Sid is doing his popular course, The Art of Exploiting Injection Flaws, at this year’s Black Hat. You can find more details here.
Definitely highly recommended.

This looks like an interesting feature of Oracle 12c. I’m still not sure about the security implications but it does say interesting things about pure network monitoring security tools. Now, more than ever, what you see on the network can be something completely different than what runs on the database. So, you can see a statement like ‘select * from dual’ on the network but in the database it will be translated to ‘select * from credit_cards’…

Again, it’s early days of Oracle 12c and we all need to process a lot to understand the security implications of new features as well as the new shiny security features Oracle 12c offers.

It’s hard to believe that another year has passed since the last RSA. But, indeed, time flies when you’re busy, I guess.

So, for the second year in a row, McAfee wins the SC magazine award for best database security solution. I’m so proud!

Turns out that Tanel has an artist hidden deep down inside!

These are some amazing statistics

I was interviewed for a nice article about database security on Dark Reading. The interesting question, I think, is not whether to invest in DB security. To me, it’s a given that you have to do it (even though some customers still don’t agree). The question is – how will the threat landscape change if everyone went ahead and deployed DB security protection – activity monitoring, vulnerability assessment, encryption where possible, etc.

If you were a hacker, what would you do?

I have to say that I don’t believe in silver bullets and perfect tools so whatever the enterprise deploys, it will have holes. But, as a hacker, knowing that there is constant monitoring and prevention on every access to the database, I’d probably be very careful and maybe take a different route to the data (file servers, end-point machines, …).

What do you think?

I’m sure we all did something similar once or twice in our DBA lives. I had to create a simple script to perform regular expression based data discovery for Oracle. This script will be used as a check in our McAfee Database Vulnerability Manager. We do support data discovery directly in the tool but the advantage of such a script is that all the data is processed directly in the database without pulling it over the network to the discovery tool.

First, we need to create the tables to hold the discovered data:

-- Sequence that supplies the id for each scanned column
CREATE SEQUENCE seq_data_discovery MAXVALUE 9999999999 CYCLE;

-- One header row per scanned column
CREATE TABLE data_discovery (
 id NUMBER(10),
 owner VARCHAR2(30),
 table_name VARCHAR2(30),
 column_name VARCHAR2(30),
 CONSTRAINT data_discovery_pk PRIMARY KEY (id)
);

-- One row per matching value, linked to its header
CREATE TABLE data_discovery_rows (
 id NUMBER(10),
 row_id VARCHAR2(20),
 val VARCHAR2(4000),
 CONSTRAINT data_discovery_rows_fk FOREIGN KEY (id) REFERENCES data_discovery(id)
);

Next comes the stored procedure to populate the data using simple PL/SQL.

CREATE OR REPLACE PROCEDURE discover_data(p_regex IN VARCHAR2, p_owner IN VARCHAR2 := '%',
    p_table_name IN VARCHAR2 := '%', p_limit IN NUMBER := NULL)
AS
-- Discover data based on the given parameters.
-- We iterate on relevant column types for the given owners and tables and match
-- the contents to the given regex returning data into a table to the specified limit
    l_stmt VARCHAR2(32760);
    l_id NUMBER(10);
BEGIN
    -- Might want to handle various XML types as well
    FOR r_col IN (
        SELECT tc.owner, tc.table_name, tc.column_name, tc.data_type
        FROM all_tab_columns tc, all_tables t
        WHERE tc.owner LIKE p_owner AND
            tc.table_name LIKE p_table_name AND
            tc.table_name NOT LIKE 'DATA_DISCOVERY%' AND
            tc.owner = t.owner AND
            tc.table_name = t.table_name AND
            tc.data_type IN ('VARCHAR2', 'NVARCHAR2', 'NUMBER', 'CHAR', 'NCHAR', 'CLOB', 'NCLOB')
        ORDER BY tc.owner, tc.table_name, tc.column_id) LOOP
        -- Insert the header
        INSERT INTO data_discovery
        VALUES (seq_data_discovery.nextval, r_col.owner, r_col.table_name, r_col.column_name)
        RETURNING id INTO l_id;
        -- Build the per-column statement; $col is replaced below according to the data type
        l_stmt := 'INSERT INTO data_discovery_rows SELECT ' || TO_CHAR(l_id) || ', rowid, $col FROM "' ||
            r_col.owner || '"."' || r_col.table_name ||
            '" WHERE REGEXP_LIKE($col, :1, ''i'')';
        IF p_limit IS NOT NULL THEN
            l_stmt := l_stmt || ' AND rownum <= :2';
        END IF;
        IF r_col.data_type IN ('VARCHAR2', 'NVARCHAR2', 'CHAR', 'NCHAR') THEN
            l_stmt := REPLACE(l_stmt, '$col', '"' || r_col.column_name || '"');
        ELSIF r_col.data_type IN ('CLOB', 'NCLOB') THEN
            l_stmt := REPLACE(l_stmt, '$col', 'dbms_lob.substr("' || r_col.column_name || '", 4000)');
        ELSIF r_col.data_type = 'NUMBER' THEN
            l_stmt := REPLACE(l_stmt, '$col', 'TO_CHAR("' || r_col.column_name || '")');
        END IF;
        -- The regex and the limit are passed as bind variables, never concatenated
        IF p_limit IS NOT NULL THEN
            EXECUTE IMMEDIATE l_stmt USING p_regex, p_limit;
        ELSE
            EXECUTE IMMEDIATE l_stmt USING p_regex;
        END IF;
    END LOOP;
END;
/

I’m sure this can be improved in many ways but I basically had 30 minutes to hack this together and connect it to the scan tool.
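
A usage sketch for the procedure above, added here as an example and not part of the original post or of the McAfee tool: it scans the current schema for 16-digit card-like values, reports hit counts per column, and then clears the results, since data_discovery_rows.val holds copies of the matched values. The demo_orders table, its rows and the regex are constructed for illustration.

```sql
-- Constructed sample table and rows (assumptions, not from the original post)
CREATE TABLE demo_orders (
    order_id NUMBER(10),
    customer VARCHAR2(50),
    notes    VARCHAR2(200)
);
INSERT INTO demo_orders VALUES (1, 'Alice', 'paid with 4111 1111 1111 1111');
INSERT INTO demo_orders VALUES (2, 'Bob',   'invoice 2013-0042 sent');
INSERT INTO demo_orders VALUES (3, 'Carol', 'card 5500-0000-0000-0004 on file');
COMMIT;

-- Scan tables named DEMO% in the current schema, at most 100 matches per column.
-- The pattern wants four groups of four digits, optionally separated by a space
-- or hyphen, and not embedded in a longer digit run.
BEGIN
    discover_data(
        p_regex      => '(^|[^0-9])[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}([^0-9]|$)',
        p_owner      => USER,
        p_table_name => 'DEMO%',
        p_limit      => 100);
    COMMIT;
END;
/

-- Report which columns matched and how often. The join drops the header rows
-- that discover_data inserts for columns without any match, and val is left
-- out so the report itself does not expose the discovered data.
SELECT d.owner, d.table_name, d.column_name, COUNT(*) AS hits
FROM data_discovery d
JOIN data_discovery_rows r ON r.id = d.id
GROUP BY d.owner, d.table_name, d.column_name
ORDER BY hits DESC;

-- Clear the results once reviewed: child rows first because of the foreign key.
DELETE FROM data_discovery_rows;
DELETE FROM data_discovery;
COMMIT;

DROP TABLE demo_orders PURGE;
```

Because the results table stores the matched values in clear text, access to data_discovery_rows should be restricted at least as tightly as access to the scanned tables.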

An article Raj Samani and I wrote was published in infosecurity magazine.

Just published a blog entry on my McAfee official blog. It talks about some of the trends of database security as we see them from the global McAfee Threat Report.

Just today I reviewed Verizon’s Intellectual Property Theft and it has a large section about databases, privileged users and compromised assets.

The one figure that caught my eye is this:

Compromised assets by percent of breaches involving Intellectual Property theft

I attended BlackHat Vegas last week and of course went to see David Litchfield’s presentation. It started rather slow with vulnerabilities I was already familiar with but he saved the best for last. Another Oracle 0day – and I’ve got the pictures to prove it!

Slide image



And this:

An example of Oracle 0day


As you can see above, creating a table with a specially crafted blob column, creating an ODCI (Oracle Data Cartridge Interface) index on it, gathering statistics and then dropping the table triggers a dynamic statement with the column name not properly escaped.

Nice one, David – although we had to scramble and quickly protect against it with our McAfee vPatch solution.
