
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Snow, Woe and Oracle Security!

Well, it has been a while since my last blog. Things have been mad for the last months with delivering training, consulting and performing security audits; no time to stop and breathe sometimes. I should not complain, of course; it puts food on our table!

I was due to be at the UKOUG this week to present at the conference on "Identity in the database" and also to chair the Oracle Security round table, but the bad weather put paid to that. We had really bad snow most days this week, with the worst so far yesterday. I measured 8 inches of snow that fell yesterday in one snow storm. It's a real pity and I felt annoyed to not be going, but it was not safe to try and drive down. I normally go down each day to the UKOUG conference as it's not too far from York and it's usually cost effective to simply drive or take the train.

So I now have a brand new presentation written by me for me to present at the UKOUG conference. I already had a request to use it, so that lessens the blow slightly. Also, I have not missed the conference for 9 or 10 years, so it's hard to not go there and catch up with people. It cannot be helped, I suppose; next year I hope it goes better!

I have also agreed some new trainings recently. I will be teaching my class "how to perform a security audit of an Oracle database" next week in Ljubljana (snow permitting, I guess, as we still have a lot of bad weather), then in February with Opitz Consulting in Switzerland, then in March in Edinburgh with PiSec and also in March in Athens, Greece. Finally, I will also be teaching in Croatia in May next year. Finally, finally, I will also be creating a new one day class to be split over either 2 or 3 days and taught over the internet; watch out for more news on this soon. These are all public classes and of course we would love to see you at some of them.

I have a big backlog of things to talk about here and I hope to find some time to do just that.

A few quick notes: David has released his new tool v3rity as an alpha version from his new company's website. The company and the product are called V3rity (http://www.v3rity.com/v3rity.php, broken link). The product is a tool that can be used for breach investigations when a suspected breach occurs. It's also currently free, so download and have a look. It's able to read data files, redo logs, audit trails and server memory.

I have also been looking at links, proxy, secure app roles and identity spoofing, and created a spoof client that allows you to use SET commands to set values such as USER, PROGRAM, MODULE etc. when it's possible. This was all part of the investigation for my UKOUG paper, but my research into areas of Oracle security and accountability also went further. More on this soon; I promise.