Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Updated internals and Oracle applications security page"] [Next entry: "default passwords and Oracle default passwords"]

Brian talks about site registration



I was browsing http://www.orablogs.com - (broken link) orablogs as one of my usual ports of call and saw Brian Duff's post titled http://www.orablogs.com/duffblog/archives/000838.html - (broken link)Why do I have to register? posted a couple of days ago.

I read this post with interest as I found empathy with Brian's views on registering with sites. I agree that in this day and age its hard work to keep up with a huge pile of usernames and passwords that we all tend to keep on top of reading what we want. Whilst not getting into the views / arguments about why sites collect user’s names and email addresses, Brian points out that it’s obvious why, I wanted to talk about Brian’s post here because it got me thinking about an aspect of Security that is not often discussed.

Brian mentioned that the site he was discussing has broken a major tenet of usability by including actions that the user has to d that help the site owner and not the user. This is of course security. This is an interesting thought, security getting in the way of usability. Whilst it is of the utmost importance to secure websites, applications and of course Oracle databases we should always consider usability and accessibility when implementing security or defining security policies that have to be implemented by someone. This is a key issue I come across all the time but I usually get involved after the design stage because I am auditing an existing live production Oracle database for security issues. I find problems, settings and configurations, design choices etc that can make an Oracle based application vulnerable. I suggest solutions to fix the holes but quite often there are discussions based around usability and cost effectiveness of applying security after the fact.

This is why security should be designed in from the start not just added at a later date, perhaps as a result of an Oracle security audit I have performed or perhaps because the site or database was hacked or abused by someone.

We should always consider usability when recommending security policies and solutions. Don't skimp on security but if there is a way to keep the application or site still fast and usable so it. This also benefits us security people as if users and admin staff are not inconvenienced by security they are more likely to think about security themselves and embrace it.

Just quickly back to Brian's post. I liked the idea of a single sign on for websites around the world where authentication is necessary. This would be a useful move forwards but could we trust the single sign on sites (who would collect huge databases of details on us)?

Also remember that all of these websites demand usernames and passwords. How many of use the same username and password again and again. I try to avoid doing this, although to be honest I am like Brian and do my best to avoid sites that require me to register.

Think about this, a DBA holds passwords for all your production databases. These passwords are for privileged accounts. He might register for maybe 5, 10, 15 websites for various reasons, support, news, simply entertainment. Does he reuse the same passwords he has used in your organisation?

What if a hacker were attack the DBA's home PC and steal his website passwords, would the hacker then be able to attack your company’s servers? - There would be no tell tale signatures on the companies network that indicated stealing passwords. Maybe wide acceptance of sites that require registration are also a security risk to the private users employers. Maybe companies should include in their site password policies that employees should not re-use passwords in their own time. Is this overkill or paranoia? - Maybe, maybe not. It never hurts to be over cautious when security is thought about, hang on though are getting into he usability issue again..:-)

One last thought. I posted a couple of weeks or so here about a security tool call http://www.oxid.it/cain.html - (broken link) Cain and Abel in a post titled "Great tool for security checking a PC" that is a useful read (and tool) if you have forgotten a password for a website you have subscribed to and saved it. Also it is worth checking out a tool like this to see what passwords are easily available from your own PC.