Call: +44 (0)1904 557620 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Week of Oracle bugs axed--for now?

http://news.com.com/2061-10789_3-6139420.html - (broken link) Week of Oracle bugs axed--for now? - by Joris Evers

"The bug hunters at Argeniss have put their plans for a "Week of Oracle Database Bugs" on ice.

Due to "many problems" the initiative has been "suspended," according to a posting on the Argeniss Web site. The company provides no additional details. "


This is good news for anyone runnng an Oracle database in production especially if its exposed. There is no real detail as to why its been cancelled or what pressure or influences caused them to cancel but its good news all the same.

Carelessness Runs Amuck With Zero Day Vulnerabilities

Carelessness Runs Amuck With Zero Day Vulnerabilities - Mark Joseph Edwards

"It's no secret that some hackers, predominantly wearing either black or grey hats, discover vulnerabilities and then proceed to sit on those vulnerabilities for some variable amount of time. The motives for not informing the affected vendors appear to vary from entirely self-centered reasons to the need for leverage against a given vendor who might claim to be improving security, but just not fast enough for the satisfaction of some people. Sometimes the latter explanation turns out to be more of a ruse than fact. "

Judging by the amount of articles on this planned week of Oracle 0-days by Argeniss in the press and the fact that none of them are positive or in agreement with it, it looks like most of the Oracle speaking world agrees that its not a good plan. I have had a lot of conversations this week with interested parties, users and customers of Oracle and no one thinks its a good idea to release 0-days to make a point.

The real point is that Oracle are getting better at security, we should give them a chance to prove themselves and also there is no value in making a large amount of databases immediately vulnerable to attack.

Week of Oracle zero-days planned

http://weblog.infoworld.com/techwatch/archives/008988.html - (broken link) Week of Oracle zero-days planned

"Database security researcher Cesar Cerrudo is taking a page out of the MetaSploit Project playbook, annoucing that his company, Argeniss Information Security, will publish a previously unknown (zero-day) vulnerability for Oracle databases each day for the first week in December, according to a message posted on the Argeniss Web site."

Oracle in the Crosshairs for Week of Exploits

Oracle in the Crosshairs for Week of Exploits - By Sean Michael Kerner

"Oracle database users take heed: December may be a tough month. A security researcher is warning of a week of Oracle database bugs.

The revelation comes after Oracle's recent quarterly patch cycle for its namesake database. It typically yields double-digits' worth of fixes for security flaws. For example, Oracle released an update at the end of October for some 63 flaws in Oracle databases. But even more flaws are lurking that have not yet been disclosed, according to Cesar Cerrudo, founder and CEO of the Argeniss Security Research Team. Now, he's taking up the cause."

Oracle Security Patch Causes Insecurity

http://weblog.infoworld.com/gripeline/archives/2006/11/oracle_security.html - (broken link) Oracle Security Patch Causes Insecurity

"To patch or not to patch - that is the question for many software customers. And it's particularly tricky one to answer when the software company won't say what the patch is for, as one reader discovered with a recent Critical Patch Update released by Oracle for PeopleSoft."

Pete Finnigan's presentation from UKOUG 2006 in Biringham on Encryption

I was at the ukoug last week and spoke a number of times there. My first presentation was titled "Encrypting data, is it possible to prevent access?" and is an overview of the commercial and free options available to anyone wanting to encrypt data in and around the Oracle database. The presentation also covers some of the issues around securing data from the dba and whether its possible to do this. I also include a few hacks and tricks.

Argeniss are to release an Oracle 0-Day exploit every day for a week

I was made aware of the page The Week of Oracle Database Bugs on Argeniss site today. They have announced that for one week on December (the actual date is not shown on the site) they will release a 0-Day exploit every day for the Oracle database server.

For those people who do not know what a 0-Day exploit is, I will explain. This is a bug that has not been fixed by the vendor and is not known publicly. A hacker or researcher releases the exploit and immediately anyone using the software is at risk of being attacked. They say they are doing this to show the current security state of the software.

In my opinion Oracle have been getting much better in recent times towards security. They have been fixing a lot of bugs in the main code line (The current release) quite quickly, the advisories are getting much better and we are also told by Mary Ann (and I have been told by insiders the same) that Oracle are now committed to training their developers on how to code against security bugs. I beleive them, I know Oracle is a big monster and we should not expect it to turn like a formula one car but like a 100 ton truck pulling 17 trailors. This is to be expected. The view last week at the UKOUG talking to quite a few people is that Oracle are getting on top of the bugs and should close out most PL/SQL injection type bugs within a year. Lets hope its true.

I just want to quote CERT, they say that 95% of all intrusions are made using known vulnerabilities. Therefore if you patch and secure your configuration you should be reasonably secure. If the bugs are not public then they are not as common or easy to find as some would have you beleive.

I don't agree with Argeniss planned 0-Day week against Oracle it will just make life more difficult for many hard working DBA's and security managers. I don't see that it will prove or highlight anything that has not been said over the last year or so in the press, Oracle are getting better at fixing bugs, give them a chance and don't make further un-necessary risks to customers.

Securent Could Be a Fine Addition for Oracle

http://www.internetnews.com/bus-news/article.php/3644726 - (broken link) Securent Could Be a Fine Addition for Oracle - by Clint Boulton

"As a journalist in the high-tech space, every now and then I get to hear things that make me think two companies would be a perfect marriage.

Not that I'm advocating that companies land on other companies and absorb them, even though it gives us more to talk, pontificate and write about.

But sometimes two companies seem destined to be intertwined, either in a partnership or in an acquisition. "

UKOUG starts tomorrow

I will ne heading for the UKOUG tomorrow in Birmingham for the full 4 days. I will be speaking tomorrow about whether its possible to hied data in the database with encryption. On Wednesday Ill be hosting a round table session on Oracle security and also speaking about the performance issues associated with VPD, FGA and audit and finally I will be doinga two hour master class on Oracle security on Friday. Throughout the week I will also chair 4 other sessions and be at the bloggers get together tomorrow night. Come and say hello!

10gR2 and failed_login_attempts

There was a nice post on the pythian group today about the fact that Oracle since 10.2.0.2 has set a value for the failed_login_attempts parameter of the DEFAULT profile. This caused an issue for Alex Gorbachev. Its an interesting conflict between adding security to Oracle and causing problems with existing systems and migrations. Also note my comments on defining specific values for profiles for different groups of users. The post is titled http://www.pythian.com/blogs/284/oracle-102-migrations-%e2%80%93-account-lockedtimed-and-failed_login_attempts - (broken link) Oracle 10.2 Migrations – Account LOCKED(TIMED) and FAILED_LOGIN_ATTEMPTS

Oracle password crackers

Whilst we are on the subject of Oracle password crackers its worth mentioning the other available options (apart from the commercial ones of course). There are other tools with built in Oracle password crackers. Alex paper from my post "checkpwd Oracle password cracker now supports multi-core CPU's" has a nice performance comparison for various crackers.

Two other possible crackers are "John the Ripper" that has a module available for the Oracle password algorithm. This I mentioned in a post titled "Full disclosure list: Summary of the password algorithm and a C code plug-in for John The Ripper password cracker" over a year ago.

The other tool worth a mention is http://www.oxid.it/cain.html - (broken link) Cain and Abel which I also mentioned almost two years ago in a post titled "Great tool for security checking a PC". Version 3.3 also includes an Oracle password module. This is a good security tool and it should be in every DBA's toolkit.

Of course the final option ofr creating a great Oracle password cracker for your own use is to write your own. The algorithm is public now and the coed for John the Ripper above shows how to implement it. If you want a password cracker to work to your own rules or styles then write it in C. This book is The Bible for C.

There is a newer version of the orabf Oracle password cracker available

I have been looking at password crackers this week and found that there is a new version of the orabf Oracle password cracker available, this is version 0.7.6. Its a small upgrade from the last time i reported anew vesion here. The site was working yesterday but it seems flakey tonight so keep trying if you dont get through. This is a good password cracker and worth using in conjunction with Alex's checkpwd. Checkpwd doesnt do brute force but 0rm's orabf does. orabf is very fast. I like Alex's checkpwd for the reason that it also can connect to the database and get the usernames and hashes directly. If we could combine the two it would be great!

checkpwd Oracle password cracker now supports multi-core CPU's

I was chatting to Alex this evening and he let me know that his password cracker checkpwd for Oracle now supports multi-core CPU's and multi-CPu machines. This now makes checkpwd one of the fastest Oracle password crackers for a PC and fro dictionary mode. 0rm's orabf is still the king of brute force speed though - maybe because checkpwd doesnt support brute force - who knows, we need to see a brute force version of checkpwd to compare.

Alex has released a short paper of the results of his performance testing of Oracle password crackers. Its titled "Benchmark Oracle Password Cracker - V1.00"