Quite obviously (well, it's obvious to me!) one of the areas I am very interested in is data loss / data theft / data security and of course specifically Oracle security. We spend a lot of time looking at customers' Oracle databases, designs, policies and code and help them resolve issues that would make it easy for someone to breach their databases or, worse, steal or damage data.
Data is pervasive; I always like the example that you are trying to protect data, not Oracle; of course you must use Oracle to protect your data, but the goal is to protect your data. In order to protect that data you must understand where that data is (in motion and at rest), so the whole process must include protecting data everywhere and not just in the database. If data is loaded by end users and stored in the database but reports are also produced, or parts of the data are exposed in reports / papers / websites / documents, then they also must be protected. It may be necessary to involve network security, server security, desktop security and even physical security (i.e. where is that printer and who has access to it; where are the paper reports kept and who sees them...). I would always still start with the Oracle database: what data should be secured and protected; where is it stored; how is it accessed; basically create a flow of that data from user to storage and back out again. Track the data both at rest and also in flow. We need to understand how the data leaves the database and to where - backups, reports, paper or whatever. The core idea is to assess whether it should leave the database and how secure it is when it does; can it be obfuscated or masked, or is it even necessary to remove the data at all?
Once we know where the data is and how it works then we can assess and design the best controls and solutions to secure the data both in the database and also outside of it. We use various tools in these assignments including PFCLScan, our security scanner for Oracle databases. This is a very cost effective tool and very useful for securing data.
What if the data is given away or made public? This is a problem if the data is exposed internally to a small group or larger group or, worse, to the public (Internet), as anyone can read it and copy it and more. This data can then be replicated anywhere. Once it's copied it is no longer under your security controls. The only way to protect this copied data is to not let it be copied in the first place.
Once data has been read it cannot be "unread"!!
I had a good example of this public data loss last week. Someone emailed me and asked me a question about one of the many Oracle Security presentations I have made available on my site over the years. This question stood out because of the URL he sent me, which was to my MS PPT (saved as a PDF) on scribd.com and not on my site. This was not the question asker's problem and he was not to blame. I publish my MS PPTs and other papers and I expect people to read them on my site and download and read them on their PC / device. I do not expect (or indeed want) anyone to re-publish my papers anywhere else. The account on scribd.com that had this particular paper had also published literally hundreds of papers from others as well; I cannot say for sure now, but I would say that for almost all of what this person posted he did not own the copyright. My MS PPTs do include a page with legalese that states in simple terms that these PDFs cannot be re-hosted/published or whatever anywhere else - so this was ignored. I did a quick search and found 6 of my papers and even a screen dump of one page of my website published to scribd.com - this was a simple search and indeed there could be more if I searched with more keywords. Each person with an account on scribd who published mine had also published other people's work as well, in contradiction to copyright or individual licenses such as the one I have included on my paper. Scribd took down my papers within a few hours, but that's not the point. I am not allowed to complain to scribd by a DMCA request that I found other papers I wrote that have copyright owned by someone else (i.e. others paid me to write them). They will not take down anything unless you are the copyright owner. I have not searched elsewhere, as I am sure this is not just an issue with scribd, as I simply do not have the time to do detailed searches (not a good excuse!).
Data once put out there is hard to control. This is a fact. To control and protect data you MUST know where it is and control all access to all of the data and understand the risks of it leaving the database in the first place. My papers of course were not in an Oracle database but were about Oracle Security.
We provide expert Oracle Security training classes worldwide to many customers privately and also at public events; either as in person classes where the instructor travels to you or via webex where the instructor teaches the classes remotely. We are based in the UK and we have successfully taught our classes via webex to clients in the Far East and Australia and also clients in the USA on the West Coast, East Coast and Mid-West, and also in South America.
We have also taught in person classes all across the UK, EEC, Balkans, Middle East, Asia, South America and more.
We are happy to provide either form of teaching experience for customers. The classes are taught by Pete Finnigan, who is well known and very experienced in providing the same services for clients worldwide.
We have just made some small changes to our 4 existing Oracle Security training class flyers / leaflets and re-uploaded these to our site. These flyers are available for download here and detail our training courses:
[2 Day] - How to Perform a Security Audit of an Oracle Database
[1 Day] - Secure Coding in PL/SQL
[1 Day] - Designing Practical Audit Trails for Oracle Databases
[1 Day] - Hardening and Securing Oracle
The first class is a 2 day class and the other three are all one day classes. We have just added a new one day class to our portfolio:
[1 Day] - An Appreciation of Oracle Security
This is also a one day class and it draws from all of the other classes and aims to give students a good overview of security of data, secure coding, audit trails, forensics and also solutions to secure your databases and data.
We have a small number of public classes at the moment arranged with Oracle University:
5 Days training in Reading, UK, September 26th to 30th, 2016. This is the 4 classes listed above and is a rare opportunity to attend all classes back to back in one sitting over 5 days. Details to book here.
2 days with Oracle University in Vienna, Austria, November 29th and 30th 2016. Here I will teach my two one day classes, Secure Coding in PL/SQL and Securing and Locking Down Oracle. I don't have a registration link for both classes yet, so please contact Oracle University or email me and I will pass on details.
2 or 3 days with Oracle University in November 2016 in The Netherlands. No details yet but keep an eye on my website.
All of our classes are available as private trainings for your company; please contact me, Pete Finnigan, to arrange a class to suit you. Our fees are structured and aimed at being very cost effective, even more so as you add more students. Ask me for details.
Finally we are also planning to run another 3 day class in York, UK in the October / November 2016 timeframe. No dates set yet. The event will be the two day class "How to perform a security audit of an Oracle database" and the one day class "Hardening and securing Oracle". We have done this combination many times now at public trainings and also at private clients very successfully. If you are interested in a York class then please contact me as above.
I have had a few interesting interactions over the last week or so regarding data supposedly leaked from my website. This is interesting from two perspectives. The first is that three people emailed me and told me that my website is in danger and that I should remove the file Oracle Default Passwords as it's a danger. Another person sent me a short dump from this page and a third sent me a typed up report that this looks like an SQL dump from my website. The second reason it's interesting is that this is not a dump from my website and is part of a free tool written by Marcel-Jan Krigsman to analyse for default passwords in an Oracle database. My website does not use an Oracle database and this is not a user/password dump from my website; of course anyone reading this will know that. Also the OSP code that Marcel-Jan created from my default password list is old and is not the best way to analyse default passwords anymore; a password cracker and my much bigger default list is a better approach now, BUT the tool is still valid.
When I perform detailed security audits of customers' Oracle databases I also look for data that sits outside of the database (a similar analogy to this) and especially where that data includes passwords. So I understand the background to looking for passwords. Someone who emailed me also advised that I reset all of these passwords; again a valid thing to say, BUT this is a free tool, not passwords for my website.
Why the focus now to find passwords on my site? Well, it's not a targeting of my site per se, I guess. One person told me that they found me at the top of the listings with a Google search of "ext:sql intext:username intext:password" - so this search must be doing the rounds - but Google searches do not distinguish between real data leakage and data that may contain passwords but is not a leakage. In my case it's a free tool. Some investigation should be done even after finding what looks like a gold mine.
Is it wrong to look for this data? It depends on your intentions of course. I also use Google (and other searches and sites) to look for anything leaked from a customer to the wider internet, so there is nothing wrong with this if intentions are good.
Should you check the relevance of what you have found before going further? Maybe. In this case, without any Oracle knowledge it would be hard to know if this was a password dump of my website or part of a tool. A quick query of the website itself would have located the rest of the Oracle default password tool.
Am I bothered that three people emailed me to tell me to remove this page (one anonymously and two others not)? NO, of course not; I am not bothered, I am actually quite impressed that three people took the time to tell me that my website is in danger and that I should remove this file. Of course I am not going to remove it, as it's not actually a danger, but I am heartened that people took the time to tell me that I may have an issue.
I have added a comment to the top of the SQL page that says it's a tool and not a password dump from my website, but if someone else emails me to say it's a danger I will still thank them!!
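As an added example (not part of the original post and not the OSP tool's code), this is the kind of default-password check I would run today on Oracle 11g or later: the data dictionary view DBA_USERS_WITH_DEFPWD lists accounts still carrying a known Oracle-supplied default password, and joining it to DBA_USERS shows which of them are still open.

```sql
-- Added example, assumes Oracle 11g or later (DBA_USERS_WITH_DEFPWD exists from 11g).
-- Lists every account the dictionary recognises as still having its default password,
-- with OPEN accounts first because those are the ones that can actually be logged into.
SELECT d.username,
       u.account_status,
       u.profile,
       u.created
FROM   dba_users_with_defpwd d
       JOIN dba_users u
         ON u.username = d.username
ORDER  BY CASE WHEN u.account_status = 'OPEN' THEN 0 ELSE 1 END,
          d.username;
```

The view only knows Oracle's own default accounts, so application accounts with weak or vendor-default passwords are not reported; that is why a larger default list and a password cracker, as mentioned above, are still needed for a complete audit.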
Kamil Stawiarski, who runs Database Whisperers sp. z o. o. sp. k., an Oracle specialist consulting company in Poland, and whose company is also a reseller for our Oracle database security scanner PFCLScan in Poland, has invited me to speak at the upcoming 1st International Conference in Poland, but due to other commitments I cannot make it this year. Kamil and the guys already have some good speakers and I wish I could be there. Please have a look at the link above and come along to what promises to be a very good event in Poland!!
I also got a speaking slot at Oracle Open World but unfortunately, due to a critical work commitment, have had to decline the slot. This is a great pity as I have never attended Oracle Open World and I would really have liked to have spoken there this year. I have however agreed to still write a paper with Oracle on the subject of the proposed talk "In the mind of a database hacker", so watch out for news of that over the coming period as it's created and published.
I am also going to be teaching 5 in-depth days of my Oracle security classes with Oracle in Reading, UK from September 26th to 30th. I am looking forward to this as it's a rare opportunity to attend all 5 days of my Oracle security classes in one session. If you would like to attend then please register your place with Oracle.
Over the last week or so I have also received notice from the UKOUG that I have two slots at the Tech 16 Conference in Birmingham, UK this year from December 5th to 7th at the ICC. I am hosting an Oracle Security round table and also will present on what to do if you do not have (or cannot have if you are on SE, SE1, SE2) Database Vault and would still like to have some or all of the features. Hope to see you at the UKOUG in December!!
I am also teaching two one day classes on the 29th and 30th November 2016 in Vienna, Austria with Oracle University. These are "Secure Coding in PL/SQL" and "Lock down and secure your Oracle Database".
OK, that's all for now, please come and hear me speak.
I am happy to announce that I will be teaching a five day Oracle Security expert seminar class with Oracle University at Oracle offices in Reading, UK from September 26th to September 30th 2016.
This is a 5 day expert class where I will teach all five days of my Oracle security classes back to back. This is a rare opportunity to attend all my classes in one session in the UK.
The training starts on days 1 and 2 from the premise of reviewing your Oracle database to understand its security posture and then walking through a complete sample audit. On day 3 we discuss secure coding in PL/SQL and on day 4 how to design audit trails for your Oracle database, and finally on day 5 we start to pull everything together: we attack a sample database and understand its weaknesses, spend most of the day locking down and protecting the data and database, and finally at the end of the day attack the database again to show whether the lockdown has worked or not.
This is in-depth training and each attendee gets to take away hundreds of free scripts and tools developed by me over many years of performing security work for my clients.
I hope to see you there. You can book your place by visiting this link and clicking the fourth tab.
I will be teaching 5 days on my Oracle security classes in Paris from 20th June to 24th June with Oracle University at their offices and training suite.
Details of the Oracle Security Event and how to register are on Oracle's website.
The whole week is expert classroom based training taught by myself and including a large number of live demos. This is a rare chance to sit down and have 5 days of training in one go. I do not do these whole week blocks often, so please take the opportunity to register with Oracle and come along. The five days include:
2 days - How to perform a security audit of an Oracle database
1 day - secure coding in PL/SQL
1 day - designing practical audit trails in the database
1 day - locking down and protecting Oracle.
The whole week is structured and we start off by looking at why your databases may have been designed and implemented insecurely. We use the vehicle of a security audit to walk us through the how and why, and because it is a security audit we are also covering data access issues, least privilege, user designs, hardening and patching and more.
We then have one day on secure coding. Even if you do not code, this day is very valuable as it shows you why and how PL/SQL can become insecure, so you can use this information as part of an audit, as a manager to advise others or as a developer to code better.
The fourth day is all about audit trails, firewalls and intrusion detection. We cover the whole process of designing and exploring audit trails in the database and, as with coding, these ideas and designs have benefits no matter what your specific job role is.
The final day is the most exciting as we take all of the knowledge learned over the previous four days and use my sample database with two applications as a target to secure. We start by hacking the applications and database and show how and why it is insecure. We then lock down and secure the database, including all elements of hardening of the OS, the network and database. We also look in depth at securing all accounts in the database and strive towards least privilege, as well as changing the design of the database applications; we also explore context based security and breakglass, and at the end of the day we look at the now severely locked down database, try and hack it again and assess the results. As part of the lock down we also bring in audit trail design and implement a comprehensive audit trail, and also look at simple ways to solve secure coding issues.
As part of the class attendance you will get from me hundreds of free tools and scripts that includes thousands of lines of code.
To register and get more details please click this link.
I will be at the Amis conference next Friday in Leiden, not far from Amsterdam in Holland. The conference is held over two days, June 2nd and 3rd, but I will be there just on the Friday due to other commitments. I will be doing a one hour and forty minute master class on Database Vault and also what you can do to get similar protections if you do not have Database Vault. I don't mean simply trying to replicate the functionality of Database Vault, BUT what we can do with standard controls and good design to achieve similar effects. I will also cover the simple fact that you must also decide and design what to do with Database Vault, as it's just another application in the database and it must be deployed securely, and you also must secure your database first with good design, data access controls, user designs and more. The Amis conference is next week and details are in this link.
This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.