We provide expert Oracle Security training classes worldwide to many customers, both privately and at public events, either as in-person classes where the instructor travels to you or via WebEx where the instructor teaches the class remotely. We are based in the UK and have successfully taught our classes via WebEx to clients in the Far East and Australia, to clients on the West Coast, East Coast and Mid-West of the USA, and to clients in South America.
We have also taught in-person classes all across the UK, the EEC, the Balkans, the Middle East, Asia, South America and more.
We are happy to provide either form of teaching for customers. The classes are taught by Pete Finnigan, who is well known and very experienced in providing the same services for clients worldwide.
We have just made some small changes to our 4 existing Oracle Security training class flyers / leaflets and re-uploaded these to our site. These flyers are available for download here and detail our training courses:
[2 Day] - How to Perform a Security Audit of an Oracle Database
[1 Day] - Secure Coding in PL/SQL
[1 Day] - Designing Practical Audit Trails for Oracle Databases
[1 Day] - Hardening and Securing Oracle
The first class is a 2 day class and the other three are all one day classes. We have just added a new one day class to our portfolio:
[1 Day] - An Appreciation of Oracle Security
This is also a one day class and it draws from all of the other classes and aims to give students a good overview of security of data, secure coding, audit trails, forensics and also solutions to secure your databases and data.
We have a small number of public classes at the moment arranged with Oracle University:
5 Days training in Reading, UK, September 26th to 30th, 2016. This is the 4 classes listed above and is a rare opportunity to attend all classes back to back in one sitting over 5 days. Details to book here.
2 days with Oracle University in Vienna, Austria, November 29th and 30th 2016. Here I will teach my two one day classes, Secure Coding in PL/SQL and Securing and Locking Down Oracle. I don't have a registration link for both classes yet, so please contact Oracle University or email me and I will pass on details.
2 or 3 days with Oracle University in November 2016 in The Netherlands. No details yet but keep an eye on my website.
All of our classes are available as private trainings for your company; please contact me, Pete Finnigan, to arrange a class to suit you. Our fees are structured and aimed at being very cost effective, even more so as you add more students. Ask me for details.
Finally we are also planning to run another 3 day class in York, UK in the October / November 2016 timeframe. No dates set yet. The event will be the two day class "How to perform a security audit of an Oracle database" and the one day class "Hardening and securing Oracle". We have done this combination many times now at public trainings and also at private clients very successfully. If you are interested in a York class then please contact me as above.
I have had a few interesting interactions over the last week or so regarding data supposedly leaked from my website. This is interesting from two perspectives. The first is that three people emailed me and told me that my website is in danger and that I should remove the file Oracle Default Passwords as it's a danger. Another person sent me a short dump from this page and a third sent me a typed-up report saying that this looks like an SQL dump from my website. The second reason it's interesting is that this is not a dump from my website; it is part of a free tool written by Marcel-Jan Krigsman to analyse for default passwords in an Oracle database. My website does not use an Oracle database and this is not a user/password dump from my website, of course, but anyone reading this will know that. Also, the OSP code that Marcel-Jan created from my default password list is old and is not the best way to analyse default passwords anymore; a password cracker and my much bigger default list is a better approach now, BUT the tool is still valid.
When I perform detailed security audits of customers' Oracle databases I also look for data that sits outside of the database (a similar analogy to this), and especially where that data includes passwords. So I understand the background to looking for passwords. Someone who emailed me also advised that I reset all of these passwords; again a valid thing to say, BUT this is a free tool, not passwords for my website.
Why the focus now on finding passwords on my site? Well, it's not a targeting of my site per se, I guess. One person told me that they found me at the top of the listings with a Google search of "ext:sql intext:username intext:password", so this search must be doing the rounds. But Google searches do not distinguish between real data leakage and data that may contain passwords but is not a leakage; in my case it's a free tool. Some investigation should be done even after finding what looks like a gold mine.
Is it wrong to look for this data? It depends on your intentions, of course. I also use Google (and other searches and sites) to look for anything leaked from a customer to the wider internet, so there is nothing wrong with this if intentions are good.
Should you check the relevance of what you have found before going further? Maybe. In this case, without any Oracle knowledge it would be hard to know if this was a password dump of my website or part of a tool. A quick query of the website itself would have located the rest of the Oracle default password tool.
Am I bothered that three people emailed me to tell me to remove this page, one anonymously and two others not? NO, of course not; I am not bothered. I am actually quite impressed that three people took the time to tell me that my website is in danger and that I should remove this file. Of course I am not going to remove it, as it's not actually a danger, but I am heartened that people took the time to tell me that I may have an issue.
I have added a comment to the top of the SQL page that says it's a tool and not a password dump from my website, but if someone else emails me to say it's a danger I will still thank them!!
Kamil Stawiarski, who runs Database Whisperers sp. z o. o. sp. k., an Oracle specialist consulting company in Poland and whose company is also a reseller for our Oracle database security scanner PFCLScan in Poland, has invited me to speak at the upcoming 1st International Conference in Poland, but due to other commitments I cannot make it this year. Kamil and the guys already have some good speakers and I wish I could be there. Please have a look at the link above and come along to what promises to be a very good event in Poland!!
I also got a speaking slot at Oracle Open World but unfortunately, due to a critical work commitment, have had to decline the slot. This is a great pity as I have never attended Oracle Open World and I would really have liked to have spoken there this year. I have however agreed to still write a paper with Oracle on the subject of the proposed talk, "In the mind of a database hacker", so watch out for news of that over the coming period as it's created and published.
I am also going to be teaching 5 in-depth days of my Oracle security classes with Oracle in Reading, UK from September 26th to 30th. I am looking forward to this as it's a rare opportunity to attend all 5 days of my Oracle security classes in one session. If you would like to attend then please register your place with Oracle.
Over the last week or so I have also received notice from the UKOUG that I have two slots at the Tech 16 Conference in Birmingham, UK this year from December 5th to 7th at the ICC. I am hosting an Oracle Security round table and also will present on what to do if you do not have (or cannot have if you are on SE, SE1, SE2) Database Vault and would still like to have some or all of the features. Hope to see you at the UKOUG in December!!
I am also teaching two one day classes on the 29th and 30th November 2016 in Vienna, Austria with Oracle University. These are "Secure Coding in PL/SQL" and "Lock down and secure your Oracle Database".
OK, that's all for now, please come and hear me speak.
I am happy to announce that I will be teaching a five-day Oracle Security expert seminar class with Oracle University at Oracle's offices in Reading, UK from September 26th to September 30th 2016.
This is a 5-day expert class where I will teach all five days of my Oracle security classes back to back. This is a rare opportunity to attend all my classes in one session in the UK.
The training starts on days 1 and 2 from the premise of reviewing your Oracle database to understand its security posture and then walking through a complete sample audit. On day 3 we discuss secure coding in PL/SQL and on day 4 how to design audit trails for your Oracle database, and finally on day 5 we start to pull everything together: we attack a sample database and understand its weaknesses, spend most of the day locking down and protecting the data and database, and finally at the end of the day attack the database again to show whether the lockdown has worked or not.
This is in-depth training and each attendee gets to take away hundreds of free scripts and tools developed by me over many years of performing security work for my clients.
I hope to see you there. You can book your place by visiting this link and clicking the fourth tab
I will be teaching 5 days on my Oracle security classes in Paris from 20th June to 24th June with Oracle University at their offices and training suite.
Details of the Oracle Security Event and how to register on Oracle's website
The whole week is expert class room based training taught by myself and including a large number of live demos. This is a rare chance to sit down and have 5 days training in one go. I do not do these whole week blocks often so please take the opportunity to register with Oracle and come along. The five days include:
2 days - How to perform a security audit of an Oracle database
1 day - secure coding in PL/SQL
1 day - designing practical audit trails in the database
1 day - locking down and protecting Oracle.
The whole week is structured. We start off by looking at why your databases may have been designed and implemented insecurely. We use the vehicle of a security audit to walk us through the how and why, and because it is a security audit we also cover data access issues, least privilege, user designs, hardening and patching and more.
We then have one day on secure coding. Even if you do not code, this day is very valuable as it shows you why and how PL/SQL can become insecure, so you can use this information as part of an audit, as a manager to advise others, or as a developer to code better.
The fourth day is all about audit trails, firewalls and intrusion detection. We cover the whole process of designing and exploring audit trails in the database and, as with coding, these ideas and designs have benefits no matter what your specific job role is.
The final day is the most exciting, as we take all of the knowledge learned over the previous four days and use my sample database with two applications as a target to secure. We start by hacking the applications and database and show how and why it is insecure. We then lock down and secure the database, including all elements of hardening of the OS, the network and the database. We also look in depth at securing all accounts in the database and strive towards least privilege, as well as changing the design of the database applications, and we also explore context-based security and break-glass access. At the end of the day we look at the now severely locked-down database, try to hack it again and assess the results. As part of the lockdown we also bring in audit trail design and implement a comprehensive audit trail, and we look at simple ways to solve secure coding issues.
As part of the class attendance you will get from me hundreds of free tools and scripts that includes thousands of lines of code.
To register and get more details please click this link
I will be at the Amis conference next Friday in Leiden, not far from Amsterdam in Holland. The conference is held over two days, June 2nd and 3rd, but I will be there just on the Friday due to other commitments. I will be doing a one hour and forty minute master class on Database Vault and also on what you can do to get similar protections if you do not have Database Vault. I don't mean simply trying to replicate the functionality of Database Vault, BUT what we can do with standard controls and good design to achieve similar effects. I will also cover the simple fact that you must decide and design what to do with Database Vault, as it's just another application in the database and it must be deployed securely, and you must also secure your database first with good design, data access controls, user designs and more. The Amis conference is next week and details are in this link.
I spoke yesterday about compartmentalising Oracle Security, and one element that comes out of this is the need to consider what you are trying to achieve: securing the actual data and also securing the platform. In general, applying security patches will not secure specific data from attack by someone who gains access via a logged-on account or by abusing an application's source code (SQL injection, for instance). Hardening a database also will not make specific data any more secure against the same vectors. Hardening and patching are important, but in general they will not make the data any more secure than it already is, because who can reach a given table is controlled by object permissions, the object owner and system ANY-type privileges. Also factor into this the account used to connect end users via an application: whatever that account can see is what an attacker abusing the application inherits.
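To make the point above concrete, the following query answers "who can read this one table?" purely from the privilege model, which is what still decides the answer after every patch and hardening guide has been applied. This is an added example for this post, not a script from the author's toolkit. It assumes an Oracle 11gR2 or later database (recursive WITH), an example table HR.EMPLOYEES (substitute your own), and a connection that can query the DBA_* views. Running it against the account your application connects as shows what a SQL injection in that application would inherit.

```sql
-- Added example (not from the original post): who can read one table,
-- regardless of patch level or OS hardening? HR.EMPLOYEES is an assumed
-- sample table; run as a user that can query the DBA_* views.
WITH direct_paths AS (
    -- the owner needs no grant at all
    SELECT owner AS grantee, 'owner of the table' AS how
    FROM   dba_tables
    WHERE  owner = 'HR' AND table_name = 'EMPLOYEES'
    UNION ALL
    -- object privileges granted on the table, to users, roles or PUBLIC
    SELECT grantee, 'object privilege ' || privilege
    FROM   dba_tab_privs
    WHERE  owner = 'HR' AND table_name = 'EMPLOYEES'
    AND    privilege IN ('SELECT', 'READ')
    UNION ALL
    -- blanket system privileges that reach every table in the database
    SELECT grantee, 'system privilege ' || privilege
    FROM   dba_sys_privs
    WHERE  privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE')
),
-- Walk the role hierarchy: a grant to a role reaches every grantee of that
-- role, and roles can be granted to roles, so recurse until we reach users.
-- Oracle refuses circular role grants, so the recursion always terminates.
expanded (grantee, how, via) AS (
    SELECT grantee, how, CAST(grantee AS VARCHAR2(4000))
    FROM   direct_paths
    UNION ALL
    SELECT r.grantee, e.how, r.grantee || ' <- ' || e.via
    FROM   dba_role_privs r
    JOIN   expanded e ON e.grantee = r.granted_role
)
SELECT DISTINCT e.grantee AS who, e.how, e.via
FROM   expanded e
LEFT   JOIN dba_users u ON u.username = e.grantee
WHERE  u.username IS NOT NULL      -- real accounts ...
OR     e.grantee = 'PUBLIC'        -- ... and PUBLIC, which means everyone
ORDER  BY e.grantee, e.how;
```

The VIA column shows the path (user <- role <- role <- grant), which is usually where the surprises are: an application role granted SELECT ANY TABLE years ago, or a grant to PUBLIC nobody remembers. Nothing in this result changes when you apply a PSU, which is exactly the distinction between securing the platform and securing the data.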
I subscribe to Bruce Schneier's mailing list and in the most recent newsletter he replays an article that he wrote on xconomy.com about the fact that credential stealing is a more important attack vector than a zero-day exploit or finding unpatched systems. The article is called Credential Stealing as Attack Vector. I teach the same idea in my two day class, How to Perform a security audit of an Oracle database, as I cover simple ways that people attack databases, and for me it's obvious that if you can steal credentials, find credentials, or even guess credentials because of weak passwords, then that is a simpler and more effective way to steal data than a pure, skilled exploit-based attack. Also, because it's simpler, you need fewer skills in some senses to carry out the attack. Clearly we must focus on credentials, password management, storage of hashes, context-based access to the database (network restrictions at the network level or database level) and more. A two page flyer for my class is also available to download.
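The three credential weaknesses listed above (default or guessable passwords, no brute-force limits, weak stored hashes) can each be checked with a single query against the data dictionary. The block below is an added example for this post, not the author's tooling or Oracle's own audit script. It assumes Oracle 11g or later (for DBA_USERS_WITH_DEFPWD and the PASSWORD_VERSIONS column) and a connection that can read the DBA_* views; the profile handling resolves the DEFAULT placeholder, which is the usual reason a "hardened" profile still behaves like the unrestricted DEFAULT one.

```sql
-- Added example (not from the original post): three credential hygiene
-- checks, run as a user that can query the DBA_* views (11g or later).

-- 1. Open accounts still on a vendor default password. DBA_USERS_WITH_DEFPWD
--    is Oracle's own list; a cracker with a larger wordlist finds more, but
--    this catches the obvious ones in one query and needs no hash access.
SELECT d.username, u.account_status, u.profile
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
WHERE  u.account_status NOT LIKE '%LOCKED%'
ORDER  BY d.username;

-- 2. Open accounts whose effective profile never locks after failed logins
--    or applies no complexity function: a weak password on such an account
--    can be guessed over the network without limit.
WITH eff AS (
    -- A limit of 'DEFAULT' in any profile means "inherit from the DEFAULT
    -- profile", so resolve it before judging the value.
    SELECT p.profile, p.resource_name,
           CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS limit_value
    FROM   dba_profiles p
    JOIN   dba_profiles d ON d.profile = 'DEFAULT'
                         AND d.resource_name = p.resource_name
    WHERE  p.resource_type = 'PASSWORD'
)
SELECT u.username, u.profile,
       MAX(CASE WHEN e.resource_name = 'FAILED_LOGIN_ATTEMPTS'
                THEN e.limit_value END) AS failed_logins,
       MAX(CASE WHEN e.resource_name = 'PASSWORD_VERIFY_FUNCTION'
                THEN e.limit_value END) AS verify_fn,
       MAX(CASE WHEN e.resource_name = 'PASSWORD_LIFE_TIME'
                THEN e.limit_value END) AS life_days
FROM   dba_users u
JOIN   eff e ON e.profile = u.profile
WHERE  u.account_status = 'OPEN'
GROUP  BY u.username, u.profile
HAVING MAX(CASE WHEN e.resource_name = 'FAILED_LOGIN_ATTEMPTS'
                THEN e.limit_value END) = 'UNLIMITED'
    OR MAX(CASE WHEN e.resource_name = 'PASSWORD_VERIFY_FUNCTION'
                THEN e.limit_value END) = 'NULL'
ORDER  BY u.username;

-- 3. Accounts that still carry the old 10G (DES-based, case-insensitive)
--    hash alongside newer ones. If that hash is present it is the one an
--    attacker who reads SYS.USER$ will crack, whatever the newer versions are.
SELECT username, account_status, password_versions
FROM   dba_users
WHERE  password_versions LIKE '%10G%'
ORDER  BY username;
```

Check 1 finds what the old default-password tool discussed earlier found, without needing the list; check 2 is what turns "guessable" into "guessable at leisure"; check 3 is the "storage of hashes" item. None of the three needs a scanner, and all three are routinely wrong on databases that are fully patched.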
If you would like training then please email me at pete at petefinnigan dot com for more details.
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.