Entries tagged with “security”.

Sid is doing his popular course, The Art of Exploiting Injection Flaws, at this year’s Black Hat. You can find more details here.
Definitely highly recommended.

These are some amazing statistics

Just published a blog entry on my McAfee official blog. It talks about some of the trends of database security as we see them from the global McAfee Threat Report.

Just today I reviewed Verizon’s Intellectual Property Theft and it has a large section about databases, privileged users and compromised assets.

The one figure that caught my eye is this:

Compromised assets by percent of breaches involving Intellectual Property theft

I attended Black Hat Vegas last week and of course went to see David Litchfield’s presentation. It started rather slowly, with vulnerabilities I was already familiar with, but he saved the best for last. Another Oracle 0day – and I’ve got the pictures to prove it!

Slide image

And this:

An example of Oracle 0day

As the slide shows, creating a table with a specially crafted blob column, creating an ODCI (Oracle Data Cartridge Interface) index on it, gathering statistics and then dropping the table triggers a dynamic SQL statement in which the column name is not properly escaped.

Nice one, David – although we had to scramble and quickly protect against it with our McAfee vPatch solution.

It’s always funny to hear yourself speak 🙂


Well, that was fun. I had a great time at UKOUG in Birmingham. Met friends, enjoyed the parties and gave a SQL injection security presentation. All in all, I think it went well – no demos crashing, etc.

It’s pretty much the same presentation I gave in the Hacking Exposed series, so you can download it here with all the scripts and the demo app.

Presentation attendees

Here is the presentation and demo application I used for the Hacking Exposed webinar I did on April 14th. The download file includes an Eclipse project and instructions under the “etc” folder. It also includes a few scripts I used for blind SQL injection and worm infection.

Tell me what you think…


A blog entry I’ve written is published here.

As you can see from my previous posts, I hate it when a site has a revealing error message displayed directly to the customer. This time, I got the following when trying to pay my PGE bill:

Message from the NSAPI plugin:

No backend server available for connection: timed out after 10 seconds or idempotent set to OFF.

Build date/time: Dec 7 2006 04:08:43

Change Number: 871803

Hmmm… What can we learn from this? Let’s hear your opinions.

So, we all know that Oracle used to be case-insensitive when it came to user names and passwords. We also know that since 11g this is no longer the case: Oracle is, by default, case sensitive.

The one thing I wanted to point out is that even if you are running with sec_case_sensitive_logon=false and ignoring the case of passwords for backward compatibility, Oracle will still compute the spare4 field (the case-sensitive hash), in case you later set the parameter to true.

This means that when you choose passwords, you should actually choose a mixed-case password even if the case does not matter right now, because if an attacker gets access to your hashes, the mixed case will make them harder to break. One has to remember that calculating the spare4 hash is much faster than the older algorithm (the password field), so an attacker who obtains the hashes will probably try the spare4 field first.

How many of you are actually using a mixed case password for Oracle accounts?
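To make the point above concrete, here is an added example (my own illustration, not code from the original post or from Oracle) that models the two hashes side by side. It assumes the commonly documented 11g spare4 layout, 'S:' followed by SHA-1(password || 10-byte salt) and the salt, all in upper-case hex; the legacy password column is modelled with a case-folding SHA-1 stand-in rather than Oracle's real DES-based algorithm, since only its case-insensitivity matters here. The salt and the SCOTT/Tiger1 credentials are constructed values.

```python
"""
Constructed example: why password case still matters when
sec_case_sensitive_logon=false, because the spare4 hash is computed anyway.

Assumptions (not from the original post):
  - spare4 layout: 'S:' + SHA1(password || salt) + salt, hex upper case, 10-byte salt
  - legacy 'password' column: modelled as a hash over the upper-cased
    username+password (SHA-1 stands in for Oracle's DES-based scheme)
"""
import hashlib


def spare4_hash(password: str, salt: bytes) -> str:
    """spare4-style value: case-sensitive SHA-1 over the password bytes then the salt."""
    if len(salt) != 10:
        raise ValueError("11g spare4 uses a 10-byte salt")
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest().upper()
    return "S:" + digest + salt.hex().upper()


def legacy_style_hash(username: str, password: str) -> str:
    """Stand-in for the pre-11g password column: username and password are
    upper-cased before hashing, which is what makes the old logon case-insensitive."""
    folded = (username.upper() + password.upper()).encode("utf-8")
    return hashlib.sha1(folded).hexdigest().upper()


def verify(username: str, attempt: str, legacy: str, spare4: str,
           case_sensitive_logon: bool) -> bool:
    """Model of logon: with the parameter off only the case-folded hash is consulted,
    with it on the spare4 value (salt recovered from its last 20 hex chars) is used."""
    if case_sensitive_logon:
        salt = bytes.fromhex(spare4[-20:])
        return spare4_hash(attempt, salt) == spare4
    return legacy_style_hash(username, attempt) == legacy


def is_mixed_case(password: str) -> bool:
    """Audit helper: does the password actually use both cases?"""
    return any(c.islower() for c in password) and any(c.isupper() for c in password)


def case_variants(password: str) -> int:
    """Number of case variants of a word an attacker holding the spare4 hash must try
    if they only know it case-insensitively: two choices per alphabetic character."""
    return 2 ** sum(1 for c in password if c.isalpha())


def demo() -> dict:
    salt = bytes(range(10))          # constructed salt; Oracle generates one per password
    user, pw = "SCOTT", "Tiger1"     # constructed credentials
    legacy = legacy_style_hash(user, pw)
    spare4 = spare4_hash(pw, salt)   # computed even when the parameter is false
    return {
        "legacy_accepts_wrong_case": verify(user, "tiger1", legacy, spare4, False),
        "spare4_accepts_wrong_case": verify(user, "tiger1", legacy, spare4, True),
        "spare4_accepts_exact_case": verify(user, pw, legacy, spare4, True),
        "password_is_mixed_case": is_mixed_case(pw),
        "case_variants_to_try": case_variants(pw),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the asymmetry the post describes: the legacy check accepts "tiger1" for a stored "Tiger1", while the spare4 value only matches the exact case, so a stored mixed-case password multiplies the work of anyone who has copied the spare4 column (32 variants for a six-character word with five letters) even though the database itself is not enforcing case at logon.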