Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Protect Your APEX Application PL/SQL Source Code

Oracle Application Express is a great rapid application development tool where you can write your applications functionality in PL/SQL and create the interface easily in the APEX UI using all of the tools available to create forms and reports and much more directly with a point and click tool. You can style your apps with CSS and also use JQuery to add front end functionality. All of the point and click, CSS, JavaScript, JQuery and more are about styling and look but the business functionality is ideally written in PL/SQL and ideally interfaced in seperate packages.

Like most companies you probably want to protect your PL/SQL code in terms of protecting loss of IPR or knowledge of how you have created your logic and also in terms of protecting your application from someone running it when it is not supposed to be run. When you deploy an APEX application to a customers database you lose control of the code; it is in someone elses database therefore it makes sense to protect that code before it is deployed in terms of obfuscating it and also by adding license type features to control when its allowed to run.

Our product PFCLObfuscate can be used to protect PL/SQL applications. We also announced the ability to add license type features to your PL/SQL last year in a post titled "PFCLObfuscate - Protect your PL/SQL"

We were approached by someone a few months ago to ask if we could at that time protect PL/SQL APEX applications. We are not APEX experts (yet! - if ever!) so we had a look at a sample exported APEX application provided to us and thought.... "It's just a SQL*Plus script with a bunch of anonymous blocks" ..... PFCLObfuscate should work as we could obfuscate any PL/SQL code and also SQL*Plus scripts containing anonymous blocks.

That was a few months ago and after some testing and playing around at that time it sort of worked and sort of didn't. There were some APEX specifics to overcome and we left it for a while due to other development committments. Just recently we have been able to work on APEX support in PFCLObfuscate again and learn enough APEX to build our own simple applications to test with. Now we have a working version of PFCLObfuscate protecting APEX PL/SQL. All our existing customers will receive a download link to get the new version in the next week or so as we finalise the changes and update the manual but I wanted to show you today that PFCLObfuscate can protect Oracle APEX Applications.

We have created a simple application - it is really simple - but good enough as a test bed to show obfuscation and protection works. Here is a view of the application:





Simple APEX Application to Protect





The two red boxes show where we access business logoc written in PL/SQL packages that are also deployed.

Protecting this APEX application is simple and requires a few simple steps. First set up the license.txt settings file to allow the application to work and to be licensed for 30 days:

C:\Users\Pete\AppData\Local\PeteFinnigan.com Limited\PFCLObfuscate>type license.txt
expire_days=30
expire_date=15-AUG-2015
start_date=15-JUL-2015
license_type=trial

Now we must remove the existing PL/SQL from the database as we are going to replace it with obfuscated and protected PL/SQL where the identifiers will change. There is no point to leave the original clear PL/SQL in the database and install a protected version along side. This removal is not shown here to save space and is not critical to the understanding of this protection process. Next export the APEX application. I did this from the APEX UI and this is simple and a file f114.sql is saved to my desktop.

Now we must obfuscate the PL/SQL that is part of the application. This is simple and we use shipped configurations and policies that come with PFCLObfuscate. I had to make no configuration changes at all but Your Mileage May Vary depending on whether your PL/SQL interfaces also need to be used via other PL/SQL code or other interfaces; if so you may also need to specifiy which interfaces should be omitted from the obfuscation process. Here is the obfuscation of my applications PL/SQL:

C:\Users\Pete\AppData\Local\PeteFinnigan.com Limited\PFCLObfuscate>obs -v -c ob_l.conf -i obs_p.sql -o obs_p.opf

PFCLObfuscate: Release 2.0.412.1254 - Production on Tue Jul 21 12:53:09 2015

Copyright (c) 2015 PeteFinnigan.com Limited. All rights reserved.

[2015 Jul 21 11:53:09] obs: Starting PFCLObfuscate...
[2015 Jul 21 11:53:09] obs: Pre-Load Keywords from [key.txt]
[2015 Jul 21 11:53:09] obs: Pre-Load Omit words from [omit.txt]
[2015 Jul 21 11:53:09] obs: Pre-Load StringOmit words from [string.txt]
[2015 Jul 21 11:53:09] obs: Pre-Load Reserved words from [reserved.txt]
[2015 Jul 21 11:53:09] obs: Pre-Load force words from [force.txt]
[2015 Jul 21 11:53:09] obs: Pre-Load function file list from [functionfile.txt]
[2015 Jul 21 11:53:09] obs: Pre-Load map file list from [map.txt]
[2015 Jul 21 11:53:09] obs: Initialise the string file list...
[2015 Jul 21 11:53:09] obs: Version 2.0 Initialisation...
[2015 Jul 21 11:53:09] obs: Initialise the file list...
[2015 Jul 21 11:53:09] obs: Initialise the Depth Stack...
[2015 Jul 21 11:53:09] obs: Initialise the FWD Function list...
[2015 Jul 21 11:53:09] obs: Initialise the FUNC function list...
[2015 Jul 21 11:53:09] obs: Initialise the NEW function list...
[2015 Jul 21 11:53:09] obs: Running PFCLObfuscate PL/SQL Obfuscator
[2015 Jul 21 11:53:09] obs: Obfuscating PL/SQL Input File [ obs_p.sql ]
[2015 Jul 21 11:53:09] obs: Save the transposed variables
[2015 Jul 21 11:53:09] obs: Process intermediate file...
[2015 Jul 21 11:53:09] obs: Closing Down PFCLObfuscate

C:\Users\Pete\AppData\Local\PeteFinnigan.com Limited\PFCLObfuscate>obs -v -c ob.conf -i pfclob_sample_h.sql -o pfclob_sample_h.opf

PFCLObfuscate: Release 2.0.412.1254 - Production on Tue Jul 21 12:53:35 2015

Copyright (c) 2015 PeteFinnigan.com Limited. All rights reserved.

[2015 Jul 21 11:53:35] obs: Starting PFCLObfuscate...
[2015 Jul 21 11:53:35] obs: Pre-Load Keywords from [key.txt]
[2015 Jul 21 11:53:35] obs: Pre-Load Omit words from [omit.txt]
[2015 Jul 21 11:53:35] obs: Pre-Load StringOmit words from [string.txt]
[2015 Jul 21 11:53:35] obs: Pre-Load Reserved words from [reserved.txt]
[2015 Jul 21 11:53:35] obs: Pre-Load force words from [force.txt]
[2015 Jul 21 11:53:35] obs: Pre-Load function file list from [(null)]
[2015 Jul 21 11:53:35] obs: Pre-Load map file list from [map.txt]
[2015 Jul 21 11:53:35] obs: Initialise the string file list...
[2015 Jul 21 11:53:35] obs: Version 2.0 Initialisation...
[2015 Jul 21 11:53:35] obs: Initialise the file list...
[2015 Jul 21 11:53:35] obs: Initialise the Depth Stack...
[2015 Jul 21 11:53:35] obs: Initialise the FWD Function list...
[2015 Jul 21 11:53:35] obs: Initialise the FUNC function list...
[2015 Jul 21 11:53:35] obs: Initialise the NEW function list...
[2015 Jul 21 11:53:35] obs: Running PFCLObfuscate PL/SQL Obfuscator
[2015 Jul 21 11:53:35] obs: Obfuscating PL/SQL Input File [ pfclob_sample_h.sql ]
[2015 Jul 21 11:53:35] obs: Save the transposed variables
[2015 Jul 21 11:53:35] obs: Closing Down PFCLObfuscate

C:\Users\Pete\AppData\Local\PeteFinnigan.com Limited\PFCLObfuscate>obs -v -c ob.conf -i pfclob_sample_b.sql -o pfclob_sample_b.opf

PFCLObfuscate: Release 2.0.412.1254 - Production on Tue Jul 21 12:53:53 2015

Copyright (c) 2015 PeteFinnigan.com Limited. All rights reserved.

[2015 Jul 21 11:53:53] obs: Starting PFCLObfuscate...
[2015 Jul 21 11:53:53] obs: Pre-Load Keywords from [key.txt]
[2015 Jul 21 11:53:53] obs: Pre-Load Omit words from [omit.txt]
[2015 Jul 21 11:53:53] obs: Pre-Load StringOmit words from [string.txt]
[2015 Jul 21 11:53:53] obs: Pre-Load Reserved words from [reserved.txt]
[2015 Jul 21 11:53:53] obs: Pre-Load force words from [force.txt]
[2015 Jul 21 11:53:53] obs: Pre-Load function file list from [(null)]
[2015 Jul 21 11:53:53] obs: Pre-Load map file list from [map.txt]
[2015 Jul 21 11:53:53] obs: Initialise the string file list...
[2015 Jul 21 11:53:53] obs: Version 2.0 Initialisation...
[2015 Jul 21 11:53:53] obs: Initialise the file list...
[2015 Jul 21 11:53:53] obs: Initialise the Depth Stack...
[2015 Jul 21 11:53:53] obs: Initialise the FWD Function list...
[2015 Jul 21 11:53:53] obs: Initialise the FUNC function list...
[2015 Jul 21 11:53:53] obs: Initialise the NEW function list...
[2015 Jul 21 11:53:53] obs: Running PFCLObfuscate PL/SQL Obfuscator
[2015 Jul 21 11:53:53] obs: Obfuscating PL/SQL Input File [ pfclob_sample_b.sql ]
[2015 Jul 21 11:53:53] obs: Save the transposed variables
[2015 Jul 21 11:53:53] obs: Closing Down PFCLObfuscate

C:\Users\Pete\AppData\Local\PeteFinnigan.com Limited\PFCLObfuscate>

Next I needed to re-install this now protected supporting PL/SQL logic into my database:

C:\Users\Pete\AppData\Local\PeteFinnigan.com Limited\PFCLObfuscate>sqlplus /nolog

SQL*Plus: Release 11.1.0.7.0 - Production on Tue Jul 21 12:54:53 2015

Copyright (c) 1982, 2008, Oracle. All rights reserved.

SQL> connect pfclob/pfclob@//192.168.1.56:1521/xe
Connected.
SQL> @obs_p.opf

Procedure created.

SQL> @pfclob_sample_h.opf

Package created.

SQL> @pfclob_sample_b.opf

Package body created.

SQL>

Finally I need to obfuscate the f{nnn}.sql APEX application export file. This is done simply:

C:\Users\Pete\AppData\Local\PeteFinnigan.com Limited\PFCLObfuscate>obs -v -c ob_a.conf -i f114.sql -o f114.opf

PFCLObfuscate: Release 2.0.412.1254 - Production on Tue Jul 21 12:56:45 2015

Copyright (c) 2015 PeteFinnigan.com Limited. All rights reserved.

[2015 Jul 21 11:56:45] obs: Starting PFCLObfuscate...
[2015 Jul 21 11:56:45] obs: Pre-Load Keywords from [key.txt]
[2015 Jul 21 11:56:45] obs: Pre-Load Omit words from [omit.txt]
[2015 Jul 21 11:56:45] obs: Pre-Load StringOmit words from [string.txt]
[2015 Jul 21 11:56:45] obs: Pre-Load Reserved words from [reserved.txt]
[2015 Jul 21 11:56:45] obs: Pre-Load force words from [force.txt]
[2015 Jul 21 11:56:45] obs: Pre-Load function file list from [functionfile_apex.txt]
[2015 Jul 21 11:56:45] obs: Pre-Load map file list from [map.txt]
[2015 Jul 21 11:56:45] obs: Initialise the string file list...
[2015 Jul 21 11:56:45] obs: Version 2.0 Initialisation...
[2015 Jul 21 11:56:45] obs: Initialise the file list...
[2015 Jul 21 11:56:45] obs: Initialise the Depth Stack...
[2015 Jul 21 11:56:45] obs: Initialise the FWD Function list...
[2015 Jul 21 11:56:45] obs: Initialise the FUNC function list...
[2015 Jul 21 11:56:45] obs: Initialise the NEW function list...
[2015 Jul 21 11:56:45] obs: Running PFCLObfuscate PL/SQL Obfuscator
[2015 Jul 21 11:56:45] obs: Obfuscating PL/SQL Input File [ f114.sql ]
[2015 Jul 21 11:56:46] obs: Save the transposed variables
[2015 Jul 21 11:56:46] obs: Closing Down PFCLObfuscate

I can now install the APEX application back into the database - I used SQL*Plus but I could also import via the APEX UI - Both are fine. Here is the install (import):

C:\Users\Pete\AppData\Local\PeteFinnigan.com Limited\PFCLObfuscate>sqlplus /nolog

SQL*Plus: Release 11.1.0.7.0 - Production on Tue Jul 21 12:57:08 2015

Copyright (c) 1982, 2008, Oracle. All rights reserved.

SQL> connect pfclob/pfclob@//192.168.1.56:1521/xe
Connected.
SQL> @f114.opf
APPLICATION 114 - PL_SQL_TEST
Set Credentials...
Check Compatibility...
Set Application ID...
...ui types
...user interfaces
...plug-in settings
...authorization schemes
...navigation bar entries
...application processes
...application items
...application level computations
...Application Tabs
...Application Parent Tabs
...Shared Lists of values
...Application Trees
...page groups
...comments: requires application express 2.2 or higher
...PAGE 1: Home
...PAGE 101: Login
...lists
...breadcrumbs
...page templates for application: 114
......Page template 2444509838750589
......Page template 2444720058750591
......Page template 2445321588750592
......Page template 2446015795750592
......Page template 2446521648750592
......Page template 2447126178750592
......Page template 2448016511750593
......Page template 2448814831750593
......Page template 2449707396750593
......Page template 2450426942750594
......Page template 2451200886750594
......Page template 2452020192750594
......Page template 2452206544750594
......Page template 2452708960750595
......Page template 2453518835750595
......Page template 2454425259750595
......Page template 2455108378750596
...button templates
......Button Template 2461305145750605
......Button Template 2461429858750605
......Button Template 2461526415750605
......Button Template 2461623966750605
......Button Template 2461709378750605
......Button Template 2461828655750605
...region templates
......region template 2455904650750596
......region template 2456031894750598
......region template 2456102194750598
......region template 2456219643750598
......region template 2456331358750599
......region template 2456413590750599
......region template 2456507428750599
......region template 2456614037750599
......region template 2456706521750599
......region template 2456916249750599
......region template 2457001076750599
......region template 2457110951750599
......region template 2457221859750599
......region template 2457429853750599
......region template 2457521360750599
......region template 2457609558750600
......region template 2457915937750600
......region template 2458013206750600
...List Templates
......list template 2459225586750602
......list template 2459318717750603
......list template 2459412831750603
......list template 2459503553750603
......list template 2459616117750603
......list template 2459725191750603
......list template 2459821337750603
......list template 2459927817750603
......list template 2460021392750603
......list template 2460115486750603
......list template 2460224935750603
......list template 2460320173750603
......list template 2460430663750604
......list template 2460527214750604
...report templates
......report template 2458124779750600
......report template 2458228510750601
......report template 2458313434750601
......report template 2458421120750601
......report template 2458508972750601
......report template 2458603257750601
......report template 2458732441750601
......report template 2458827252750602
......report template 2458903732750602
......report template 2459021463750602
......report template 2459106695750602
...label templates
......label template 2460616201750604
......label template 2460720568750604
......label template 2460801712750604
......label template 2460912394750604
......label template 2461023377750604
......label template 2461124440750604
......label template 2461201226750604
...breadcrumb templates
......template 2461908766750605
...popup list of values templates
......template 2462127354750607
...calendar templates
......template 2462030356750606
...application themes
......theme 2462206002750612
...theme styles
...theme display points
...build options
...Language Maps for Application 114
...text messages
...dynamic translations
...Shortcuts
...web services (9iR2 or better)
...shared queries
...report layouts
...authentication schemes
......authentication 2462510987750625
...ui types
...plugins
...data loading
...post import process
...done
SQL>

Now I can attempt to use the application and see if it works:





Simple APEX Application Protected with PFCLObfuscate





Everything in the simple application works fine still BUT its enabled for use for 30 days and also the code is obfuscated. So let's prove that by editing the license so that it has expired already; re-protecting PL/SQL and re-installing:

C:\Users\Pete\AppData\Local\PeteFinnigan.com Limited\PFCLObfuscate>type license.txt
expire_days=30
expire_date=15-JUL-2015
start_date=15-JUN-2015
license_type=trial
C:\Users\Pete\AppData\Local\PeteFinnigan.com Limited\PFCLObfuscate>

-- re-obfuscate

C:\Users\Pete\AppData\Local\PeteFinnigan.com Limited\PFCLObfuscate>obs -v -c ob_l.conf -i obs_p.sql -o obs_p.opf

PFCLObfuscate: Release 2.0.412.1254 - Production on Tue Jul 21 13:01:19 2015

Copyright (c) 2015 PeteFinnigan.com Limited. All rights reserved.

[2015 Jul 21 12:01:19] obs: Starting PFCLObfuscate...
[2015 Jul 21 12:01:19] obs: Pre-Load Keywords from [key.txt]
[2015 Jul 21 12:01:19] obs: Pre-Load Omit words from [omit.txt]
[2015 Jul 21 12:01:19] obs: Pre-Load StringOmit words from [string.txt]
[2015 Jul 21 12:01:19] obs: Pre-Load Reserved words from [reserved.txt]
[2015 Jul 21 12:01:19] obs: Pre-Load force words from [force.txt]
[2015 Jul 21 12:01:19] obs: Pre-Load function file list from [functionfile.txt]
[2015 Jul 21 12:01:19] obs: Pre-Load map file list from [map.txt]
[2015 Jul 21 12:01:19] obs: Initialise the string file list...
[2015 Jul 21 12:01:19] obs: Version 2.0 Initialisation...
[2015 Jul 21 12:01:19] obs: Initialise the file list...
[2015 Jul 21 12:01:19] obs: Initialise the Depth Stack...
[2015 Jul 21 12:01:19] obs: Initialise the FWD Function list...
[2015 Jul 21 12:01:19] obs: Initialise the FUNC function list...
[2015 Jul 21 12:01:19] obs: Initialise the NEW function list...
[2015 Jul 21 12:01:19] obs: Running PFCLObfuscate PL/SQL Obfuscator
[2015 Jul 21 12:01:19] obs: Obfuscating PL/SQL Input File [ obs_p.sql ]
[2015 Jul 21 12:01:19] obs: Save the transposed variables
[2015 Jul 21 12:01:19] obs: Process intermediate file...
[2015 Jul 21 12:01:19] obs: Closing Down PFCLObfuscate

C:\Users\Pete\AppData\Local\PeteFinnigan.com Limited\PFCLObfuscate>

-- re-isnatll to the database

C:\Users\Pete\AppData\Local\PeteFinnigan.com Limited\PFCLObfuscate>sqlplus /nolog

SQL*Plus: Release 11.1.0.7.0 - Production on Tue Jul 21 13:02:39 2015

Copyright (c) 1982, 2008, Oracle. All rights reserved.

SQL> connect pfclob/pfclob@//192.168.1.56:1521/xe
Connected.
SQL> @obs_p.opf

Procedure created.

SQL>

Now if I run the application again the login fails with a license exception:





Simple APEX Application Protected with PFCLObfuscate showing license works





The red box shows the license exception thrown by the protection. The advantage of PFCLObfuscate is that you can worry about the protection after the development is complete and apply it automatically to your code (supporting PL/SQL and also the application export file - the f{nnn}.sql file)

So thats it; if you would like more details about our product PFCLObfuscate or to buy a license then please email me at "pete at petefinnigan dot com". Thanks for listening!

Oracle Security and Electronics

How does Oracle Security and Electronic mix together? - Well I started my working life in 1979 as an apprentice electrician in a factory here in York, England where I live. The factory designed and built trains for the national railways here in the UK and also sometimes for other countries.

When I left school at 16 I already had an interest in electronics and whilst learning to be an electrician we also did some small elements of electronics as part of the work. We had clean rooms and we had electronics people who mended the circuit boards on trains and also electronics in machines used in the factory. I loved my time there and also at the training school where we also did some electronics.

In and around 1980 - 1981 when I was 16-17 years old I had already done some simple projects and then I built my own multi-meter (it has gone years ago and I cannot find any pictures of it) and some other bits and bobs and then I decided to build an Oscilloscope from scratch including the chassis and case. This was a big project at the time and getting all of the parts needed was a faff as there was no online ordering in 1981. You needed to ring electronics shops or order from magazines or catalogs.

I still have the oscilloscope. It is not in good condition and I would never be fool hardy enough to try and power it up now but I can assure you that it worked at the time and I even loaned it to an exhibition. Some switches are missing and some knobs from switches missing also and the chassis is rusty now but i was proud of it at the time. Here are a few pictures that I took yesterday:



Oscilloscope from the Front



Above is my Oscilloscope from the front with the case on. Next:



Oscilloscope from the Front other side



Above is from the front but the other side. Next is a picture of the back with the case on:



Oscilloscope from the back



Next is a picture of the inside from the left with the case off and the picture shows the rust on the chassis that i built myself 34 - 35 years ago. Here it is:



Oscilloscope inside left with case off



Next is from the insider but the right hand side top:



Oscilloscope inside top right hand side



Here is another view from the top:



Oscilloscope top view



And finally a view of the underside and the HV (High voltage) and LV (Low Voltage) transformers. A tool like an oscilloscope requires very high voltage to drive the cathode ray tube hence its dangerous to play with the insides of this when its turnd on. Here is the underside:



Oscilloscope underside



Around the same time I built the oscilloscope I also built a 6502 computer with very limited RAM and ROM and no keyboard; I had to use buttons for input but i did provide composite to output to a TV. I do not have that first computer that I made anymore (pity) and also do not have any pictures of it.

I continued to be interested in electronics into the middle 1980's and then lost interest as other things came along. Then in the late 80s, very early 90s I learned to program in C and Assembler and got into low level DOS and that was it.

In recent times I was re-kindled with the desire to play with electronics as I bought a Raspberry Pi to use as a basis for an Asterisk server. I wanted a simple small computer that would run silent, generate little heat but be able to connect to the phone system via an adaptor and run Asterisk. I was also interested to create a GSM gateway to allow asterisk to be used to connect the land line to mobiles and also VOIP mainly to allow me to take calls anywhere no matter how the call originates. This is not complete yet. As part of that I made a mobile phone but using an Ardiuno and a GSM900 chip and a simple LCD. This was to test the GSM card and AT commands and also to interface with an LCD and Arduino. The Arduino is programmed in C so thats good.

This mobile was taken apart and I have now got a GSM800 chip / card which is much smaller and I am going to make another mobile phone with that shortly that will be used in my Asterisk server. In playing with the GSM -> Arduino this lead me into breadboarding and building an Arduino from the Atmel chip so I looked around for a simple project and built a Digital clock with 4 seven segment displays, 5 shift registers, a DS1307 real time clock and an Arduino from chip and components. I am now tempted to build this now onto vero board and solder it or possibly make a PCB. I was looking in Maplin last weekend at a starter kit to make a PCB by etching. This brings me back to when i was 16 - 17 and working in the clean room at the factory making new PCBs from scratch.

Electronics has changed. It is now more commoditised; In the old days its was more about descrete components and no programming unless you built a computer and then it was about 74 series TTL for a computer that you built. Now its more common to use microcontrollers and small hardware glue but also software glue and instructions. Modern day applications can also take on the customised feel by this approach or by using CPLD's or FPGA's. These are programmable logic where you can essentially go full circle. A big company may use an ASIC (A burned chip that implements custom logic) but we can use FPGA, CPLD etc to create our custom hardware but also with software. Its not uncommon to implement a CPU now in an FPGA. So you could create an Arduino (an Atmel 328 for instance) in an FPGA, so hardware programmed with software simulating hardware that runs software!!

Hardware and software are very interlinked nowadays. What has all of this got to do with Oracle security. In one sense nothing but in another sense everything. I was asked recently at a clients site how could they test the validity of password rules they have set up in the database with password management and also password verify functions. There are a number of possible points to this unfortunately:

1) If the rules (password management) are added to an existing account and its password not changed then a password could be weak and then forced to be strong at the next change. i.e. it is still weak.
2) If the rules are not complete then it is possible to enforce (sarcastically in this case) strong passwords via a veryify function but then not set a lifetime so the password is never forced to expire so is never forced to be changed, so never forced to be strong; again a weak password can ensue
3) you could verify passwords via the verify function as they are changed - good.
4) If the system needs to be tested now then there is no way to prove a password is strong other than by knowing that password - i.e. you can read it somewhere (not strong to do that anyway, i.e. it is thenm known) or you can work it out by cracking the password.

If a password is long enough then cracking it may not reveal the password in a useful time frame and therefore not prove its strength. For instance if i set a password to welcomewelcome its 14 characters long so it has a good attribute but because its 14 characters long we cannot brute force it to verify it using a cracker on a PC BUT the password is weak as its a doubled simple password. That is the password is too long for a software cracker to crack the password fast enough to verify its strong but in this case we know its weak.

We could take a different view and say; with this hardware I have, this software I have and these rules I make up (check defaults, simple words, known passwords, too short (small length)) then if we don't crack it it is good enough? There is a problem with this though as a test of this type on a laptop such as the one i am using now is not good enough (read not fast enough) to test thoroughly. This laptop takes too long to verify if a password is 8 characters is enough or not. The reason this is valid to say is that other methods exist that could be used by a hacker. I.e. he could use a 6 or 8 core CPU or multiple 6 or 8 core CPUs or Dennis Yurichevs SSE2 cracker is software and very fast and can do tens of millions of hashes a second on reasonably new hardware. But on this laptop the speed doubles or perhaps trebles which is still not enough.

Dennis also built an FPGA cracker for Oracle in 2009. Interestingly I mentioned using an FPGA as an Oracle cracker in 2007 in a post called Using Field Programmable Gate Arrays (FPGA) to crack passwords. Dennis post on his 60 million password hashes/second Oracle password cracker available is linked here.

The problem is that electronics has become easier in one sense for people to make things at home and its got smaller and more powerful. the electronics maker market has exploded into being in the last few years so its not infeasable that someone can build hardware crackers. The board that Dennis used is not available anymore but you can buy FPGAs for tens of dollars and even boards at cheap prices.

So to test your databases passwords for 8 characters length you could do it now with custom hardware and it should not be vastly expensive. With more money longer passwords could be tested reasonably thoroughly with FPGA based hardware or software and arrays of fast PCs.

Of course its simpler and cheaper to expire every password and to ensure profiles are added to every account and that they are enforced - i.e if a profile is changed or dropped or removed from an account the password must be expired. In this way with good design of the profile and verify function we can enforce long and strong passwords that can be tested (the password is known at change time) where its not practical to brute force. i.e. if you enforce a 15 character password brute force takes way too long so you can never verify easily after its set that a password is strong BUT with good profile design we can.

We also should ensure that password hashes are not available to anyone; user$, userhistyr$, other views, exports, strings on the data files, backups...... if the hashes are not available then its harder to crack passwords.

Also you should use case sensitive passwords and set the SQL*Net settings to enforce only the later protocols. This means that a hackers character space for brute forcing passwords has increased to include Capital letters and also symbols making it harder to crack passwords. Therefore we also must use case sensitive passwords and symbols to prevent simple cracking

So we should be aware of hardware options and tools and even software crackers but we should design our passwords and enforce them at setting time and also protect hashes and also use the lastest features and remove the older hashes.

Anyway I ordered an FPGA development board to have a play with it. It uses a Spartan-6 chip and I plan to have a play an understand how easy it is to program an FPGA nowadays and make something with software in hardware that runs software!!!

New Conference Speaking Dates Added

In the last few years I have not done as many conference speaking dates as I used to. This is simply because when offered they usually clashed with pre-booked work. I spoke for the UKOUG in Dublin last year and I also spoke at the main UKOUG connference last year. I also spoke at DOAG for the first time last year. I did not submit a paper for DOAG but was there for the whole event on my German reseller for PFCLScan stand (LoopBack.org) where we were reselling PFCLScan or database security scanner for Oracle. Loopback.org did a great job looking after me in Nuremberg and we also did a lot of demonstrations of PFCLScan to potential customers. If you want more details of PFCLScan in Germany and Austria or indeed to speak about it in German then please contact the guys at Lookback.org directly.

Whilst at the DOAG conference I decided to drop an email to the organisers to see if they had any free speaking slots where someone had dropped out and great news; they had. I got a slot on the last day at the first slot of the day (the night after the conference party!) and was really encouraged to see that the room was full and some standing. It was a good talk and some good feedback and questions and i enjoyed it greatly.

More recently I have submitted some papers for this years UKOUG conference so lets see if anything is accepted. As usual these are new papers from me. I also was asked to submit a paper for the ISACA conference in Dublin later this year so again lets see if i get accepted.

I also have been asked to speak at the UKOUG Database Server SIG on September 15th in London and i will present about http://www.ukoug.org/events/ukoug-database-sig-sept/ - (broken link) Designing Practical Audit Trails in Oracle. Next week on July 15th I have been asked to speak at the YoDB#2 meet up in Leeds and I will speak about "Locking Down Oracle". This should be fun as it is a local event for me and also the second meet of this group. Also I am planning to do what I did in Dublin last year and speak with no slides and just hands on demos. I have done this a few times over the last couple of years and its fun but harder to do with no slides to prompt you. I am going to do some hacking and then some demos of locking down my database and show that the hacking is blocked. There will of course be lots of talking about what I am doing, why the hacks are possible, what the problems are and what solutions may work - should be fun. If you are in Leeds then come along!!

I have updated my sites home page with links and dates to speaking events.

If I get a slot at the UKOUG (Birmingham in December) and ISACA (Dublin in October) I will of course update you here.

Happy 10th Belated Birthday to My Oracle Security Blog

Make a Sad Face..:-( I seemed to have missed my blogs tenth which happened on the 20th September 2014. My last post last year and until very recently was on July 23rd 2014; so actually its been a big gap in blog posts until recently - I have not checked but I suspect it was the biggest gap I have had so far.

My first ever blog post was posted on the 20th September 2004 and was titled - A new Oracle Security based weblog, which introduced the blog. Actually I had been blogging of sorts for about 6 months before that with the individual single articles on their own pages in the Ramblings section of my site but the official first blog was the one quoted above.

So I missed the tenth aniversary by about nine months, so the blog is now about 10 years and 9 months old, so if we factor in the first Ramblings posts mentioned above then I have missed the 11th aniversary as well..:-(

So how well have I posted over the years?, lets have a look in two ways; First number of posts per year and also number of posts per blog year. So how many posts in 2004, 2005, etc and the how many posts from start to first anniversary, to second aniversary.... I will put them together in a table

Post per calendar year:

Year Number Posts
----- ---------------
2004 189
2005 495
2006 296
2007 161
2008 87
2009 78
2010 39
2011 13
2012 6
2013 16
2014 4
2015 3

And posts per blog year:

Blog Year Number Posts
---------- --------------
To Sep 2005 558
To Sep 2006 354
To Sep 2007 184
To Sep 2008 107
To Sep 2009 59
To Sep 2010 72
To Sep 2011 17
To Sep 2012 8
To Sep 2013 14
To Sep 2014 6
To Sep 2015 3

Obviously 2015 is work in progress in both tables. There has been a total of 1383 posts (actually 1386 as three posts have been removed for various reasons). The curves in both tables are different as it peaks in 2005 on pure year and tails off slowley after that. In blog years it peaks in the first year and tails off after that, again slowley. In the first year of blogging I was managing on average almost 1.5 posts per day and in the second year still almost one post per day. As the years roll by the number of blog posts has dropped to almost nothing and in fact the biggest gap in actual posts BUT the number of visits to my companies site continues to grow - more on site stats in a minute.

I recorded the birthdays of my blog from its first birthday until the 5th and then never again until now!. These are here as links:

The First blog birthday
The second blog birthday
The third blog birthday
The fourth blog birthday in
2008

The fifth blog birthday in 2009

And then its this blog post. I do not have a proper historic record of the sites visits since the start but have some snippits in the birthday blogs so here is a summary.

In the first year the number of visits (not hits) went from around 10,000 a month to around 64,000 a month and approximately 0.5 million visits a year. In the second year that grew to around 1.2 million visits a year, in the third year about 1.5 Million visits a year and in the fourth 1.6 Million visits a year and around 4.2 million page views per year. We are now running at around 2.2 million visitors a year, 6.1 million page views a year and an average of around 6,200 visitors per day sometimes peaking around 10,000 visitors in one day.

So it is indeed interesting to see site visits rise while blog posting drops. This is probably due to collateral on the site and partly traction in google although a lot of visits do not eminate from Google so we do have some immunity from Googles fickle rankings.

The stats also show me the most popular pages now and these are in order:

1) How to Grant all Privileges in Oracle
2) Hacking Oracle 12c Common Users
3) which special characters can be used in Oracle database passwords
4) Allowing a user read-only access to stored procedure source code

This is interesting as we have a mix of modern - 12c and older core issues and even a post from the original blog (pre-blog!).

Whats happened in the years between birthdays, 5th and now? well we now have 4 training classes, ranging from auditing Oracle databases, secure coding in PL/SQL, designing audit trails for Oracle and locking down Oracle. All of these classes will be taught from September 21st to 25th here in York at the Holiday Inn, Tadcaster road, York; being taught back to back.

Also in these intervening years we have been busy creating two software products; PFCLScan a useful tool to help you perform a security audit of an Oracle database and PFCLObfuscate, a tool that can be used to protect and lock PL/SQL that you deploy to a database.

Contact us if you would like a demo of either product or to buy a license!