Joxean Koret, a hacker we’ve worked with in the past, has just released a 0day following Oracle’s April 2012 CPU. As far as I understand, Joxean believed that the CPU fixed the issue, as his name was mentioned, and this was the feedback he got from both Oracle and the company he sold the hack to.

But, to his surprise, it turns out that Oracle did not really fix the issue. Oracle’s response was that the issue will be fixed in the next version. This is really confusing because Oracle’s customers expect the CPU to mention only fixed vulnerabilities.

All in all, a very solid work by Joxean!

UPDATE: official word from Oracle

It’s always funny to hear yourself speak 🙂

http://www.youtube.com/watch?v=PbmVSGTra30

Earlier today, a company I recently joined as a board member (and in the interests of full disclosure, an investor as well) announced their first product. The company is called ‘enlocked’ and they are addressing a problem that I’ve felt has been unnecessarily ignored for many years. That is:

While we almost all use email as our primary communications vehicle today, there are still some things that we must reserve for voice (by phone or in person), hardcopy, or even fax.

Being a security minded person, I cringe whenever my accountant, banker or co-worker asks for some sensitive information over email. I usually break my routine, pick up the phone, and pass the information verbally if I can. Since I’m in the security industry (and running Linux), I have had PGP keys for a long time now and Thunderbird supports PGP nicely using Enigmail. But, most people I communicate with use Windows, don’t have PGP keys and don’t know how to install and generate any of the above. Even if I find someone with a PGP key, the exchange is cumbersome and I cannot read their secure emails on my iPhone, iPad and Kindle Fire.

We all understand the security issues with email. Usually, it is sent entirely in the clear as it goes from your server to the recipient’s server, open for anyone to read along the way. Another issue is that when an email account is compromised or a device is lost, all emails in the account can be read and your sensitive information is exposed. Never mind that the administrators on those servers could be reading any inbound or outbound message without you knowing it.

Now, some of you are probably thinking: hey, if I really wanted to use email to send this private information, I could just buy some encryption software, exchange keys with the recipient, and I’m all set. As I said earlier, for those of us who deal with a lot of sensitive data, the complexity (and cost) of doing this is worth it. But, for the average user out there who just wants to send someone a quick message, there is a huge adoption hurdle. These tools aren’t getting used, and people are either interrupting their normal email channel and calling with these details, or they are relying on ‘security by obscurity’ in the hope that their message doesn’t get eavesdropped on.

The magic of enlocked is that they’ve figured out how to do this in a truly simple way for the sender, without needing to even contact the recipient in advance, let alone install compatible software. By building simple plug-ins and mobile apps, they can leverage your existing authentication to your email server, connect to a cloud service they’ve built, and take care of all the ugliness. You just hit a “send secured” button. The receiver gets their first enlocked message, and is directed to the enlocked.com site to get a plug in for their device / browser. They authenticate themselves to their email server, and the message is readable. Now that they’ve installed it, future messages (from you or anyone else) require no special handling, they just display automatically. And they can send their own secure email as well.

The best way to really see how well this has been done, is just to try it. The downloads and the service are completely free, so head on over to enlocked and send someone a secret message.

Well, that was fun. I had a great time at UKOUG in Birmingham. Met friends, enjoyed the parties and gave a SQL injection security presentation. All in all, I think it went well – no demos crashing, etc.

It’s pretty much the same presentation I gave in the Hacking Exposed series, so you can download it here with all the scripts and the demo app.

Presentation Attendees

Another year, another Oracle Open World has passed.
Great times –

  • Meeting friends – lots of friends from Israel this year
  • Attending some interesting presentations – especially the less official ones like Tanel’s Exadata internals
  • Seeing the drama – Salesforce, Larry – the soap opera continues
  • The icing on the cake – Sting and Tom Petty concert – was amazing
I really like this conference as it is close to home and very well attended.
A couple of pictures from the event using my crappy iPhone4 camera…
Sting

Tom Petty

Here is the presentation and demo application I’ve used for the hacking exposed webinar I did on April 14th. The download file includes an eclipse project and instructions under the “etc” folder. It also includes a few scripts I used for blind SQL injection and worm infection.

Tell me what you think…

HackingExposed

McAfee just posted a threat brief we created regarding the LizaMoon attack spreading through vulnerable web sites. Thanks to Vadim and our red team for providing the material and Andy for doing the proofing and adding his words of wisdom. As always, the simple way to solve SQL injection is to use bind variables.

On another topic, I’m presenting another “Hacking Exposed” session with McAfee tomorrow (4/14/2011) at 11am PDT. This session is going to demonstrate many techniques used by hackers to exploit SQL injection (with focus on Oracle) including some new blind time-based SQL injection options. Please register, it’s free!

I guess this is somewhat ironic. At least it was nothing simple like in-band SQL injection via errors or directly. It just goes to show you that any site can be vulnerable to attacks, even guys that write DB engines for a living. On the other hand, I’m sure that the sites were not created by the same guys who work on the database.

The answer to SQL Injection is very simple – use BIND VARIABLES, for Pete’s sake. It will cover 99% of your use-cases and for the other 1%, consider the security implications!
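To make the bind-variable point concrete, here is an added example that is not part of the original post or of the Hacking Exposed demo application. It uses Python with an in-memory SQLite table as a stand-in for the Oracle demo app (the table, the rows and the lookup functions are all constructed for this illustration) and puts the string-concatenated query next to the same query written with a bind variable, so you can see that the bound version treats whatever the caller supplies as data rather than as SQL text.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny user table standing in for the
    application's database. Not taken from the original post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, username):
    """Vulnerable form: the caller-supplied value is spliced into the SQL
    text, so quote characters in it become part of the statement and can
    change its structure. Shown only to contrast with lookup_bind."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_bind(conn, username):
    """Hardened form: the statement text is fixed and the value travels as a
    bind variable (the '?' placeholder). The driver hands it to the engine as
    data, so it can never alter the query's structure."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both forms on the same input and return (concat_rows, bind_rows)
    so the difference is visible side by side."""
    conn = build_db()
    try:
        return lookup_concat(conn, username), lookup_bind(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed username behaves identically in both forms.
    print("bob:", compare("bob"))
    # A value carrying a quote shows why the concatenated form is a problem:
    # the bound form simply finds no user with that literal name.
    print("with quote:", compare("x' OR '1'='1"))
```

Oracle uses the same idea with `:name` or `:1` style placeholders instead of `?`, and the rule is the same: the SQL text never changes from one call to the next, only the bound values do. That is also what gives the database a stable statement to parse and cache, which is why bind variables are good for performance as well as security.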

After OEMing our products for 6 months, it seems McAfee agrees that we are doing something important and they want a bigger part of it. Actually, they want all of it.

As a founder, this is an exciting time for me. It’s a mixed feeling of pride, joy and a bit of sadness. Somewhat similar to your baby leaving home for college (I’d imagine, did not experience it yet). We’ve put huge amounts of time and effort into making what we think is a great product that will help a lot of people. Now we have the opportunity not only to bring database activity monitoring to more people, but to make the product even better.

I’d like to thank the wonderful Sentrigo employees who made this a reality due to their hard work and dedication. We will continue and build bigger, better solutions for database security!

On a personal note, at least my commute will not change. I can see the McAfee building from my office window just across 101 🙂

A blog entry I’ve written is published here.
