Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "interesting thread on how to secure a third party application"] [Next entry: "Brian Duff talks about connecting to Oracle servers with ssh"]

massive data theft from a database in California

I found this news item today posted on Network World Fusion and written by Paul Roberts. It was published a few days ago but is still relevant. The state of California has announced that a massive theft of personal data has taken place from a database at the University of California, Berkeley.

The database contained up to 1.4 million records of a personal nature such as social security numbers, birth dates, names and addresses etc. According to a spokesman:

"investigators know a malicious hacker exploited a vulnerability in "commercially available database software" and compromised the computer, but they don't know if the attack was targeted, speculating that malicious hackers possibly discovered the system by scanning for machines running vulnerable versions of the database software."

We do not know if this database is an Oracle database or an MS SQL database or another database. It more than likely wasn't but it doesn't really matter to the rest of us. This item should be a warning to all those who run Oracle databases, even if this issue was not involving Oracle. Any database that is exposed to the Internet or even a wide area network and if that database has not been patched then it is vulnerable to this sort of attack.

Hackers are out there writing scripts to find vulnerable databases with known vulnerabilities. Do not let them get yours.