Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Transparent Data Encryption (TDE) certified for Apps 11i"] [Next entry: "Download some free chapters from the Oracle Hackers Handbook"]

Oracle Hackers Handbook

I just received a preview copy of the new book by David Litchfield, "Oracle Hackers Handbook" - ISBN 978-0-470-08022-1. I have skimmed through all pages and now I will start and read it cover to cover. It is a good book and one that should be on the shelf of anyone interested in how hackers can break the security of an Oracle database. Its a short book, some 140 pages of content not including the appendix of default passwords and also not including first chapter which is a primer on Oracle architecture. The book includes details on the Oracle network architecture. David talked about an aspect of this recently in a full disclosure post and I talked about this here in a post "Stealing Oracle passwords from the wire". He goes on to cover attacking the listener, the dispatcher, the authentication process and a lot of detail around PL/SQL, unwrapping, SQL Injection, privileges, triggers, indirect privilege escalation,defeating VPD, Oracle web apps, how to run OS commands, the file system and attacking the network.

This is a good book and anyone serious about securing their Oracle databases should read it.