
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Data Loss

Quite obviously (well, it's obvious to me!) one of the areas I am very interested in is data loss / data theft / data security and of course specifically Oracle security. We spend a lot of time looking at customers' Oracle databases, designs, policies and code, and help them resolve issues that would make it easy for someone to breach their databases or, worse, steal or damage data.

Data is pervasive. I always like the example that you are trying to protect data, not Oracle; of course you must use Oracle to protect your data, but the goal is to protect your data. In order to protect that data you must understand where it is (in motion and at rest), so the whole process must include protecting data everywhere and not just in the database. If data is loaded by end users and stored in the database, but reports are also produced or parts of the data are exposed in reports, papers, websites or documents, then those must be protected too. It may be necessary to involve network security, server security, desktop security and even physical security (i.e. where is that printer and who has access to it; where are the paper reports kept and who sees them...). I would always still start with the Oracle database: what data should be secured and protected; where is it stored; how is it accessed; basically, create a flow of that data from user to storage and back out again. Track the data both at rest and also in flow. We need to understand how the data leaves the database and to where: backups, reports, paper or whatever. The core idea is to assess whether it should leave the database and how secure it is when it does; can it be obfuscated or masked, or is it necessary to remove the data at all?

Once we know where the data is and how it works, we can assess and design the best controls and solutions to secure the data both in the database and also outside of it. We use various tools in these assignments, including PFCLScan, our security scanner for Oracle databases. This is a very cost effective tool and very useful for securing data.

What if the data is given away or made public? This is a problem if the data is exposed internally to a small group or a larger group, or worse to the public (Internet), as anyone can read it, copy it and more. This data can then be replicated anywhere. Once it's copied it is no longer under your security controls. The only way to protect this copied data is to not let it be copied in the first place.

Once data has been read it cannot be "unread"!!

I had a good example of this public data loss last week. Someone emailed me and asked me a question about one of the many Oracle Security presentations I have made available on my site over the years. This question stood out because of the URL he sent me, which was to my MS PPT (saved as a PDF) on scribd.com and not on my site. This was not the question asker's problem and he was not to blame. I publish my MS PPTs and other papers and I expect people to read them on my site and download and read them on their PC / device. I do not expect (or indeed want) anyone to re-publish my papers anywhere else. The account on scribd.com that had this particular paper also published literally hundreds of papers from others as well; I cannot say for sure now, but I would say that for almost all of what this person posted he did not own the copyright. My MS PPTs do include a page with legalese that states in simple terms that these PDFs cannot be re-hosted/published or whatever anywhere else, so this was ignored. I did a quick search and found 6 of my papers and even a screen dump of one page of my website published to scribd.com. This was a simple search and indeed there could be more if I searched with more keywords. Each person with an account on scribd who published mine had also published other people's work as well, in contradiction of copyright or individual licenses such as the one I have included on my paper. Scribd took down my papers within a few hours, but that's not the point. I am not allowed to complain to scribd by a DMCA request that I found other papers I wrote that have copyright owned by someone else (i.e. others paid me to write them). They will not take down anything unless you are the copyright owner. I have not searched elsewhere as I am sure this is not just an issue with scribd; I simply do not have the time to do detailed searches (not a good excuse!).

Data once put out there is hard to control. This is a fact. To control and protect data you MUST know where it is and control all access to all of the data and understand the risks of it leaving the database in the first place. My papers of course were not in an Oracle database but were about Oracle Security.

Oracle Security Training

We provide expert Oracle Security training classes worldwide to many customers privately and also at public events; either as in-person classes where the instructor travels to you, or via WebEx where the instructor teaches the classes remotely. We are based in the UK and we have successfully taught our classes via WebEx to clients in the Far East and Australia, and also to clients in the USA on the West Coast, East Coast and Mid-West, and in South America.

We have also taught in-person classes all across the UK, the EEC, the Balkans, the Middle East, Asia, South America and more.

We are happy to provide either form of teaching experience for customers. The classes are taught by Pete Finnigan, who is well known and very experienced in providing the same services for clients worldwide.

We have just made some small changes to our 4 existing Oracle Security training class flyers / leaflets and re-uploaded these to our site. These flyers are available for download here and detail our training courses:

[2 Day] - How to Perform a Security Audit of an Oracle Database
[1 Day] - Secure Coding in PL/SQL
[1 Day] - Designing Practical Audit Trails for Oracle Databases
[1 Day] - Hardening and Securing Oracle

The first class is a 2 day class and the other three are all one day classes. We have just added a new one day class to our portfolio:

[1 Day] - An Appreciation of Oracle Security

This is also a one day class and it draws from all of the other classes and aims to give students a good overview of security of data, secure coding, audit trails, forensics and also solutions to secure your databases and data.

We have a small number of public classes at the moment arranged with Oracle University:

5 days of training in Reading, UK, September 26th to 30th, 2016. This is the 4 classes listed above and is a rare opportunity to attend all classes back to back in one sitting over 5 days. Details to book here.

2 days with Oracle University in Vienna, Austria, November 29th and 30th 2016. Here I will teach my two one-day classes, Secure Coding in PL/SQL and Securing and Locking Down Oracle. I don't have a registration link for both classes yet, so please contact Oracle University or email me and I will pass on details.

2 or 3 days with Oracle University in November 2016 in The Netherlands. No details yet but keep an eye on my website.

All of our classes are available as private training for your company; please contact me, Pete Finnigan, to arrange a class to suit you. Our fees are structured and aimed at being very cost effective, even more so as you add more students. Ask me for details.

Finally, we are also planning to run another 3-day class in York, UK in the October / November 2016 timeframe. No dates are set yet. The event will be the two-day class "How to perform a security audit of an Oracle database" and the one-day class "Hardening and securing Oracle". We have done this combination many times now at public trainings and also at private clients, very successfully. If you are interested in a York class then please contact me as above.

Data Exposure, leakage and Reporting

I have had an interesting few interactions over the last week or so regarding data supposedly leaked from my website. This is interesting from two perspectives. The first is that three people emailed me and told me that my website is in danger and that I should remove the file Oracle Default Passwords as it's a danger. Another person sent me a short dump from this page and a third sent me a typed-up report that this looks like an SQL dump from my website. The second reason it's interesting is that this is not a dump from my website and is part of a free tool written by Marcel-Jan Krigsman to analyse for default passwords in an Oracle database. My website does not use an Oracle database and this is not a user/password dump from my website of course, but anyone reading this will know that. Also, the OSP code that Marcel-Jan created from my default password list is old and is not the best way to analyse default passwords anymore; a password cracker and my much bigger default list is a better approach now, BUT the tool is still valid.

When I perform detailed security audits of customers' Oracle databases I also look for data that sits outside of the database (a similar analogy to this) and especially where that data includes passwords. So I understand the background to looking for passwords. Someone who emailed me also advised that I reset all of these passwords; again a valid thing to say, BUT this is a free tool, not passwords for my website.

Why the focus now on finding passwords on my site? Well, it's not a targeting of my site per se, I guess. One person told me that they found me at the top of the listings with a Google search of "ext:sql intext:username intext:password", so this search must be doing the rounds. But Google searches do not distinguish between real data leakage and data that may contain passwords but is not a leakage; in my case it's a free tool. Some investigation should be done even after finding what looks like a gold mine.

Is it wrong to look for this data? It depends on your intentions, of course. I also use Google (and other searches and sites) to look for anything leaked from a customer to the wider internet, so there is nothing wrong with this if intentions are good.

Should you check the relevance of what you have found before going further? Maybe. In this case, without any Oracle knowledge it would be hard to know if this was a password dump of my website or part of a tool. A quick query of the website itself would have located the rest of the Oracle default password tool.

Am I bothered that three people emailed me to tell me to remove this page (one anonymously and two others not)? NO, of course not; I am not bothered, I am actually quite impressed that three people took the time to tell me that my website is in danger and that I should remove this file. Of course I am not going to remove it, as it's not actually a danger, but I am heartened that people took the time to tell me that I may have an issue.

I have added a comment to the top of the SQL page that says it's a tool and not a password dump from my website, but if someone else emails me to say it's a danger I will still thank them!!

Oracle Security Talks, Training and Conferences

Kamil Stawiarski, who runs Database Whisperers sp. z o. o. sp. k., an Oracle specialist consulting company in Poland, and whose company is also a reseller for our Oracle database security scanner PFCLScan in Poland, has invited me to speak at the upcoming http://poug.org/en/ - (broken link) 1st International Conference in Poland, but due to other commitments I cannot make it this year. Kamil and the guys already have some good speakers and I wish I could be there. Please have a look at the link above and come along to what promises to be a very good event in Poland!!

I also got a speaking slot at Oracle Open World but unfortunately, due to a critical work commitment, have had to decline the slot. This is a great pity as I have never attended Oracle Open World and I would really have liked to have spoken there this year. I have however agreed to still write a paper with Oracle on the subject of the proposed talk "In the mind of a database hacker", so watch out for news of that over the coming period as it's created and published.

I am also going to be teaching 5 in-depth days of my Oracle security classes with Oracle in Reading, UK from September 26th to 30th. I am looking forward to this as it's a rare opportunity to attend all 5 days of my Oracle security classes in one session. If you would like to attend then please register your place with Oracle.

Over the last week or so I have also received notice from the UKOUG that I have two slots at the Tech 16 Conference in Birmingham, UK this year from December 5th to 7th at the ICC. I am hosting an Oracle Security round table and also will present on what to do if you do not have (or cannot have if you are on SE, SE1, SE2) Database Vault and would still like to have some or all of the features. Hope to see you at the UKOUG in December!!

I am also teaching two one day classes on the 29th and 30th November 2016 in Vienna, Austria with Oracle University. These are "Secure Coding in PL/SQL" and "Lock down and secure your Oracle Database".

OK, that's all for now, please come and hear me speak.