Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
If you would like to book my "how to perform a security audit of an Oracle database" training class at your site, please drop me an email (see my contacts page). It is very popular at present and is providing benefits to a lot of people on both public classes and private classes. We do fixed prices for up to 2 people, up to 4 people and up to 8 people. We can of course accommodate more people, but this is unusual for private classes, though not for public ones.
I was emailed by Mike Smithers last week to let me know about his very nice article about SQL injection posted to his blog and titled "Self-Inflicted SQL Injection – don't quote me !". Mike kindly let me know, but I have had little time to read it until I finally did so this lunch time. The article is very nice and concentrates on the issue of objects created in the database that are themselves injection payloads. This can be an object or a user (which of course is still an object in the dictionary). This idea has been around for quite a while, but it's nice to see a paper on it.
Also, David released a new idea on exploiting Java at Blackhat, which included a 0-day exploit against Oracle. The exploit is shown in Sumit Siddarth's blog in a post titled "Hacking Oracle 11g", which also includes a link to David's Blackhat presentation video. Paul has written a short paper titled "Securing Java in Oracle" that gives some details of the vulnerability and also some ideas on securing against it in the absence of a patch. It's nice to see that Paul has included some of the ideas on checking in depth (i.e. packages that use packages, etc., ad infinitum) that I have been talking about in presentations for a few years at places such as the UKOUG and also in my training classes. I will also be covering these ideas and more in two webinars for Sentrigo in a few weeks' time (see the links on my home page to register for the talks). One is on European time and one on US time. Nice paper, Paul!
I am speaking in Germany on Thursday the 4th February at the IT-Defense 2010 conference in Cologne, Germany. The link is on the PeteFinnigan.com Limited site's home page.
We are also one week away from our two day Oracle security training here in York, England. If anyone wants to make a last minute registration, that's fine; we will be able to accommodate you.
I have also updated our public training dates page to include the registration details for the new public class in Utrecht to be held on the 26th and 27th of May 2010. I would love to see people there as well!
Finally, the new Oak Table book, Expert Oracle Practices, is out. I had my copy waiting for me when I returned from Turkey and I am now looking forward to reading the other authors' chapters. I wrote two chapters; the first about user security and the second about data security. I found that one of my co-authors, Charles Hooper, has written an excellent summary of the book on his blog in a post titled "Expert Oracle Practices: Oracle Database Administration from the Oak Table” Book".