
Pete Finnigan's Oracle security weblog



Google hacking and reverse engineering Java

February 9th, 2005 by Pete


I ordered Johnny Long's book "Google Hacking for penetration testers" from Amazon.co.uk on Monday and it just arrived today. Thank god the rain was not too hard as our postman left the package behind our garage - not a very clever plan! - and it was quite wet when I got home at tea-time. Luckily the books were not damaged.

Obviously I have not had the time to read the book yet but I have had a quick flick through. The subject of Google hacking is very relevant to all companies who expose anything at all via a web site or via computer systems that are exposed to the Internet. If you run an Oracle database or Oracle tools such as iSQL*Plus and they are exposed to the net then it is easy to find your site in Google and if sites found can be matched with known exploits you could become the victim of a scripted attack. This is an exciting new way to hack or rather reconnoitre attacks.

The book seems very thorough in its discussions of Google and hacking. There is only a short mention of Oracle specifically near the end of the book in discussions about SQL Injection. That said, there is plenty for those with an interest in Oracle security. Johnny starts the book with a look at how to use Google and then a look at the advanced features or rather operators. He then talks about hacking basics and pre-assessment. Then network mapping, locating exploits and finding targets. He then looks at some standard searches and also shows how to find things like web servers, passwords et al. Johnny then talks about protecting your own site from Google hackers and also automating searches.

I am looking forward to reading this book; it's quite long at almost 500 pages so it may take me some time. I need a link on learning how to speed read I guess. I have quite a backlog of books to read at the moment... :-(

Whilst I was ordering Johnny Long's book I noticed by chance another book, "Covert Java: Techniques for Decompiling, Patching and Reverse Engineering" by Alex Kalinovsky, so I ordered this book at the same time. I am not an expert Java programmer - I have dabbled a bit. I know C++ better and C much, much better. I like to follow some of the Java posts on the net and Java is quite an important technology in Oracle circles. The Java procedures in the database are not as much written about as PL/SQL and there is not a huge amount out there on securing Java in an Oracle context. I also follow the posts of the JDeveloper programmers on OraBlogs. I have always been sceptical of using Java in the database as there are many tools out there to decompile the bytecode and turn it back into source code so firstly it can be read (trade secrets divulged?) or hacked (Trojans) or many other issues. So when I saw this book it looked like an ideal opportunity to understand the issues of reverse engineering Java and how it works, how we can protect against it and how real the issue is. Again I have not read the book yet (of course) but when I have I will report back and also pen some details on the security of Java in the database with respect to the issues I have mentioned. Looks like an interesting read though.


This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
