Call: +44 (0)7759 277220 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

David Litchfield announces Open Software Database forensics toolkit

Owning database forensics -

"Call it the bank-robber principle: if you can't stop them getting in, catch them on the way out.

Internationally renowned database security expert David Litchfield is turning his attention away from vulnerability research to build a forensics suite for compromised database systems."

David has announced that he will be working on an open source toolkit to help people forensically examine and gather data from potentially compromised databases. He is calling this forensics tool FEDS - the Forensic Examiners' Database Scalpel - should be interesting!

Software should defend itself: Oracle CSO

Software should defend itself: Oracle CSO By Munir Kotadia

"Applications will have to defend themselves from attack in the future, according to Oracle's chief security officer Mary Ann Davidson.

At the opening keynote of the AusCERT 2007 conference last week, Davidson said applications should be more like US Marines.

"Every Marine fights--whether you are a clerk or a medic, every Marine is first and foremost a Marine, which means they know how to defend themselves. This is an ethos I really think we are going to need in this new world."

I don't get this, software applications cannot defend itself otherwise they would not be the applications originally written in the first place. i.e. if Oracle SSO is a single sign on software would it then also have to be an application IDS? - I beleive that software should be written to standards also to secure coding standards and ideally be well tested and as bug free as possible. Thats a goal, it doesnt mean that it defends itself. each to their own view though..:-)

New paper on Oracle native authentication in 9i and 10g

Laszlo Toth has released a new paper on the details of the changes between 8i, 9i and 10g Oracle native authentication including detailing some of the weaknesses and also including some proof of concept code. The paper shows that the authentication in all three versions of the protocol is subject to brute force or easy decryption of the password if a session can be sniffed and the AUTH_SESSION and AUTH_PASSWORD can be grabbed. The paper is titled "Oracle native authentication version 9i and 10g" and is available from Laszlo's site and is worth reading.

A new Oracle security blog in English and German and some Oracle security videos

Alex has started two Oracle security blogs. The first in in English, the blog is titled "Oracle Security Blog" the second is a translation (actually its more than likely that the English is a translation of the German blog) and is in German and is titled "Oracle security blog (dt.) - Blog zum Thema Oracle Sicherheit". Both blogs have been added to my Oracle blogs aggregator so watch out for them there as well.

One of the posts is about the new Oracle security videos that Alex has added to his site. These videos include using nmap against an application server, some password cracking, Oracles default password tool, a demo of MatrixAy (which is excellent BTW) and more...

These are excellent videos and worth a look.

A new database security blog talks about propogating middle tier and application user identities

Slavik Markovich has a new database security blog called "Musings on Database Security". I have added this to my Oracle news / blogs aggregator as well. A new post by Slavik that promises to be a three part entry looks very interesting and aims to solve the issue of propogating users identities from applications and middle tier to the database layer. Slavik has given us some example Java code that uses the thin driver and that sets the client identifier and then he launches into an example that uses the newer end to end metrics Java API to set the module, action and client identifier. The PL/SQL built-in package DBMS_APPLICATION_INFO can also be used to set these same client identifiers of course. Slaviks post is titled "Propagating Middle-Tier and Application Users to the DBMS (Part 1 of 3)"

Security guru blasts Oracle's patching policies

Security guru blasts Oracle's patching policies - By Mark Brunelli,

"Oracle could issue a million new security features when it debuts Oracle Database 11g later this year, but it wouldn't change the fact that Oracle's patching problems still need to be addressed, according to Oracle Security Handbook author Aaron Newman.

Newman, who is also the co-founder and chief technology officer of Application Security Inc., spends his days helping clients lock down their databases so that sensitive customer data doesn't get stolen. He says that new security features are certainly nice, but getting security holes fixed faster and porting those fixes back to older versions of the Oracle Database should be Oracle's top priority."

UKOUG Unix Sig - Hacking and Securing Oracle

I willbe heading down to Wolverhampton tomorrow morning to speak at the UKOUG Unix SIG being held there tomorrow. I will be giving my presentation "Hacking and securing Oracle" that I gave at the recent UKOUG Northern Server Technology Day in Leeds. The presentation there went down very well and was very well attended. Carl is also speaking about TDE which I will be going along to listen to again. The day has a slight security twist to it.

I was asked by Rachel of the UKOUG to give a mention to the main UKOUG conference in Birmingah later this year to tell of my experiences of speaking and attending the conference. I see a few others have done the same so I wont labour on the subject but will say that this is one of the best conferences I have ever attended. The attendance is superb. The array of speakers is one of the best in the world on Oracle subjects. This conference attracts the best people in the world to speak about Oracle and also a lot of unknown people (soon to be know i wager) who bring real world experience and knowledge to the table. The conference for an attendee is great, for me I always struggle to decide who or what to listen to next as there are always lots of great talks to listen to. I had a discussion recently with Carl and he made me realise what great value the UKOUG is in terms of training. For a speaker its great, if you have never tried speaking dont be afraid, its not as daunting as you think it will be, this year if you want training on how to speak the UKOUG can organise that for you as well. I think that the best value is hearing people tell their own stories and experiences.

15 free SQL Injection scanners

I came across a post on the Security Hacks site last night and made a note to mention it here. The post is titled "Top 15 free SQL Injection Scanners" and is a good list of free SQL Injection testing tools. SQL Injection is a common way to hack web sites backed by databases. The post lists 15 tools that can be used to automatically scan your web sites for SQl Injection vulnerabilities that can then be fixed!

Oracle forensics part 4 - live response

David sent me an email today to let me know that he has released part 4 in his Oracle forensics series. The paper is titled "Oracle Forensics Part 4: Live Response". This is a good paper taking you through the steps of live response in an Oracle database. This is really about how to read the structure/state/config of the database and also to gather evidence of what the database was doing when the incident occured without affecting the state of the database all with the purpose of being able to assure the state of the data for potential use in court.

There are useful lists of what to gather, system related, files, and then database queries including previously executed SQL queries. Also how to get logons, users, privileges, objects including checksumming of objects.

The most interesting sentence is that David announces that a commercial unwrapper is available for sale.

Oracle BI Suite and Row Level Security

I saw a nice peice on Mark's blog the other day titled "OBIEE and Row-Level Security" and made a note to have a look. I dont normally read all the BI stuff as its out of scope so to speak for me living in an Oracle database security world but i was intruiged by the row level security moniker. Quite an interesting article and also because it mentions Oracle SSO and Oracle OID. The interesting comment made by Mark at the end is that the row level security works in a similar way to the Oracle database VPD.

Getting started with Oracle security

I got an email from Lisa Dobson about a week ago but what with the new baby and all I have not had alot of time for surfing or writing blog entries. Lisa emailed me about a page on Oracle's website called Getting Started: Security to ask my opinion on its content. I had a look and its not a bad place to start but its not complete or well structured. Its also quite clearly based around Oracle's available products rather than getting a newbie started on securing their database. The first two links start off well by pointing the reader at quite a nice paper titled "Database Security (Common-sense Principles)" by Blake Wiedman. Then the page points the reader at the Oracle database security checklist. Then it gets a bit silly. Encryption is good but TDE is not for beginners, its also an extra cost option with ASO, then we get a link to Oracle Label Security, this is again an extra cost option on top of the enterprise edition and is also mainly only seen in highly secure environments and governments. Then we get VPD, role based security via application roles and FGA. Whilst these last three are more commonly seen I would not say that they common. Its not really a place to start for someone new to Oracle or database security. Whilst the material is useful its probably not that useful to a beginner who actually wants to secure an existing database or data. A better place to start would be to visit some of the common checklists found on my Oracle security white papers page and the best starter paper I have seen is Arup Nanda's Project Lockdown which I am amazed is not included in the Oracle security for beginners page. I guess its more about what a beginner wants to acheive; to secure their data or to learn the Oracleproduct stack. Don't dismiss the page but remember for Oracle security there are also external options to Oracles page even if that is links back into Oracles site such as project lockdown.

Oracle audit vault is available for trial download

Oracle audit vault is available for free download as Audit Vault version This is a great looking product. Its aim is to transparently collect and consolidate audit data in a secure central repository. There are policies, reports, monitors and adaptors to bring audit data in from9iR2, 10gR1, 10gR2 and in the future other data sources. There are some fact sheets, data sheets, white papers and lots of other information available from the main page but the main thing is to download and try it for yourself. I first heard about database vault and audit vault when Steve Enevold spoke about it at the PSOUG conference in Seattle last year. These look like great products.