Entries tagged with “security”.
Sun 7 Mar 2010
Posted by Slavik under Oracle, security
As you can see here, the Python code handles a specific case of Oracle TNS layer requesting a RESEND of the last packet. I’ve noticed that no matter what client I’m trying to connect with, Oracle is always requesting a RESEND after the initial CONNECT request as you can see here (removed various ACK packets, etc.):
1. Using SQL*Plus
Packet number 13:
From: 127.0.0.1
To: 127.0.0.1
Protocol: TCP
Src port: 63055
Dst port: 1521
Packet Type: Connect
Version: 01 3a
SDU/TDU: 8192 / 32512
SERVICE_NAME: db11200
SID: <N/A>
HOST: slavik-laptop
PROGRAM: sqlplus
USER: slavik
Payload (216 bytes):
00000 00 d8 00 00 01 00 00 00 01 3a 01 2c 0c 41 20 00 .........:.,.A .
00016 7f ff 7f 08 00 00 01 00 00 9e 00 3a 00 00 08 00 ...........:....
00032 41 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AA..............
00048 00 00 00 00 00 00 00 00 00 00 28 44 45 53 43 52 ..........(DESCR
00064 49 50 54 49 4f 4e 3d 28 43 4f 4e 4e 45 43 54 5f IPTION=(CONNECT_
00080 44 41 54 41 3d 28 53 45 52 56 49 43 45 5f 4e 41 DATA=(SERVICE_NA
00096 4d 45 3d 64 62 31 31 32 30 30 29 28 43 49 44 3d ME=db11200)(CID=
00112 28 50 52 4f 47 52 41 4d 3d 73 71 6c 70 6c 75 73 (PROGRAM=sqlplus
00128 29 28 48 4f 53 54 3d 73 6c 61 76 69 6b 2d 6c 61 )(HOST=slavik-la
00144 70 74 6f 70 29 28 55 53 45 52 3d 73 6c 61 76 69 ptop)(USER=slavi
00160 6b 29 29 29 28 41 44 44 52 45 53 53 3d 28 50 52 k)))(ADDRESS=(PR
00176 4f 54 4f 43 4f 4c 3d 54 43 50 29 28 48 4f 53 54 OTOCOL=TCP)(HOST
00192 3d 31 32 37 2e 30 2e 30 2e 31 29 28 50 4f 52 54 =127.0.0.1)(PORT
00208 3d 31 35 32 31 29 29 29 =1521)))
Packet number 15:
From: 127.0.0.1
To: 127.0.0.1
Protocol: TCP
Src port: 1521
Dst port: 63055
Packet Type: Resend
Payload (8 bytes):
00000 00 08 00 00 0b 00 00 00 ........
Packet number 17:
From: 127.0.0.1
To: 127.0.0.1
Protocol: TCP
Src port: 63055
Dst port: 1521
Packet Type: Connect
Version: 01 3a
SDU/TDU: 8192 / 32512
SERVICE_NAME: db11200
SID: <N/A>
HOST: slavik-laptop
PROGRAM: sqlplus
USER: slavik
Payload (216 bytes):
00000 00 d8 00 00 01 00 00 00 01 3a 01 2c 0c 41 20 00 .........:.,.A .
00016 7f ff 7f 08 00 00 01 00 00 9e 00 3a 00 00 08 00 ...........:....
00032 41 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AA..............
00048 00 00 00 00 00 00 00 00 00 00 28 44 45 53 43 52 ..........(DESCR
00064 49 50 54 49 4f 4e 3d 28 43 4f 4e 4e 45 43 54 5f IPTION=(CONNECT_
00080 44 41 54 41 3d 28 53 45 52 56 49 43 45 5f 4e 41 DATA=(SERVICE_NA
00096 4d 45 3d 64 62 31 31 32 30 30 29 28 43 49 44 3d ME=db11200)(CID=
00112 28 50 52 4f 47 52 41 4d 3d 73 71 6c 70 6c 75 73 (PROGRAM=sqlplus
00128 29 28 48 4f 53 54 3d 73 6c 61 76 69 6b 2d 6c 61 )(HOST=slavik-la
00144 70 74 6f 70 29 28 55 53 45 52 3d 73 6c 61 76 69 ptop)(USER=slavi
00160 6b 29 29 29 28 41 44 44 52 45 53 53 3d 28 50 52 k)))(ADDRESS=(PR
00176 4f 54 4f 43 4f 4c 3d 54 43 50 29 28 48 4f 53 54 OTOCOL=TCP)(HOST
00192 3d 31 32 37 2e 30 2e 30 2e 31 29 28 50 4f 52 54 =127.0.0.1)(PORT
00208 3d 31 35 32 31 29 29 29 =1521)))
Packet number 19:
From: 127.0.0.1
To: 127.0.0.1
Protocol: TCP
Src port: 1521
Dst port: 63055
Packet Type: Accept
Accepted: Yes
Payload (32 bytes):
00000 00 20 00 00 02 00 00 00 01 3a 0c 41 20 00 7f ff . .......:.A ...
00016 01 00 00 00 00 20 41 41 00 00 00 00 00 00 00 00 ..... AA........
2. Using JDBC Type 4
Packet number 4:
From: 127.0.0.1
To: 127.0.0.1
Protocol: TCP
Src port: 49699
Dst port: 1521
Packet Type: Connect
Version: 01 36
SDU/TDU: 8192 / 32512
SERVICE_NAME: <N/A>
SID: db11200
HOST: __jdbc__
PROGRAM: JDBC Thin Client
USER: slavik
Payload (211 bytes):
00000 00 d3 00 00 01 00 00 00 01 36 01 2c 0e 41 20 00 .........6.,.A .
00016 7f ff 4f 98 00 00 00 01 00 99 00 3a 00 00 00 00 ..O........:....
00032 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00048 00 00 00 00 00 00 00 00 00 00 28 44 45 53 43 52 ..........(DESCR
00064 49 50 54 49 4f 4e 3d 28 43 4f 4e 4e 45 43 54 5f IPTION=(CONNECT_
00080 44 41 54 41 3d 28 53 49 44 3d 64 62 31 31 32 30 DATA=(SID=db1120
00096 30 29 28 43 49 44 3d 28 50 52 4f 47 52 41 4d 3d 0)(CID=(PROGRAM=
00112 4a 44 42 43 20 54 68 69 6e 20 43 6c 69 65 6e 74 JDBC Thin Client
00128 29 28 48 4f 53 54 3d 5f 5f 6a 64 62 63 5f 5f 29 )(HOST=__jdbc__)
00144 28 55 53 45 52 3d 73 6c 61 76 69 6b 29 29 29 28 (USER=slavik)))(
00160 41 44 44 52 45 53 53 3d 28 50 52 4f 54 4f 43 4f ADDRESS=(PROTOCO
00176 4c 3d 74 63 70 29 28 48 4f 53 54 3d 6c 6f 63 61 L=tcp)(HOST=loca
00192 6c 68 6f 73 74 29 28 50 4f 52 54 3d 31 35 32 31 lhost)(PORT=1521
00208 29 29 29 )))
Packet number 6:
From: 127.0.0.1
To: 127.0.0.1
Protocol: TCP
Src port: 1521
Dst port: 49699
Packet Type: Resend
Payload (8 bytes):
00000 00 08 00 00 0b 00 00 00 ........
Packet number 8:
From: 127.0.0.1
To: 127.0.0.1
Protocol: TCP
Src port: 49699
Dst port: 1521
Packet Type: Connect
Version: 01 36
SDU/TDU: 8192 / 32512
SERVICE_NAME: <N/A>
SID: db11200
HOST: __jdbc__
PROGRAM: JDBC Thin Client
USER: slavik
Payload (211 bytes):
00000 00 d3 00 00 01 00 00 00 01 36 01 2c 0e 41 20 00 .........6.,.A .
00016 7f ff 4f 98 00 00 00 01 00 99 00 3a 00 00 00 00 ..O........:....
00032 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00048 00 00 00 00 00 00 00 00 00 00 28 44 45 53 43 52 ..........(DESCR
00064 49 50 54 49 4f 4e 3d 28 43 4f 4e 4e 45 43 54 5f IPTION=(CONNECT_
00080 44 41 54 41 3d 28 53 49 44 3d 64 62 31 31 32 30 DATA=(SID=db1120
00096 30 29 28 43 49 44 3d 28 50 52 4f 47 52 41 4d 3d 0)(CID=(PROGRAM=
00112 4a 44 42 43 20 54 68 69 6e 20 43 6c 69 65 6e 74 JDBC Thin Client
00128 29 28 48 4f 53 54 3d 5f 5f 6a 64 62 63 5f 5f 29 )(HOST=__jdbc__)
00144 28 55 53 45 52 3d 73 6c 61 76 69 6b 29 29 29 28 (USER=slavik)))(
00160 41 44 44 52 45 53 53 3d 28 50 52 4f 54 4f 43 4f ADDRESS=(PROTOCO
00176 4c 3d 74 63 70 29 28 48 4f 53 54 3d 6c 6f 63 61 L=tcp)(HOST=loca
00192 6c 68 6f 73 74 29 28 50 4f 52 54 3d 31 35 32 31 lhost)(PORT=1521
00208 29 29 29 )))
Packet number 10:
From: 127.0.0.1
To: 127.0.0.1
Protocol: TCP
Src port: 1521
Dst port: 49699
Packet Type: Accept
Accepted: Yes
Payload (32 bytes):
00000 00 20 00 00 02 00 00 00 01 36 0e 41 20 00 7f ff . .......6.A ...
00016 01 00 00 00 00 20 41 01 00 00 00 00 00 00 00 00 ..... A.........
3. Using an OCI with 10g client
Packet number 4:
From: 127.0.0.1
To: 127.0.0.1
Protocol: TCP
Src port: 40196
Dst port: 1521
Packet Type: Connect
Version: 01 39
SDU/TDU: 2048 / 32512
SERVICE_NAME: db11200
SID: <N/A>
HOST: slavik-laptop
PROGRAM: ocitest
USER: slavik
Payload (216 bytes):
00000 00 d8 00 00 01 00 00 00 01 39 01 2c 0c 01 08 00 .........9.,....
00016 7f ff 7f 08 00 00 01 00 00 9e 00 3a 00 00 02 00 ...........:....
00032 41 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AA..............
00048 00 00 00 00 00 00 00 00 00 00 28 44 45 53 43 52 ..........(DESCR
00064 49 50 54 49 4f 4e 3d 28 43 4f 4e 4e 45 43 54 5f IPTION=(CONNECT_
00080 44 41 54 41 3d 28 53 45 52 56 49 43 45 5f 4e 41 DATA=(SERVICE_NA
00096 4d 45 3d 64 62 31 31 32 30 30 29 28 43 49 44 3d ME=db11200)(CID=
00112 28 50 52 4f 47 52 41 4d 3d 6f 63 69 74 65 73 74 (PROGRAM=ocitest
00128 29 28 48 4f 53 54 3d 73 6c 61 76 69 6b 2d 6c 61 )(HOST=slavik-la
00144 70 74 6f 70 29 28 55 53 45 52 3d 73 6c 61 76 69 ptop)(USER=slavi
00160 6b 29 29 29 28 41 44 44 52 45 53 53 3d 28 50 52 k)))(ADDRESS=(PR
00176 4f 54 4f 43 4f 4c 3d 54 43 50 29 28 48 4f 53 54 OTOCOL=TCP)(HOST
00192 3d 31 32 37 2e 30 2e 30 2e 31 29 28 50 4f 52 54 =127.0.0.1)(PORT
00208 3d 31 35 32 31 29 29 29 =1521)))
Packet number 6:
From: 127.0.0.1
To: 127.0.0.1
Protocol: TCP
Src port: 1521
Dst port: 40196
Packet Type: Resend
Payload (8 bytes):
00000 00 08 00 00 0b 00 00 00 ........
Packet number 8:
From: 127.0.0.1
To: 127.0.0.1
Protocol: TCP
Src port: 40196
Dst port: 1521
Packet Type: Connect
Version: 01 39
SDU/TDU: 2048 / 32512
SERVICE_NAME: db11200
SID: <N/A>
HOST: slavik-laptop
PROGRAM: ocitest
USER: slavik
Payload (216 bytes):
00000 00 d8 00 00 01 00 00 00 01 39 01 2c 0c 01 08 00 .........9.,....
00016 7f ff 7f 08 00 00 01 00 00 9e 00 3a 00 00 02 00 ...........:....
00032 41 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 AA..............
00048 00 00 00 00 00 00 00 00 00 00 28 44 45 53 43 52 ..........(DESCR
00064 49 50 54 49 4f 4e 3d 28 43 4f 4e 4e 45 43 54 5f IPTION=(CONNECT_
00080 44 41 54 41 3d 28 53 45 52 56 49 43 45 5f 4e 41 DATA=(SERVICE_NA
00096 4d 45 3d 64 62 31 31 32 30 30 29 28 43 49 44 3d ME=db11200)(CID=
00112 28 50 52 4f 47 52 41 4d 3d 6f 63 69 74 65 73 74 (PROGRAM=ocitest
00128 29 28 48 4f 53 54 3d 73 6c 61 76 69 6b 2d 6c 61 )(HOST=slavik-la
00144 70 74 6f 70 29 28 55 53 45 52 3d 73 6c 61 76 69 ptop)(USER=slavi
00160 6b 29 29 29 28 41 44 44 52 45 53 53 3d 28 50 52 k)))(ADDRESS=(PR
00176 4f 54 4f 43 4f 4c 3d 54 43 50 29 28 48 4f 53 54 OTOCOL=TCP)(HOST
00192 3d 31 32 37 2e 30 2e 30 2e 31 29 28 50 4f 52 54 =127.0.0.1)(PORT
00208 3d 31 35 32 31 29 29 29 =1521)))
Packet number 10:
From: 127.0.0.1
To: 127.0.0.1
Protocol: TCP
Src port: 1521
Dst port: 40196
Packet Type: Accept
Accepted: Yes
Payload (32 bytes):
00000 00 20 00 00 02 00 00 00 01 39 0c 01 08 00 7f ff . .......9......
00016 01 00 00 00 00 20 41 41 00 00 00 00 00 00 00 00 ..... AA........
This is using an Oracle server 11gR2 (11.2.0.1) 64-bit.
So, my question is – why? Is this a clumsy attempt to thwart discovery tools? Some sort of a defense mechanism?
I would appreciate any insights here. I’m sure that there are knowledgeable people out there who know the answer.
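As an added example (not the post's own script), here is a small Python parser for the TNS header and CONNECT fields shown in the dumps above, together with the client-side RESEND handling the post describes: when the listener answers with packet type 0x0b, the client re-transmits the identical CONNECT packet. The constants 0x012c, 0x0c41 and 0x7f08 and the connect-data offset of 58 are the bytes the sqlplus capture shows; the field names used for the fixed header block are the commonly used ones and are an assumption, not taken from Oracle documentation.

```python
"""TNS header/CONNECT parser and RESEND handling (added example, not the post's script)."""
import re
import struct

# TNS packet types seen in the captures; the type byte is offset 4 of the 8-byte header
TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_RESEND = 1, 2, 4, 0x0b

# Constructed inputs, copied from the captures above
RESEND_PKT = bytes.fromhex("00080000" "0b000000")  # the 8-byte Resend reply
ACCEPT_PKT = bytes.fromhex("00200000" "02000000" "013a0c41" "20007fff"
                           "01000000" "00204141" "00000000" "00000000")
SQLPLUS_CONNECT_STR = ("(DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=db11200)"
                       "(CID=(PROGRAM=sqlplus)(HOST=slavik-laptop)(USER=slavik)))"
                       "(ADDRESS=(PROTOCOL=TCP)(HOST=127.0.0.1)(PORT=1521)))")


def parse_header(pkt):
    """Return (packet_length, packet_type) from the 8-byte TNS header."""
    if len(pkt) < 8:
        raise ValueError("short TNS header")
    length, _checksum, ptype, _flags, _hdr_checksum = struct.unpack(">HHBBH", pkt[:8])
    return length, ptype


def build_connect(connect_str, version=0x013A, sdu=8192, tdu=32767):
    """Build a CONNECT packet with the fixed layout of the sqlplus capture.

    Field names are the commonly used ones (an assumption); the constants are the
    bytes the capture shows. Connect data starts at offset 58 in every capture."""
    data = connect_str.encode("ascii")
    offset = 58
    body = struct.pack(">HHHHHHHHHH", version, 0x012C, 0x0C41, sdu, tdu, 0x7F08,
                       0, 1, len(data), offset)  # ..., turnaround, 1-in-hw, data len, data offset
    body += struct.pack(">I", 2048)              # max receivable connect data
    body += bytes([0x41, 0x41])                  # connect flags 0 and 1
    body += bytes(16)                            # trace items + unique connection id
    body += bytes(offset - 8 - len(body))        # pad so the connect data lands at `offset`
    header = struct.pack(">HHBBH", 8 + len(body) + len(data), 0, TNS_CONNECT, 0, 0)
    return header + body + data


def parse_connect(pkt):
    """Decode the fields the dumps above print: version, SDU/TDU and the connect string."""
    length, ptype = parse_header(pkt)
    if ptype != TNS_CONNECT or len(pkt) < length:
        raise ValueError("not a complete CONNECT packet")
    version, _compat, _opts, sdu, tdu, _nt, _turn, _one, dlen, doff = struct.unpack(
        ">HHHHHHHHHH", pkt[8:28])
    if doff + dlen > length:
        raise ValueError("connect data runs past the packet length")  # reject a lying header
    data = pkt[doff:doff + dlen].decode("ascii", errors="replace")
    info = {"version": version, "sdu": sdu, "tdu": tdu, "data_offset": doff, "connect_data": data}
    for key, val in re.findall(r"\((SERVICE_NAME|SID|PROGRAM|HOST|USER)=([^)]*)\)", data):
        info.setdefault(key, val)  # keep the CID HOST, not the later ADDRESS HOST
    return info


def next_action(last_sent, received):
    """Client-side reply handling: RESEND means re-transmit the identical CONNECT."""
    _length, ptype = parse_header(received)
    if ptype == TNS_RESEND:
        return "resend", last_sent
    if ptype == TNS_ACCEPT:
        return "accepted", None
    if ptype == TNS_REFUSE:
        return "refused", None
    return "unexpected", None


if __name__ == "__main__":
    connect = build_connect(SQLPLUS_CONNECT_STR)
    print(parse_connect(connect))
    print(next_action(connect, RESEND_PKT)[0], next_action(connect, ACCEPT_PKT)[0])
```

The same parser run over captured CONNECT packets gives the PROGRAM/HOST/USER fields the dumps above print, which is what a listener-side monitor needs to attribute a connection attempt.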
Fri 26 Feb 2010
Posted by Slavik under Oracle, security
As promised, here is a small Python script to allow you to enumerate and find Oracle SIDs.
Of course, the usual caveats apply – if it breaks something, I’m not responsible.
Use at your own risk. I’m using the sidlist.txt file from David’s OAK but there are plenty of available resources with common SID lists.
Update: Alex graciously let me know that he was the one that originally created the SID list and also granted me permission to use his latest version with the script.
Here are some usage details:
slavik@slavik-laptop:~/Oracle/Security/osid-enum$ ./osid-guess.py
Usage: osid-guess.py [options]
osid-guess.py: error: You must provide the host of the listener
slavik@slavik-laptop:~/Oracle/Security/osid-enum$ ./osid-guess.py -h
Usage: osid-guess.py [options]
Try to find the Oracle SID iterating a list of potential SIDs from a file or from stdin
Options:
--version show program's version number and exit
-h, --help show this help message and exit
Target options: Specify the location of the listener
-t HOST, --host=HOST The host running the listener
-p PORT, --port=PORT The port of the listener [1521]
-s SIDLIST, --sidlist=SIDLIST The filename containing the sids to try [stdin if missing]
End user details: Specify end user details to send to the listener
-u USER, --user=USER The user to provide to the listener [SCOTT]
-a PROGRAM, --program=PROGRAM The program name to provide to the listner [sqlplus]
-m MACHINE, --machine=MACHINE The name of the machine to provide to the listener [localhost]
General options: General options to control verbose output, etc.
-q, --quiet don't print status messages to stdout [output progress to stdout by default]
slavik@slavik-laptop:~/Oracle/Security/osid-enum$ ./osid-guess.py -t localhost
Receiving service names from stdout
Opening connection to localhost:1521
test
Trying SERVICE_NAME - test
Trying SID - test
aaa
Trying SERVICE_NAME - aaa
Trying SID - aaa
db11200
Trying SERVICE_NAME - db11200
Listener supports service db11200
Trying SID - db11200
Listener supports sid db11200
On *nix, you need to press Ctrl-D between names
slavik@slavik-laptop:~/Oracle/Security/osid-enum$ ./osid-guess.py -t localhost -s sid.txt -q
Listener supports service DB11200
Listener supports sid DB11200
So, that’s it. A very simple utility that does not have any pre-requisites (except Python, of course).
I’d love to hear some feedback…
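The defender's side of the tool above, as an added example that is not part of the post or of osid-guess.py: a small Python detector that reads listener.log-style records and flags a client asking for several distinct unknown service names or SIDs within a short window (the SERVICE_NAME-then-SID pairs are exactly the pattern the session above produces), and notes when the CID HOST is the tool's default of localhost while the TCP connection came from elsewhere. The log lines are constructed in the shape of a listener.log "establish" record (timestamp, connect data, client address, action, requested name, return code), which is an assumption about the format; 12514 and 12505 are the ORA codes for an unknown service name and an unknown SID.

```python
"""Flag service-name/SID guessing in listener.log-style records (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Return codes the listener records when the requested name is unknown:
# ORA-12514 (service name) and ORA-12505 (SID). Each guess above yields one of them.
UNKNOWN_SERVICE, UNKNOWN_SID = 12514, 12505

# Constructed records in the shape of listener.log "establish" lines (format is an assumption):
# timestamp * connect data * client address * establish * requested name * return code
LOG_LINES = """\
07-MAR-2010 10:15:01 * (CONNECT_DATA=(SERVICE_NAME=test)(CID=(PROGRAM=sqlplus)(HOST=localhost)(USER=SCOTT))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=40201)) * establish * test * 12514
07-MAR-2010 10:15:01 * (CONNECT_DATA=(SID=test)(CID=(PROGRAM=sqlplus)(HOST=localhost)(USER=SCOTT))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=40202)) * establish * test * 12505
07-MAR-2010 10:15:02 * (CONNECT_DATA=(SERVICE_NAME=aaa)(CID=(PROGRAM=sqlplus)(HOST=localhost)(USER=SCOTT))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=40203)) * establish * aaa * 12514
07-MAR-2010 10:15:02 * (CONNECT_DATA=(SID=aaa)(CID=(PROGRAM=sqlplus)(HOST=localhost)(USER=SCOTT))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=40204)) * establish * aaa * 12505
07-MAR-2010 10:15:03 * (CONNECT_DATA=(SERVICE_NAME=orcl)(CID=(PROGRAM=sqlplus)(HOST=localhost)(USER=SCOTT))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=40205)) * establish * orcl * 12514
07-MAR-2010 10:15:03 * (CONNECT_DATA=(SID=orcl)(CID=(PROGRAM=sqlplus)(HOST=localhost)(USER=SCOTT))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=40206)) * establish * orcl * 12505
07-MAR-2010 10:15:04 * (CONNECT_DATA=(SERVICE_NAME=db11200)(CID=(PROGRAM=sqlplus)(HOST=localhost)(USER=SCOTT))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=40207)) * establish * db11200 * 0
07-MAR-2010 10:20:00 * (CONNECT_DATA=(SERVICE_NAME=db11200)(CID=(PROGRAM=JDBC Thin Client)(HOST=app01)(USER=appuser))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.9)(PORT=51000)) * establish * db11200 * 0
"""

_NAME_RE = re.compile(r"\((SERVICE_NAME|SID)=([^)]*)\)")
_CID_HOST_RE = re.compile(r"\(CID=.*?\(HOST=([^)]*)\)")
_ADDR_HOST_RE = re.compile(r"\(HOST=([^)]*)\)")


def parse_line(line):
    """Split one 'establish' record; return None for anything else (ping/status lines, noise)."""
    parts = [p.strip() for p in line.split(" * ")]
    if len(parts) != 6 or parts[3] != "establish":
        return None
    ts, connect_data, address, _action, _name, rc = parts
    name = _NAME_RE.search(connect_data)
    addr_host = _ADDR_HOST_RE.search(address)
    if not name or not addr_host:
        return None
    cid_host = _CID_HOST_RE.search(connect_data)
    return {
        "time": datetime.strptime(ts, "%d-%b-%Y %H:%M:%S"),
        "kind": name.group(1),           # SERVICE_NAME or SID
        "name": name.group(2),
        "client": addr_host.group(1),    # where the TCP connection really came from
        "cid_host": cid_host.group(1) if cid_host else "",
        "rc": int(rc),
    }


def find_guessing(log_text, min_names=3, window_seconds=60):
    """Return {client: {"names": [...], "cid_host_mismatch": bool}} for every client that
    asked for at least min_names distinct unknown names within window_seconds."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["rc"] in (UNKNOWN_SERVICE, UNKNOWN_SID):
            failures[rec["client"]].append(rec)
    alerts = {}
    for client, recs in failures.items():
        names = sorted({r["name"] for r in recs})
        times = [r["time"] for r in recs]
        if len(names) >= min_names and (max(times) - min(times)).total_seconds() <= window_seconds:
            # CID HOST "localhost" arriving from a remote address is the script's default -m value
            mismatch = any(r["cid_host"] == "localhost" and client not in ("127.0.0.1", "localhost")
                           for r in recs)
            alerts[client] = {"names": names, "cid_host_mismatch": mismatch}
    return alerts
```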
Mon 22 Feb 2010
Sumit Siddharth (Sid) has published an excellent whitepaper talking about hacking Oracle from the web. It shows many types and techniques of SQL injection and how to use an SQL injection vulnerability as a jumping point to extract data, take control of the database and even escape the database to the OS.
Security folks and DBAs out there, this is a must read!
Fri 19 Feb 2010
I had a great time at RMOUG this year. I did one of my usual presentations about attack vectors on the database and how to defend against them. I think the presentation was well received and the attendees loved the demos – I mostly just demonstrate instead of going through slides.
One of my favorite demos is what I call “from nothing to DBA in 5 simple steps”.
Basically, I start with finding databases (using tools like nmap), guessing the SID, enumerating the usernames, attacking the password and then running one of the privilege escalation attacks. Of course, there are many other options, including attacking the listener instead or sniffing the network but I find that this demo usually sets the right mood for the rest of the presentation.
In some of my next posts, I’m going to publish some of the scripts I wrote for the above demo starting with a nice little script to enumerate and guess Oracle service names.
A picture of people arriving before the presentation…
People arriving to my presentation
Sat 6 Feb 2010
As part of my continued crusade to get rid of all database errors returned from the application to the user, one of our developers sent me the following error message coming from Salesforce.com:
So, what can we learn from the error?
- SF uses Java as a backend
- SF uses Oracle as the database
- The application is programmed using stored program units – in this case package sLead with procedure update_leads
- Checks are performed at the PL/SQL level and custom exceptions are being thrown – ORA-20096
- The Java application uses bind variables to call into the PL/SQL layer – good for them!
- My guess is that the username/schema for this particular SF account is SNEEZY and it contains Oracle types with the names CUSER and SLEAD
All in all, I’d say that SF did a good, secure job in implementing the application (bind variables, etc.) but missed the “never return DB errors to the customer” part.
So, what will it take to educate developers not to display errors? Thoughts?
Wed 3 Feb 2010
Yesterday at Black Hat, David released information on his latest find, a pretty serious batch of vulnerabilities in Oracle 11g which allows any user to escalate privileges to gain complete access & control of the database.
What’s interesting here is not so much that there is yet another vulnerability (for those of you who are running Hedgehog and getting vPatch updates, you are already protected!), but more how this demonstrates the very tricky relationship that often exists between ethical security researchers and the database vendors.
David has been contributing to the Oracle DB security research community for many years, and certainly has the process down pretty well for notifying Oracle and giving them time to make the fix before going public. But, this time around, things didn’t go as planned. After notifying Oracle in November, he apparently wasn’t satisfied with their response, and decided it was best to announce the vulnerability now. The good news is he also provided recommendations on how to protect systems from being exploited.
We know how he feels. In 6 out of the last 7 Oracle CPUs, one or more Sentrigo employees has been credited for contributions. Pretty impressive for our size, and a testament to the work of our Red Team. In all of those cases, we’ve been pretty satisfied with the pace of Oracle fixes, and have simply built protection into our products from our day-zero discovery and waited for Oracle to release a patch.
But, for those of you who have been reading this blog for a while, you’ll recall the incident last September, when after a year of prodding Microsoft to fix a flaw in SQL Server, we too reached a point of frustration and announced it. Also with a fix, of course. But the decision to do this is not an easy one. The very vendors you are hoping to have an excellent working relationship with are not likely to be happy. In this case, Microsoft tried to argue that it was not very serious… but as security researchers we simply didn’t agree (nor did most of the public, based on comments we received). I’m sure David felt the same way about this recent vulnerability. You can’t simply leave it there for other (less ethical) people to find and exploit.
So, we’ll see how this one plays out… I’m guessing Oracle will eventually provide a patch. But, it does raise the question of what the white hats of the world are supposed to do, when a vendor simply doesn’t get it. I’d be interested in your thoughts…
Fri 29 Jan 2010
Posted by Slavik under Oracle, security
Dennis wrote an interesting blog entry about an experiment he conducted.
He found that out of roughly every 69,000 randomly scanned IP addresses, there is one open Oracle TNS Listener. That’s interesting because we all know that there are numerous attacks on (even fully patched) listeners that do not require any authentication.
Looking at the listener versions, you can see that many of the versions are not even getting patches from Oracle any more. This is like leaving your door wide open and putting up a big sign inviting hackers to come in, especially in light of many working exploits out there.
I didn’t try it, but I’d bet that many of these listeners do not even require a password. Come on people, at least keep your database behind a firewall!
Wed 6 Jan 2010
I’ve talked about displaying errors from the database on the user screen a while ago. In my opinion, this is definitely a big no-no and a security problem just waiting to happen.
As some of you know, I have an iPhone (and I like it a lot, but that’s another story). I’ve installed a nice little game called Tap Tap Revenge from Tapulous, a fairly well-known company and game in the iPhone scene. Immediately after installation, it required me to register or log in.
Here is the error I got when I clicked an email link to reclaim my username (I changed the error a bit):
Warning: mysql_connect() [function.mysql-connect]: Too many connections in /var/www/html/tapservices/v1/lib/tapsql.php on line 49
Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /var/www/html/tapservices/v1/lib/tapsql.php on line 50
Warning: mysql_query(): supplied argument is not a valid MySQL-Link resource in /var/www/html/tapservices/v1/lib/tapsql.php on line 94
INSERT INTO tapulous.devices (user_id, device_id, time) VALUES ('xxxx', 'yyyy', NOW()) ON DUPLICATE KEY UPDATE user_id='xxxx', time=NOW()
Too many connections
Hmmm…
Let’s count how many details we can get from the error message:
- They are using PHP
- They are using MySQL
- They probably use Apache on Linux or some other *nix variant
- We know the directory structure (and also that it’s v1)
- They have the SQL code separated in a file called tapsql.php
- The MySQL server is not configured correctly with regards to the number of connections (or the connection pool is not configured correctly)
- The database for Tapulous data is called tapulous (shocking, I know)
- The table for the devices is called devices (another shock)
- I did not post the link I clicked but if we examine the link and the INSERT statement in the error, it’s easy to see that user input is directly concatenated into the query – this one is really shocking – SQL Injection, anyone???
I’m sure that if you think a bit, you can find even more details in the error message but the last one is the most important one. I would have thought that in this day and age everybody is using bind variables. The first try to SQL Inject the link succeeded, of course. This is a popular application (and site) with a lot of registered users (including me) and having our details out there in the database does not inspire confidence.
I, of course, notified Tapulous immediately and received an email saying that the problem was fixed. Otherwise, I would not have written anything.
Oh, and looking at the original link and the SQL command being executed, I believe it’s very easy to write a small script (shell, Python, just choose your favorite) to iterate on all users and associate all the usernames with your own device…
I’d love to hear your thoughts.
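For both the Salesforce and the Tapulous posts above the lesson is the same: bind the values and keep database errors out of the response. As an added example (not Tapulous's or Salesforce's code), here is the devices upsert written the way the leaked message shows it and the way it should be, with a request handler that returns a generic message and keeps the detail in the server log. It uses an in-memory SQLite table so it runs offline; the table shape, and SQLite's INSERT OR REPLACE standing in for MySQL's ON DUPLICATE KEY UPDATE, are constructed for the example.

```python
"""Device upsert, unsafe and safe, plus error handling that does not leak (added example)."""
import logging
import sqlite3

log = logging.getLogger("tapservices")


def open_db():
    """In-memory stand-in for the tapulous.devices table (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (user_id TEXT, device_id TEXT PRIMARY KEY, time TEXT)")
    return conn


def register_device_unsafe(conn, user_id, device_id):
    """The pattern the leaked error reveals: user input pasted into the SQL text.

    A single quote in device_id (think O'Brien) already breaks the statement, and the
    resulting error carries the full query back to whoever supplied the input."""
    sql = ("INSERT OR REPLACE INTO devices (user_id, device_id, time) "
           "VALUES ('%s', '%s', datetime('now'))" % (user_id, device_id))
    conn.execute(sql)
    return sql


def register_device_safe(conn, user_id, device_id):
    """Bind variables: the values travel separately from the statement and cannot alter it."""
    sql = ("INSERT OR REPLACE INTO devices (user_id, device_id, time) "
           "VALUES (?, ?, datetime('now'))")
    conn.execute(sql, (user_id, device_id))
    return sql


def handle_request(conn, user_id, device_id, unsafe=False):
    """What the application hands back: a generic message; SQL text and paths stay in the log."""
    try:
        if unsafe:
            register_device_unsafe(conn, user_id, device_id)
        else:
            register_device_safe(conn, user_id, device_id)
        return {"ok": True, "message": "device registered"}
    except sqlite3.Error as exc:
        log.error("device registration failed for user %r: %s", user_id, exc)
        return {"ok": False, "message": "Registration is temporarily unavailable. Please try again later."}


def stored_user(conn, device_id):
    """Look up which user a device is associated with (parameterised, like the safe path)."""
    row = conn.execute("SELECT user_id FROM devices WHERE device_id = ?", (device_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_db()
    print(handle_request(db, "u1", "o'brien", unsafe=True))   # generic failure, detail logged
    print(handle_request(db, "u1", "o'brien"))                # stored literally
    print(stored_user(db, "o'brien"))
```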
Wed 23 Dec 2009
As another year comes to a close, it’s time for both new year’s resolutions as well as predictions.
On the resolutions front, I hope to be much more active on my blog next year. As we grow as a company, I seem to have less time for my musings, as I spend more time with customers and those we hope will become customers. Overall, it’s a good problem to have…
As far as predictions go, this is always dangerous ground. A year from now, someone will undoubtedly come back and point out that I really missed some major new trend, or called one that never came to be. But, these are simply best guesses based on what I’m seeing out there, and I’d be happy to hear from those who have additional trends of their own. You can also read all about it here and here.
Hackers are getting better tools
This one will increase the frequency of attacks, based on several factors:
- Automation will let good hackers move faster
- Less skilled hackers will now be able to use more sophisticated attacks
- Lesser known sites will see more “random” attacks as the tools look for vulnerabilities instead of the hackers targeting specific companies and finding a way in
More attacks will be based on outsiders turned insider
As the perimeter defenses become better, most companies have continued to neglect the risk of the privileged insider. So, the easy money may go to alternative approaches to getting insider access. Bribery and even extortion come to mind, but so does getting hired as a consultant or even an employee, mainly to get at the data.
I also put drive-by malware attacks in this category, as the unsuspecting user simply browsing a site lets malware in that attacks from the inside.
Organizations will focus on minimizing surface area of attack
The less content you have, the easier it is to lock it down. Just as the e-Discovery era brought about email retention policies, we’re beginning to see people deleting sensitive records as soon as they are no longer needed, reducing the information at risk. At the same time, tools like tokenization will limit the number of databases with actual information to just one, while apps only store pointers. By securing the one live repository (I’d recommend Sentrigo for this of course!), you’re now protected.
Databases finally make it to the cloud
There’s been much noise about the cloud, but so far I haven’t seen many customers putting business critical apps, with sensitive data, in the cloud. One reason has certainly been concern about data security (and compliance). With solutions like Hedgehog, you can deploy a small sensor that gets installed whenever and wherever the cloud provider puts your database, and it is just as secure as in your own datacenter. And you can monitor the admins at the provider as well. As companies get comfortable with these technologies, critical databases will move to the cloud.
Compliance will remain a “bare minimum” effort
Not so much a new trend, but I expect in the continuing difficult economy, we will still see most companies investing the least amount possible to comply with regulations, rather than taking an approach of what they consider best practices to secure data. Thus, we’ll still see breaches of “compliant” companies, and as a result there will be pressure on auditors to enforce more strictly, and pressure on regulators to update standards to fill commonly exploited gaps. To stay on top of this, flexibility will be required.
So, here they are. I’d love to hear your thoughts…
Tue 27 Oct 2009
Posted by Slavik under Oracle, security
Paul Wright has written an excellent paper on an interesting way to attack Oracle using external tables.
It just goes to show that any permission can be abused in the right circumstances. I’m still amazed that UTL_FILE is still granted to PUBLIC by default.
Anyways, great work, Paul!