 19th, 2004 at 09:11 am
Is information about Apache under Oracle (at Oracle) a security problem, too?