Pete Finnigan's Oracle security weblog

More oradebug

Sat, 24 Dec 2011 09:27:11 +0000

Alex commented on my post about " oradebug " about the select statement on x$ksmfsv which holds a list of all fixed variables amongst other things and joined it to x$ksmmem to get the absolute address in the SGA to....[Read More]

Posted by Pete On 21/09/11 At 07:26 PM

oradebug

Sat, 24 Dec 2011 09:27:11 +0000

Laszlo has published his slides from Hacktivity in Budapest last weekend where he shows how the Oracle undocumented oradebug command can be used to exploit the database; covering turning off authentication, turning off audit and more. His slides are here....[Read More]

Posted by Pete On 21/09/11 At 12:54 PM

UKOUG Oracle Data Security Day presentation slides available

Sat, 24 Dec 2011 09:27:11 +0000

I spoke at the UKOUG special security day event last week at Bletchley Park just outside of Milton Keynes. We had a great agenda for the day which was focused on Data Security. We had Ian Glover of CREST and....[Read More]

Posted by Pete On 19/09/11 At 04:07 PM

Oracle Security Training in Denver, USA

Sat, 24 Dec 2011 09:27:11 +0000

Ron Reidy will be teaching my 2 day class " how to perform a security audit of an Oracle database " in Denver, CO, USA on November 10th and November 11th 2011. The class is a public course so if....[Read More]

Posted by Pete On 06/09/11 At 09:49 AM

Cursor variable and global cursors security issues

Sat, 24 Dec 2011 09:27:11 +0000

I noticed a few days ago that David Litchfield had posted two new short papers on Oracle security; one is related to global cursors declared in PL/SQL packages, the other about cursor variable type SYS_REFCURSOR being passed out of functions/procedures....[Read More]

Posted by Pete On 06/07/11 At 01:20 PM

Training, twitter, Oracle security products

Sat, 24 Dec 2011 09:27:11 +0000

Time flies by so fast..:-), its been two months since my last blog post but it only seems like yesterday...:-(, Times are very busy for me so blogging has become harder to fit in. Just writing a blog post seems....[Read More]

Posted by Pete On 24/06/11 At 11:29 AM

New Oracle security papers and Oracle forensics tool

Sat, 24 Dec 2011 09:27:11 +0000

David has released four new papers on Oracle security topics a few days ago. Two of the papers seem to be from his ill fated book on Oracle Forensics as they are labelled " chapter 3 - How attackers break....[Read More]

Posted by Pete On 20/04/11 At 09:50 AM

SQL Injection Attack

Sat, 24 Dec 2011 09:27:11 +0000

Marcel-Jan emailed me an article on arstechnica a few days ago and has now written a forum post titled " How Anonymous hacked HBGary ". This is intersting reading and shows that simple techniques can be used to abuse systems....[Read More]

Posted by Pete On 03/03/11 At 02:14 PM