
Pete Finnigan's Oracle security weblog


Turkey, Germany, York, Holland and the Oak Table book

February 2nd, 2010 by Pete

I was away most of last week, including the travel out and back, to teach my class How to perform a security audit of an Oracle database in Istanbul, Turkey. It was a good class, very well attended, with some good discussions and questions from the attendees. The weather was the biggest surprise as it was cold, very cold, minus 8 and snow everywhere. I had expected that the weather would have been warmer there than in the UK, but it wasn't.

I am speaking in Germany on Thursday the 4th February at the IT-Defense 2010 conference in Cologne, Germany. The link is on the PeteFinnigan.com Limited site's home page.

We are also one week away from our two day Oracle security training here in York, England. If anyone wants to make a last-minute registration that's fine, we will be able to accommodate you.

I have also updated our public training dates page to include the registration details for the new public class in Utrecht to be held on the 26th and 27th of May 2010. I would love to see people there as well!

Finally, the new Oak Table book, Expert Oracle Practices, is out. I had my copy waiting for me when I returned from Turkey and I am now looking forward to reading the other authors' chapters. I wrote two chapters; the first about user security and the second about data security. I found that one of my co-authors, Charles Hooper, has written an excellent summary of the book on his blog in a post titled "'Expert Oracle Practices: Oracle Database Administration from the Oak Table' Book".

[No Comments]


The Oracle listener password algorithm

February 1st, 2010 by Pete

There has been a thread on my forum for a couple of years discussing the Oracle listener password algorithm. The thread is titled "Key and algo for encrypting the listener password". The thread discussed the issue that, in some versions of Oracle, the hash itself could be passed to log in. This is a technique used by security people to discover weaknesses in authentication mechanisms, and it was evident in the listener because the listener in 9i and lower supported two authentication mechanisms, one of which tested the password that was added in clear text to the listener.ora file. This had a flaw in that the hashed password could also be used. The listener password algorithm in 9i and lower was the same as the database password algorithm, except that the listener doesn't use a username so an arbitrary user was used instead. The listener is authenticated via local authentication in 10g and 11g, but it is still possible to enable a password for remote authentication, although this is not recommended. The password authentication mechanism is different in 10g and 11g. I was aware of how it worked, but usefully Marcell Major has now released a short paper describing the algorithm, titled "Oracle listener password encryption". There is also a demo program written in Python available to download.

[No Comments]


Two new Oracle root kits

January 20th, 2010 by Pete

Dennis has made two great posts about Oracle rootkits on his blog. The first is about creating a backdoor into the Oracle binaries and the logon process/function by replacing the C library function kziaia() so that it checks whether the user presented is "root" - this is meant to be a database username, not the Unix user root. Dennis has modified kziaia() so that if "root" is the username you get logged in as SYSDBA by setting the SYSDBA bit in the PGA (Tanel showed how to do this quite some time ago with a debugger). Importantly, the user does not need a password, and even more importantly there is little or no evidence that the connection has been made. Also, testing for this rootkit becomes harder as it is a traditionally modified binary.

This rootkit idea is much more in the style of old school rootkits rather than something like modifying data dictionary views to hide the user.

The first post is titled "My Oracle rootkit experiment" and is a great read.

Today Dennis has posted a second installment on his blog titled "My Oracle TNS Listener rootkit experiment.". This post looks this time at modifying the TNS listener binary by intercepting the function snttread(), which is like a wrapper around recv() on Unix. This time the magic word is not the username "root" but the string for the command "/bin/sh" - the Bourne shell. The packet should include the "magic word" and then the shell is launched instead!!

To exploit this Dennis simply used netcat to connect to the listener port number and he immediately had a shell! Again, very interestingly, there is nothing written to the log files except that a TNS-12502 is written. This error is not totally uncommon, so analysing whether this rootkit is installed via this error is difficult. Also, if you are clever enough to implement these modifications you can very easily change the C and make it harder to detect. These are traditional rootkit techniques and traditional methods to detect them are needed.

Remember these are backdoors, not exploits; you need access to modify the libraries in the first place.

Also it's nice to see that Dennis has automated some of the install with Python scripts. Great posts Dennis!!

[No Comments]


Conferences, webinars, trainings, new training dates.....

January 19th, 2010 by Pete

It has been a very busy last few months; lots of travelling, teaching and consulting. We have also spent time working with our new partners and also working to set up new country partners. PFCLScan has also taken some of my time in terms of development of checks/policies and reports and we have done a couple of really successful demonstrations over the last month or so to get first customers on board.

This is going to be a fairly short blog entry but with quite a bit of news. I am going to be teaching my two day Oracle security class next week in Istanbul, Turkey, and the week after I will be in Cologne, Germany to speak at the IT-Defense 2010 conference - that's a long awaited engagement for me as I was due to speak at the 2009 event in Potsdam, Berlin but had to cancel at the last minute due to breaking my hand last Christmas. This year I am looking forward to speaking there.

I have also just agreed a new public training date in conjunction with Miracle Benelux to be held in Utrecht, Holland on May 26th and 27th. I have added a link to my Oracle Security public trainings list and will add the registration page link when it becomes available from Miracle Benelux.

I am also going to be doing two webinars with Sentrigo on March 9th at 10am UK time and also March 11th at 6pm UK time. I have added links to my company's home page and will add registration links there when I have them, and will also add them here. Webinars are a good way to hear me speak on the subject of Oracle security without travelling.

[No Comments]


Training in York, England and Washington DC and adverts

January 5th, 2010 by Pete

I have added the registration page for the upcoming Oracle security training - how to perform a security audit of an Oracle database - to be held in York, England on February the 9th and 10th. The registration page gives details of the class. Places are limited and in demand so please hurry to register if you want to get one of the remaining places.

I also want to take an opportunity to remind people about the two day training coming up in Washington DC on March 25th and 26th. The registration page is here.

Astute readers will also notice that we have removed the Google ads from this site and instead added our own banner ads. This is to promote our own public training classes, which will increase in number as we take on more partners around the world to help run and promote our training and also to resell our Oracle database security audit services and our Oracle security software products. We now have partners in the States and are in discussions with potential partners in a number of other countries. The removal of the ads is also to allow us to sell very selective ad space to discerning customers and to help us promote our own partner events as discussed above - this is an advantage of becoming a partner.

If you are interested in renting ad space please contact me in the first instance for terms, pricing and details. We will only be allowing ad space in very limited quantities so that ads are shown on enough page impressions for each customer and yet still allow promotion of our own partner events. We are also only offering ad space in very specific circumstances that will benefit the ad space buyer but will not compete with us or our partners; again for details if you are interested contact me in the first instance.

[No Comments]


Hiding password hashes and a new sha1 Oracle password cracker

January 4th, 2010 by Pete

There was a good blog post titled "The need to ensure that hashed password values are safe" picked up via my Oracle blogs aggregator that discusses Dennis's FPGA cracker and also the importance of not letting the password hashes out of your site.

Laszlo also emailed me today to let me know about Marcell Major's new brute force password cracker for databases, which uses the CUDA framework for NVIDIA GPUs to implement the SHA1 algorithm for Oracle 11g database passwords and also SQL Server passwords. The cracker allows a password file to be used and also implements session handling so it can be easily used on security audits of databases. The cudadbcracker page is here, the cudadbcracker binary is here and the cudadbcracker source code, released under GPLv3, is here.

[No Comments]


Belated Christmas wishes and a happy new year to all readers

December 29th, 2009 by Pete

Well, it has been a while since my last blog entry - almost two weeks in fact; Christmas added onto heavy work loads all gets in the way of blogging... :-)

I still have a backlog of things to blog about so watch out for these in the new year. I cannot promise to blog much between now and next week as I have a lot of work to fit in as well as the New Year's celebrations!!

I just saw Marcel-Jan's post on my Oracle Security Forum titled "Twitter banned passwords" and it piqued my interest. It is not Oracle security related but it is relevant, not because I also use Twitter but because it's a good idea. When setting a new password the system should stop you from setting stupid passwords, no matter the system. The Oracle database can also do this for you BUT you need to do the work to set it up. The check can be added as part of the password management in profiles; specifically by defining a password verification or complexity function that includes rules to stop weak passwords being set. The standard function supplied by Oracle includes a simple hard-coded chain of the form if (password == bad_val1 or password == bad_val2 ...).

I usually recommend that my clients create a proper complexity function that matches the password policies defined in their own access and use policies. This would normally include length, character set, change requirements, lack of simple passwords etc. One of the things we do is to build a table in the database containing all the weak passwords, and then the password complexity function checks that any new password does not exist in this table. This allows a much bigger list of passwords that should not be used to be checked against.

This is one of the problems with the Oracle database; this stuff is not turned on by default. Simply, you need to do the work. This is a recurring factor of Oracle security; Oracle security is not simply about following checklists or applying CPUs (Critical Patch Updates), it's a lot more. Securing a database is much more about the detail and the configuration. The other problem is that in databases a solution is often not simple. A weak password is a good example. It sounds simple; set it to a strong value, but it's more than that: you also need to define strong and then enforce strong, you should also limit the chance of abuse and also record abuse attempts. This means setting password management, complexity, fixing the password, audit and more. Complex but complete solutions are needed. Back to the post by Marcel-Jan; this post shows good advice from Twitter, and you should use the same ideas in your Oracle databases, but remember you need to do the work. That doesn't mean that you cannot steal the material from Twitter's article (wink); why not take the list of common passwords for Twitter? Just because they are common for Twitter doesn't mean that they are not common for all other platforms. People are people, are people; and they choose passwords, not the software they are used on; this is where we come in and make the software help choose, or rather stop some choices from being made. The article Marcel-Jan references is titled "370 Passwords You Shouldn't (And Can't) Use On Twitter" and the password list is here.
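One way to implement the banned-password table check described above, as an added example written here (it is not Pete's code and not the standard function supplied by Oracle). It assumes the names sys.banned_passwords, verify_pwd_banned_list and banned_list_profile, a demo account scott, and constructed sample rows in the table; the verify function must be owned by SYS.

```plsql
-- Added example, not Pete's code: a SYS-owned password verify function that
-- checks length, username re-use, character mix and a table of banned
-- passwords, then the profile that enforces it. Names are assumptions.
CREATE TABLE sys.banned_passwords (pwd VARCHAR2(128) NOT NULL);
-- Constructed sample rows; load a real list (e.g. Twitter's 370) the same way.
INSERT INTO sys.banned_passwords VALUES ('password');
INSERT INTO sys.banned_passwords VALUES ('123456');
INSERT INTO sys.banned_passwords VALUES ('welcome1');
COMMIT;

CREATE OR REPLACE FUNCTION sys.verify_pwd_banned_list (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2
) RETURN BOOLEAN IS
  hits PLS_INTEGER;
BEGIN
  -- Length rule
  IF LENGTH(password) < 12 THEN
    raise_application_error(-20001, 'Password must be at least 12 characters');
  END IF;
  -- Must not contain the username (case-insensitive)
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'Password must not contain the username');
  END IF;
  -- Character set rule: letters and digits both required
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    raise_application_error(-20003, 'Password needs letters and digits');
  END IF;
  -- Banned-list rule: a table lookup replaces the hard-coded IF chain;
  -- the comparison is case-folded so 'Password' is caught as well.
  SELECT COUNT(*) INTO hits
    FROM sys.banned_passwords
   WHERE LOWER(pwd) = LOWER(password);
  IF hits > 0 THEN
    raise_application_error(-20004, 'Password is on the banned list');
  END IF;
  RETURN TRUE;
END;
/

-- Enforce: the profile runs the function on every password change and locks
-- the account after repeated failures; failed logons are recorded by audit.
CREATE PROFILE banned_list_profile LIMIT
  PASSWORD_VERIFY_FUNCTION verify_pwd_banned_list
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LIFE_TIME 90;
ALTER USER scott PROFILE banned_list_profile;   -- scott: constructed demo account
AUDIT SESSION WHENEVER NOT SUCCESSFUL;
```

Keep the banned_passwords table readable only by SYS; the list itself is harmless, but the same care applies as for the password hashes discussed in the earlier post.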

[No Comments]



This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
