New Oracle Security Videos and Blog
Thursday, May 24th, 2007
Alexander Kornbrust of Red-Database-Security has started a new Oracle security blog (just added to OraNa.info). He also posted new Oracle security videos, 10 as of today.
Oracle Applications 11i Encrypted Password String Disclosure (PDF): An undisclosed security vulnerability exists in Oracle Applications 11i that may allow an unauthenticated, internal attacker to obtain Oracle Applications’ user account encrypted password strings, which in turn can be decrypted using previously published information. An attacker can potentially obtain either any user’s password or the Oracle […]
Integrigy has just published an updated version of the white paper on the Oracle database listener security.
From the introduction:
The Oracle Database Listener is the database server software component that manages the network traffic between the Oracle Database and the client. The Oracle Database Listener listens on a specific network port (default 1521) and […]
Johan Louwers published an Oracle Applications passwords decryption vulnerability that allows a malicious user to expose the passwords of any Oracle Applications user. In Oracle E-Business Suite, usernames and their encrypted passwords are stored in the table fnd_user:
SQL> desc fnd_user; Name […]
David Litchfield published a paper demonstrating how an unclosed or dangling cursor created and used by DBMS_SQL can lead to a security hole.
I ran his proof of this vulnerability on my Oracle Database 10g Express Edition database.
Connected as SYS:
SQL> CREATE OR REPLACE PROCEDURE pwd_compare(p_user VARCHAR) IS
       cursor_name INTEGER;
       […]
SearchOracle.com has just published a couple of interesting podcasts.
The first, titled Expert says PL/SQL change needed in Oracle 11g, is an interview with Steven Feuerstein.
In the interview, Steven answers the following questions:
Considering how big OpenWorld has become, should there be a separate conference for PL/SQL developers? Your session at the conference was entitled “Ten things you […]
I have just finished listening to a very interesting podcast interview with Pete Finnigan (via SearchOracle.com). Pete discusses the problems with Oracle PL/SQL wrapping and hopes that Oracle releases all the built-in PL/SQL packages unwrapped as clear text, as in open source, so that everyone can help with finding bugs. Pete also advises DBAs to […]
That’s what Mary Ann Davidson, chief security officer at Oracle, said according to this InfoWorld article.
Her first response to the Oracle database being “unbreakable” was “What idiot dreamed this up?”. She also said that if civil engineers built bridges in the same fashion in which software developers write code, people would face the “blue bridge […]
As soon as you connect your computer to the Internet, or even when you install new software, you risk being hacked and infected with viruses. But you already know that.
You also know that in order to protect your computer, you need at least three things: a firewall, an antivirus and an antispyware. But did you […]
There is an article on Silicon.com about how companies can manage their passwords. The author offers the following tips for fostering a culture of secure and more effective password management:
Passwords must not be written down.
Passwords must be set.
When the password is “ChangeMe”, then change it.
Require as few passwords as possible.
Balance how much password […]