
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Internet wars



I mentioned a couple of weeks ago in a post titled "Oracle Application Server 10g ORA_DAV basic authentication bypass" that I subscribe to the bugtraq mailing list over at Security Focus and that I recommend everyone else do the same to keep up to date with security in general, bugs and exploits, and also to be abreast of Oracle security exploits when they occur; or rather are released.

I made a note of a post to this mailing list a couple of weeks ago to go and read the article. The post is "An account of the Estonian Internet War" and I printed out the article referenced in it and took it to read on our family holiday to North Wales last week, along with the new second edition of Kris Kaspersky's "Hacker Disassembly Uncovered", which I have to say is much better than the first edition. I will talk about that book again when I have finished reading it, although now I am back at work reading time will diminish considerably.

Gadi Evron also wrote an article on the Estonian internet war. This is titled "Battling Botnets and online mobs - Estonia's defense efforts during the internet war" and is fascinating reading. It's not a deeply technical read but the content and implications are frightening. What's it got to do with Oracle Security? - not sure at the moment. I think this is a new phenomenon and it will happen again. The article states quite clearly that NATO issued a swift response, George W Bush spoke to the Estonian president, the Pentagon sent people there and NATO agreed to establish research facilities to understand how to counter these sorts of attacks. What's the risk to Oracle databases? - who knows at present. The issue for me is the number of sites that are creating applications that use Oracle databases as the data store and also expose the application to a wider intranet or even the internet; these are potentially in the direct firing line of these sorts of attack. The paper talks about key infrastructure being controlled by the net in Estonia, such as banking, voting and even parent/teacher relationships. Any application exposed directly or indirectly to the internet could be attacked, and if they are backed by an Oracle database, my experience of Oracle database security audits shows that an Oracle database in general is a good target!!!