Pete Finnigan's Oracle Security Weblog
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
"June 21, 2006 (Computerworld) -- Faulty hardware, not hackers, caused most of the unplanned downtime experienced by Oracle Corp. databases in the past year, according to the results of a recent survey by the Independent Oracle Users Group (IOUG)."
"JUNE 7, 2006 | We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees."
"Customizing Oracle E-Business Suite applications can be a very risky venture for developers who fail to follow some simple and straightforward best practices, experts say."
"So, you want to set up a secured database infrastructure?
You are not alone. With the proliferation of threats from all sources — identity thefts to corporate espionage cases — and with increased legislative pressures designed to protect and serve consumer privacy, security has a taken on a new meaning and purpose. Part of the security infrastructure of an organization falls right into your lap as a DBA, since it’s your responsibility to secure the database servers from malicious entities and curious insiders."
I knew about these previously, as quoted by Eddie in his post. Also read my comment at the end of his post as I actually tested the INTERFACE C pragma back in August 2001, this is documented in the Expoliting and protecting Oracle paper. My comment is here:
"A couple of comments. Normally FIPS stands for Federal Information Processing Standards, I don’t know but maybe its related?
Also on the Pragma interface C, if you read further in my first big Oracle paper (Expoliting and protecting Oracle) you will see that i tried to use the syntax myself but if fails with an ORA-6509 - ICD vector Processing error. I assumed at the time that Oracle implements a function call table. Like a table of structs that includes details for each function implemented as a pragma interface C call. This table or linked list would include function pointers for each C function, hence you cannot simply call your own C directly from PL/SQL unless you can update this table to add the address of the function you add. This is a great interface for calling C directly without the extproc overheads if only we coluld find a way to make it work..:-)"
Good post Eddie!
So now that its working much faster I have added in the feeds from blogs.oracle.com (although, I have noticed that this doesn't include all feeds listed on the site), Brian Duff's Orablogs and also Eddie's excellent oraNA :: Oracle News Aggregator. Adding these feeds has caused some duplication of entries. I will see how that goes for now.