Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Use of Windows login details - single sign on for web applications"] [Next entry: "tracing inside a PL/SQL procedure"]

Google hacking and reverse engineering Java



I ordered Johnny Long's book "Google Hacking for penetration testers" from Amazon.co.uk on Monday and it just arrived today. Thank god the rain was not too hard as our postman left the package behind our garage - not a very clever plan! - and it was quite wet when I got home at tea-time. Luckily the books were not damaged.

Obviously I have not had the time to read the book yet but I have had a quick flick through. The subject of Google hacking is very relevant to all companies who expose anything at all via a web site or via computer systems that are exposed to the Internet. If you run an Oracle database or Oracle tools such as iSQL*Plus and they are exposed to the net then it is easy to find your site in Google and if sites found can be matched with known exploits you could become the victim of a scripted attack. This is an exciting new way to hack or rather reconnoitre attacks.

The book seems very thorough in its discussions of Google and hacking. There is only a short mention of Oracle specifically near the end of the book in discussions about SQL Injection. That said there is plenty for those with an interest in Oracle security. Johnny starts the book with a look at how to use Google and then a look at the advanced features or rather operators. He then talks about hacking basics and pre-assesment. Then network mapping, locating exploits and finding targets. he then looks at some standard searches and also shows how to find things like web servers, passwords et al. Johnny then talks about protecting your own site from Google hackers and also automating searches.

I am looking forward to reading this book, its quite long at almost 500 pages so it may take me some time. I need a link on learning how to speed read I guess. I have quite a backlog of books to read at the moment..:-(

Whilst I was ordering Johnny Longs book I noticed by chance another book "Covert Java: Techniques for Decompiling, Patching and Reverse Engineering" by Alex Kalinovsky, so i ordered this book at the same time. I am not an expert Java programmer - I have dabbled a bit. I know C++ better and C much much better. I like to follow some of the Java posts on the net and Java is quite an important technology in Oracle circles. The Java procedures in the database are not as much written about as PL/SQL and there is not a huge amount out there on securing Java in an Oracle context. I also follow the posts of the JDeveloper programmers on http://www.orablogs.com - (broken link) OraBlogs. I have always been sceptical of using Java in the database as there are many tools out there to decompile the bytecode and turn it back into source code so firstly it can be read (trade secrets divulged?) or hacked (Trojans) or many other issues. So when I saw this book it looked like an ideal opportunity to understand the issues of reverse engineering Java and how it works, how we can protect against it and how real the issue is. Again I have not read the book yet (of course) but when I have I will report back and also pen some details on the security of Java in the database with respect to the issues I have mentioned. Looks like an interesting read though.