Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

New Online Oracle Security PUBLIC Training Dates Including USA Time Zones

We have just agreed three new online classes to be taught in June and July. These are for my two-day class, How to perform a security audit of an Oracle database. The classes are two-day events and will be taught online via the WebEx platform. For the first time, after many requests for public classes in the USA, Pete Finnigan will teach this two-day class on USA time zones so that it is aimed at USA (Canada, Mexico) attendees. One of the planned two-day classes is on the EST time zone from 8am to 4pm New York time and one on the PST time zone from 8am to 4pm Los Angeles time. The final sitting is on the UK/EU time zone from 9am to 5pm.

For details of the classes please see the online Oracle Security class page. A list of all the public training dates is also available.

Please send an email to info@petefinnigan.com to register your place.
[No Comments]

PeteFinnigan.com In The Top 60 Oracle Database Blogs

I got a couple of emails over the last couple of weeks from Anuj at FeedSpot to tell me that my blog (This Oracle Security blog) has been listed in the top 60 Oracle Database blogs on the Feedspot website. This means I have been awarded a gold badge to display here on this blog:



According to the list I am currently number 15!!! Currently comments are still broken in this blog since I upgraded GreyMatter (this blog's engine) to a custom version I am calling version 1.9. The last released version was 1.8.2 and I offered 1.8.3 to the community some years back with a major new feature to allow posts with linked names rather than numbers. I have recently been adding categories and tags to GreyMatter and this will be visible here soon, but I seem to have broken comments as well...

Please connect to me via Social Media:

Twitter or Facebook or Linked In. I am always happy to accept new connections and you can reach me for comments there until the blog is fixed.
[No Comments]

Oracle Security Training Manuals For Sale

I had a reason today to go to our company storage for something and, whilst moving other things around to find what I needed, I discovered two A4 boxes with printed manuals for some of our recent training classes. We normally print the exact number of books for each day's training, but for some classes where a last-minute student may or may not come we get extra copies. These class books are professionally printed here in York and, as we continually make changes to the course MS PPT slides, we cannot reuse ones that were not given out. Often the changes are not major, so these books are still useful to someone and rather than throw them away I am now offering them for sale here to the first people who say that they would like them. Here are some pictures, details and prices; I will cover postage and VAT at the end. Sorry the photos are not brilliant: I only had an iPhone to hand to take them and I had to reduce the size of the images to make them reasonable to add to the site:

How to Perform a Security Audit Class notes - Two books


Above is a picture of the course notes for the two-day class - How to perform a security audit of an Oracle database. These are printed in two A5 books, one for Day 1 and one for Day 2. They contain approximately 500 MS PPT slides printed one per page and back to back. The printing is black and white. These were printed in 2010 but the class has not changed drastically in structure, so most of the content is still valid. I have 3 copies of the two-book set for sale at £20 GBP + Postage + VAT.

Secure and Lock Down Oracle


Above is a picture of the one day class course notes for the Securing and Locking Down Oracle class. These course notes are printed in colour and there are approximately 230 MS PPT slides printed two slides per page in an A4 bound book. These manuals were printed in May 2016. I have two copies of this manual and I will accept £40 GBP + Postage + VAT per copy.

Secure coding in PL/SQL


Above are the course notes for my one day class - Secure Coding in PL/SQL - and they are A4 with two slides per page and there are approximately 230 MS PPT slides. The manuals are printed in Black and white and I have two copies and they were printed in mid 2015. I will accept £30 GBP + Postage + VAT for each copy.

Secure and lock down Oracle


Above is a picture of the class manual for the - secure and lock down Oracle - class. This is an A4 bound manual, Black and White and there are again approximately 230 MS PPT slides. These were printed in mid 2015 and I have two copies. I will accept £30 GBP + Postage + VAT for each copy.

Designing Practical Audit Trails in Oracle


Above is a picture of the class manual for the - Designing Practical Audit Trails in the Oracle Database - class. This is an A4 bound manual, Black and White and there are again approximately 230 MS PPT slides. These were printed in mid 2015 and I have two copies. I will accept £30 GBP + Postage + VAT for each copy.

How to perform a security audit of an Oracle database


Above is a picture of the class manual for the - How to perform a security audit of an Oracle database - class. This is an A4 bound manual, Black and White and there are again approximately 610 MS PPT slides. These were printed in mid 2015 and I have two copies. I will accept £50 GBP + Postage + VAT for each copy.

Please email me on info@petefinnigan.com if you are interested in purchasing one of these course books that we have for sale. Please also let me know your postal address and I will get an accurate postage price from the post office. Also, as we are registered for UK VAT, we may need to add VAT dependent on where you are. Please get in touch if you would like to purchase one of these course manuals, but hurry: we don't have many and we will not be repeating this.
[No Comments]

How to Perform a Security Audit of an Oracle Database Training in Athens, Greece

I will be teaching my two-day class How to Perform a Security Audit of an Oracle Database in Athens, Greece on May 16th and 17th 2017, organised by Oracle University.

This is a great class that helps you understand why the data in your Oracle database can become insecure and why design decisions that you make can make this worse. We discuss the background first and set the scene of where Oracle security fits, what does it mean for you, what is hacking, how can someone compromise your database and what tools and options are available to you.

We then lay out the steps needed to perform a security audit: what tools we need, what systems / databases we should audit and where the audit "fits" into the whole realm of securing all of the data held in your Oracle databases. The bulk of the class is a walk-through of a complete example security audit. I perform many examples, use and demonstrate many free tools and explain as we go what to do if we find an issue. The class completes with a look at what to do next: how to review all databases in your organisation, how to create a database security policy and how you may go about locking down all databases.

This is a great class held over 2 days in Athens, Greece and you can register your place by following the link in our Public Training dates page. Sorry, GreyMatter breaks Oracle provided links so I cannot post it directly here in the blog..:-(

Keep an eye on our Public Training dates page for more up-coming public Oracle Security classes taught by Pete Finnigan.
[No Comments]

Is SQL Injection A WebSite Problem?

I saw a post on Rob Lockard's Facebook page this week where he said some people have suggested that his SQL Injection talk only shows calling a procedure from SQLcl and not a web page, and he suggests that he may make a web page to satisfy those who want to see SQL Injection via a web page.

I am not sure that you will be able to see Rob's post on his Facebook; I am connected to him so I see it, but it's unclear if it's findable without a connection, so connect to Rob if you want to see it. The gist of it is what I have said above anyway. Rob also has his site Oracle Wizard.

It is a good point: should SQL Injection in Oracle demos be made in SQLcl or SQL*Plus or from a web page? I have been at both ends of this spectrum for many years. I wrote what I think were some of the first Oracle SQL Injection papers 15 years ago in 2002 for Security Focus (now Symantec). These are:

SQL Injection and Oracle Part 1
Sql Injection and Oracle Part 2
Detecting SQL Injection in Oracle

These papers were written a long time ago - 14 - 15 years ago in fact but they are still mostly relevant in the principles. The formatting on the Symantec website is not good for some of the content but they are readable.

I also wrote the first big paper by anyone on Oracle Security in 2001 - which is available on the Pentest Website to read still. This is old but some of the thought patterns are still good and I mention SQL Injection against Oracle in that paper as well.

What's the point of these references? Well, back in 2001 not many people were doing SQL Injection or most likely had even heard of it. Certainly the Oracle community (DBAs, Devs, etc.) most likely did not consider the risk of SQL Injection in Oracle databases. The DBMS_ASSERT package did not exist until 2004 and was probably not in wide use until 2005/2006. The large slew of PL/SQL injections in built-in packages had not started in 2001 / 2002. The alerts program was only just getting going in 2001 and these were the only security patches released, on an "as-when" basis. The CPU security patch regime did not start until 2005 (if I remember correctly). The large onslaught of built-in packages with SQL injection or PL/SQL injection came in the middle of this period.

If anyone had heard of SQL Injection back in 2001 / 2002 they mostly associated it with websites and MySQL, as that was what Rain Forest Puppy (the person credited with coming up with this technique) talked about in the first posts on SQL Injection in the late 90s. When I first started to think about SQL Injection in Oracle back in 2001 and then wrote the papers for Security Focus I wanted to make one very big point: SQL Injection is not a web thing; it is a script engine thing, where the input can be manipulated by an outsider or end user beyond what was intended by the writer of the code. I.e. the script engine (SQL, PL/SQL, PHP, JavaScript....) executes dynamic code; actually the code may not be intended to be dynamic in nature, it has just ended up being written in pieces and stuck together with + signs or || signs or concat or whatever the host language likes to use. This is the problem: a piece of code can be modified by injecting additional code instead of data.

At the time in 2001 I wanted to write my papers and make a point to the reader that this is a code problem not a web problem. Hence I used SQL*Plus as the vehicle to deliver the injection examples to the database and to show how SQL Injection works. I wanted people to realise that they still have a problem if some code is vulnerable to injection even if there is no website to access the code from.
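To make that point concrete in the same vehicle, here is an added example (mine, not code from the original post or from the papers it cites) of a PL/SQL procedure written the way that creates the problem, beside two safe versions; the table APP_USERS, its USERNAME column and the procedure names are hypothetical.

```sql
-- Added example, not from the original post or the papers it cites. The
-- table APP_USERS, its USERNAME column and the procedure names are
-- hypothetical.

-- 1) The problem shape: the caller's input is glued into the statement
--    text with ||, so whatever the caller supplies is compiled and run as
--    part of the SQL. The statement was never meant to be dynamic; it just
--    ended up built in pieces. No web server is involved; the weakness is
--    in the PL/SQL itself.
CREATE OR REPLACE PROCEDURE count_user_unsafe (p_username IN VARCHAR2) AS
  l_sql   VARCHAR2(4000);
  l_count NUMBER;
BEGIN
  l_sql := 'SELECT COUNT(*) FROM app_users WHERE username = '''
           || p_username || '''';
  EXECUTE IMMEDIATE l_sql INTO l_count;
  DBMS_OUTPUT.PUT_LINE('matches: ' || l_count);
END;
/

-- 2) Preferred fix: static SQL. The statement is fixed when the procedure
--    is compiled and P_USERNAME can only ever be compared as a value.
CREATE OR REPLACE PROCEDURE count_user_static (p_username IN VARCHAR2) AS
  l_count NUMBER;
BEGIN
  SELECT COUNT(*) INTO l_count
    FROM app_users
   WHERE username = p_username;
  DBMS_OUTPUT.PUT_LINE('matches: ' || l_count);
END;
/

-- 3) When the statement really must be dynamic (here the table name is
--    chosen at run time, and a bind variable cannot carry an identifier),
--    bind the value and pass the identifier through DBMS_ASSERT.
--    SIMPLE_SQL_NAME raises ORA-44003 if P_TABLE is not a legal SQL name,
--    so only a well-formed identifier can reach the statement text.
CREATE OR REPLACE PROCEDURE count_user_dynamic (p_table    IN VARCHAR2,
                                                p_username IN VARCHAR2) AS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_table)
    || ' WHERE username = :uname'
    INTO l_count USING p_username;
  DBMS_OUTPUT.PUT_LINE('matches: ' || l_count);
END;
/

-- Calling all three from SQL*Plus with an ordinary value. Only the first
-- would treat a differently shaped argument as anything but a value.
SET SERVEROUTPUT ON
BEGIN
  count_user_unsafe('pete');
  count_user_static('pete');
  count_user_dynamic('app_users', 'pete');
END;
/
```

When reviewing PL/SQL for this class of bug, the thing to search for is the first shape: EXECUTE IMMEDIATE, DBMS_SQL or OPEN ... FOR over a string that a parameter has been concatenated into.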

I still teach about SQL Injection in my Oracle Security classes; in fact I cover SQL Injection in depth in the Secure Coding in PL/SQL class and also in the Secure and Lock Down Oracle class, and it's covered also in the Audit Trail Design class and also the two-day class on how to perform a security audit of an Oracle database. SQL Injection has not gone away.

Nowadays I do what Rob is talking about; I have two web applications: one is WordPress 2.0 ported to use Oracle as its database and not MySQL and the other is my own web based application written in PHP (actually it's written in PL/SQL, as the PL/SQL packages I have written generate PHP for me). This application I call BOF - "Back OfFice" - and it was described in a blog post called BOF: A Sample Application For Testing Oracle Security about a year ago. I demonstrate quite a lot of hacking against the PHP websites and show SQL injection, injecting PL/SQL into SQL and also DDL injection. In fact I cover all sorts of stuff from adding users, showing code, adding back-doors, changing passwords, removing audit settings and much more. This is always great for the participants; they love it, they get mesmerised, sit on the edges of their seats and get really excited. It's fun to do BUT does it get across the message that this is a scripting language issue (PL/SQL in this case) in the database and not a website issue? In fact in some of my demos I go 5 layers deep; I inject DDL into dynamic PL/SQL that is itself injected into dynamic PL/SQL that is injected into a SQL in a PL/SQL function that was injected into the SQL statement in the PHP layer. Why so many layers? Well, this was necessary to inject DDL into this particular application (WordPress). Also I injected IDS evasion techniques to get around the security protections in the PHP in WordPress as well. This is exciting and fun BUT people don't get this complexity to achieve something. Also the statements I inject are pre-designed. If I walked up to this WordPress application blind (which I actually did when I wrote the samples) then it takes literally thousands of requests to get something that works - you cannot demonstrate that part and some people question - How did you know how to send such a complex attack string? - then I have to explain and the magic wears off a little.

This is why I also demonstrate attacks using SQL*Plus, and this fits nicely. I show four levels of attack:

1) Attacking the website logon form and also search form as a non-authenticated user (no logon on the site, no logon on the database)
2) Attacking the website as an authenticated (website authenticated) user by exploiting the WordPress post, page, comment, etc. pages (no database password)
3) Attacking the database via SQL*Plus as a low level user - CREATE SESSION only
4) Attacking the database via SQL*Plus as a powerful user - CREATE SESSION and DBA roles.

This covers both worlds, it shows the excitement of hacking a website and shows how to avoid security layers in the application and also how to do various injections, SQL into SQL, PL/SQL into SQL, PL/SQL into PL/SQL and DDL into PL/SQL into SQL BUT it also shows the problem at the most simplistic layer; i.e. as close to the problem as possible; executing a PL/SQL procedure and exploiting it.

My view: do both, but focus on the SQL*Plus examples as it's easier to see what's happening and it illustrates that it's not a web problem but a code problem.
[No Comments]

Can You Say That An Oracle Database is nn% secure?

I often get this type of question from customers and also from people I speak to and even a few times by email. The question is "can you tell us how secure our database is?": is it 10% secure, is it 50% secure, is it 100% secure? Often these people also want to know how their security of Oracle compares across all of their databases in their estates or how their security compares across their market channel or to competitors.

The latter is harder to answer and perhaps unethical, as most people do not want to broadcast how secure their database is anyway. The first part is more interesting. We cannot say a specific database is 18% secure or 19% or 60%, as the answer will always be qualified by the database itself, how it's managed, how it can be accessed and also lots of other related factors, such as other company security, network security, the applications that access the database and much more.

For example, if we have an account ORABLOG and its password is very secure, 30 characters long even; profiles are enabled demanding the password to be changed every thirty days, verify functions enforce the rules of the strong password and much more. If we also employ a number of other tools, perhaps a logon trigger that ensures that ORABLOG can only be used from a particular IP address where the application is deployed, or maybe we also use ipchains and valid node checking and much more. We can say that the account is secure BUT this does not prevent SQL Injection attempts from the application to the database or someone taking over the application server and "pretending" to be ORABLOG (and the application). Is the database secure? Is the issue the application? Is it server security? Is it application security? This is hard to assess in a particular case with particular circumstances, let alone generally as a principle. Should we detach "nn% secure database" from the surrounding elements (applications, network, people, admin users...)? We can never say for sure a database is 60% secure or 17% secure or whatever because we need context and further details.

BUT, if we have a security standard for our company for Oracle databases then we could state whether a particular Oracle database is nn% secure against that policy. This is then defined and measurable. If there are for instance 30 checks, some high severity and some lower then we can also add more weight to the checks that are higher severity and less weight to the lower ones. This can then scale the percentage. The true measure is the number of checks that are failed against those that are not.

We have added this feature to PFCLScan in the latest version. We had an average score previously but that score was a range from 1 - 4, so much less scientific. That previous score was also embedded into the report tool - i.e. the calculation was written into the tool. In the latest version, 1.7, we have added the ability to do the calculation in the report template itself. The old way simply had one variable you placed in your template that gave a score; now you do the calculation using PFCLScan report variables. This is much better as you can now change the calculation if you wish by changing the variables used, or change the weights applied, or whatever you wish.

The score is shown here in a report I have run after scanning an 11.2.0.4 Oracle Database:

PFCLScan Report Showing Percentage Secure


The average score (per check) is 59%. This means that 59% of the checks are secure in this database. If I fix something in this database, run the scan again and generate a new report then that percentage would increase. If I undid some of the security work then the percentage would go down. This percentage is a relative score against a standard - in this case the checks that are run against the database. You can change this score to match your own security policy easily by calculating it only against checks that match your security standard. You can then re-scan the database regularly and easily graph the changes in score against the standard.

Remember this is a score based on what is checked, but that is valuable to allow us to check compliance against each database and compare them and also to allow a single database to be scored over time as security work is done.
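As an added illustration of the per-check and weighted scoring described above (my own example, not PFCLScan's report variables or its real check names), the query below scores a constructed set of ten check results both ways; because three of the four high-severity checks fail, the weighted figure comes out lower than the plain per-check one.

```sql
-- Added example, not PFCLScan output. The ten check results and the
-- severity weights are constructed for illustration.
WITH check_results AS (
  SELECT 'default passwords present'     AS check_name,
         'HIGH'                          AS severity,
         0                               AS passed  -- 0 = failed, 1 = passed
    FROM dual                                                   UNION ALL
  SELECT 'ANY privileges granted',       'HIGH',   0 FROM dual  UNION ALL
  SELECT 'PUBLIC execute on UTL_FILE',   'HIGH',   0 FROM dual  UNION ALL
  SELECT 'remote_os_authent disabled',   'HIGH',   1 FROM dual  UNION ALL
  SELECT 'failed_login_attempts set',    'MEDIUM', 1 FROM dual  UNION ALL
  SELECT 'password_verify_function set', 'MEDIUM', 1 FROM dual  UNION ALL
  SELECT 'audit trail enabled',          'MEDIUM', 0 FROM dual  UNION ALL
  SELECT 'listener password set',        'LOW',    1 FROM dual  UNION ALL
  SELECT 'sample schemas removed',       'LOW',    1 FROM dual  UNION ALL
  SELECT 'banner on logon',              'LOW',    1 FROM dual
),
-- The weights are the policy: a failed HIGH check costs three times as
-- much as a failed LOW check. Change these to match your own standard.
weights AS (
  SELECT 'HIGH'   AS severity, 3 AS weight FROM dual UNION ALL
  SELECT 'MEDIUM',             2           FROM dual UNION ALL
  SELECT 'LOW',                1           FROM dual
)
SELECT COUNT(*)                                                 AS checks,
       SUM(r.passed)                                            AS checks_passed,
       -- per-check score: passed checks over all checks, as in the report
       ROUND(100 * SUM(r.passed) / COUNT(*), 1)                 AS pct_per_check,
       -- weighted score: weight of passed checks over total weight, so a
       -- failed HIGH check pulls the figure down further than a failed LOW
       ROUND(100 * SUM(r.passed * w.weight) / SUM(w.weight), 1) AS pct_weighted
  FROM check_results r
  JOIN weights       w ON w.severity = r.severity;
```

Run against a table of real scan results instead of the constructed rows, the same two expressions give the per-check and weighted percentages for one database, and re-running them after each scan gives the trend over time.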

Want to know more? Then ask us about PFCLScan.
[No Comments]

PFCLScan - A Security Scanner For Oracle Databases - New Website

Our software product PFCLScan can be used to assess your Oracle databases for security issues that could make your data vulnerable to loss or attack. PFCLScan initially had its own website, PFCLScan.com but since the restyle and redesign of our main company site PeteFinnigan.com we decided to bring all of the existing PFCLScan website materials back into PeteFinnigan.com. This was mainly because we want a consistent website with all our offerings in one place and not spread across multiple websites. We also have PFCLObfuscate our product used to protect the IPR (Intellectual Property) in PL/SQL, which also will be brought to PeteFinnigan.com from its existing own website in the next few days.

There is now a hub on PeteFinnigan.com for PFCLScan which is referenced from every page - simply click on the insect or PFCLScan on every page to take you to the PFCLScan Home. We have brought across the Features page, Resellers page and Licensing details page and created an articles page. The articles are the blog entries from PFCLScan.com and whilst some are a little out of date they are still useful posts. Also note some of the pictures are of the older styled interface.

Any new blog posts about PFCLScan will be posted on the main PeteFinnigan.com Blog Page. We may also add some new articles to the article section where a post may be a little longer than a normal blog post.

Please have a look and learn some more about PFCLScan. If you would like to see an online demo please contact me.

We are also looking for resellers particularly for PFCLScan, our training and consulting. If you feel you can offer PFCLScan to your customers then please contact me to discuss. We offer commission on sales and also renewals. Resellers of PFCLScan also can offer up-sell opportunities to their customers such as helping to rectify insecure databases or to help design and create custom PFCLScan policies or reports for customers to check compliance of their databases against their own standards. We are also always interested in any companies who would like to partner with us to resell and host our training courses; again please speak to me if you feel that this would be useful to your company.
[No Comments]