
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Speaking events, SQL Hashes and clever password crackers



Last week I managed to update the speaking events list on my site's home page to include all the presentations I will be giving over the next couple of months. I am speaking this Thursday at the UKOUG back to basics event in London and I am looking forward to that. Come and say hello if you are coming along to any of the events.

I was doing some research for a project last week and made a note of a new package, DBMS_SQLHASH (http://download-uk.oracle.com/docs/cd/B28359_01/network.111/b28531/data_encryption.htm#CHDCDJHC, broken link), that some sites are marking as new for 11g, but it is also there in 10gR2. This is an interesting package that uses cryptographic hashes such as HASH_MD4, HASH_MD5 or HASH_SH1 (from DBMS_CRYPTO) to hash the result set of a SQL statement, so that the data can be checked later to see whether it has been changed. The package's GETHASH function can also be used to test the integrity of dictionary objects, in a similar fashion to some of the commercial database scanners that are available. The package can of course be used to select the source of packages, triggers, views and more, and hashes can be calculated and stored for later comparison.
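The source-integrity check described above could look like the following. This is an added example, not code from the original post or from Oracle. The table SRC_BASELINE, the function SRC_HASH and the schema APP_OWNER are hypothetical names. It assumes EXECUTE on SYS.DBMS_SQLHASH and SELECT on DBA_SOURCE are granted directly to the user that owns the function.

```sql
-- Added example. SRC_BASELINE, SRC_HASH and APP_OWNER are hypothetical names.
-- Assumes direct grants: EXECUTE on SYS.DBMS_SQLHASH, SELECT on DBA_SOURCE.
CREATE TABLE src_baseline (
  owner VARCHAR2(128), name VARCHAR2(128), type VARCHAR2(30), sha1 RAW(20),
  CONSTRAINT src_baseline_pk PRIMARY KEY (owner, name, type)
);

CREATE OR REPLACE FUNCTION src_hash (
  p_owner IN VARCHAR2, p_name IN VARCHAR2, p_type IN VARCHAR2
) RETURN RAW IS
BEGIN
  -- ORDER BY line fixes the row order, so unchanged source hashes the same.
  -- ENQUOTE_LITERAL rejects values containing unbalanced quotes.
  RETURN SYS.DBMS_SQLHASH.GETHASH(
    sqltext     => 'SELECT text FROM dba_source WHERE owner = '
                   || DBMS_ASSERT.ENQUOTE_LITERAL(p_owner)
                   || ' AND name = ' || DBMS_ASSERT.ENQUOTE_LITERAL(p_name)
                   || ' AND type = ' || DBMS_ASSERT.ENQUOTE_LITERAL(p_type)
                   || ' ORDER BY line',
    digest_type => 3);  -- 3 is the value of DBMS_CRYPTO.HASH_SH1
END;
/
-- Step 1: record the baseline while the schema is in a known-good state.
DECLARE
  h RAW(20);
BEGIN
  FOR o IN (SELECT DISTINCT owner, name, type FROM dba_source
            WHERE owner = 'APP_OWNER') LOOP
    h := src_hash(o.owner, o.name, o.type);
    INSERT INTO src_baseline (owner, name, type, sha1)
    VALUES (o.owner, o.name, o.type, h);
  END LOOP;
  COMMIT;
END;
/
-- Step 2: run later; reports baselined objects whose source no longer matches.
SET SERVEROUTPUT ON
DECLARE
  h RAW(20);
BEGIN
  FOR b IN (SELECT owner, name, type, sha1 FROM src_baseline) LOOP
    h := src_hash(b.owner, b.name, b.type);
    IF h IS NULL OR h <> b.sha1 THEN
      DBMS_OUTPUT.PUT_LINE('CHANGED: ' || b.owner || '.' || b.name
                           || ' (' || b.type || ')');
    END IF;
  END LOOP;
END;
/
```

The baseline table is only as trustworthy as its own access controls, so it is best kept in a schema, or exported to a location, that the accounts being audited cannot write to.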

Finally, Laszlo sent me an interesting link to the methods Elcomsoft are using to make password crackers run at 20 times the normal speed by passing off the repetitive calculations to the parallel hardware available in graphics cards such as NVIDIA GeForce 8 graphics boards. The page is titled "Elcomsoft Distributed Password Recovery".