I have just finished listening to a very interesting podcast interview with Pete Finnigan (via SearchOracle.com). Pete discusses the problems with Oracle PL/SQL wrapping and hopes that Oracle releases all the built-in PL/SQL packages unwrapped as clear text, as in open source, so that everyone can help with finding bugs. Pete also advises DBAs to think like hackers in order to improve the security of the database.
Listen to the podcast.
1 Comment | Filed in Oracle, Security | Tags: podcast, Security
There is an article on Silicon.com about how companies can manage their passwords. The author offers the following tips for fostering a culture of secure and more effective password management:
I believe that most of the above applies to individuals as well. In fact, tip number 10 is already a reality for the average consumer like you and me. Search Google for “biometric password manager” to see what I mean.
Personally, I have tens of passwords I need to keep track of. Since I avoid writing passwords down and it is impossible for me to remember them all, I rely primarily on my password manager software and sometimes on my memory when I am faced with “Please enter your user name and password”. Maybe I should try this new APC Biometric Password Manager, or something similar.
8 Comments | Filed in Security, Technology | Tags: password, Security, software

The latest quarterly Critical Patch Update for Oracle 10gR2 does not plug a hole that allows published attack code to run.
The recent Oracle exploit posted to Bugtraq (http://www.securityfocus.com/archive/1/431353) is actually an 0day and has no patch. The patch for 10g Release 2 for April 2006 Critical Patch Update does _not_ contain a fix for the specific flaw that the exploit takes advantage of. As it happens – this specific flaw was reported to Oracle on the 19th of February 2006.
This is according to David Litchfield.
Ok! Now what?
(via digg)
Comments Off | Filed in Oracle | Tags: patch, Security

I like Oracle DB XE, not only because it is free and has all the power of an Oracle database, but also because it comes with Application Express, or APEX (formerly HTMLDB). I plan to learn APEX and use it as an ad hoc application builder for such applications that can be shared among team members or on the company’s Intranet.
I installed the demo Web Services application that comes with APEX. For testing purposes, I wanted to allow my coworkers access to this demo application on my Oracle DB XE instance on my PC. Not a big deal: I just gave them the URL to the application, something like this: http://10.10.2.132:8080/apex/f?p=100. But they could not connect to the application.
Well, I discovered that there was a setting called “Manage HTTP Access” under the Administration section of APEX. By default, this setting was set to “Available only from local server”. I switched it to “Available from local server and remote clients”. Now anyone who is on the same network as my PC is able to access the application.


Of course, if you are exposing access to the whole Internet, you may think twice before doing this. But since I’m sharing the application only among my team members and only inside the company’s firewall, I was not paranoid about security.
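The same switch can be flipped, and checked, from SQL*Plus. The block below is an added example, not code from the post: it uses the DBMS_XDB calls that the XE documentation gives as the command-line equivalent of the “Manage HTTP Access” page, run as SYS or SYSTEM in the XE instance. The port value is whatever your instance reports; 8080 is only what the URL in the post suggests.

```sql
-- Added example (not from the post): command-line equivalent of the
-- "Manage HTTP Access" toggle in APEX on Oracle XE, plus the checks a DBA
-- would run around it. Run as SYS or SYSTEM in the XE instance.

-- 1. Which port the embedded HTTP listener, and therefore APEX, is bound to.
--    The post's URL (http://10.10.2.132:8080/apex/f?p=100) implies 8080.
select dbms_xdb.gethttpport as http_port from dual;

-- 2. Open APEX to every host that can reach that port. This is what the
--    "Available from local server and remote clients" setting does.
exec dbms_xdb.setlistenerlocalaccess(false);

-- 3. Put it back to localhost only once the team no longer needs the demo.
--    With TRUE, the embedded listener accepts HTTP only on the loopback
--    address, so the URL above stops working for everyone but the PC owner.
exec dbms_xdb.setlistenerlocalaccess(true);
```

Two caveats worth remembering: this setting only gates the embedded HTTP listener, it says nothing about the SQL*Net listener on port 1521, and it does not replace APEX authentication. The demo application still asks for a login; the toggle just decides who gets as far as the login page.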
Another thing I find useful is to use my Oracle DB XE instance as a tool to load CSV or XML data to another non-XE database (or even XE) through database links.
Assume you have a non-XE Oracle database instance called ENTORA, and a table in a schema in the ENTORA database that you want to populate from data in a CSV file. There are many ways to do that; here is one way to do it using your local Oracle XE instance.
First, in XE, you create a database link to ENTORA. Something like:
create database link ENTORA
connect to <username> identified by <password>
using '(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)
(HOST=ENTORA_db)(PORT=1521))(CONNECT_DATA=(SID=ENTORA)))'
/
Then, using APEX, you load the CSV file into either a new table or an existing table. Loading the data into an Oracle XE user table is just a few clicks away.

Once you have the data loaded in the table, you could do this (connected to user@XE):
insert into t@ENTORA select * from t;
commit;
I’m assuming that both t@ENTORA and t@XE have the same structure and DB users have the right privileges.
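Rather than assuming the two tables match, it is worth checking before the insert. The script below is an added example, not part of the post: it wraps the same copy in the checks a DBA would normally run. It assumes the ENTORA link created above, a local table T loaded from the CSV, a remote table T in the schema the link connects to, and illustrative column names ID, NAME and AMOUNT.

```sql
-- Added example (not from the post): the CSV-to-ENTORA copy with the checks
-- around it. Assumes the link ENTORA from the post, a local table T (loaded
-- from the CSV in APEX) and a remote table T; the columns ID, NAME, AMOUNT
-- are illustrative. Run connected as the XE user that owns T.

-- 1. Make sure the link resolves and the stored remote credentials work.
select * from dual@ENTORA;

-- 2. Compare structures instead of assuming they match. Any row returned is
--    a column that exists on one side only, or has a different data type.
with xe as (
  select column_name, data_type
    from user_tab_columns where table_name = 'T'
), entora as (
  select column_name, data_type
    from user_tab_columns@ENTORA where table_name = 'T'
)
select 'only in XE' as side, column_name, data_type
  from (select * from xe minus select * from entora)
union all
select 'only in ENTORA', column_name, data_type
  from (select * from entora minus select * from xe);

-- 3. Copy with an explicit column list so a reordered column on either side
--    fails loudly instead of landing in the wrong place.
insert into t@ENTORA (id, name, amount)
select id, name, amount from t;

-- 4. Confirm the row counts agree before committing the distributed transaction.
select (select count(*) from t)        as local_rows,
       (select count(*) from t@ENTORA) as remote_rows
  from dual;
commit;

-- 5. The link definition holds the remote username and password in the XE
--    data dictionary, and anyone who can use the link acts as that remote
--    user. Drop it when the one-off load is done.
drop database link ENTORA;
```

Step 5 is the part people skip: a link created for a quick load on a desktop XE instance is a standing credential to the production database, so treat it as temporary.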
Poof! Your CSV file is loaded into a table on your non-XE Oracle database.
For more Oracle DB XE benefits, check out Lewis Cunningham’s article on OTN: Oracle Database 10g Express Edition: Not Just for Learners.
If you have downloaded and installed Oracle DB XE, what do you use it, or plan to use it, for?
5 Comments | Filed in Oracle, Tips | Tags: application-express, Security, tool, xe

What is a rootkit?
According to Symantec’s definition:
A rootkit is a component that uses stealth to maintain a persistent and undetectable presence on the machine. Actions performed by a rootkit, such as installation and any form of code execution, are done without end user consent or knowledge.
Rootkits do not infect machines by themselves like viruses or worms, but rather, seek to provide an undetectable environment for malicious code to execute. Attackers will typically leverage vulnerabilities in the target machine, or use social engineering techniques, to manually install rootkits. Or, in some cases, rootkits can be installed automatically upon execution of a virus or worm or simply even by browsing to a malicious website.
Once installed, an attacker can perform virtually any function on the system to include remote access, eavesdropping, as well as hide processes, files, registry keys and communication channels.
Does a rootkit exist for Oracle?
Yes. In fact, Alexander Kornbrust, of Red Database Security GmbH, is developing Version 2.0 of a rootkit program he first unveiled in April 2005.
Why has Alex created a rootkit?
Alex claims his rootkits are not hacking tools but are designed to underscore weaknesses in databases from Oracle, Microsoft and others that make it easy to hide malicious activity.
What is the difference between the first version of Alex’s rootkit and the newer version?
The new version of the database rootkit modifies the memory of the running Oracle instance. Administrators could detect the first version of the rootkit by noting changes in the size of the data dictionary views it had modified. The new version will allow attackers to disguise malicious elements without modifying the database views.
This is what I learned from reading this eWeek.com article. I had never heard about rootkits until I read the article. I believe that more DBAs should be educated about this kind of stuff (if they are not already). Better yet, create a new position within your organization, a DBSA. Guess what the “S” stands for?
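Since the article says the first version worked by modifying data dictionary views, the natural DBA response is to compare those views with the base tables underneath them. The queries below are an added example, not from the eWeek article and not Alexander Kornbrust’s code: they assume a rootkit that hides an account by rewriting views such as DBA_USERS or ALL_USERS, or by repointing public synonyms, and they need to be run as SYS or another DBA. By the article’s own description, the in-memory second version does not touch the views, so these checks will not see it.

```sql
-- Added example (not from the eWeek article or Kornbrust's code): baseline
-- checks for the view-tampering technique the article attributes to the
-- first rootkit version. Run as SYS or a DBA. Version 2, which works in
-- memory, leaves the views alone and is not detected by any of this.

-- 1. Accounts present in the base table but missing from the views.
--    SYS.USER$ holds users (TYPE# = 1) and roles (TYPE# = 0); DBA_USERS and
--    ALL_USERS are views over it, so a hidden user shows up here.
select u.name as hidden_from_dba_users
  from sys.user$ u
 where u.type# = 1
   and u.name not in (select username from dba_users);

select u.name as hidden_from_all_users
  from sys.user$ u
 where u.type# = 1
   and u.name not in (select username from all_users);

-- 2. Public synonyms with dictionary names that no longer point at SYS.
--    Repointing the synonym at a look-alike view in another schema is the
--    cheap way to alter what "select * from dba_users" returns.
select synonym_name, table_owner, table_name
  from dba_synonyms
 where owner = 'PUBLIC'
   and synonym_name in ('DBA_USERS', 'ALL_USERS', 'DBA_ROLES',
                        'V$SESSION', 'V$PROCESS', 'DBA_OBJECTS')
   and table_owner <> 'SYS';

-- 3. SYS-owned views and package bodies altered after creation. Patch sets
--    touch these too, so compare against a baseline taken after patching
--    rather than treating every hit as an intrusion.
select object_name, object_type, created, last_ddl_time
  from dba_objects
 where owner = 'SYS'
   and object_type in ('VIEW', 'PACKAGE BODY')
   and last_ddl_time > created + 1/24   -- skip the install's own recompiles
 order by last_ddl_time desc;

-- 4. Record the size of the views the article says the first version grew,
--    so a later run can be diffed against this one.
select view_name, text_length
  from dba_views
 where owner = 'SYS'
   and view_name in ('DBA_USERS', 'ALL_USERS', 'DBA_ROLES',
                     'V_$SESSION', 'GV_$SESSION')
 order by view_name;
```

Query 1 is the one to keep: it does not depend on remembering what the views looked like, only on the fact that SYS.USER$ is the table the views are built from. Queries 3 and 4 only mean something relative to a baseline captured on a clean, freshly patched instance.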
3 Comments | Filed in Oracle, Technology | Tags: rootkit, Security

I have a password overload. Everywhere I go on the Net, I have to login. That means I have to memorize dozens of user name and password combinations.
I could just use the same user name and password on all sites, but this is not only insecure but also most of the time not possible because different sites have different requirements for user name and password size and complexity.
Just to give you a taste of what I deal with on a routine basis and what requires me to provide my user name and password: Continue reading…
11 Comments | Filed in Personal, Technology | Tags: password, Security, software, tool

Oracle announced two “security” acquisitions today: Thor Technologies and OctetString. Here is part of the e-mail which I received a few minutes ago from Thomas Kurian, Senior Vice President, Oracle Server Technologies and Hasan Rizvi, Vice President, Oracle Security & Identity Management: Continue reading…
1 Comment | Filed in Oracle | Tags: acquisition, identity-management, Security

In response to the recent publication by Joshua Wright and Carlos Cid, entitled “An Assessment of the Oracle Password Hashing Algorithm”, Oracle has just sent out the following e-mail to its customers (I got it a few minutes ago): Continue reading…
Comments Off | Filed in Oracle | Tags: password, Security

This morning when I was checking my work e-mail from home, I found this e-mail from “Oracle Global Product Security” in my in-box: Continue reading…
Comments Off | Filed in Oracle | Tags: Security, worm

The encrypt and decrypt functions have been enhanced in CFMX7 to accept optional arguments that are not in the ColdFusion MX 7 documentation.
The arguments to the encrypt and decrypt functions are changed as follows:
Encrypt(string, key, [algorithm ,encoding ,IVorSalt ,iterations])
Decrypt(string, key, [algorithm ,encoding ,IVorSalt ,iterations])
Read the complete ColdFusion technote here.
Comments Off | Filed in ColdFusion | Tags: encryption, Security