Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Techa Kucha In York

I have been asked to come and be one of the speakers at the first Techa Kucha event in York organised for next week February 2nd at 6pm at York University in Springboard first floor, in the Ron Cooke Hub in Heslington east campus. its a free event and to reserve a place you can contact Erica Thorpe on INOV1_at_YORK.AC.UK to register an interest or also to volunteer to speak next time. This should be fun as its a good event to meet local people and like minded people and mingle / chat. The process is Japanese and ist designed around presentations that have 20 slides each moving on automatically after 20 seconds so my talk will be just over 6 minutes.

If you are in the area come along; entry is free.

Latest Oracle Security Critical Patch Update is out

The most recent patch Tuesday happened yesterday for Oracle. The sizes of the patches are increasing but that is due solely to the recent aquisition of Sun. The database security patches are the area where I have an interest and the size of the number of fixes is definately dropping in the database. I have to say also that for a long time now patches are not the topic of conversation with customers or at conferences anymore. The major focies seem to be around hardening, core security controls and audit trails. Companies seem to have become aware to the true issues over the last couple of years. Security patches are obviously important and should be installed but they are not the crux of the issue of securing data in an Oracle database. The biggest issues often are a lack of accountability and insufficient controls and excessive privileges and a lack of segregation of duties. Often most of these issues are a remnant of not including security as part of the original design. We can ask Oracle to fix security bugs but we cannot ask them to fix our designs where security is concerned; thats our job!

The January 2011 Oracle critical patch update includes 7 database server issues; one in Audit Vault with a CVSS score of 10, one in Oracle secure backup and 5 in the database. All three areas have remotely exploitable bugs without the need for username and password.

Oracle Security Training, Home For Christmas and a belated happy new year

I started to write this blog post more than two weeks ago when I returned home for Christmas after travelling and working away for most of the last 3 months or so teaching training classes, doing security audits and also working on data security designs for clients. But then I got really ill with the flu before christmas and its taken nearly two weeks to get well to start to work again..:-(

Happy belated new year to all my readers; I hope that you all have a very happy and successful new year in 2011.

I had been thinking whilst sitting day dreaming on many many flights over the last few months that it would be nice to write a new book but its hard work of course.

I keep getting asked by people more and more either in person whne teaching or via email etc why I don't do an update of the Oracle security step-by-step guide I did for SANS a long time ago; well two things, SANS dont publish books anymore and also they own the copyright so I couldn't update that book even if i wanted to. Also I don't think I would want to do a simple update anyway as my views on securing data (note I said data and not Oracle) are more focused on three areas not just simple hardening as only covered by the SANS step-by-step; my three areas are:

1) The security patches - small percentage of the whole as at the end of the day from a security auditors point of view you either apply the current patch or you dont. Dont worry I fully get all the financial/time issues around info/regression testing/ downtime ......

2) core hardening - This is what the SANS book focused on. changing well know settings such as utl_file_dir, os_authent_prefix, roles, privileges, default users and more to secure settings

3) The most important part (IMHO) is the bit that should have been done as part of design and implementation; that is to include security of the data and users as part of the application design. Its my experience that mostly this is not done or if it is done its not done any detail or to any depth at all or not very well. This is the area of user design, privilege design, data access design, security design within the database.

The first item accounts logically for a small percentage of security issues within the database when viewed from effort/cost not exploitation (at the end of the day you can apply a patch or not - its that simple BUT not from a cost time factor, i appreciate) - its debatable from exploitation angles as well whether this is also true because there are also other limiting factors such as "who" can make direct connections to the database to exploit a public issue. The general hardening accounts for a bigger percentage but certainly not all of the work needed to secure data - the biggest problem with general hardening is that; its general - the hardening guides and books known nothing otu your data or your design.

I would say point 3 the design work and the security that "you as the customer" should have implemented is the bigger part of securing your database. This is probably 60% - 70% of the whole of the work to secure your data. Anyway this is why I think a hardening book like the step-by-step has less value these days. I believe to make data secure the whole approach must be considered.

I said in a recent blog post that I have a back log of items to post about - indeed i have collected these into a list and i hope to find time to talk about a few of these over the coming months but i am already booked out quite a lot of my time on training and consulting into the middle of the year and I am also supporting our product PFCLScan so blogging is going to be fun toi fit in BUT i am determined to do so. I want to try and get back to writing like i did a few years ago with papers like the "exploiting and protecting Oracle" paper i did for Pentest. I liked to write in that style and i have a good list of subjects!

I have just updated the training page and added in the registration links for the class I am going to teach on "how to perform a security audit of an Oracle database" with Opitz Consulting in Thalwil in Switzerland in February. If you can make it there for the class it would be great to meet you there. I have not taught in Switzerland before so I am looking forwards to being there. The Opitz registration page is here please take a look.