
Pete Finnigan's Oracle security weblog


SQL Injection Attack

March 3rd, 2011 by Pete

Marcel-Jan emailed me an article on arstechnica a few days ago and has now written a forum post titled "How Anonymous hacked HBGary".

This is interesting reading and shows that simple techniques can be used to abuse systems. Anyone who has heard me speak at conferences or in training will know that I like to propagate the idea that simple things let companies down, data security wise. A good example would be a mythical company that has spent a lot of money implementing data security within the database, including controls, audit, encryption, VPD, Label, even DAM, but then leaves key data available in other places such as on paper, in email systems, on development systems, on test systems and more. The security of an Oracle database does not depend only on the Oracle software; i.e. we cannot simply apply security patches and assume that the database is secured, nor can we simply follow known hardening guides and assume our "data" is secured. This is because Oracle is complex, and part of implementing it is for the implementor to add their own designs (tables, views, data, screens and of course security and management). This is not Oracle's job; it is the customer's. We also have to consider the data itself: know where it is and who can access it, and then plan how we will create strategic and technical solutions to protect it.

Simple issues make data insecure or, in the case of this article, a company's systems themselves, with even emails being accessed. These simple issues include passwords: if you don't protect passwords, enforce strong passwords and ensure accountability is in place (audit, DAM or similar), then it's easy to break in.
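As an added illustration of the password and accountability controls mentioned above (this is constructed example code, not code from the original post), here is an Oracle profile that enforces a password verification function and lockout, with session auditing switched on so that failed logons are recorded. The names app_pw_verify, app_users and app_owner are assumptions.

```sql
-- Constructed example (names app_pw_verify, app_users, app_owner are assumptions):
-- a profile enforcing password rules and lockout, plus session auditing.
-- 1. Password verification function. Oracle calls it on CREATE/ALTER USER;
--    it must be owned by SYS and raises an error to reject a password.
CREATE OR REPLACE FUNCTION app_pw_verify (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2) RETURN BOOLEAN IS
BEGIN
    IF LENGTH(password) < 12 THEN
        raise_application_error(-20001, 'Password must be at least 12 characters');
    END IF;
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        raise_application_error(-20002, 'Password must not contain the username');
    END IF;
    IF NOT REGEXP_LIKE(password, '[0-9]') OR NOT REGEXP_LIKE(password, '[a-z]')
       OR NOT REGEXP_LIKE(password, '[A-Z]') THEN
        raise_application_error(-20003, 'Password needs upper, lower and digit characters');
    END IF;
    IF old_password IS NOT NULL AND password = old_password THEN
        raise_application_error(-20004, 'New password must differ from the old one');
    END IF;
    RETURN TRUE;
END;
/
-- 2. Profile that uses the function and locks accounts after repeated failures
--    (leaving these UNLIMITED with no verify function allows unlimited guessing).
CREATE PROFILE app_users LIMIT
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24      -- fraction of a day: locked for one hour
    PASSWORD_LIFE_TIME       90
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_MAX       10
    PASSWORD_REUSE_TIME      365
    PASSWORD_VERIFY_FUNCTION app_pw_verify;
ALTER USER app_owner PROFILE app_users;
-- 3. Accountability: audit_trail must be DB (restart after the SPFILE change),
--    then audit sessions so every logon, successful or not, is recorded.
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;
AUDIT SESSION;
-- 4. Review failed logons (returncode 1017 is ORA-01017 invalid username/password).
SELECT username, os_username, userhost, timestamp, returncode
FROM   dba_audit_session
WHERE  returncode <> 0
ORDER  BY timestamp DESC;
```

The final query is the kind of check that gives the accountability the post asks for: a burst of 1017 return codes against one account from one host is visible in the audit trail rather than silent.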

This article is an interesting read and should wake up those who need to secure their data. The techniques used were not rocket science but at one level were also clever. Hacking an email system and then emailing the sys admin to get access to a server, whilst pretending through email to be someone else, is clever but not technically difficult. This is why security is difficult: we must consider all aspects of data loss and therefore of data security.


This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
