
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Cold remedies and Oracle Security

OK, it is a strange title for a blog post, but bear with me; there is a reason for it.

In the UK, and I am sure in many other so-called developed countries, there is an accepted idea that there is no known proper cure for the common cold. The reality is somewhat muddied, as various very large companies, and equally many smaller companies and individuals, produce all sorts of cold remedies by the bucket load and sell them to us from the shelves of large supermarkets and pharmacies.

I have had colds throughout my life and tried various lemon drinks with Paracetamol, cough mixtures, nose drops and medicines, but none ever really cure you, so I have always been in the camp of believing the UK doctors that there is no proper cure. In fact, if you have a cold (a very bad cold) and you go to the doctor here in the UK they won't give you anything; except that sometimes, maybe, they may give in and give you stronger cough mixtures, which also inevitably don't work.

Then you can mention the "antibiotic" word and the doctors say "no, you cannot have them and they won't work, blah, blah, blah... it's a virus, viruses do not get killed off by antibiotics..." - so you end up feeling ill for weeks on end. I personally remember having a very bad cough when speaking at the UKOUG conference a few years ago; after some 5 weeks of coughing the doctor finally prescribed antibiotics and lo and behold I was better in 2 days (should I be putting my medical details in print considering my recent post "Health Data Theft"? BTW, Frank emailed me from DC to say that my fears were right: you cannot view the TV programme online from outside the UK).

In my case antibiotics worked that time, which made me slightly suspicious as to why they would not work all the time.

Then we can take the flip side: if you live in the former Soviet Union or various other countries in eastern Europe then you can get cold cures and they work; these are not hocus-pocus but cures available from pharmacies, properly packaged by drug companies, often without prescription. I know for instance of "biseptol" - I may have the name slightly wrong as I am going from memory - a course of tablets that cures a cold dead. These tablets "obviously", amongst other things, include antibiotics; people in the former Soviet Union are fixed quickly. They even sell smaller-dose tablets for children if I remember correctly.

What's the point of this discussion? Well, hard and fast rules in one place are not hard and fast rules in another. What works in one country will work in another; just because the solution is not available, or it doesn't conform to the way of thinking or the laws, doesn't mean it's not valid. It's like the time when the world was flat: everyone believed it was flat until proven otherwise.

Is the Soviet solution a sledgehammer to crack a peanut? I don't know, I am not a doctor or pharmacist, but the main point is that just because the rules of the UK say that there is no cure doesn't mean that there isn't one, even if you cannot buy these solutions here (I didn't check but I am guessing not - legally, of course).

Why did I start to think about this? Well, I was remembering one thing Mary Ann said in her interview in the OTN lounge at Oracle Open World and it made me think. She said - paraphrased - "wouldn't it be great if the database could protect itself; if it could detect an attack and prevent it, that would be great". I am not convinced this is completely achievable, simply because the set of attacks is huge and, when combining layered attacks, it is hard to develop some automated built-in solution.

Imagine that Mrs Jones wants to change her own salary; the screen she uses allows her to increase her salary but not approve the change, her manager Mrs Smith must do this. There are roles and responsibilities, segregation of duties implemented, and more. Normal changes of salary done according to procedure are not detected as suspicious, BUT if Mrs Jones simply makes the change, queues it for approval, jumps on Mrs Smith's terminal and approves it, how would it be detected? Instead, imagine she is a ninja hacker and takes a different approach: she creates the salary update and queues it, but then intercepts Mrs Smith's communications with the server and modifies the screens she sees in real time. She could alter the approval to look like another and get Mrs Smith to do it. The point is, how would the database detect this? It cannot; it's application layer. I guess Mary Ann meant database-layer bad news such as a SQL injection in progress? Fine, but how do you tell a SQL injection apart from genuine dynamic SQL (just because it's bad practice doesn't mean people won't do it - think UK and Soviet cold remedies)? Again it's not always possible, because we must go up to the application layer to categorise issues.

OK, argue differently: maybe a bug is detected, a PL/SQL injection in DBMS_METADATA - it doesn't matter which procedure, it's just an example. It's reported to Oracle and fixed in a CPU. It would seem that Mary Ann's solution may work by detecting SQL injections on this particular package, or even by detecting SQL injection exploits that have been published on internet sites. But again, what if an application used this package for its legitimate business purposes AND used dynamic SQL or PL/SQL as part of this; would it be an attack? Maybe, maybe not - again, intelligence is needed from another layer.
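The two paragraphs above turn on the fact that, at the database layer, injected SQL and legitimately built dynamic SQL are the same thing: one statement string arriving for parsing. The following is an added example, not code from the original post or from Oracle: the same legitimate PL/SQL lookup written first with string concatenation and then hardened with DBMS_ASSERT and a bind variable, so that the statement text never depends on caller input. Table EMP and column ENAME are assumed to exist purely for illustration.

```sql
-- Added example (not from the original post). EMP/ENAME are assumed names.

-- Unsafe: caller input is concatenated straight into the statement text.
-- The database sees one ordinary SQL string at parse time and has no way to
-- tell intended dynamic SQL from text a caller has tampered with.
CREATE OR REPLACE FUNCTION emp_count_unsafe (p_table IN VARCHAR2,
                                             p_name  IN VARCHAR2)
  RETURN NUMBER AUTHID CURRENT_USER
IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || p_table ||
                    ' WHERE ename = ''' || p_name || ''''
    INTO l_count;
  RETURN l_count;
END;
/

-- Hardened: the object name is validated with DBMS_ASSERT.SQL_OBJECT_NAME,
-- which raises ORA-44002 for anything that is not an existing, well-formed
-- [schema.]object name, and the search value travels as a bind variable, so
-- it is data to the parser and can never become part of the SQL text.
CREATE OR REPLACE FUNCTION emp_count_safe (p_table IN VARCHAR2,
                                           p_name  IN VARCHAR2)
  RETURN NUMBER AUTHID CURRENT_USER
IS
  l_count NUMBER;
  l_table VARCHAR2(200);
BEGIN
  l_table := DBMS_ASSERT.SQL_OBJECT_NAME(p_table);
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || l_table ||
                    ' WHERE ename = :1'
    INTO l_count
    USING p_name;
  RETURN l_count;
END;
/
```

Both functions are "genuine dynamic SQL" as far as any in-database detector is concerned; the difference that matters is made in the application code, which is the layer the post argues the intelligence has to come from.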

It was a really interesting point that Mary Ann made and there is some mileage in it, but I think further intelligence and knowledge is required in the solution for it to be effective.

What about the comparison to cold cures again? Well, for some there is no cure, for others there is, and which group is which is fluid and flipping. The fact remains that if a cure exists then it should work for all, whether they or their peers believe it or not. I again had a reason for saying this. The thing I often get asked by my clients is why Oracle portrays itself as a "security company" when the security features are often not there by default, or you have to pay more for them. Some, I can appreciate, should be cost options, such as identity and access management, but what about encryption for the network or within the database? What about the features of DV (Database Vault), great idea; Label Security, great idea; Advanced Security, nice solid technology. I like the concepts, but they are not free and most sites I work with don't use them; pity. Settings are recommended in Oracle's own security guide but are not implemented in the database; "do as I say, not as I do" springs to mind. Why is this so? Well, because it's hard to do as stated.

There have been 2 comments posted on this article

October 26th, 2009 at 08:19 pm

Pete Finnigan says:

I do not believe in "magical solutions": they simply do not exist. IMHO, it's great to have this kind of product (some sort of IDS/IPS) integrated in a database system _just_ from a marketing perspective.

You can develop an integrated IDS/IPS and it will, perhaps, catch some non-skilled attackers. Well, it is great as you're catching some attackers but, as with any other "automagic detection system" (IDS/IPS), they will be bypassable in a number of ways and, if the software contains flaws, they will be exploited.

IMHO, again (smile), the unique solution to have a secure system is to develop software securely and to audit it as part of the development and QA processes.

October 27th, 2009 at 08:26 am

Pete Finnigan says:

Hi Joxean,

Thanks for your comment. You are saying the same as me; I also don't believe some magical solution exists... That's what I tried to say by showing examples that cannot be solved auto-magically, as you suggest.

Also, as you suggest though, some "background noise" could be protected against, BUT what is the point? It's like the argument to revoke the PUBLIC execute privilege from UTL_FILE: what's the point; there are too many other ways to get to the file system.

I think your best point is that you **could** protect against non-skilled attackers in some cases. If it were free and part of the software (see the rest of my article for why I think this would not happen!) then it's a selling point; it's not perfect and never will be, BUT it's a selling point.

Thanks for your comment