
Pete Finnigan's Oracle security weblog


An interesting post on Stephen's Oracle blog about SYSDBA passwords

June 29th, 2006 by Pete

I was surfing my Oracle blogs aggregator this evening and saw Stephen's post on his blog titled "Does Oracle cache the SYSDBA password?". This post, if true, is quite interesting and for someone with a devious mind may prove to be useful in a security / hacking context. If Oracle is caching the password file (This should be testable - is that a word? - with truss) then there could be a way to abuse that fact. Interesting post nonetheless.


Survey: Hardware, not hackers, usually causes Oracle database downtime

June 28th, 2006 by Pete

Survey: Hardware, not hackers, usually causes Oracle database downtime - Despite stricter service-level agreements, few DBAs use grid, clustering systems - by Eric Lai

"June 21, 2006 (Computerworld) -- Faulty hardware, not hackers, caused most of the unplanned downtime experienced by Oracle Corp. databases in the past year, according to the results of a recent survey by the Independent Oracle Users Group (IOUG)."


Social Engineering, the USB Way

June 20th, 2006 by Pete

Social Engineering, the USB Way

"JUNE 7, 2006 | We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees."


Five best practices for Oracle applications developers

June 19th, 2006 by Pete

Five best practices for Oracle applications developers - By Mark Brunelli

"Customizing Oracle E-Business Suite applications can be a very risky venture for developers who fail to follow some simple and straightforward best practices, experts say."



DB2 Security Glitch Makes IBM Whine

June 19th, 2006 by Pete

DB2 Security Glitch Makes IBM Whine - A post on Lewis Cunningham's Oracle blog. This is about an eWeek article "DB2 Crack Lets in Attackers Without Database Credentials". This is a good article by Lisa Vaas and it's also worth reading Lewis's take on it and also the comments.


A blog with some Oracle security entries

June 13th, 2006 by Pete

I was browsing this evening and found a blog by Steve Karam that has just two entries on it but both are about Oracle security, quite long and quite interesting. The first post is titled "Are You Secure? Get the most out of Oracle's security features" and the second is titled "Are you secure? Securing the Oracle Network". Quite good posts both.



Nice post about identities

June 13th, 2006 by Pete

I was just browsing my Oracle blogs aggregator and came across Nishant Kaushik's blog entry titled "Phil Becker identifies the top 5 Identity Fallacies". This is a blog entry about Phil Becker's 5-article series about identities. Nice post.


Building a Simple Firewall Using Oracle Net

June 12th, 2006 by Pete

Building a Simple Firewall Using Oracle Net - by Arup Nanda

"So, you want to set up a secured database infrastructure?
You are not alone. With the proliferation of threats from all sources — identity thefts to corporate espionage cases — and with increased legislative pressures designed to protect and serve consumer privacy, security has taken on a new meaning and purpose. Part of the security infrastructure of an organization falls right into your lap as a DBA, since it’s your responsibility to secure the database servers from malicious entities and curious insiders."


Excellent paper.



The DTI security breach survey is out

June 12th, 2006 by Pete

I saw at the weekend that the DTI's security breach survey for 2006 had been released in April. This is an interesting survey produced by PWC for the DTI (Department of Trade and Industry). The "DTI Information Security Breaches Survey 2006 – full survey results" details links to the executive summary and also to the full report. I have read the "executive summary" which makes interesting reading on a number of levels. First is that at a high level there seems to be improvement since last time the survey was done in 2004. At a lower level though the figures tell a different story and it seems to be about expenditure and budget. A shocking 14% of companies do not spend any of their budgets on security, and 18% of big companies admitted they had discovered users sharing IDs and performing unauthorised access to systems. It makes interesting reading.


An Expert's Perspective on the VA Data Theft

June 8th, 2006 by Pete

An Expert's Perspective on the VA Data Theft - Government security expert Bruce Brody shares his thoughts on the data theft from the VA. - This is an interesting news item about data theft and specifically about identity theft. This is real world news that anyone who is in charge of the storage of personal details should heed. This is a good example of a public theft of data, a large amount of data. How many more have gone undetected or unreported? - I am not just talking about government or Oracle here. Everyone needs to be aware that private personal data is now a target.


9.2.0.8 is to be a terminal release

June 6th, 2006 by Pete

I saw with interest this evening a post on Matt Penny's blog titled "9.2.0.8 - "terminal release"". He refers to a metalink note 189908.1.


Laurent on mod_plsql

June 5th, 2006 by Pete

I saw a post by Laurent over a week ago with a simple example of how to use mod_plsql and the Apache web server. Laurent's post is titled "mod_plsql". This is fantastic technology. I run a website and install and configure software, and I write software in many languages when I get any chance to do so, so I appreciate how easy it is to create a web based application with Oracle. This is so easy that it's scary; the problem for me is the security risks. If you can expose a database to a network and create nice browser based applications this easily there have to be risks. Take a look at Laurent's post, it's interesting reading. Look for the obvious security problem.


A nice post about risk based security

June 3rd, 2006 by Pete

I was surfing this evening and found a great post on the TaoSecurity Blog titled "Risk-Based Security is the Emperor's New Clothes". This is an excellent post about a recently published article in the ISSA Journal. Worth a read.


undocumented pragmas

June 2nd, 2006 by Pete

I came across Eddie's post this evening about three undocumented pragmas that are used in the SYS.STANDARD package. These are BUILTIN, FIPSFLAG and INTERFACE. Like Eddie I am always interested in undocumented Oracle. I like undocumented features; we should not use them of course in production databases but they give clues to the internal workings of the database and for people like me they also give clues as to how you can break Oracle. Eddie's post is titled "About the BUILTIN, FIPSFLAG and INTERFACE pragmas in Oracle".

I knew about these previously, as quoted by Eddie in his post. Also read my comment at the end of his post as I actually tested the INTERFACE C pragma back in August 2001; this is documented in the Exploiting and protecting Oracle paper. My comment is here:

"A couple of comments. Normally FIPS stands for Federal Information Processing Standards, I don’t know but maybe it's related?

Also on the Pragma interface C, if you read further in my first big Oracle paper (Exploiting and protecting Oracle) you will see that I tried to use the syntax myself but it fails with an ORA-6509 - ICD vector Processing error. I assumed at the time that Oracle implements a function call table. Like a table of structs that includes details for each function implemented as a pragma interface C call. This table or linked list would include function pointers for each C function, hence you cannot simply call your own C directly from PL/SQL unless you can update this table to add the address of the function you add. This is a great interface for calling C directly without the extproc overheads if only we could find a way to make it work..:-)"


Good post Eddie!



Oracle blogs aggregator speeded up

June 2nd, 2006 by Pete

I have seen some severe performance issues with my Oracle blogs aggregator recently which I finally tracked down last night and made some changes for this evening. I use the lilina RSS feed aggregator for my Oracle blogs aggregator; it uses in turn the MagpieRSS code which includes cache features. I found the issue was that the cache was not being honoured. I have set the cache refresh time to one hour (I may extend it out further) and fixed the core issue, and now the page reloads much faster. It is even faster in the default configuration of 24 hours. If you choose week from the top menu then it still takes a little longer to load but nowhere near as bad as it was.

So now that it's working much faster I have added in the feeds from blogs.oracle.com (although I have noticed that this doesn't include all feeds listed on the site), Brian Duff's Orablogs and also Eddie's excellent oraNA :: Oracle News Aggregator. Adding these feeds has caused some duplication of entries. I will see how that goes for now.


New paper "Oracle Database Security"

June 1st, 2006 by Pete

I found a new paper about Oracle security this evening titled "Oracle database security" by Nathan Aaron. This is quite a good high level paper on Oracle and database security in general.





This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
