Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

New paper on Oracle native authentication in 9i and 10g



Laszlo Toth has released a new paper detailing the changes in Oracle native authentication between 8i, 9i and 10g, including some of the weaknesses and some proof-of-concept code. The paper shows that authentication in all three versions of the protocol is subject to brute force or easy decryption of the password if a session can be sniffed and the AUTH_SESSION and AUTH_PASSWORD can be captured. The paper is titled "Oracle native authentication version 9i and 10g"; it is available from Laszlo's site and is worth reading.