
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Mark Rittman talks about Fine Grained Access Control

I just saw a nice post on Mark Rittman's weblog about Fine Grained Access Control titled "Applying Fine Grained Access Control To Analytic Workspaces" that discusses using VPD (Virtual Private Database) within analytic workspaces. Mark found a good post on OTN that details how to use VPD in this situation and has reproduced the relevant parts of the post from the OTN OLAP forum in his own post. The post includes some nice examples, including even an FGA example at the end.

I also wrote a two part paper about row level security in Oracle for Security Focus some time back. There are links to parts 1 and 2 of this paper on my Oracle security white papers page.

nCipher have made product updates

I just saw a news article on InformationWeek about nCipher, who make the SecureDB product. The article was written by Martin J. Garvey and is titled "NCipher's Security System Supports More Databases". The article talks about the risks to data held in databases and the fact that serious thieves and hackers go after the data held in your databases. Martin suggests that there is a continuing market for third party add-on security products for databases including Oracle. nCipher's SecureDB product, which currently supports Oracle, will also support DB2 and Microsoft SQL Server from next week. SecureDB is a hardware and software product that sits next to the database watching for intrusions. The product can also help decide what data should be encrypted and what should remain unencrypted, and it can help with enforcing security policies.

I have just added a link to this tool on my Oracle Security tools page in the commercial section as I was not aware of this product. It looks like a useful product, have a look at the news article and also at the product page for SecureDB.

How the secret service decodes encrypted evidence

I was emailed by Sean Hull to let me know about a link on Slashdot that talks about how the US Secret Service cracks very strongly encrypted data held on criminals' seized computers. The link on Slashdot is http://hardware.slashdot.org/article.pl?sid=05/03/28/2026226&tid=172&tid=198&tid=103 but this points to and summarizes an article on the Washington Post website titled "DNA Key to Decoding Human Factor - Secret Service's Distributed Computing Project Aimed at Decoding Encrypted Evidence". This is a very interesting article describing the issues law enforcement officers have decrypting data held on criminals' computers that has been encrypted with strong, long encryption keys. The normal problem is that the sun would burn out before any computer on the planet could brute force the keys. The U.S. Secret Service instead uses a cleverer technique, taking lessons from the search for E.T. They tie together all of their staff's desktop computers to crack passwords, but the special ingredient is the creation of custom dictionaries to use in the cracking effort. The system (DNA) searches the suspect's hard drive and gets all plain text words and phrases from the clear text files and also from the web sites recorded in the browser cache and history.

The technique works because people are sloppy and do not choose strong alphanumeric passwords but instead choose weak ones based on existing knowledge. Quite often a suspect's password consists of words based on their interests, and coincidentally those words can be found on the special interest sites they have visited.

This is an excellent article that describes the U.S. Secret Service's efforts. I suppose the lesson to be drawn from this is to choose very strong alphanumeric passwords and to use the strongest encryption that is practical for the purpose. Do not use words from hobbies or interests, or words you may repeat in other documents or emails. This is not just a lesson for criminals but also for businesses that use encryption: if you want to use encryption successfully then use strong passwords. If you are not a criminal then the U.S. Secret Service is not going to be cracking your encryption keys anyway, but competitors might, hackers might or even curious employees might. They might not have access to a network of PCs like the one in this article though.
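As an added illustration of the custom-dictionary technique described above (this is not the Secret Service's DNA code, and nothing in it is real evidence), the Python below builds a wordlist from constructed stand-ins for a suspect's clear-text files and browser cache, applies the usual mangling rules (capitalisation, common suffixes, leetspeak) and tries the results against a target. The key derivation is simplified to a single SHA-256 of the passphrase, which is an assumption for the demonstration; a real product would use its own slower KDF, but that only changes the cost per guess, not the handful of guesses a passphrase taken from the suspect's own hobby needs.

```python
import hashlib
import itertools
import re

# Constructed stand-ins for the clear-text files and cached web pages that the
# technique harvests from a seized drive. Nothing here is real evidence.
SEIZED_TEXT = {
    "Documents/notes.txt": (
        "Reminder: renew the falconry club membership before the Peregrine "
        "meeting on Tuesday."
    ),
    "Cache/raptor-forum.html": (
        "<html><body><h1>Raptor Keepers forum</h1>Goshawk, Peregrine, Merlin "
        "and Kestrel threads.</body></html>"
    ),
}

WORD_RE = re.compile(r"[A-Za-z]{4,}")  # very short tokens brute-force cheaply anyway
TAG_RE = re.compile(r"<[^>]+>")
SUFFIXES = ["", "1", "12", "123", "!", "2005", "05", "99"]


def harvest_words(sources):
    """Pull candidate base words out of clear-text files and cached HTML pages."""
    words = set()
    for text in sources.values():
        for word in WORD_RE.findall(TAG_RE.sub(" ", text)):
            words.add(word.lower())
    return sorted(words)


def mangle(word):
    """Yield the capitalisation, suffix and leetspeak variants people bolt onto a base word."""
    bases = [word, word.capitalize(), word.upper()]
    for base, suffix in itertools.product(bases, SUFFIXES):
        yield base + suffix
    leet = word.translate(str.maketrans("aeio", "4310"))  # peregrine -> p3r3gr1n3
    if leet != word:
        yield leet


def key_from_passphrase(passphrase):
    """Stand-in for the real key derivation (assumption: a single SHA-256 of the passphrase)."""
    return hashlib.sha256(passphrase.encode()).hexdigest()


def custom_dictionary_attack(target_hex, sources):
    """Try every mangled harvested word against the target.

    Returns (recovered_passphrase_or_None, candidates_tried).
    """
    tried = 0
    for word in harvest_words(sources):
        for candidate in mangle(word):
            tried += 1
            if key_from_passphrase(candidate) == target_hex:
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    # A passphrase built from the suspect's hobby falls in a few hundred guesses ...
    print(custom_dictionary_attack(key_from_passphrase("Peregrine2005"), SEIZED_TEXT))
    # ... while one unrelated to anything on the drive is simply not in the dictionary.
    print(custom_dictionary_attack(key_from_passphrase("Vx9!qL2#mT"), SEIZED_TEXT))
```

The second call is the point of the article in miniature: the attack does not get faster, it gets better targeted, so a passphrase that does not appear anywhere in the suspect's own data (or in the mangling rules applied to it) is never even tried.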

The Cuckoo's Egg

I have been reading Kevin Mitnick and William Simon's new book "Art of Intrusion: True Stories of Corporate Break-Ins Straight from the Criminals" since I bought it a few days ago and have managed to progress to chapter 4 when I have had the chance to read it. In Chapter 3 they talk about Matt and Costa's exploits in breaking into Boeing and other sites. The interesting thing for me was the discussion of how Don tracked the hackers' movements. This reminded me immediately of the book "The Cuckoo's Egg" by Clifford Stoll. I read this book a few years ago and was impressed by it. It describes a real investigation by Cliff Stoll into hackers breaking into systems here, there and everywhere back in the late 80's, before the current Internet era. The methods used by Cliff and the descriptions of the detail, the commitment and the people involved are worth reading for anyone interested in computer security. This book, despite its age, is still fresh and current for the lessons it teaches. Take a look if you have a chance and want a good read.

Before I forget, some bloggers have been talking about Oblix / Oracle as well

Last post on this subject :), personally I found it very interesting that Oracle take security seriously enough to purchase a security company that can enhance its own product set. Taken on the back of the improvements to the advisories and patch fixing information it does show that Oracle are moving in the right direction with security in mind.

I was surfing Brian Duff's orablogs site and found that a few of the Oracle bloggers who get listed there have also spoken about this purchase. I found Chris Cemper's post titled "Oracle buys Oblix", Frank Nimphius's post "J2EE Security: Oblix Joins Oracle" and finally Debu Panda's post "Oracle acquires ID management company Oblix". Enjoy reading other bloggers' views and reports.

Some news reports about Oracle's purchase of Oblix

I was surfing this evening and found some news stories about Oracle's recent purchase of Oblix. The first I found is a report on InformationWeek; the author's name is not listed (unless I missed it). The news item is titled "Oracle Acquires Oblix, Expanding Oracle's Integrated Security and Identity Management Capability" and mentions that Oblix is one of the leaders in identity management software, which includes web access via Single Sign On (SSO), identity administration and user provisioning. The article suggests a strong fit between Oracle and Oblix for application server functions and features.

The second news article I found is on the UK security news site The Register, is by John Oates and is titled "Oracle snaps up security firm". This article states that Oblix's existing products, COREid, SHAREid and COREsv, will still be available separately but the technology will end up in Oracle's stack. He also quotes, about the acquisition: "The Oblix acquisition is a remarkably good fit for those gaps in the Oracle strategy".

The final news story I found on this acquisition is on ComputerWorld and is written by Stacy Cowley and is titled "Oracle buys security developer Oblix Identity management vendor acquired for undisclosed sum".

Oracle buys Oblix

On Monday Oracle purchased an independent security company called Oblix, based in Cupertino, California. This is an interesting purchase for Oracle in its current purchasing spree; it doesn't, for instance, fall into the same category as PeopleSoft. Why has Oracle purchased Oblix? Probably because Oblix has an identity management product that Oracle could well integrate into its own product suite. I am sure we will hear the real reasons. I found out about Oblix from a News.com news item titled "Oracle adds security firm to shopping basket" written by Alorie Gilbert on March 28.

Ben talks about 10g flashback

I just saw Ben Ruming's blog post on orablogs titled "A Flashback Database" that I found interesting. Ben had been on a two day course in Australia given by Oracle with Howard Rogers as the instructor. In the course Howard talked about Flashback, which is why I was interested in Ben's post. Flashback, although limited in how far back you can look at historic data due to sizing, is a great idea. I am interested from a forensics point of view.

Forensic investigation of Oracle databases is something I get asked to do from time to time by clients of mine, to look at why something happened, or when, or who did something. The usual methods involve looking at logs, archive logs, redo and other tell-tale factors in the data dictionary to try and find out what happened, when and possibly by whom. Flashback is a useful addition to the Oracle forensics toolkit as well as all of its other uses. Ben includes some simple examples in his post. Howard has also talked about Flashback in posts on his site titled "Alternatives to Point-in-Time Recovery", "New Features in Oracle 10g" and "Data Pump". Anyway Ben's post provides food for thought.

Amis blog talks about logging data in the same table

I saw an interesting post on the Amis Blog today written by Andre Crone titled "Create logging data in the same table" where Andre talks about the problem of logging every update on a table but storing the results in the same table. As Andre points out this cannot be done with one trigger as the mutating table problem rears its head. He goes on to discuss how the problem can be solved with three triggers and a package. Andre gives some example code as well including a sample test to show that it works.

This is a useful post for those wishing to consider alternative auditing methods for monitoring application data, but be aware of some of the issues. Trying to put the audit records in the same table can cause complexities. There are also a couple of interesting comments on the Amis blog for this post: the first suggests that DBMS_WM.ENABLE_VERSION might be an alternative and another commenter suggests that Andre's solution is complex.

An interesting post and idea. Holding audit with the data has good points and bad points. It really depends on the implementation, the application, the quantity of data and how often it is amended to make a good qualitative decision. Of course Fine Grained Audit is a better option in 10g, where it now supports insert, update and delete as well as the select statements supported in 9i. Logging and auditing are important aspects of any application design nowadays, especially with the regulations that now exist.

Kevin Mitnick: New book "The art of intrusion"

I was in the town centre (York) on Thursday and had a chance to see if the new Kevin Mitnick book was out. His new book "Art of Intrusion: True Stories of Corporate Break-Ins Straight from the Criminals", written with William Simon, was due for publication on 14 March 2005 so I wasn't sure I would find it yet. Kevin's first book "The Art of Deception: Controlling the Human Element of Security", also written with William Simon, was an excellent read. It concentrated on the art of social engineering, that is the methods hackers use to trick an unsuspecting person into divulging information they otherwise would not. A good example is a hacker ringing up and pretending to be writing a critical report for a senior manager but his password needs to be reset or he needs the number of the modem, you know the score!! This is a very well written book that thoroughly covers the subject.

I have looked forward to this new book for some time. I heard about it from the kevin_story mailing list that I sometimes follow, and about Kevin's call to hackers to supply their best and most successful real world hacks. Kevin and William have interviewed a lot of candidates and selected 10 of the best for publication. This is an excellent book. The stories are good from many angles: for the security professional, the hacker, the security manager, the company who might think their software is secure and for the person who likes a good caper story.

I have only read the first chapter so far, which talks about three guys who reverse engineered video poker machines to beat the casinos in Vegas and elsewhere. In places this sounds a little far fetched, and it is similar in goal to the book "The Eudaemonic Pie" written by Thomas Bass about a group of people who used physics and a computer built into a shoe to defeat roulette wheels. This is the story of Doyne Farmer (who is famous now for chaos theory) and his friends. I didn't read The Eudaemonic Pie, published in 2000, but I did read the first version of this book, called "The Newtonian Casino", also by Bass, published in 1990. The Eudaemonic Pie is mentioned in Mitnick's book in the first chapter.

In the introduction Kevin talks about the problem of hackers trying to get one over on him by supplying a false story about a hack for inclusion in this book. This would be a good social engineering hack, he says. He and William Simon are confident that the stories are true.

I think this is a great book and anyone who is responsible for the security of Oracle databases and computer systems in general should read it. This should be where it is at in terms of real cutting edge hacking.

A new free Java based Oracle password management tool

Stephane Faroult, who posts regularly to the Oracle-l mailing list, emailed me earlier in the week to let me know about a free Java tool written by Noel Talard. A thread on Oracle-l titled "password and dblink mgmt tool" asked if anyone had a tool to manage database schema passwords and database link passwords. The poster explained that for Sarbanes-Oxley all application passwords have to be rotated at least every six months, and that any database copied to test or dev also needs its passwords rotated. Stephane posted a nice small Java tool written by Noel Talard to the original thread author that can be used for this purpose.

Stephane and Noel thought that this tool would be useful for many other people so they kindly agreed to let me host it on my Oracle Security Tools page in the free tools section. It is called ChgPwd.

The tool performs a number of basic checks (at least 6 characters, at least one digit, different from the username, different from the previous password). I have not had a chance to test the tool myself yet but it is there if anyone would like it.
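The checks listed above, as an added Python example (this is not Noel Talard's ChgPwd, which is written in Java and also does the database connection), together with a generator for a replacement password that passes them. Two Oracle-specific points the list does not state are built in: passwords up to 10g are case-insensitive, so the comparisons are done in upper case, and the generated value uses only the characters Oracle accepts in an unquoted password so it can be handed straight to ALTER USER without double quotes. The minimum length, the password length and the character set are assumptions for the example.

```python
import re
import secrets
import string

# Characters Oracle accepts in a password that is not enclosed in double quotes:
# it must start with a letter and may then contain letters, digits, _, $ and #.
# Only upper case is used because Oracle up to 10g uppercases passwords anyway.
FIRST_CHARS = string.ascii_uppercase
OTHER_CHARS = string.ascii_uppercase + string.digits + "_$#"


def check_password(username, new_password, previous_password=None, min_len=6):
    """Return the list of rules the proposed password breaks (an empty list means it passes)."""
    problems = []
    if len(new_password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not re.search(r"\d", new_password):
        problems.append("contains no digit")
    # Oracle up to 10g stores passwords case-insensitively, so SCOTT and scott
    # are the same password: compare everything in upper case.
    if new_password.upper() == username.upper():
        problems.append("identical to the username")
    if previous_password is not None and new_password.upper() == previous_password.upper():
        problems.append("identical to the previous password")
    return problems


def generate_password(username, previous_password=None, length=12):
    """Generate a random replacement password that passes check_password.

    Uses the secrets module (a CSPRNG), not random, because these values protect
    schema and database link accounts.
    """
    while True:
        candidate = secrets.choice(FIRST_CHARS) + "".join(
            secrets.choice(OTHER_CHARS) for _ in range(length - 1)
        )
        if not check_password(username, candidate, previous_password):
            return candidate


if __name__ == "__main__":
    print(check_password("SCOTT", "tiger"))  # ['shorter than 6 characters', 'contains no digit']
    print(check_password("SYSTEM", "manager1", "MANAGER1"))
    new = generate_password("SCOTT", "TIGER1")
    print(new, check_password("SCOTT", new, "TIGER1"))
```

Because the generated value contains no lower case letters, it does not lose strength to Oracle's uppercasing: with 39 possible characters per position an 11-character tail still gives well over 50 bits, far more than the six-character minimum the tool enforces.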

Jonathan Lewis on Row Level Security - part 2

I talked about a week ago about the first part of a multi-part paper by Jonathan that I found when I was looking for something else on Google. The post was titled "Jonathan Lewis on Row Level Security" and covered the first part of Jonathan's paper. I was looking a day or so ago for the second part and beyond but found that the domain name for DBAZine had expired, according to the page I was given. Today I checked back again and the DBAZine site seems to be back. The first part of Jonathan's paper is also on his own site should the glitch occur again.

I found the second part of this paper, titled "Row Level Security - Part 2: Security Policies", on DBAZine. This is a good paper and well worth reading for anyone interested in Oracle security. Jonathan gives some great examples and covers requirements, security policies, preparing Row Level Security, some problems and a conclusion in which Jonathan makes a good statement: "For relatively simple requirements I'm not convinced that you really need to go any further than the deliberate creation of views described in the first article in this series." It is refreshing, in an article about a specific feature, to remind the reader that it is not always necessary to embrace every new feature and function just for the sake of it.

The JHeadstart blog talks about J2EE authentication and authorization with JHeadstart

I saw an interesting post on the JHeadstart team's blog about 10 days ago, posted by Sandra Muller. The blog entry is called "J2EE Authentication and Authorization with JHeadstart". Sandra announced a new document called How To Add J2EE Authentication and Authorization to a JHeadstart Application that explains how to set up J2EE authentication and authorization with JHeadstart using as much as possible of (in Sandra's words) OC4J, Struts, ADF BC and JHeadstart. Sandra also tells us that a new article will be published soon describing how to do authorisation and authentication with your own user/role tables. I will watch out for it.

Mark Woan's GUI .NET password check tool updated link

Mark Woan has emailed me to let me know that he has updated the link to his .NET based GUI tool for checking Oracle default passwords. Mark has updated the content management system for his website and this broke the previous link. I talked about this tool here about a week ago in a post called "A GUI default password checking tool".

I have updated my Oracle Security tools page to reflect this new link.

A GUI default password checking tool

I was emailed by Mark Woan a week or two ago who told me about a GUI .NET tool that he has written to check Oracle default passwords. It uses the Oracle default password list from my site. I also have a default password checking tool available from my site.

Mark's tool is a GUI tool and has the following features, quoted to me in an email:

  • Automated password list updating

  • Default user/password checking

  • TNS Listener security settings retrieval

  • Noddy password checking, e.g. test/test

  • Logging

This looks like a useful tool and it is available from Mark's website. I have also updated my Oracle Security Tools page to include this tool in the free tools section.

Sean Hull's weblog site is back up

I mentioned Sean Hull's new web log here a few days ago in a post titled "Sean Hull has started a web log based around Oracle and open source". Unfortunately Sean's web server has had some troubles almost since I posted about his new blog on Open Source and Oracle.

This looks like a promising web log for anyone interested in open source projects, products and tools, especially those related to Oracle.

Sean emailed me yesterday to let me know that the troubles with his blog Oracle + Open Source are hopefully over and the site is back fully functional.

Jonathan Lewis on Row Level Security

I was searching on Google for something the other day and by accident came across a paper by Jonathan Lewis about row level security. I had not seen this paper before so I saved it in an open window to look at later. I have just had time to read it now. The paper is titled "Row Level Security - Part 1" and, as you might expect from Jonathan, is very well written. I am not sure when it was written but judging by the mention of 9.2.0.3 in the first paragraph it was a while ago. It is still quite relevant though.

The paper is the first in a series. I will get the others and have a look in a day or so; I am a bit busy at present. This paper starts off with some history and some examples of how it used to be done with a table, a trigger and a view. This is an excellent example that talks about performance issues and the arrival of sys_context(), which displaced userenv().

Jonathan then goes on to detail contexts and gives examples showing how the previous example can be improved. He talks about and explains contexts in detail. This is an excellent article. I will track down the other parts and get back to you on those soon as well.

Google desktop search

I saw on orablogs tonight two posts about the new Google desktop search. The first is Google Desktop Search Goes 1.0 by Steve Muench and the second More On Google Desktop by Ben Ruming. I was interested in this, as a few readers will guess, from a security angle.

I bought Johnny Long's book Google Hacking for Penetration Testers and I have also talked in the past about Google hacking and about the security concerns raised by having the Google desktop search engine installed, as it can find vulnerabilities and security risks on your own machine. I made some posts here about this recently; these include "Google hacking and reverse engineering Java", "Google hacking search string database", "Google hacking is on the up!" and "Bruce Schneier talks about google desktop search security".

Oracle have made some big updates to alert #68

Oracle have made some big updates to the alert #68 advisory. The update is dated 2nd of March. The advisory is available from Oracle's Critical Patch Updates and Security Alerts page and is titled "Oracle Security Update Alert #68, Rev 4, 2 March 2005". The main change made for this revision is that Oracle have now detailed each vulnerability that has been fixed and given each an identifier such as DB20. These identifiers are similar in style to those in the more recent CPU Jan 2005 advisory, but the numbers in alert #68 do not relate to the newer advisory. Oracle have also added a risk matrix that lists, for each vulnerability, its number, the component (e.g. dictionary, extproc), the required access (protocol), the authorisation needed, and then the risk broken down into confidentiality, integrity and availability. The matrix also includes the earliest supported release and the last affected patch set.

There is also a second section called required conditions which details the conditions needed to exploit the issue. There is also a workarounds section but this only includes a fix for bug DB21.

There is a new matrix for the database and for the Oracle application server, since there are relevant bugs in each.

This level of information now matches that released in the recent first scheduled quarterly release, CPU Jan 2005. This level of information for alert #68 is great and I guess will be well received. The pity is that it was not available at the time of the initial release of the advisory; it would have been more useful then, when customers were crying out for detailed information to help assess whether to apply the patches for this advisory.

Well done to Oracle for backdating this information and releasing it. It does show that Oracle is listening to criticisms regarding bugs and fixes in the area of releasing more information to assist customers.

Frank has an example on simple J2EE form based authentication

I just saw Frank Nimphius's post to his blog on orablogs titled "ADF UIX: JDeveloper 10.1.2 version of "Simple J2EE Form based authentication example" released". In it Frank talks about his December post where he released a simple UIX authentication example. He has ported the example to JDeveloper 10.1.2 and found that it no longer works there. He is investigating, but in the meantime his post gives a link to a new example that does authentication in UIX and works in 10.1.2.

Nice listener.log error parsing script

I saw a good post on the Oracle-l list last night where the poster, in a thread titled "tcl script for listener alert", asked if anyone had a TCL script to parse the listener.log file for error messages. He said that OEM came with a handy alert check for the alert log in the event library.

Dave posted a reply to the same thread in which he says that he also couldn't find a TCL version so he wrote a Korn shell script to parse the listener.log file. He says he has not had time to modify the script to deal with the listener being down for an extended time and a few other bits. Dave kindly included the source code for his ksh log parser.

This is a useful post that is worth reading and also to get the source code. I have not tried it yet purely due to time constraints.
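As an added example in the spirit of Dave's script (this is not his Korn shell code, and the log lines are constructed for the demonstration), the Python below parses the pre-11g text format of listener.log, where each event is a ' * '-separated record ending in a return code and every non-zero return code is followed by a TNS- line carrying the message. Beyond pulling out the error messages the poster asked for, it counts failed connection attempts per source address and lists listener administration commands, which is where a remote attacker probing for service names or trying to stop an unpassworded listener shows up. The threshold of three failures and the set of commands treated as administrative are assumptions for the example.

```python
import re
from collections import Counter

# Constructed listener.log extract in the pre-11g text format: one event per
# ' * ' separated record ending in a return code, each non-zero code followed by
# a TNS- message line. Host 10.0.0.9 probes for unknown services and then tries
# to stop the listener without the password.
SAMPLE_LOG = """\
28-MAR-2005 21:05:11 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=wks01)(USER=pete))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.20)(PORT=1320)) * establish * orcl * 0
28-MAR-2005 21:05:30 * (CONNECT_DATA=(SERVICE_NAME=prod)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.9)(PORT=40012)) * establish * prod * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
28-MAR-2005 21:05:31 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.9)(PORT=40013)) * establish * PROD * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
28-MAR-2005 21:05:33 * (CONNECT_DATA=(SERVICE_NAME=test)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.9)(PORT=40014)) * establish * test * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
28-MAR-2005 21:06:02 * service_register * orcl * 0
28-MAR-2005 21:07:15 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=10.0.0.9)(USER=nobody))(COMMAND=stop)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=153092352)) * stop * 1169
TNS-01169: The listener has not recognized the password
"""

HOST_RE = re.compile(r"\(HOST=([^)]*)\)")
COMMAND_RE = re.compile(r"\(COMMAND=([^)]*)\)")
TNS_RE = re.compile(r"^(TNS-\d{5}):")
# lsnrctl commands that change or reveal listener state; any of these from a
# remote address deserves a look, whether or not the password check failed.
ADMIN_COMMANDS = {"stop", "status", "services", "reload", "version", "password",
                  "set", "show", "trace", "save_config"}


def parse_line(line):
    """Parse one ' * ' delimited event; return None for TNS- message lines and other text."""
    fields = line.rstrip("\n").split(" * ")
    if len(fields) < 3 or not fields[-1].strip().isdigit():
        return None
    connect_data = next((f for f in fields if f.startswith("(CONNECT_DATA")), "")
    address = next((f for f in fields if f.startswith("(ADDRESS")), "")
    # Prefer the transport ADDRESS: the HOST inside CID is supplied by the client.
    host = HOST_RE.search(address) or HOST_RE.search(connect_data)
    command = COMMAND_RE.search(connect_data)
    if command:
        action = command.group(1)
    elif "establish" in fields:
        action = "establish"
    else:
        action = fields[1]          # e.g. service_register
    return {"ts": fields[0], "host": host.group(1) if host else "",
            "action": action, "rc": int(fields[-1])}


def analyse(log_text, threshold=3):
    """Summarise TNS errors, failed connects per source host and admin commands."""
    failures, tns_errors, admin = Counter(), Counter(), []
    for line in log_text.splitlines():
        tns = TNS_RE.match(line)
        if tns:
            tns_errors[tns.group(1)] += 1
            continue
        event = parse_line(line)
        if event is None:
            continue
        if event["action"] == "establish" and event["rc"] != 0:
            failures[event["host"]] += 1
        elif event["action"] in ADMIN_COMMANDS:
            admin.append((event["ts"], event["host"], event["action"], event["rc"]))
    suspicious = sorted(h for h, n in failures.items() if n >= threshold)
    return {"failures": failures, "tns_errors": tns_errors,
            "admin": admin, "suspicious": suspicious}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for code, n in sorted(report["tns_errors"].items()):
        print(f"{code}: {n}")
    for host in report["suspicious"]:
        print(f"{host}: {report['failures'][host]} failed connections")
    for ts, host, action, rc in report["admin"]:
        print(f"{ts} {action} from {host} rc={rc}")
```

Run over a real listener.log with `analyse(open(path).read())`; the transport address is used in preference to the HOST inside CID because the latter is whatever the client chose to send.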

Howard Rogers has started a new Oracle forum

I saw in the last few days that Howard Rogers has started a new Oracle forum. I have not joined yet but will do so to keep an eye on what's going on there and to try and contribute. There seem to be a few Oracle security related posts in there already and the quality of the postings seems reasonable. The posts that caught my eye are "Username=Password", "password", "Granting rights to user connecting through a dblink", "sql-injection in insert statement" and "Secure Application Roles".

Keep an eye on Howard's forum; it looks like it's worth a visit now and then to see what's been posted, or I would definitely recommend joining and taking part as the discussions seem technical and friendly enough.

Alex has a new presentation on hardening Oracle client PC's

I got an email from my good friend Alex Kornbrust a day or so ago to tell me a few bits of news (more on the other news tomorrow..:-) ). He also sent me an English version of the presentation that he gave on Friday about hardening DBA workstations. This is an excellent presentation and covers some very interesting ground. One area of his presentation I want to talk about again tomorrow in more detail as it is something I have also looked into and written about in the past. Alex has updated his "Whitepaper and Presentations" page to include German and English versions of this presentation. The English version is titled "Hardening Oracle DBA Workstations" and the German one "Absicherung von Oracle Administrations- bzw. Entwicklerarbeitsplätzen".

Jared Still has a new site

Sean Hull made me aware of Jared Still's web site in an email the other day. Jared is the author, along with Andy Duncan, of the book Perl for Oracle DBAs published by O'Reilly. This is an excellent book by the way. I was aware of Jared's old site at cybcon.com for a few years. This old site now forwards to the new home page at JaredStill.com, a new site Jared has put up. I recognise quite a bit of the content but Jared's site is well worthy of a visit. He has written some excellent articles and there is some material there for us Oracle security types. In particular Jared's paper on Encryption in Oracle Databases - Data Obfuscation and Encryption is well worth reading.

Also, Jared has used a sitebuilder package called minisitebuilder from Lazarus Internet Development which looks quite interesting. I will be taking a closer look as I am still on the look out for a good content manager for this site. I talked about this on New Year's Day in an entry called "Oracle security and content management".

Anyway Jared's site is worth a visit in my opinion.

Sean Hull has started a weblog based around Oracle and open source

I got an interesting email yesterday morning from Sean Hull, the author, with Andy Duncan, of Oracle & Open Source published by O'Reilly. Sean and I email from time to time discussing web sites, Oracle and CMS systems.

Sean has let me know that he has just started a new Oracle blog called Oracle and Open Source. I took a look last night and whilst there is nothing specifically about Oracle security there yet, it is still an interesting blog for me as I am always interested in open source tools, especially those related to Oracle. There are a number of Oracle security tools that are free and I am sure there will be more. Open source is a great way to develop new tools for Oracle and it will find particular uses in security.

I will be keeping an eye on Sean's blog and, needless to say, if he talks specifically about security and Oracle I will let you know here. Take a look at his new blog.

Amis Blog has an interesting entry on multiple listeners

I just came across the AMIS Blog post "Registering non-default XMLDB HTTP/WebDAV and FTP ports on a non-default Oracle Listener port" on orablogs. This post by Marco Gralike talks in detail about setting up two listeners on a server that is pretty busy. He talks about having two listeners of different versions running on the same machine. Marco gives some technical details and examples of how to set up and start two listeners. I find this a good example as people ask me from time to time about setting up two listeners for one database with the intention that one of those listeners is used specifically to run extproc. The point is that the extproc listener runs as a separate, low-privileged operating system account, so that even if that listener is compromised via extproc the server is in less danger from hackers, as the account they would have captured should have no server privileges or access.

Marco starts his short article with some discussion of creating and setting up two listeners and shows some examples. He works through the set up, shows how to start both and how to check that they are running. He then talks in detail about registering the database with the correct listener, and about the use of the LOCAL_LISTENER parameter in the init.ora in 10g so that the 10g database registers itself with the correct listener. This is an interesting discussion that goes on to talk about the XMLDB daemons. Marco then talks about registering the FTP, WebDAV and HTTP services on different ports, showing examples and details of how to do this including altering the ports.

Comments, spam and statistics spiders

I was taking a break from my mad workathon this evening and decided to surf orablogs and saw Brian's post Ugh Comment Spam, which I found very interesting as I have seen a massive increase in email spam recently. It has coincided with me having to work longer hours so has been very unwelcome, as I had to devote quite a bit of time to cleaning up my email about two to three weeks ago. I am told by my ISP that I received tens of thousands of emails one evening about three weeks ago that crashed their email server. Why me? Probably because my name is known all over the net and so is my email address.

I also had problems with comment spam some time back. I talked about it in a post here called "Comments have been disabled from my weblog" where someone was systematically posting rubbish to my blog in an attempt to add backlinks.

It seems that the spam world is getting cleverer. I run stats for my site that are private and not accessible to the general public, which include a list of referrers. I noticed a short while ago that there are starting to be a few referrers from filthy type sites and some advertising sites. I checked my logs and they are all posted from a number of IP addresses with different referrer strings advertising some site or other. I also checked whois and found that all the IP addresses I checked are blacklisted. I have a public stats page that only includes the totals of visits and hits per month / day etc. No referrers are included. My guess is that these people are using Google to find all sites that have stats pages named with a consistent name and then spamming them. My guess also, unlike Duncan's blog post "Blog Log Spam!", is that they are targeting backlinks in stats pages rather than blog referrer lists. Anyway my public stats page doesn't include a referrer list so they are wasting their time, their clients' money and my bandwidth. Duncan also points to an interesting Wired article "When the Spam Hits the Blogs" that is quite an interesting read.

It seems to me that spam is no longer a problem just for email; it's blog comments and also attempts to get backlinks in statistics pages. I reckon I will need to remove my stats page soon to try and stop these people.