
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.


Data Exposure, leakage and Reporting

I have had a few interesting interactions over the last week or so regarding data supposedly leaked from my website. This is interesting from two perspectives. The first is that three people emailed me and told me that my website is in danger and that I should remove the file Oracle Default Passwords as it's a danger. Another person sent me a short dump from this page and a third sent me a typed-up report that this looks like an SQL dump from my website. The second reason it's interesting is that this is not a dump from my website and is part of a free tool written by Marcel-Jan Krijgsman to analyse for default passwords in an Oracle database. My website does not use an Oracle database and this is not a user/password dump from my website of course, but anyone reading this will know that. Also the OSP code that Marcel-Jan created from my default password list is old and is not the best way to analyse default passwords any more; a password cracker and my much bigger default list is a better approach now BUT the tool is still valid.

When I perform detailed security audits of customers' Oracle databases I also look for data that sits outside of the database (a similar analogy to this) and especially where that data includes passwords. So I understand the background to looking for passwords. Someone who emailed me also advised that I reset all of these passwords; again a valid thing to say BUT this is a free tool, not passwords for my website.

Why the focus now on finding passwords on my site? Well, it's not a targeting of my site per se, I guess. One person told me that they found me at the top of the listings with a Google search of "ext:sql intext:username intext:password", so this search must be doing the rounds. But Google searches do not distinguish between real data leakage and data that may contain passwords but is not a leakage; in my case it's a free tool. Some investigation should be done even after finding what looks like a gold mine.

Is it wrong to look for this data? It depends on your intentions of course. I also use Google (and other searches and sites) to look for anything leaked from a customer to the wider internet, so there is nothing wrong with this if intentions are good.

Should you check the relevance of what you have found before going further? Maybe. In this case, without any Oracle knowledge it would be hard to know if this was a password dump of my website or part of a tool. A quick query of the website itself would have located the rest of the Oracle default password tool.

Am I bothered that three people emailed me to tell me to remove this page (one anonymously and two others not)? NO, of course not; I am not bothered, I am actually quite impressed that three people took the time to tell me that my website is in danger and that I should remove this file. Of course I am not going to remove it as it's not actually a danger, but I am heartened that people took the time to tell me that I may have an issue.

I have added a comment to the top of the SQL page that says it's a tool and not a password dump from my website, but if someone else emails me to say it's a danger I will still thank them!!

There have been 2 comments posted on this article

August 10th, 2016 at 12:53 pm

Pete Finnigan says:

Oh man, the Oracle Default Password list. I believe that list is ten years old now. At least. And of course it has only <= 10g hashes.

But the fact that people report it is actually a good thing. I agree, even if they don't know its origins.

August 11th, 2016 at 09:28 am

Pete Finnigan says:

Thanks Marcel-Jan for your comment. My list of unique Oracle default passwords is around 1600 now; if we include every username=password then it's over 8800. I simply use the 1600 list now in a password cracker as that's a better way to test it.

But, yes, reporting it even if it's not an issue is a good thing.