Oracle Security papers
The following list of links aims to bring together a collection of some of the white papers, articles and presentations out there on the internet about database security and Oracle security in particular. The lists below include papers written by Pete Finnigan for other websites, for this website and for many conferences worldwide. This page also includes many papers and presentations written by many other people.
If anyone has any good links or papers about Oracle security in particular that I have not found myself yet, please let me know the URL and I will add them to the list below. Please email pete@petefinnigan.com.
Page two of the Oracle Security papers can be found here.
Oracle Security papers written by Pete Finnigan
The following are papers written by Pete Finnigan for various web sites.
Paper Title | Description |
Protect your Database with SQL Firewall in 23c | This is the second presentation I did at the UKOUG 2023 conference in Reading, UK. This was a walk through of the new SQL Firewall in 23c and how it works and a live demo of setting it up and using it. |
Oracle Database Vault in Real Life | I gave this presentation at the UKOUG 2023 conference in Reading, UK. This is a discussion focused on securing data in an Oracle database and placing Oracle Database Vault into that process. |
User Least Privilege | This is a presentation I did at the UKOUG in Liverpool in 2018 about least rights in an Oracle database. |
Appreciation of auditing and securing Oracle | I did this speech at the ISACA event at Croke Park in Dublin in 2018. I was one of the keynote speakers and spoke after the Irish ICO. This was a great event. |
Oracle Database Password Security | This is the presentation I gave in Slovenia in 2021. This discusses password security in the Oracle database and the need for strong database passwords. |
Secure Coding in PL/SQL | This is the presentation I gave at the UKOUG in 2020. This presentation discusses the issues to focus on to solve secure coding issues in your PL/SQL. |
Good Audit Design | This is the presentation I gave at the UKOUG in 2020. This presentation discusses the elements needed to make a good audit trail design in your database. |
ERP Security | This is the presentation I gave at the UKOUG in 2020. This presentation covers the issues that apply to customers running an Oracle database to support an ERP system. |
Incident Response and Forensics | This is the presentation I gave at the UKOUG in 2021. This talk is about how to respond to a breach of your Oracle database and covers the three main areas of breach response, live response and forensic analysis of the Oracle database. |
Database Vault without Database Vault | This is a short presentation that I gave in Slovenia in 2022. This discusses what Database Vault is and what it does and how we can have similar results without it. |
Create Onion Layers of Security | This is the presentation I gave at the UKOUG in 2022. This discusses the layers of security that can be created around data in an Oracle database. |
Adaptive Audit and Adaptive Security | This is the presentation I gave in early 2023 in Slovenia. This discusses creating adaptive audit trails as well as adaptive security in the Oracle database. |
Securing Data in Oracle | This is the presentation I did at the UKOUG security day a couple of years back where I did the keynote speech. This is an updated version of that talk that was given at another event online more recently. |
GDPR for the Oracle DBA | This is the presentation I did at the UKOUG Northern Technology Summit at the Park Plaza in Leeds, UK on May 16th. This was an enhanced version of the talk I did to a packed room at the UKOUG conference in Birmingham in December 2017. This talk went down really well again in Leeds and the thrust of the talk was to discuss how GDPR affects the Oracle DBA and what elements of GDPR may involve the DBA. |
Audit The Oracle Database - PFCLATK Toolkit | I did a 30-minute live talk on Thursday 5th April 2018 at a PALSIT conference in Ljubljana, Slovenia. I appeared by webex in the room and spoke about audit trails in the Oracle database that are aimed at the database engine itself. In other words an audit trail that looks for abuse of the database rather than just the applications layer. The talk focused on hacking two web applications and reviewing what audit trail records were created by the standard audit provided by Oracle in the database - the settings usually associated with the AuditVault agent settings. The hacks (quite a few) went undetected. I then presented a PL/SQL and SQL based toolkit that I have created to enable simple policy based audit trails in the database. The toolkit was overviewed and then deployed to my test database. Some of the SQL Injection hacks were then done again and the audit trails inspected to see how the new audit trail performed. This now captures attacks and records meaningful audit trails. |
https://www.hpe.com/us/en/insights/articles/nontraditional-pathways-to-a-cybersecurity-career-1801.html - (broken link) News Article That Interviewed Pete Finnigan | At the end of 2017/beginning of 2018 Lisa Vaas interviewed me about how I got into Oracle security for the article she wrote on HPE. The article covers me and a few others and Lisa asked us how we got into security and what we wished we knew when we started. |
http://www.prohuddle.com/webinars/petefinnigan/oracle-database-vault.php - (broken link) Oracle Database Vault Security | I gave this presentation for ProHuddle on the 23rd of January 2018. This is the live recording of my presentation on ProHuddle. |
Oracle Database Vault Security | I gave this presentation for ProHuddle on the 23rd of January 2018. This was a paper that focused on Database Vault and what it is and what it does and how it should be used and secured. The second half of the talk posed the question: what if you don't have Database Vault or you cannot afford it or you simply cannot use it because maybe you are running Standard Edition and installing Database Vault is not possible? |
https://www.delphix.com/resources/white-paper/securing-oracle-non-production-data - (broken link) Oracle Security Paper With Delphix | This is the second paper that I wrote for Delphix after reviewing their product technically by testing it in depth. My focus was to see how Delphix can help someone secure their databases. The first paper in the link below focused on database masking but this paper focuses on the issue of consistent database security and also the problem of securing many databases such as non-production. Please have a read of the paper to get my findings. |
https://www.delphix.com/resources/white-paper/mask-or-not-mask-why-we-dont-mask-our-data - (broken link) Oracle Security And Delphix Paper | This is the paper I wrote for Delphix in 2016 that was based on a technical review I did of their product to see how it can benefit security of data in an Oracle database. In this paper I looked at data masking, what it is, what possible solutions exist and how Delphix supports masking. I also explored some of the reasons people do not mask their data in non-production databases. I tested the Delphix product in depth and this paper and also a webinar that I did discussed these details. |
Oracle Security Design | This is the presentation that I did at the UKOUG conference at the ICC in Birmingham on the 7th December 2015. The room was well attended and I got some good questions and interactions. The paper is all around the core ideas that you must design applications in the database with least privilege in mind and unless you separate data from function and even function from function there can be no privileges to manage. |
Oracle Database Password Security | This is the presentation that I did at the UKOUG conference at the ICC in Birmingham on the 9th December 2015. Again we had a good turn out and some good interactions. The talk was all about password design, what algorithms the database provides and how to ensure that the most secure ones are used. We also explored password cracking and security of password hashes as well as password safe software. |
Building Practical Audit Trails | This is the presentation that I did at the UKOUG Database SIG in Oracle's London office on September 15th 2015. This was a good event with a good turnout and some good speakers. My paper attached received some good feedback and also some good questions on the day. It is a high level look at designing audit trails, what's available in the database and some detailed discussions on some elements. The paper also compares free solutions (the database technologies) and commercial. |
https://www.sans.org/reading-room/whitepapers/analyst/protecting-access-data-privilege-oracle-database-vault-35712 - (broken link) Protecting Access to Data and Privilege with Oracle Database Vault | This is the detailed paper that I wrote for SANS and sponsored by Oracle about implementing and using Database Vault in 12c. This is a detailed walk through of the product and showing by example how it may be used in the real world. |
Secure PL/SQL coding | This is the talk I did a couple of times last year (2012) for the UK Oracle User Group; once in London and once in Edinburgh. The talk is all about PL/SQL and coding issues that can make the PL/SQL code exploitable. I did a live demo showing how a vulnerable piece of PL/SQL code in a schema can allow an attacker to execute any PL/SQL code in that same schema or access any data in that schema where he would not normally have access. The talk looked at SQL Injection, finding bugs, securing PL/SQL, license features, tamperproofing and more. |
Identify Yourself In The Oracle Database | I gave this talk at the conference last year for the UKOUG and then subsequently at one SIG and also a conference in Norway and also for an OWASP chapter meeting in Leeds. I held back on adding the slides to my site in case I did the talk again but the time has come to add them now. The talk covers identity and accountability in the database looking at what values that identify a person are captured in the session via various means and also what values that may identify a person are then transferred over to the audit trail. We also looked at "what is identity" and "what is identity at the database level" and discussed accountability in the database. The two are linked, you cannot be accountable if you cannot be identified. I also looked at spoofing details of identity in the database. This is a serious issue if you use core audit or if you rely on identifiers for security products such as VPD or FGA or system triggers. I finished off the talk with a discussion about detecting spoofing and preventing spoofing/identity theft in the Oracle database. |
We Must Secure Data not Software | I gave a talk at the UKOUG security day at Bletchley Park on September 13th. This was about the problem of understanding that you must secure data and not the software itself. This should be obvious but it doesn't seem to be to most people. I also covered the process of securing that data. |
Securing Oracle - Part 1 (0.2 Meg) Securing Oracle - Part 2 (0.1 Meg) Securing Oracle Demos Notes (0.07 Meg) | I gave a two part talk to the UKOUG Unix SIG in Thames Valley Park on September 8th 2010. The talks were really focusing on the issue of securing the data not the database software. There were plenty of demos (6 in all) that ranged from a simple downloadable exploit to a much more stealthy attack. The main idea was to show the risk to the data and where it really is, who can access it and how they might avoid your security. I have included the PDFs of the slides from the two talks and also I have written down the steps I took during the demos as when I have done demos previously people have emailed asking for videos etc. The steps are the best I can do! |
Logica Guru4Pro Presentation (0.4 Meg) | This is the presentation I gave on June 2nd at Logica on the outskirts of Den Haag. This was a great presentation, well attended and also some great questions and discussions. The focus of the presentation is how easy it is to steal data and what the first steps should be in protecting that data. |
Paper reviewing Sentrigo Hedgehog Enterprise (2.3 Meg) | This is a paper I have written to review the setup and use of Sentrigo HedgeHog Enterprise Edition. The paper focuses on how to use Hedgehog and covers the two major rule sets that are available, vPatch and custom rules. The paper gives 3 detailed examples for each rule set and shows how to set up and use them and also shows demo exploitation of the database to show that Sentrigo Hedgehog is alerting on the rules set up to capture the inappropriate traffic. |
The right method to secure an Oracle database (Webinar with Sentrigo, March 9th and 11th 2010) (0.6 Meg) The right method to secure an Oracle database - 6 Slides (Webinar with Sentrigo, March 9th and 11th 2010) (0.3 Meg) | This is the webinar I did in conjunction with Sentrigo on March 9th and 11th 2010. The talk covers the process of securing an Oracle database but with a proper focus to the task rather than simply following a checklist. A checklist is fine for general hardening but not for securing data as there is no method to ensure that the data that must be protected has indeed been protected. This is based on the same talk given at the UKOUG and is modified slightly from that. So this is now the latest version. |
The right method to secure an Oracle database (UKOUG Birmingham, Nov 30th 2009) (0.6 Meg) The right method to secure an Oracle database (UKOUG Birmingham, Nov 30th 2009) (0.3 Meg) | These are the slides from my presentation at the UKOUG conference in Birmingham for 2009. The talk is closely based on the same talk done previously at the northern server tech day and also at the inaugural OWASP meeting in Leeds. This is now the latest copy of these slides and I probably will not give the same talk again or update them again. |
The right method to secure an Oracle database (OWASP Leeds, Oct 14th 2009) (0.6 Meg) The right method to secure an Oracle database (OWASP Leeds, Oct 14th 2009) (0.3 Meg) | This is the presentation I gave at the inaugural OWASP Northern chapter (soon to be, he he), currently Leeds chapter. This was a good meeting, the first of many I hope; a good crowd and myself and Justin Clarke speaking. This is the paper I gave in York earlier in the year but it's been modified quite a bit and I also had one hour this time so the discussions went a bit deeper than York. |
The right method to secure an Oracle database (Webinar with Sentrigo, July 22nd 2009) (0.9 Meg) The right method to secure an Oracle database - 6 Slides (Webinar with Sentrigo, July 22nd 2009) (0.6 Meg) | This is the webinar I did in conjunction with Sentrigo on July 22nd 2009. The talk covers the process of securing an Oracle database but with a proper focus to the task rather than simply following a checklist. A checklist is fine for general hardening but not for securing data as there is no method to ensure that the data that must be protected has indeed been protected. |
The right method to secure an Oracle database (UKOUG UNIX SIG, Wolverhampton, May 20th 2009) (0.9 Meg) The right method to secure an Oracle database - 6 Slides (UKOUG UNIX SIG, Wolverhampton, May 20th 2009) (0.6 Meg) | This is my presentation from the UNIX SIG organised by the UKOUG. This is the same talk I did recently in York so see the description there. The slides have been updated slightly though so this is the latest version of them. |
Oracle Security Masterclass (OUGF, Helsinki, Finland, May 14th 2009) (1.7 Meg) Oracle Security Masterclass - 6 slides (OUGF, Helsinki, Finland, May 14th 2009) (1.1 Meg) | This is the Oracle security masterclass slides I presented in Helsinki, Finland to the OUGF on May 14th. The slides are based on the masterclass presented at the UKOUG last December in Birmingham, UK. The slides have been modified slightly so this is the latest version available. The bulk of the talk was live demonstrations so even though there are 70 slides you really needed to be there to get the full effect! |
The right method to secure an Oracle database (UKOUG Northern Server Tech Day, York, April 28th 2009) (0.9 Meg) The right method to secure an Oracle database - 6 Slides (UKOUG Northern Server Tech Day, York, April 28th 2009) (0.6 Meg) | This is my presentation from the third northern server technology day organised by the UKOUG. This time it was held in my home city of York, so that was fun. The talk is slightly based on one small part of the master class I did last year at the UKOUG conference. The focus of the talk was on one idea alone; this is to start with the data not start with a checklist. Checklists still have value but they are not specific enough to your own organisation so we need to focus specifically on the data first. |
Using Oracle VPD in the real world (UKOUG DBMS SIG, Slough, March 17th 2009) (0.5 Meg) Using Oracle VPD in the real world 6 Slides (UKOUG DBMS SIG, Slough, March 17th 2009) (0.2 Meg) | This is the paper I gave at the UKOUG DBMS SIG held in the Baylis hotel in Slough on the 17th March 2009. The paper is an update of the one I did a year or so ago. The focus is not around the nitty gritty of how to use VPD (Virtual Private Database), Fine Grained Access Control (FGAC), Row Level Security (RLS), wow so many names for one technology, but on the security implications of using a security technology. VPD provides additional controls on the access to data at the level of the data but the implementation of this technology in your database must also be considered and protected. It is also important to consider the data and the possibilities to bypass the controls in VPD. So the focus of this paper is really around making sure that you implement it securely. The code from the talk is also available as a file called vpd2.sql. |
Oracle Security Masterclass (UKOUG Birmingham, December 5th 2008) (1.7 Meg) Oracle Security Masterclass 6 Slides (UKOUG Birmingham, December 5th 2008) (1.1 Meg) | This is the second paper I gave this year at the UKOUG conference. The masterclass is becoming a bit of a tradition. This is the third one that I have given and this year's is a completely new presentation. I had intended to refresh and update last year's but decided on a complete new one. This year I also departed from the previous years and included a lot of demos and also decided to cover a small number of issues in depth. This year I covered how easy it is to steal from an Oracle database and also how to audit in depth user accounts, access to credit card data and also issues around accessing the operating system. The focus is on depth and not trivial checks of access. |
Oracle Security Basics (UKOUG Birmingham, December 1st 2008) (0.9 Meg) Oracle Security Basics 6 Slides (UKOUG Birmingham, December 1st 2008) (0.3 Meg) | This is the first paper I gave this year at the UK Oracle User Group conference in Birmingham. The paper's title is derived from the "back to basics" day we had with the UKOUG back in February. This was a successful event and it was good to give this paper again. The basics is not meant to mean absolute basics but is intended for a DBA who is experienced but is perhaps not experienced in security. Therefore this paper's aim was to highlight the core security issues that he/she should look at first. This is based on the February paper given in London but is not the same. The talk back in February was for one hour but this time I had just 45 minutes so it's cut down a bit; the paper is also updated in quite a few places with some new and modified slides. |
Oracle Security Masterclass (White-hats London, September 26th 2008) (1.2 Meg) Oracle Security Masterclass 6 Slides (White-hats London, September 26th 2008) (0.6 Meg) | This is the Oracle Security Masterclass that I did for the White-Hats group at the Institute of Directors in London on the 26th September 2008. The talk went very well and was well attended. The masterclass is based around previous talks at RISK and also the Webinar done recently. I used a similar demonstration of hacking an Oracle database to steal credit cards as I did for the recent webinar. The focus of this talk is also based around the issues, i.e. why does an Oracle database become insecure and also focusing on the key issues in the database. The core of the talk discusses how to plan and conduct a security audit of an Oracle database. |
Oracle Security Masterclass (Webinar with Sentrigo, September 23rd 2008) (0.4 Meg) Oracle Security Masterclass 6 Slides (Webinar with Sentrigo September 23rd 2008) (0.1 Meg) | This is the webinar session that I did with Sentrigo on September 23rd 2008. This was a good session where I did a ten minute demo of hacking and stealing credit cards from the database. I then discussed some of the core issues that are normally wrong with a database. |
Oracle Security Masterclass (Skrr Fall Conference, Reykjavik, Iceland 12th Sept 2008) (1.9 Meg) Oracle Security Masterclass 6 Slides (Skrr Fall Conference, Reykjavik, Iceland 12th Sept 2008) (1.0 Meg) | This is my two hour Oracle Security masterclass that I gave at the Skrr Fall Conference in Reykjavik, Iceland on September 12th 2008. The masterclass is aimed at getting everyone up to speed on why an Oracle Security audit is needed and how it fits into the whole process of securing an Oracle database. An audit is the important first step in securing an Oracle database. The results flow into the process of fixing a database, testing and rolling out to all databases. The bulk of the talk focused on what the issues are and how a database can be attacked and then how to perform an audit at a high level. |
Archive And Purging In A Security Context (UKOUG Archive And Purge Special event) (0.7 Meg) Archive And Purging In A Security Context (UKOUG Archive And Purge Special event) - 6 slides per page (0.4 Meg) | This is my presentation I gave at the UKOUG Archive and Purge special event in London at the Radisson SAS, Portman Square on the 15th July 2008. This is a completely new paper aimed specifically at the archive and purge special event but with a firm focus on the security aspects of archive and purge. I concentrated on two things, the archiving and purging of security data, such as audit, and also on the security aspects of the normal business processes involved in archiving and purging business data. |
Oracle Security Tools (UKOUG Northern Server Day) (0.8 Meg) Oracle Security Tools (UKOUG Northern Server Day) - 6 slides per page (0.5 Meg) | This is my presentation I gave at the UKOUG Northern Server Technology Day in Newcastle on the 19th June 2008. The paper is based on that below given at the Management and Infrastructure SIG. The paper was originally given at the 2007 conference in Birmingham but has changed slightly. |
Oracle Security Tools (UKOUG Man & Inf SIG) (0.8 Meg) Oracle Security Tools (UKOUG Man & Inf SIG) - 6 slides per page (0.5 Meg) | This is my presentation I gave at the UKOUG Management and Infrastructure SIG at the Oracle city office in London on the 17th June 2008. This paper is based on the same one given at the UKOUG conference in Birmingham last year but has some changes made to it. |
Oracle Forensics (OUG Scotland) (0.6 Meg) Oracle Forensics (OUG Scotland) - 6 slides per page (0.3 Meg) | This is my presentation I gave at the Oracle User Group Scotland DBA SIG in Edinburgh on April 30th 2008. The presentation is based on the one I did for the UKOUG conference in Birmingham last year but has had quite a few edits done to it since. So it's worth downloading the latest copy this time. |
Oracle Security Basics (OUGN) (0.8 Meg) Oracle Security Basics (OUGN) - 6 slides per page (0.3 Meg) | This is my presentation I gave at the Oracle User Group Norway in Oslo, Norway on the evening of the 22nd of May. The slides are based on the earlier Oracle security basics presentation done for the UKOUG in London in February and subsequently updated for the UK Northern Security Group below. These slides were updated again for the talk in Norway so are changed slightly from the version below, so for anyone interested in this talk it's worth getting the latest version here. |
Oracle Security Tools (OUGN) (0.8 Meg) Oracle Security Tools (OUGN) - 6 slides per page (0.3 Meg) | This is my presentation I gave at the Oracle User Group Norway in Oslo, Norway on the evening of the 22nd of May. The slides are based on the earlier Oracle security tools presentation done for the UKOUG conference in Birmingham last year. These slides were updated slightly for the talk in Norway so are changed slightly from the version below, so for anyone interested in this talk it's worth getting the latest version here. |
Oracle Security Audit (RISK 2008) (1 Meg) Oracle Security Audit (RISK 2008) - 6 slides per page (0.5 Meg) | This is my presentation I gave at the RISK 2008 conference in Oslo, Norway on the 23rd of May. The slides are based on the earlier Oracle security masterclass presentation I did for the main UKOUG conference last year in Birmingham. That talk was 2 hours long. This talk is a subset of some of the slides and condensed to one hour. The content was also changed in places and a number of new slides were added so it's by no means the same talk as Birmingham. |
Oracle Security Masterclass (0.8 Meg) Oracle Security MasterClass - 6 slides per page (0.3 Meg) | This is my presentation I gave at the Northern UK Security Group on the evening of 14th April 2008 in Leeds. This is a cut down version of the masterclass and the back to basics presentation. It's mostly the same as the previous basics paper but a number of the slides were tweaked, so it's worth downloading this updated version. |
Oracle Security Webinar (0.4 Meg) Oracle Security Webinar - 6 slides per page (0.15 Meg) | This is the presentation I gave live via a webinar on March 28th 2008 over the internet. This paper is based on my Oracle security masterclass but also included a 15 minute demonstration of hacking an Oracle database and locating and stealing credit card data. |
Oracle Security Basics (0.8 Meg) Oracle Security Basics - 6 slides per page (0.5 Meg) | This is my presentation from the UKOUG Back to Basics event held in London on February 28th. This was a first of a kind special event that included Tom Kyte, Pete Finnigan, Jonathan Lewis and Julian Dyke. Each presenter attempted to reduce their skill area to more basic tenets to allow people with less experience (perhaps after completing Oracle training) to go to the next level. The event was well subscribed and of course I spoke about getting the Oracle security basics sorted and right. |
Using Oracle VPD in the real world (0.7 Meg) Using Oracle VPD in the real world - 6 slides per page (0.3 Meg) | This is my presentation from the UKOUG Unix SIG held in London on January 22nd. The presentation is about using VPD in the real world and as would be expected from me it targets the issues around securing VPD itself. It puts VPD in perspective in that it is not a holistic solution but should be part of an overall security solution and itself should be hardened, otherwise it can be easily bypassed. |
Oracle Security Masterclass (4.1 Meg) Oracle Security Masterclass (1.2 Meg) | This is my two hour Oracle Security master class from this year's UKOUG conference in Birmingham delivered on December the 6th. The paper starts by looking at why someone may want to hack an Oracle database, the types of attacks and some background. The bulk of the presentation concentrates on how to perform a security audit on an Oracle database. Finally the paper rounds up with a brief look at the next steps to take after the audit is completed. |
Oracle Forensics (1.4 Meg) Oracle Forensics (0.4 Meg) | This is my presentation from the UKOUG conference in Birmingham 2007 on December the 5th. The paper is covering the fairly new subject of Oracle Forensics. The interest in this area has grown over the last few years mostly due to the issues of data theft and identity theft growing vastly. The paper looks at what Oracle forensics is, where to find out information, what research is going on. It then looks at where it's possible to find forensics information and then launches into some examples of how to mine for data and clues. |
Oracle Security Tools (1.6 Meg) Oracle Security Tools (0.6 Meg) | This is my presentation from the UKOUG conference in Birmingham 2007 on December the 4th. This is a paper that looks at what Oracle security tools are available, both commercial and also mostly free. The paper attempted to review all the types, look at classifications and also tested whether Oracle had provided anything and also discussed some of the key issues with deploying Oracle security tools and then went on to demo a lot of the tools that are available. |
Oracle 11g Security (1.2 Meg) Oracle 11g Security (0.2 Meg) | This is my presentation from the UKOUG DBMS SIG held at Chesford Grange (Le Meridien Warwick) on November 7th 2007. This paper explores the new features added to Oracle 11g that are specifically added to enhance security. I also covered some of the key security risks with an Oracle database and showed how 11g has made great strides towards improving the protection against those issues. I also covered some of the more subtle additions added to 11g that improve security but are not publicised as such. The talk then goes into some details around some of the core new security features. |
Oracle Security On Windows (1.8 Meg) Oracle Security On Windows (0.6 Meg) | This is my presentation from the UKOUG Windows SIG held at Blythe Valley Park on September 25th 2007. This paper explores the security of Oracle databases on Windows. I have investigated what is available information wise and also what specific bugs and exploits have been found for Oracle on Windows. The paper also looks at common security issues and investigates how to perform a security audit at a high level. |
How to unwrap Oracle PL/SQL | This is my presentation slides from BlackHat Las Vegas 2006. In this talk I show how it is possible to unwrap PL/SQL that has been wrapped with a 9i or lower wrap utility and in the process show how the wrapping mechanism works internally. I also discuss the changes in the 10g wrapping algorithm. |
Pete Finnigan Podcast about PL/SQL wrapping | This is a podcast I did with Mark Brunelli after my talk at BlackHat. I discussed the issues around the PL/SQL wrapping mechanism used and why it's weak. |
Hacking and Securing Oracle | This paper was presented to the UKOUG Northern Server technology day in Leeds in April 2007. The paper discussed some of the issues and problems that can lead to an insecure Oracle database being deployed. The paper includes many practical examples as well as advice on how to secure an Oracle database. |
Encrypting data, is it possible to prevent access? | This is a paper that I presented at the UKOUG conference in Birmingham in November 2006. I investigate and explore all of the options to encrypt data as it flows through an application that uses an Oracle database as its data store. I look at the free and commercial options available to prevent data theft on the network, the operating system and also within the database. I look at the built-in packages, the problems of key management and also at the viability of solutions to secure data within the database. |
Does VPD, FGA or audit really cause performance issues? | This is a presentation that I gave at the UKOUG conference in Birmingham in November 2006. This paper explores the common myth or perception that adding audit to a database is a surefire way to kill the database performance. Pete has real world experience building audit trails in big databases and he looks at database audit technologies, VPD and FGA and shows that by carefully planned designs and implementations it's possible to use these technologies effectively without killing the performance. |
An Oracle Security Masterclass | This is the 2 hour Oracle Security master class that I gave at the November 2006 UKOUG conference in Birmingham. This paper discusses where to find information about Oracle security, what tools are available and much more. The paper explores all of the different types of exploit that can occur, it includes many exploit examples and finishes with an overview of how to secure an Oracle database. |
How to Secure Oracle in 20 Minutes | This is a short paper that I gave at the InfoSecurity conference in London in 2006. The paper gives a seat of the pants ride into Oracle security and shows why it's better to secure an Oracle database in advance of an attack, rather than to attempt to defend it whilst an attack is occurring. Also despite the common sense view that securing in advance is better, the paper does give some hints on things that may work quickly if you are under attack. |
Many ways to become DBA | This is a pdf of the presentation that I made first at the OUG Scotland conference in Glasgow on October 4th 2005 and then subsequently at a number of other conferences around the world during the last two years until around the middle of 2006. The paper evolved over time and was updated for each presentation. The link included is to the latest version of the presentation. The paper talks about the problems encountered with the security of an Oracle database. I cover where to find information, what the main problems are, some example exploits and problems. I talk about how to audit the database for issues and also then some ideas on how to secure them. Bear in mind that this is a 45 minute presentation and I have tried to give a feeling for the whole area of Oracle security in the database. |
Oracle Row Level Security: Part 2 | This is the second part of a two part paper that has been written by Pete Finnigan for www.securityfocus.com as part of the infocus series of articles. This second part follows on closely after the first part and now explores how to review what row level security settings have been implemented and also discovers how to find out if row level security has been used and whether the real SQL with the new predicate can be found. This is done using trace files and the use of dictionary views. Various issues with implementing row level security are discussed along with suggestions on how to protect the implementation. |
Oracle Row Level Security: Part 1 | This is the first part of a two part paper that has been written by Pete Finnigan for www.securityfocus.com as part of the infocus series of articles. This paper gives a thorough overview of implementing row level security in an Oracle database. An example implementation is shown along with test cases to show how the functionality works. The paper then goes on to discuss some of the issues with row level security and also shows what information relating to a row level security implementation can be extracted from the database with various different methods. Various examples are given. |
Detecting SQL Injection in Oracle | This paper has been written by Pete Finnigan for www.securityfocus.com as part of the infocus series of articles. This paper shows some of the places within Oracle where information in the form of trace files, audit logs or by looking into the data dictionary can be used to detect SQL injection. It keeps its feet on the ground and explores a good set of ideas to simply show what is logged and stored by the system when an abuse occurs. It gives advice on which are viable methods and which are not. Read this paper to get a good idea of the wealth of information Oracle keeps about what users do. |
An introduction to simple Oracle auditing | This paper has been written by Pete Finnigan for www.securityfocus.com as part of the infocus series of articles. This paper describes a basic overview of Oracle's built-in audit features and then goes straight into some simple examples based around auditing user account access to the database. Pete shows how to use some simple SQL queries to find a number of types of abuse such as attempts to guess usernames and passwords, sharing database accounts and access at strange times of the day. This paper should be invaluable to any organisation that wants to see real benefits from using Oracle's audit by showing how basic abuse types can be easily translated into an audit trail and how to check that trail for those abuses. |
SQL Injection and Oracle - 1 | This paper has been written by Pete Finnigan for www.securityfocus.com as part of the infocus series of articles. The paper describes the issues of SQL injection against Oracle databases and uses a simple PL/SQL procedure to demonstrate which parts of the technique are possible. The first part of this paper explores the subject and presents examples. |
SQL Injection and Oracle - 2 | This is the second part of the SQL injection and Oracle paper written by Pete for security focus and follows on from the first part by showing some techniques to find out what privileges the user being injected from has. The paper goes on to discuss detecting SQL injection and some simple ideas to protect against this type of attack. |
A simple Oracle security scanner | This paper describes some of the common security issues associated with an Oracle database installation and was written for security focus. The paper is based around a simple SQL script that checks for a small number of common security issues with Oracle databases. |
http://www.pentest.co.uk/documents/oracle-security.pdf - (broken link) Exploiting and protecting Oracle |
This was the major paper I wrote for a previous employer about Oracle security, written with an attacker's viewpoint in mind.
I wanted, with this paper, to explore some of the main areas of Oracle and question where there could be security issues.
The paper proved very popular.
URL updated to point at the original of the file at Pentest LTD. The file on Security Focus has been removed. |
Revealing clear text passwords from the SGA | This is a posting I made to securityfocus to the pen-test mailing list to describe a situation whereby it is possible with some default privileges to dump the library cache and then read it using the standard package UTL_FILE and, if any Oracle database users' passwords have changed, then read those passwords in clear text. |
http://tisc-insight.com/newsletters/323.html - (broken link) Exploiting and protecting Oracle - The Internet Security Conference Insight Newsletter | This is a newsletter article I wrote for TISC to introduce the paper I wrote for a previous employer. This insight paper details some of the issues in securing an Oracle database. To access the paper go to the link above and search for Pete Finnigan and click on the link. |
Default password list for Oracle |
This is the password list I created for a previous employer. I don't maintain that list anymore. Any list of Oracle default users and passwords
is relatively easy to create by searching through the installation directories of Oracle software, the HTML documentation and also
from various web sites on the Internet. I have additional usernames and passwords that I will make available soon from here.
NOTE :- This link is unfortunately now dead, a new link to a good list of Oracle default passwords has been added at the end of this page. Search with CTRL-F with "Oracle default password list" in this page. |
http://www.dba-village.com/dba/village/dvp_papers.ReturnBlob?PprIdA=222 - (broken link) Investigation of default Oracle Accounts | This is the first paper I did for a previous employer listing Oracle default accounts and their known passwords. I included this list in the large Oracle security paper "exploiting and protecting Oracle" that I wrote. A free login is required for this site. |
Oracle Security checklists
This section brings together some major Oracle security checklists recently published on the Internet. Both lists are based on the SANS book "Oracle security step-by-step - A survival guide for Oracle security" written by Pete Finnigan and published in January 2003 by the SANS Institute.
The following are major Oracle security checklists
Paper Title | Description |
http://www.cisecurity.org/bench_oracle.html - (broken link) Oracle database security benchmark |
This document is produced by the Center for Internet Security
and is one document in a series of benchmark documents. Each document aims to provide a minimum standard
with which to secure a particular piece of software. In this case it is the Oracle database. The document
is based in part on the SANS step-by-step guide on the same subject by Pete Finnigan. A scoring tool is also in development
to accompany the benchmark.
This document has been updated to version 1.1. If you download just the benchmark you do not get the change history for the document but if you download the scoring tool the benchmark and change history are included. Quite a few changes have been made to the paper. Also as indicated the scoring tool is also now available from the same URL. |
http://www.sans.org/score/oraclechecklist.php - (broken link) Oracle database checklist |
UPDATED 23-Sep-2004 This document has just been updated to version 2.0 to reflect the changes made in the new version 2.0
printing of the SANS Oracle security step-by-step guide. Check out the changes.
This document was produced for the S.C.O.R.E initiative on the SANS website. This document was written by Pete Finnigan and is based on the SANS book "Oracle security step-by-step". This document is meant as a checklist to be used when auditing an Oracle database installation. It is not a how to document and doesn't include detailed SQL or operating system commands but provides a comprehensive security check list for Oracle. The paper is available as a MS Word document or pdf file. http://www.sans.org/score/checklists/Oracle_Database_Checklist.doc - (broken link) Word version and http://www.sans.org/score/checklists/Oracle_Database_Checklist.pdf - (broken link) PDF version |
http://www.littlecatz.com/standards/oracle/oracle.html - (broken link) Oracle Database Management System Security Standard |
ADDED 3-Sep-2005
I found this checklist by chance whilst searching for something else. This is a checklist dated 12 March 2003 so is a couple of years out of date. The contents are not the best I have seen for an Oracle Security checklist but are not a bad starting point for someone needing a checklist. The SCORE and CIS lists are much better and much more complete but don't dismiss a smaller list such as this. It has some mistakes in it and is clearly out of date but the structure is quite good. |
http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf - (broken link) Oracle database hardening |
ADDED 19-Nov-2005
I found this Oracle security checklist recently whilst searching Google. This is an Oracle written paper and is quite good as a starting point to secure Oracle. The list is quite good in its scope and coverage. The security items covered are included in other lists and some have been known for some years, but this is a good list and a very good starting point for anyone wanting to secure an Oracle installation. |
Oracle Security papers written by Other authors
The following papers and articles on Oracle database security were written by other authors for various web sites. I am including URLs to the papers here to try and bring together the best Oracle security papers available on the Internet into one place.
Paper Title | Written for | Written by | Description |
http://www.appsecinc.com/presentations/Protecting_Oracle_Databases_White_Paper.pdf - (broken link) Protecting Oracle databases | http://www.appsecinc.com - (broken link) www.appsecinc.com | Aaron Newman | This is a good paper giving an overview of some of the issues and vulnerabilities surrounding Oracle database security. It covers many of the key areas and discusses some ideas for protecting Oracle. |
http://www.appsecinc.com/presentations/oracle_security.pdf - (broken link) Protecting Oracle databases presentation | http://www.appsecinc.com - (broken link) www.appsecinc.com | Aaron Newman | This is a presentation Aaron has given a few times discussing Oracle security and protecting against vulnerabilities. The presentation is based around the above paper. |
Hackproofing Oracle Application Server | www.ngssoftware.com | David Litchfield | This is David's excellent paper covering some of the important database server security issues and also including great coverage of Oracle Application Server issues. The paper also includes a very comprehensive default user password list. |
http://otn.oracle.com/deploy/security/pdf/oow00/orahack.pdf - (broken link) Hackproofing Oracle | www.oracle.com | Howard Smith | Howard's paper is an excellent start to securing the RDBMS against attacks. The paper describes Oracle's own internal efforts with ethical hacking. |
http://www.dbspecialists.com/presentations/net8_security.html - (broken link) Securing Oracle Network Traffic | http://www.dbspecialists.com - (broken link) www.dbspecialists.com | Roger Schrag | Excellent paper covering many aspects of securing Oracle Net8. The paper covers securing the listener to refuse or accept requests from specific IP addresses. Also covered is using ssh (Secure Shell Protocol) to make Net8 more secure and also Roger talks about optionally tunnelling through firewalls. |
Oracle's Latest Security Patches May Attract Hackers | www3.gartner.com | John Pescatore | News report about the latest slew of Oracle security alerts. |
http://www.appsecinc.com/presentations/HackProofing_Oracle_App_Server.pdf - (broken link) Hackproofing Oracle 9iAS | http://www.appsecinc.com - (broken link) www.appsecinc.com | Aaron Newman | This paper is a presentation given by Aaron. The paper covers a good overview of 9iAS security issues. |
http://www.idefense.com/papers.html (broken link) - Best Practices for Securing Oracle | http://www.idefense.com - (broken link) www.idefense.com | This is a good overview paper on how to secure Oracle databases. This paper can be downloaded by filling in the form on the above URL and then the paper will be emailed to you. | |
http://www.oreilly.com/catalog/orasec/chapter/ch07.html - (broken link) Developing a database security plan | www.oreilly.com | Marlene Theriault, William Heney | This is the sample chapter from the excellent book "Oracle security". This was the first major book on the subject and has only fairly recently been joined by another work by Marlene and Aaron and more recently the SANS step-by-step guide. |
http://www.geocities.com/ckempster/wpapers/oracle/databasesecurity101.pdf - (broken link) Database Security 101 | Richard D Newallis, SPRINT | Good Oracle security strategy introduction document describing various threats and levels of protection. Detailed Oracle security is not covered to any depth as the bulk of the paper could be applied to any database implementation. But, this is a very good paper overall. | |
http://www.doug.org/presentations/DOUGMay99pres.PDF - (broken link) Oracle database Security: Tips and Tricks | http://www.dbcorp.com - (broken link) DBCORP Information Systems Inc | Simon Pane | These are the presentation notes for an Oracle security talk made for DBCORP. The paper covers a good overview of the basic Oracle security issues and gives a top 10 best practice tips for Oracle security. The paper also covers a multitude of other good Oracle security settings and tips. This presentation can be used as an excellent Oracle security check list. |
Hacker Proofing Your database | www.osborne.com | Marlene Theriault, Aaron C Newman | Sample chapter from the Book Oracle Security Handbook. |
http://www.sans.org/rr/appsec/oracle.php - (broken link) An overview of Oracle database security features | www.sans.org | Lorraina Hazel, CNE | Good overview paper of the Oracle security features in the Oracle RDBMS. |
Oracle Idiosyncrasies | Yong Huang | Good small articles page including a security issue with the listener. The rest are worth reading as well. | |
http://www.stormloader.com/yonghuang/computer/oraclebin.html - (broken link) Oracle Executables | Yong Huang | Not really security but it is useful to have a list in one place of what some of those files are in the bin directory. This list can be useful in deciding what can be secured and / or deleted. | |
http://www.stormloader.com/yonghuang/computer/x$table.html - (broken link) Speculation of X$ Table Names | Yong Huang | Again not really security but it is useful to have a list in one place of what some of the x$ tables are and what they are used for. | |
Conducting a Security Audit of an Oracle Database | www.sans.org | Egil Andresen | Quite a good overview paper written to describe how to audit an Oracle database. Quite wordy in the beginning describing the technicalities of auditing before getting into some Oracle specifics. Overall covers quite a bit of ground and very well worth the time to read it. |
http://www.interealm.com/technotes/roby/encrypt.html - (broken link) Implementing Data Encryption | http://www.interealm.com - (broken link) www.interealm.com | Roby Sherman | Excellent paper covering data encryption within the Oracle database. Covers some of the popular myths surrounding encryption. Also includes some performance tests using encrypted examples. |
Introduction Oracle database Security | http://cellworks.washington.edu | Scottie Swenson | Reasonable presentation paper on Oracle security. |
http://www.interealm.com/roby/technotes/8i-rls.html - (broken link) Internet Security With Oracle Row-Level Security | http://www.interealm.com - (broken link) www.interealm.com | Roby Sherman | Excellent paper covering Oracle's Row Level Security including simple examples. |
http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf - (broken link) A security checklist for Oracle 9i | www.oracle.com | Rajiv Sinha | Good starter paper on how to secure Oracle 9i from the Oracle security team themselves. You will need a free logon to read this paper, simply go and register on the site. |
http://www.orafaq.com/faqdbase.htm - (broken link) Oracle Security FAQ | www.orafaq.com | Frank Naude | Good range of "how to" facts and snippets. |
http://otn.oracle.com/deploy/security/oracle9i/pdf/9ir2_checklist.pdf - (broken link) A security checklist for Oracle 9iR2 | www.oracle.com | Unknown | Good starter paper on how to secure Oracle 9iR2 from the Oracle security team themselves. This is an updated version of the paper above. You will need a free logon to read this paper, simply go and register on the site. |
http://www.interealm.com/technotes/roby/fga.html - (broken link) Implementing Data-Level Monitoring With Oracle Fine-Grained Auditing | http://www.interealm.com - (broken link) www.interealm.com | Roby Sherman | Paper showing good simple examples of fine grained auditing. This paper shows in simple terms how to use this new audit feature. |
Disassembling the Oracle redo log | www.orafaq.com | Graham Thornton | Excellent paper detailing how to read Oracle redo logs from the trace files. This is a useful paper when contemplating forensics after an intrusion. If audit was not used then this could be one method to find out what has happened. Later versions of Oracle bring LogMiner to help in this area. |
General Security Controls within Oracle | Diane Wynne | Very basic review document used as a general checklist for Oracle security issues. More comprehensive lists are available but this could be used as a basic starting point. | |
Oracle Database Audit Program | www.auditnet.org | Plusnina, Svetlana | Oracle security review checklist. Quite basic in terms of background information but quite useful otherwise. |
http://www.palslib.com/Oracle/Security.html - (broken link) Pal's Linux RDBMS Library | http://www.palslib.com - (broken link) www.palslib.com | This website contains a list of Oracle security papers and links amongst other things. I think most of the Oracle security links are covered here also but this good site is worth keeping an eye on for new links. | |
Oracle Security Alert Page | otn.oracle.com | This is the main page where new security alerts are released by Oracle. It is possible to subscribe to receive news of new alerts as they happen. A free login is required to access this page. | |
http://www.interealm.com/roby/technotes/resman.html - (broken link) Implementing the Database Resource Manager | http://www.interealm.com - (broken link) www.interealm.com | Roby Sherman | This is a detailed paper giving an overview of the resource manager functionality. Whilst not specifically security related this article could be useful in a security context as controlling resources could be used to prevent denial of service attacks. |
Encryption of data at rest | www.appsecinc.com | Aaron Newman | This is an excellent paper detailing issues with encrypting data held within a database. It also covers quite well issues with hiding the encryption keys. |
http://www.dba-village.com/dba/village/dvp_papers.PaperDetails?PprIdA=42 - (broken link) Ensuring 100% security in e-commerce applications | www.dba-village.com | Geert De Paep | This is a presentation given by Geert at the EOUG conference in Copenhagen in 1999. This paper describes how to implement row level security, aka fine grained access control in Oracle 8i. A free login is required for this site. |
http://www.dba-village.com/dba/village/dvp_papers.PaperDetails?PprIdA=103 - (broken link) The integration of internets LDAP with Oracle 8i | www.dba-village.com | Danny Gielen | This fine paper discusses the integration of LDAP into Oracle 8iR2. The paper discusses the advantages of using LDAP with Oracle. A free login is required for this site. |
http://www.dba-village.com/dba/village/dvp_papers.PaperDetails?PprIdA=69 - (broken link) Changing the apps database password in Applications Release 10.7 | www.dba-village.com | Henk Van't Net | This short paper discusses how to change the apps database password in 10.7. A free login is required for this site. |
http://www.interealm.com/technotes/roby/9isecurity.html - (broken link) A Major Oracle 9.0.x Security Hole (unbreakable my foot...) | http://www.interealm.com - (broken link) www.interealm.com | Roby Sherman | Short paper describing how the ansi join syntax bug works in Oracle 9i. |
Calling Java from PL/SQL | http://www.unix.org.ua - (broken link) www.unix.org.ua | Extract from the O'Reilly book "Guide to Oracle 8i Features". This extract shows how to call Java from PL/SQL. This is important to know if you wish to protect your Java enabled database from misuse! | |
http://otn.oracle.com/products/ias/ias_utilities.html - (broken link) Utilities for Oracle9iAS | otn.oracle.com | Link to a set of seven utilities provided free of charge from Oracle. The main two of interest from a security perspective are: "Interactive Log File Viewer for Oracle9iAS" and "Infrastructure DB Randomized Password Retriever". The former is a menu driven tool to look at all of the log files generated by 9iAS. This can be useful from a security perspective and the latter is a tool to retrieve the underlying infrastructure database randomized passwords. I will leave it to you to figure out what that can be used for! | |
http://otn.oracle.com/products/oracle9i/daily/oct03.html - (broken link) Fine-Grained Auditing | otn.oracle.com | Very short introduction paper on Oracle fine grained audit in the Oracle 9i database daily feature section. A free login is required to access this site. | |
http://www.interealm.com/technotes/roby/symlinks.html - (broken link) Symbolic Link Inconsistency and Behavioral Change in 9i
http://web.archive.org/web/20040216042624/http://www.interealm.com/technotes/roby/symlinks.html - (broken link) Alternate Link |
http://www.interealm.com - (broken link) www.interealm.com | Roby Sherman | Short paper describing how the symbolic link behaviour has changed in Oracle9i. |
http://otn.oracle.com/deploy/security/oracle9iAS/pdf/securingias.pdf - (broken link) Securing Oracle 9iAS 1.0.2.x | otn.oracle.com | Stephen Comstock | Superb paper on securing the application server from Oracle themselves. Quite a long and thorough paper. A free login is required to access this paper. |
http://asktom.oracle.com/~tkyte/article2/index.html - (broken link) Fine Grained Access Control | asktom.oracle.com | Tom Kyte | Excellent paper discussing fine grained access control and giving examples of the row level security PL/SQL package. This paper was part of a series of articles by Tom on the new 8i features. |
http://technet.oracle.com/docs/products/oracle8i/doc_library/817_doc/server.817/a76965/c25acces.htm - (broken link) Controlling Database Access | technet.oracle.com | Online documentation from Oracle explaining how to control access to an Oracle database. | |
http://technet.oracle.com/doc/network.815/a67766/toc.htm - (broken link) Oracle Advanced Security | technet.oracle.com | Online documentation from Oracle explaining the feature set of Oracle advance security. | |
http://technet.oracle.com/deploy/security/pdf/oow99/dbswp86.pdf - (broken link) Database Security in Oracle 8i | technet.oracle.com | Overview paper describing the major security features in Oracle 8i and how they work. Good paper to read to get an idea of what does what in Oracle security wise. | |
http://asktom.oracle.com/~tkyte/autonomous/index.html - (broken link) Autonomous Transactions | asktom.oracle.com | Tom Kyte | Another paper in the new 8i feature series explaining autonomous transactions. This feature can be particularly useful in auditing based on database triggers. |
http://asktom.oracle.com/~tkyte/Misc/su.html - (broken link) How to become another user in SQL*Plus | asktom.oracle.com | Tom Kyte | Short paper from AskTom that shows the very well un-documented feature of the values command in the alter user syntax to become another database user without knowing that user's password. |
Creating Virtual Private Databases with Oracle8i - Part 1 | www.oracle.com | Mary Ann Davidson | Good paper from Mary Ann Davidson who works in Oracle's security division. This is a good overview paper on the new (in 8i) Row Level Security features. Very well written. |
Creating Virtual Private Databases with Oracle8i: Part 2 | www.oracle.com | Mary Ann Davidson | Second part of the above paper. |
http://asktom.oracle.com/~tkyte/Misc/Random.html - (broken link) How to generate random numbers in PL/SQL | asktom.oracle.com | Tom Kyte | Short paper from AskTom that shows how to generate random numbers from PL/SQL. It should be noted that there are security concerns with using DBMS_RANDOM as part of any cryptography - See the SANS guide for details. |
http://www.sans.org/reading_room/whitepapers/application/database_the_final_firewall_11 - (broken link) Database - The Final Firewall | www.sans.org | S. Brian Suddeth | Good paper describing the many layers that can be used in "defense in depth" when applied to an Oracle database. The paper goes on to describe many areas of Oracle security and recommend many configurations and settings. |
Protecting Your Database | www.oracle.com | Kevin Loney | Short paper written for Oracle publishing and detailing 6 tips for securing an Oracle database. Good basic starting point for Oracle security. |
http://chinaunix.net/forum/viewtopic.php?t=21835&highlight=virtual - (broken link) Virtual Private Databases | chinaunix.net | Example code showing how to implement VPD within Oracle. Ignore the fact that it tries to load in Chinese, the text of the example is in fact in English. | |
http://asktom.oracle.com/~tkyte/Misc/Passwords.html - (broken link) How to store a password | asktom.oracle.com | Tom Kyte | Short paper from AskTom that shows how to encrypt a password in the database or rather hash the username and password. This is for version 8.1.5 and also solutions are suggested for 8.1.6 and after with DBMS_OBFUSCATION_TOOLKIT. |
DAIS: A Real time data attack isolation system for commercial applications | Department of Information systems, UMBC, Baltimore | Peng Liu | Excellent paper describing how to detect changes and reads in an Oracle database with a view to detecting hacker access. This is a very technical paper. |
http://www.sans.org/rr/appsec/database.php - (broken link) Securing Databases | www.sans.org | Paul Carmichael | Good overview paper discussing database security. Quite well structured, although trying to be general it is mostly about Oracle. The paper covers a good range of issues. |
http://www.sans.org/rr/appsec/db_sec.php - (broken link) Database Security in High Risk Environments | www.sans.org | Joaquin A. Trinanes | High level paper not restricted to just Oracle discussing how and why to secure databases. |
http://www.oracledbaexpert.com/oracle/oracleSecurity.html - (broken link) Database Driven Oracle Security | http://www.oracledbaexpert.com - (broken link) www.oracledbaexpert.com | Basic paper to show how to build security between users and Oracle. | |
http://www.praetoriate.com/oracle_tips_security_audit.htm - (broken link) Write a simple security audit script for Oracle | http://www.praetoriate.com - (broken link) www.praetoriate.com | Donald K Burleson | Basic page that gives some small pieces of SQL to check the data dictionary for excessive privileges and privileges granted with the admin option. There are just 4 tips but useful all the same. |
http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf - (broken link) Oracle database listener security guide: March 2003 | www.integrigy.com | Integrigy | This is a superb paper going through the issues with listener security and good tips and steps on how to protect and tighten up a listener installation. Excellent paper, one of the better Oracle security papers around. Read it!. |
http://searchoracle.techtarget.com/originalContent/0,289142,sid41_gci914696,00.html - (broken link) Expert offers tips on securing Oracle databases | www.searchoracle.com | Robert Westervelt, SearchOracle.com News Writer | This is a news item on searchoracle that covers an interview with Donald Burleson where he discusses Oracle security issues and solutions. It is not a bad news item and discusses some of the basic issues. Published 15 july 2003 |
http://www.dbasupport.com/oracle/ora9i/OLS01.shtml (broken link) - Oracle Label Security, Part 1: Overview | www.dbasupport.com | Jim Czuprynski, jczuprynski@zerodefectcomputing.com | This is the first part of an excellent series of papers covering Oracles new label security implementation. The new Oracle Label Security (OLS) functionality is built on top of Oracles Virtual Private Database technology. Jims set of papers cover the basics, an excellent example and flows through a sample implementation sucessfully. Well worth reading. |
http://www.dbasupport.com/oracle/ora9i/OLS2_1.shtml - (broken link) Oracle Label Security, Part 2: Implementation, page 1 | www.dbasupport.com | Jim Czuprynski, jczuprynski@zerodefectcomputing.com | > This is the second part of an excellent series of papers covering Oracles new label security implementation. The new Oracle Label Security (OLS) functionality is built on top of Oracles Virtual Private Database technology. This is part 2 page 1. |
http://www.dbasupport.com/oracle/ora9i/OLS2_2.shtml - (broken link) Oracle Label Security, Part 2: Implementation, page 2 | www.dbasupport.com | Jim Czuprynski, jczuprynski@zerodefectcomputing.com | This is the second part of an excellent series of papers covering Oracles new label security implementation. The new Oracle Label Security (OLS) functionality is built on top of Oracles Virtual Private Database technology. This is part 2 page 2. |
http://www.dbasupport.com/oracle/ora9i/OLS3_1.shtml - (broken link) Oracle Label Security, Part 3: Administration, page 1 | www.dbasupport.com | Jim Czuprynski, jczuprynski@zerodefectcomputing.com | This is the third part of an excellent series of papers covering Oracles new label security implementation. The new Oracle Label Security (OLS) functionality is built on top of Oracles Virtual Private Database technology. This is part 3 page 1. |
http://www.dbasupport.com/oracle/ora9i/OLS3_2.shtml - (broken link) Oracle Label Security, Part 3: Administration, page 2 | www.dbasupport.com | Jim Czuprynski, jczuprynski@zerodefectcomputing.com | This is the third part of an excellent series of papers covering Oracle's new label security implementation. The new Oracle Label Security (OLS) functionality is built on top of Oracle's Virtual Private Database technology. This is part 3, page 2. |
How to write an Oracle security plan | www.dbasupport.com | Marlene Theriault and William Heney | This paper is based on chapter seven of the O'Reilly Oracle security book. This paper is a very good discussion of how to write an Oracle security plan. |
http://www.dbazine.com/hordila10.shtml - (broken link) Automated Data Encryption Management | www.dbazine.com | Mike Hordila | Excellent recent paper that discusses encryption within the Oracle database and provides a PL/SQL library for encrypting data using an automated solution. Well worth the read! |
http://searchoracle.techtarget.com/originalContent/0,289142,sid41_gci927299,00.html - (broken link) Even pros struggle with Oracle security | www.searchoracle.com | By Ellen O'Brien, SearchOracle.com News Editor | Recent news item published on 11 September 2003. This news article talks about the issues of public privileges in Oracle. Mary Ann Davidson, Oracle's security chief, is interviewed in discussion with Aaron Newman. |
How to connect 2 ... n SSH Tunnels | www.akadia.com | An excellent short paper showing how to use ssh tunnels to connect SQL*Plus to an Oracle database. Thanks to Jared Still for bringing this one to my attention. | |
http://www.evdbt.com/UnravelingTheSweater1.pdf - (broken link) Unraveling the sweater - Oracle security part 1 | www.evdbt.com | Tim Gorman | First part of an excellent two part paper examining Oracle and hackers. This was printed in the winter 2003 RMOUG newsletter. This part talks about loopholes and user authentication. A shell script tool is provided to illustrate the issues. A link to this tool is available on our tools page. |
http://www.evdbt.com/UnravelingTheSweater2.pdf - (broken link) Unraveling the sweater - Oracle security part 2 | www.evdbt.com | Tim Gorman | Second part of an excellent two part paper examining Oracle and hackers. This was printed in the spring 2003 RMOUG newsletter. This part talks about the network and the TNS listener. A shell script tool is provided to illustrate the issues. A link to this tool is available on our tools page. |
http://www.evdbt.com/VPD.pps - (broken link) Oracle8i Virtual Private Databases | www.evdbt.com | Tim Gorman | This is a presentation given at the DBA SIG of the UTOUG on 14 February 2001 by Tim. This presentation gives an overview of row level security and comes with a brief example using the scott user. |
http://www.evdbt.com/2003_paper_536.doc - (broken link) Using Oracle8i and Oracle9i Log Miner | www.evdbt.com | Tim Gorman | This is Tim's paper providing a road map of the development and use of the Log Miner tool. Whilst this is not a true security paper, it is still useful to the security practitioner as Log Miner can find a use in the forensics area, particularly when auditing is not enabled. |
http://www.evdbt.com/2003_presentation_536.ppt - (broken link) Using Oracle8i and Oracle9i Log Miner | www.evdbt.com | Tim Gorman | This is Tim's PowerPoint presentation on the same subject as the paper above. |
http://www.evdbt.com/2003_paper_536.zip - (broken link) Using Oracle8i and Oracle9i Log Miner | www.evdbt.com | Tim Gorman | This is the presentation and word doc together as a zip file. |
http://www.interealm.com/technotes/roby/xdb_ports.html - (broken link) Oracle 9i Rel 2 - XDB Port Nightmares | www.interealm.com - (broken link) | Roby Sherman | Nice paper showing various methods of changing and removing XDB ports. |
Oracle password decrypt - Toplink Mapping workbench | www.planet-source-code.com | super_jecht | Short paper posted 26 Jan 2004 to Planet Source Code showing the algorithm that the Oracle TopLink Mapping Workbench tool uses to encrypt passwords. Even though decryption is not shown, this is easy to implement from this algorithm. See http://otn.oracle.com/products/ias/toplink/datasheet.html - (broken link) OTN Datasheet for details of the use of this tool. |
http://otn.oracle.com/tech/java/oc4j/pdf/j2ee-cmp-with-vpd.pdf - (broken link) Leveraging Oracle database security with J2EE container managed persistence | http://otn.oracle.com | Matt Piermarini and David C Knox | This recent paper by Oracle, written by David Knox and Matt Piermarini, explores the issues of security when using J2EE application development and Container Managed Persistence (CMP). This model is great for storing and managing data effectively and for creating rapid application development opportunities, but it can also render the database's security features ineffective. This paper explores this issue and in particular shows how to use the CMP model for J2EE whilst still ensuring effective database security. |
Oracle default password list | www.cirt.net | This is a very good list of default Oracle users and known passwords. Use this list to audit your database. There is also a list available with the code from the SANS step by step book, see here | |
http://www.dbasupport.com/oracle/ora9i/OLS4.shtml - (broken link) Oracle Label Security, Part 4: Conclusion | www.dbasupport.com | Jim Czuprynski, jczuprynski@zerodefectcomputing.com | This is the fourth and final part of this excellent article series covering the subject of Oracle Label Security (OLS). This set of papers complements and extends the Oracle documentation on the subject of Oracle Label Security. This final paper talks about using OLS and also about extending the audit trail to cover changes made to the OLS security policies. Jim also covers modifying and removing OLS from your database. |