
Pete Finnigan's Oracle security weblog



Tom writes about anonymous postings

May 7th, 2005 by Pete


I saw one of Tom Kyte's posts to his blog the other day, titled "Is being anonymous bad?", and read it with interest. It concerns one of the things I have talked about here in the past, "An interesting example of information leakage posted to my blog entry" (I should point out that Tom emailed me to say this leakage has now been fixed).

Information leakage can take place when employees of your company join newsgroups or mailing lists and inadvertently post comments to threads that include critical information such as hostnames, IP addresses, usernames, passwords and many other details useful to hackers.

Tom's post is about whether anonymous postings are good or bad on mailing lists or newsgroups. Tom says being anonymous is a good thing and he does not have a problem with anonymous postings on AskTom.

This is an interesting thread. Some companies do not allow employees to post to newsgroups or mailing lists from company email accounts, or to use identities that could reveal a connection between the poster and the employer. This can be a good idea for preventing information leakage, BUT stopping people from posting from work is only part of the answer: if all they do is post anonymously or from home instead, you have no control over them to ensure that they do not still give out details. A poster may be anonymous but may still give out real information, such as an IP address and details of a particular piece of software being run (say Forms). What happens if someone then uses Google hacking techniques to locate vulnerable Forms servers? I talked about "Information leakage and google hacking" recently. They could still find your company's server and exploit it. If you have a policy to stop information leakage and employees are banned from posting from work, you need to ensure that they understand why and do not still leak details from home. They may think it's safe because they are anonymous, but they may not be after all.



This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
