Limited Oracle Security Newsletter Issue 003

Hi Everyone,

Welcome to the October 2008 newsletter. It has been about two months since the last one (issue 002 is also now online at Newsletter 002 on my website) but it is not five years like the last gap. In the last newsletter I promised (well OK, promised is a bit strong) to get the next one out in 2 to 4 weeks :-), perhaps I should refrain from promises and just get a newsletter out as soon as I can.

Newsletter Format

Well, as you know the last newsletter took around 5 years to get out, well five years since the previous one; when I decided it was time to get a newsletter out I had a problem that I described last time, the old list of subscribers was stored in a backup of an obsolete news/email program and I had many issues with software to send, dedicated server based (where my site is hosted), desktop based software, ISP SMTP issues and bulk email. Anyway; to cut to the chase I have now got a much more stable platform this time, the plan is that this will help me manage the newsletter and also get it out easier and more often. I promise I won't talk about this again going forward, I promise, back to Oracle security after this. One last point is that I have decided that the newsletter will be simply text based as most people can handle this. After the last newsletter I got a number of complaints from people around HTML/Text format and I have decided that text is the best overall solution that suits most people.

Oracle Security Training News

I have a number of dates booked for my 2 day training class (taught by Pete Finnigan) on how to perform a security audit of an Oracle database. I have taught this class quite a number of times over the last year and it has become very popular with all types of delegates; from developers, DBAs, designers, security testers, auditors, managers... The class is not all things for all men and is clearly based around the whole process of performing a security audit of an Oracle database, from cradle to grave (planning to write-up), there is a lot of material, fast paced, lots of demos and a huge amount of useful information for anyone planning an audit, hiring someone in or actually wanting to do the audit themselves.

Details can be found here: - Oracle Database Security Audit Training - including an agenda and also dates for the classes. I am teaching the class on October 28th and 29th in Edinburgh, then in Holland on November 3rd and 4th and Sweden on November 19th and 20th. In December I am also teaching it in Germany (9th and 10th December) and Norway (15th and 16th December).

Registration details can be found on the page above, I would love to see any of you there, the course is always well received and popular.

USA Based Training

I am currently working with a US based company to organise my training class in the states early next year on multiple dates/locations. Please let me know if you are interested, I will also post more details when we have worked them out.

Speaking Events

I have spoken a number of times over the last couple of months on the subject of Oracle security in London, Reykjavik and also on a webinar organised by Sentrigo. The webinar was recorded by Sentrigo through the gotomeeting software. I downloaded and watched it and the recording is quite good, so much so that I am now considering recording my training class in a similar manner to offer it as self study distance learning (It is early days yet on this, but if anyone is interested please let me know as that would spur me to get it sorted and available quicker. I have had a few enquiries around this possibility already).

Back to the webinar, this is worth downloading or streaming as you can get a chance to hear me speak about Oracle security without leaving your desk / laptop. In the talk I start with a live "real life" demo of how to hack an Oracle database and how to find and steal credit cards.

Lastly on the subject of speaking events, I have also lined up three slots at the UKOUG in December in Birmingham, the first is my "back to basics" talk. The talk is not intended for beginners but is more of a "I am an accomplished DBA now, what do I do first with security". This talk went down really well last time I gave it, so it's worth turning up for. I also have a two hour masterclass slot on the last day (I haven't completed it yet, it's based loosely on last year's but with substantial updates, if there is anything you would like including now is your chance!!). Finally I have also landed an Oracle security round table slot (for the third year running) and this year we have some great guest panellists, myself, Paul Wright, Slavik Markovich and also the special guest Duncan Harris of Oracle who runs the CPU process amongst other things.

Oracle Security News

The highlights this month have been the release of my Oracle Password cracker written completely in PL/SQL. I have created a page dedicated to it - Oracle Password Cracker in PL/SQL - that includes details of why I wrote it, how it works and also download links.

This is a great tool for anyone to use as it doesn't have any dependencies and can be run as a SQL script through SQL*Plus or any other Oracle client. The whole idea behind releasing this tool was to encourage people to test the strength of their database passwords and to fix the weak ones. Most clients I talk to do not test password strength or have audit enabled or have password profiles. Most obviously have weak passwords; whilst they accept that passwords should be checked there is often a backlash against using binary based tools such as woraauthbf. This is a shame but I can see the issues with binary based tools. Hence I decided a SQL*Plus script would be good to encourage people to test passwords. It's not as fast as woraauthbf but it catches the key issues fast such as username=password, password=default, password=dictionary word or short passwords, hence it's a great tool for everyone to resolve the issue. If you need more proof, take a look at the recording of my webinar session above where I show very graphically how this is one of the core issues that allow "real attacks" against Oracle databases to succeed.
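The paragraph above lists the weak-password classes the cracker finds (username=password, default passwords, dictionary words, short passwords) and notes that most sites have no password profile. The block below is an added example, not code from the newsletter or from Pete Finnigan's cracker: it is a password verify function, attached through an Oracle profile, that rejects those same classes at password-change time so they do not reappear once the cracker has found them. The function name PF_VERIFY_PASSWORD, the profile name STRONG_PWD, the user name SOME_APP_USER and the tiny word list are all assumptions constructed for this example; the function must be created in the SYS schema for a profile to reference it.

```sql
-- Added example (not from the newsletter). Create as SYS.
-- Rejects the weak-password classes the PL/SQL cracker reports on.
CREATE OR REPLACE FUNCTION pf_verify_password (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2
) RETURN BOOLEAN
IS
    TYPE word_list IS TABLE OF VARCHAR2(30);
    -- Constructed sample dictionary of defaults and common words;
    -- a real deployment would load a full word list here.
    dictionary word_list := word_list('WELCOME', 'PASSWORD', 'ORACLE',
                                      'MANAGER', 'CHANGE_ON_INSTALL', 'TIGER');
    pwd VARCHAR2(128) := UPPER(password);
BEGIN
    -- Short passwords: the class a brute force finds first.
    IF LENGTH(pwd) < 10 THEN
        raise_application_error(-20001, 'Password must be at least 10 characters');
    END IF;

    -- username = password (Oracle compares case-insensitively pre-11g, so compare uppercased).
    IF pwd = UPPER(username) THEN
        raise_application_error(-20002, 'Password must not equal the username');
    END IF;

    -- password = default or dictionary word.
    FOR i IN 1 .. dictionary.COUNT LOOP
        IF pwd = dictionary(i) THEN
            raise_application_error(-20003, 'Password is a default or dictionary word');
        END IF;
    END LOOP;

    -- Require some mix of character classes so a plain word with a suffix is harder.
    IF NOT REGEXP_LIKE(pwd, '[0-9]') OR NOT REGEXP_LIKE(pwd, '[A-Z]') THEN
        raise_application_error(-20004, 'Password must contain both letters and digits');
    END IF;

    RETURN TRUE;
END;
/

-- Enforce it through a profile (assumed name STRONG_PWD) together with
-- lockout and expiry limits, then assign the profile to an account.
CREATE PROFILE strong_pwd LIMIT
    PASSWORD_VERIFY_FUNCTION pf_verify_password
    FAILED_LOGIN_ATTEMPTS    10
    PASSWORD_LIFE_TIME       90;

ALTER USER some_app_user PROFILE strong_pwd;
```

The profile only takes effect when a password is next set or changed, so existing weak passwords stay in place until they are rotated; that is exactly the gap the cracker script is meant to find, and the two belong together as one audit-then-fix cycle.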

October 14th CPU (Critical Patch Update)

I was credited in Oracle's advisory for the October 2008 CPU. This will be accompanied by an advisory from me over the next few days but in the meantime I can let you know what it was I reported to be fixed. The APEX (Oracle Application Express; was HTML DB; was Project Marvel) has users/schemas installed in the database that have excessive privileges, and I mean really excessive. I reported this to Oracle and they have turned around pretty quick to work on fixing the privileges to reduce them. This is commendable from Oracle as in the past they have not judged excessive privileges as a security bug as such because there is not a direct attack vector. I applaud the change and actions on this.

Happy 4th birthday to my blog

My blog had its 4th anniversary last month and I created a post to briefly summarise the history of the blog - Happy 4th birthday, Pete Finnigan's blog

Finishing Up

OK, that is it for this newsletter, I am not making any rash promises but I will hope to get another one out pretty soon. Thanks for listening and I hope you are around for the next one.

[You have received this email newsletter because at some time between July 2003 and now you have subscribed to the Limited newsletter by sending an email to - if for any reason you do not wish to continue receiving this email newsletter then please send an email to and we will remove you from our mailing list subscriber list. For our legal and privacy statement please read the link contents]