Pete Finnigan's Oracle Security Weblog

I was down in London yesterday in some meetings and also speaking at the http://www.ukoug.com/calendar/show_event.jsp?id=3385 - (broken link) UKOUG Management And Infrastructure SIG on the subject of Oracle Security tools. I will post up the slides later.

The discussion got around to the issue i call "the access issue" - this is basically that any direct connection to the database requires the IP address, port number, service name or SID and a valid username and password. Often the IP address could be found easily using scanning tools such as nmap. My experience of most sites is that a username / password can be guessed easily. That leaves the SID/Service name. If a database has used a default such as ORCL - yes I do see that used in production databases - really - or simple things like PROD10g or DEV10g then they are guessable and tools exist to find these. This discussion has relevance because at most sites there is no internal protection of the database. That is you can connect a laptop/PDA or whatever or use an existing desktop (most sites ship standard builds often including an Oracle client to most desktops) and attempt to connect to the database. This for me is the biggest issue I see. Think for a minute...

If you can stop people attempting a connection to the database, i.e. only the appserver and a small number of staff can connect (DBA) and there is firewalling, packet filtering etc then this makes the database much better in terms of security. All the normal config issues do not go away it just means that its become harder for anyone to attempt to take advantage of a bad configuration or weak password or similar.

This is all about recognising that the threat is likely to be internal and not external and that traditional perimmeter security doesn't work for protecting access to the data held in corporate or government databases. The security for the data must be with the data. Layered security simply must prevent direct access to the data. This doesn't mean that the configuration issues have gone away it just makes them harder to exploit. This is a good plan in securing data.

Anyway during this discussion I was making the point about most desktops having standard builds that may include an Oracle client and also most sites simply potentially allowing access directly to the database if someone were to plug in a laptop or use the desktop. I suggested (tongue in cheek) that a clever hacker may for instance work for the drinks vending company and he may have an Oracle client in the vending machine which happens to be connected to the corporate network. I have looked at these machines in the past whilst idley waiting for a vend and noticed CAT-V cables eminating from the back of them , anyway it was said in fun yesterday but this morning I saw a post on BugTraq titled "Hacking Coffee Makers" - what a coincidence!