Pete Finnigan's Oracle security weblog


Google hacking and Oracle database security audits

February 3rd, 2009 by Pete

I have just returned from teaching my class "how to perform a security audit of an Oracle database" in Helsinki, Finland, which was fun; having a ride back to the airport in Pasi's Subaru Impreza on icy roads was also fun!

One of the areas I mention in the material of the course is the issue of Google hacking, made famous by Johnny Long some years ago. A key issue for any site undertaking to secure its Oracle databases is containment: knowledge of the databases, their administration, their problems, and anything else that would help someone break in should be kept on a need-to-know basis. I was just surfing Google for something else and saw a PDF of a paper by Emin Islam Tatli called "Google hacking for cryptographic secrets". The paper is around three years old, but it is a good overview of some of the techniques, and the one thing I particularly noticed is the useful list of free tools to help people check their own sites. These include the Google Hacking Database (GHDB), Goolink, SiteDigger and Gooscan.

This area is interesting for me. It is not Oracle database security specifically, but as I said, I always recommend that clients do some basic surfing of the net on Google (and not just Google: you should also check Metalink, Yahoo, MSN etc. as well, or better still a search aggregation site such as Dogpile) to test whether any of their Oracle architecture is exposed to the net. That means any metadata such as architecture diagrams (physical and logical), any details of the databases (IP addresses, usernames, SIDs, ports, passwords....) and, in particular, whether staff are posting on forums, newsgroups, mailing lists etc. and divulging details of your problems.

This is a worthwhile endeavour in these days of people focusing on stealing data and identities. Anyone (someone inside your organisation perhaps) looking for an "angle" to steal your data is going to take the easy option: not only downloading exploits from the net, using search engines to find them, but also looking for details of your systems to aid the theft of that data.

Downloading some of the Google security tools that use the GHDB (Google Hacking Database) and testing them against your own site is worthwhile; make sure that your own company policies allow security tools to be installed first, though!
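To make the two checks above concrete, here is an added example (my own illustration, not Pete's code or any of the tools named in the post) that does the "what does an Oracle leak look like?" half of the job offline. It scans a piece of text for the Oracle-specific details the post warns about (tnsnames-style HOST/PORT/SID entries, JDBC thin URLs, pasted sqlplus logins with passwords, ORA- error dumps) and then builds the corresponding `site:`-scoped Google queries for your own domain so you can run the same search the attacker would. The sample text, the host names, the domain `example.com` and the credentials in it are all constructed for the example; the Google operators (`site:`, `filetype:`, `intext:`) are standard.

```python
import re
from urllib.parse import quote_plus

# Constructed sample: the kind of forum post or internal doc that leaks
# everything needed to reach a database.  All names/passwords are made up.
SAMPLE = """\
Posted by dba_joe in #oracle-help: listener keeps dying on prod, config below
PRODDB =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = ora-prod01.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = PRODDB.example.com))
  )
App server uses jdbc:oracle:thin:appuser/Summer2009@ora-prod01.example.com:1521:PRODDB
Quick check: sqlplus system/manager@PRODDB
Getting ORA-12541: TNS:no listener after restart
"""

# JDBC thin URL, optionally with embedded user/password: user/pw@host:port:SID or @//host:port/service
JDBC_RE = re.compile(
    r"jdbc:oracle:thin:(?:([A-Za-z0-9_$#]+)/([^@\s]+))?@(?://)?([A-Za-z0-9_.-]+):(\d{1,5})[:/]([A-Za-z0-9_.]+)")
# sqlplus command line with credentials: sqlplus [flags] user/password@connect
SQLPLUS_RE = re.compile(r"\bsqlplus\s+(?:-\S+\s+)*([A-Za-z0-9_$#]+)/(\S+?)@([A-Za-z0-9_.:/-]+)", re.I)
# tnsnames.ora / listener.ora fragments
TNS_HOST_RE = re.compile(r"\(\s*HOST\s*=\s*([A-Za-z0-9_.-]+)\s*\)\s*\(\s*PORT\s*=\s*(\d+)\s*\)", re.I)
TNS_NAME_RE = re.compile(r"\(\s*(SID|SERVICE_NAME)\s*=\s*([A-Za-z0-9_.$]+)\s*\)", re.I)
# Oracle error codes: a posted error dump usually comes with hostnames/SIDs around it
ORA_ERR_RE = re.compile(r"\bORA-\d{5}\b")


def scan_text(text):
    """Return a list of findings (dicts) describing Oracle details found in text."""
    findings = []
    for m in JDBC_RE.finditer(text):
        user, pwd, host, port, db = m.groups()
        f = {"type": "jdbc", "host": host, "port": port, "db": db}
        if user:  # credentials embedded in the URL
            f["user"], f["password"] = user, pwd
        findings.append(f)
    for m in SQLPLUS_RE.finditer(text):
        findings.append({"type": "sqlplus", "user": m.group(1),
                         "password": m.group(2), "connect": m.group(3)})
    for m in TNS_HOST_RE.finditer(text):
        findings.append({"type": "tns_address", "host": m.group(1), "port": m.group(2)})
    for m in TNS_NAME_RE.finditer(text):
        findings.append({"type": "tns_" + m.group(1).lower(), "db": m.group(2)})
    for m in ORA_ERR_RE.finditer(text):
        findings.append({"type": "ora_error", "code": m.group(0)})
    return findings


def credentials_found(findings):
    """(user, password) pairs from the findings: the ones to rotate first."""
    return [(f["user"], f["password"]) for f in findings if "password" in f]


def build_dorks(domain):
    """Google queries to run against your own domain for the same leak types."""
    return [
        f'site:{domain} filetype:ora "DESCRIPTION" "SERVICE_NAME"',   # tnsnames/listener files
        f'site:{domain} "jdbc:oracle:thin:"',                          # JDBC URLs in docs or code
        f'site:{domain} intext:"sqlplus" intext:"@"',                  # pasted sqlplus logins
        f'site:{domain} intext:"ORA-" intext:"TNS"',                   # error dumps with listener details
        f'site:{domain} filetype:pdf "Oracle" "1521"',                 # architecture docs naming the port
        f'"{domain}" "SID" "1521"',                                    # third-party forums naming your hosts
    ]


def google_url(query):
    """Search URL for a query (open it by hand; the point is to see what Google has)."""
    return "https://www.google.com/search?q=" + quote_plus(query)


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f)
    print("credentials:", credentials_found(scan_text(SAMPLE)))
    for q in build_dorks("example.com"):
        print(google_url(q))
```

Running it against the constructed sample turns up the host, port, SID and service name, two sets of credentials, and an ORA- error; the same regexes can be pointed at your own web content, mailing-list archives or exported forum posts before an outsider does the equivalent with a search engine. The queries are deliberately `site:`-scoped to your own domain, and the last one looks for your domain being named elsewhere, which is where staff posts on public forums show up.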
