
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


SQL Injection Attack



Marcel-Jan emailed me an article on arstechnica a few days ago and has now written a forum post titled "How Anonymous hacked HBGary".

This is interesting reading and shows that simple techniques can be used to abuse systems. Anyone who has heard me speak at conferences or in training will know that I like to propagate the idea that it is the simple things that let companies down in terms of data security. A good example would be a mythical company that has spent a lot of money implementing data security within the database, including controls, audit, encryption, VPD, Label Security and even DAM, but then leaves the same key data available in other places, such as on paper, in email systems, in development systems, in test systems and more. The security of an Oracle database does not depend only on the Oracle software; i.e. we cannot simply apply security patches and assume that the database is secured, nor can we simply follow known hardening guides and assume that our "data" is secured. This is because Oracle is complex, and part of implementing it is for the implementer to add their own designs (tables, views, data, screens and, of course, security and management). This is not Oracle's job; it is the customer's. We also have to consider the data itself: know where it is and who can access it, and then plan how we will create strategic and technical solutions to protect it.

Simple issues make data insecure, or, in the case of this article, allow a company's systems and even its emails to be accessed. These simple issues include passwords: if you don't protect passwords, enforce strong passwords and ensure that accountability is in place (audit, DAM or similar), then it's easy to break in.
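As an added illustration of the three password points above (protect passwords, enforce strong ones, keep accountability), here is what they look like in an Oracle 11g database. This is example code written for this page, not code from the post or from the HBGary write-up. The profile name secure_users, the function name my_verify_function and the user app_user are assumptions; the verify function must be created in the SYS schema, and the AUDIT_TRAIL change needs an instance restart before AUDIT SESSION records anything.

```sql
-- Added example, not from the original post. Run as SYS (SYSDBA).
-- Assumed names: my_verify_function, secure_users, app_user.

-- 1. Protect passwords: find accounts still using a known default password.
--    DBA_USERS_WITH_DEFPWD is an 11g dictionary view; anything it lists
--    should be changed or locked before going any further.
SELECT username FROM dba_users_with_defpwd ORDER BY username;

-- 2. Enforce strong passwords: a password verify function with the
--    signature Oracle calls (username, password, old_password). Raising
--    an error rejects the candidate password; returning TRUE accepts it.
CREATE OR REPLACE FUNCTION my_verify_function (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
BEGIN
  -- Minimum length
  IF LENGTH(password) < 12 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 12 characters');
  END IF;
  -- The password must not contain the username (case-insensitive)
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must not contain the username');
  END IF;
  -- Require both letters and digits
  IF NOT REGEXP_LIKE(password, '[0-9]')
     OR NOT REGEXP_LIKE(password, '[A-Za-z]') THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password needs both letters and digits');
  END IF;
  -- old_password is NULL when Oracle does not know it, so guard the compare
  IF old_password IS NOT NULL AND UPPER(password) = UPPER(old_password) THEN
    RAISE_APPLICATION_ERROR(-20004, 'New password must differ from the old one');
  END IF;
  RETURN TRUE;
END;
/

-- A profile that locks the account after repeated failures and forces
-- rotation through the function above; time limits are in days.
CREATE PROFILE secure_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION my_verify_function;

ALTER USER app_user PROFILE secure_users;

-- 3. Accountability: write the audit trail to the database (restart needed),
--    then record every logon and logoff.
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;
AUDIT SESSION;

-- After the restart, failed logons (ORA-01017) appear with RETURNCODE 1017;
-- this is the query to review for password guessing against an account.
SELECT username, os_username, userhost, timestamp, returncode
  FROM dba_audit_session
 WHERE returncode = 1017
 ORDER BY timestamp DESC;
```

The verify function deliberately checks the candidate password only; checking the old password for reuse is handled by the PASSWORD_REUSE_* limits in the profile rather than by the function. Existing users keep their current passwords until PASSWORD_LIFE_TIME expires, so an ALTER USER ... PASSWORD EXPIRE is needed if the new rules must apply immediately.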

This article is an interesting read and should wake up those who need to secure their data. The techniques used were not rocket science, but at one level they were also clever. Hacking an email system and then emailing the sysadmin to get access to a server, whilst pretending through email to be someone else, is clever but not technically difficult. This is why security is difficult: we must consider all aspects of data loss, and therefore all aspects of data security.