
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Tom writes about anonymous postings



I saw one of Tom Kyte's posts to his blog the other day, titled "Is being anonymous bad?" (http://tkyte.blogspot.com/2005/05/is-being-anonymous-bad.html - broken link), and read it with interest. One of the things I have talked about here in the past is "An interesting example of information leakage posted to my blog entry" (I should point out that Tom emailed me to say this leakage has now been fixed).

Information leakage can take place when employees of your company join newsgroups or mailing lists and inadvertently post comments to threads that include details of critical information such as hostnames, IP addresses, usernames, passwords and many other details useful to hackers.

Tom's post is about whether anonymous postings are good or bad on mailing lists or newsgroups. Tom says being anonymous is a good thing and he does not have a problem with anonymous postings on AskTom.

This is an interesting thread. Some companies do not allow employees to post to newsgroups or mailing lists with company email accounts, or to use identification that could show a connection between the posting and the employer. This can be a good idea to prevent information leakage, BUT it is all very well stopping people posting from work; if all they do is post anonymously or from home instead, then you have no control over them to ensure that they do not still give out details. A poster may be anonymous but may give out real information such as an IP address and details of a particular piece of software being run (say Forms). What happens now if someone uses Google hacking techniques to locate vulnerable Forms servers? I talked about "Information leakage and Google hacking" recently. They could still find your company's server and exploit it. If you have a policy to stop information leakage, you need to ensure that employees who are banned from posting from work understand why and do not still leak details from home. They may think it's safe because they are anonymous - but may not be after all.