This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

A few things to report about Oracle Security after we have had a short break for family holidays and also because of a lot of work being done over the last few months. It is nice to be busy in these recessionary times.

I am going to be down at Oracle's UK HQ at Thames Valley Park next week on Wednesday the 8th doing a two-part talk on Oracle Security for the UKOUG. This should be fun as I am going to do a lot of demos, and demos always have the possibility to go wrong; so it's exciting, especially as I have only loosely planned them and will do it unstructured... should be fun... hope to see some of you there.

I have been using Twitter quite a bit over the last couple of months, more than I have in the past, mainly because I have been setting up some websites for a client with a social networking element. Please feel free to follow me at my Twitter profile. It's not just Oracle security there, but also a splash of general IT security, hacking, web development, SEO, social networking and coding (although I have not found my coding people to follow yet!).

PFCLScan - our enterprise security scanning tool and database vulnerability scanner now has its own web page - called PFCLScan of course!

I saw yesterday - note the ad-hoc nature of this blog, I have a few things I wanted to mention - a blog post via The Register. It caught my eye as the writer of the blog, Charles Anderson, also lives in York (the original one in England, not the new one in the States!) and he had also just been to North Wales on holiday. He posted a blog post, "Somebody wants me dead!", that really caught my eye. It seems scammers used to send emails telling you that some relative you have never heard of has died and left a few million in a foreign bank account and that you can have it all if you send some money and your bank details; yeah, right! Well, this post says Charles got an email telling him there is a contract on him and he has been followed for a couple of weeks. If the author gets $50,000 US then he will not execute the contract... wow. I wrote a comment on Charles's blog but because it's one of these major sites it's impossible to comment unless you are also a member of that or one of the other general sites, which I am not. So I left it and decided to mention it here.

Also, in my Oracle Security forum Marcel-Jan posted a note to say that Oracle have broken the links to Arup Nanda's excellent multi-part paper on Oracle Security, Project Lockdown. Well, Marcel-Jan has found a link to the complete paper as a PDF and it's listed on the forum post - Project Lockdown is not gone, but hard to find.

There have also been two new books published on Oracle Security recently. The first is "secure Oracle - 100 things you can do to get it done" by Patrick J McShea. Any book on Oracle security is welcome, but this one has some slight issues I will get out of the way first. What irks me most is that pages 27 - 53 (over 25 pages of listing!) are simply a list of insert statements, reported there as taken from my site. I am not bothered that they are from this site - there is a link there to credit Marcel-Jan, who created it - but why buy a book with a listing that's over 25 pages long? Then pages 95 - 111 are the same, a big listing of insert statements for a different piece of code. It would have been better to have these as a download and not print them. Also irking me is the fact that the code font seems to be the same as the text, making it hard to distinguish between the two - a clear distinction in font/size would have been worthwhile.

The book also makes an initial bold statement on the rear cover that there are a number of books out there on Oracle security but most are theory and not practical. Hmmmmmm. The SANS Oracle Security Step-by-Step was certainly not theory. Arup's excellent HIPAA book was also quite a lot of step-by-step practicality. My two chapters of the new Oak Table book on user and data security are also quite practical - at least I think so. The second new book is the ISACA "Security, Audit and Control Features - Oracle Database, 3rd edition". This is an excellent book and is in its third edition. I have all three and the newest is worth having even if you have a previous one. This is an excellent practical book. Also, I suspect Patrick meant securing specifically, so probably didn't include books like David Knox's two-parter, the latest published recently. David's book is also very practical but focused on features rather than out-and-out hardening. There are quite a few books out there now, plus the checklists like the SCORE and the CIS benchmark and the DoD STIG, which are also practical in nature.

Back to Patrick's book. I have not read all of Patrick's book cover to cover yet but have skimmed it all a couple of times and read closely around 100 pages so far - I have a few plane trips soon to give me some forced reading time..:-). The book is not bad in terms of content so far, but there are some things I don't agree with and also some silly technical typo errors. Also, the main idea of the book is to create Patrick's toolkit and install it in the database being checked. I personally don't like this idea (only how he has done it; I do like the idea of basing the book round a toolkit) as I don't think you should install objects, and certainly not security scan results, in the database being tested. BUT, a lot of others do this, particularly the US government and companies that use the S.R.R. scripts from the US DoD. These take a similar approach. The code Patrick provides could be modified to not reside in the database being tested though. There has clearly been a lot of work put into the book and thought on structure and on helping people take a practical approach to securing Oracle - well done for that, Patrick.

Finally, I think the book would have benefited from peer review before it was published; maybe Patrick can do this for the next release. The SANS book is no more, so it's nice to see a book in a similar vein.

It's also nice to see two books dealing with Oracle security and both taking a practical approach.

OK, back to my clients report!

There have been 2 comments posted on this article

September 3rd, 2010 at 02:41 pm

Marcel-Jan Krijgsman says:

The item about this Oracle security book is totally news to me. It's great people think my work (and that of Justin Williams, and several other sources) has been useful. But I don't think a script is very useful on 25 paper pages.

September 3rd, 2010 at 03:31 pm

Pete says:

Hi Marcel-Jan,

That was exactly my point. Using the data to create new tools to test the security of a database is fine, but wasting 25 pages of print seemed pointless to me; why not just download it?