
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Interesting news post about Mary Ann Davidson's comments on security education

First of all I must apologise for my lack of posts over the last couple of weeks. Things are very busy at the moment with work and I am having to spend all my time working to complete a piece of work for a client over the last couple of weeks and the next couple of weeks. Normal service on this blog will resume in a couple of weeks time.

I saw an interesting news post a few days ago titled "Software firms fault colleges' security education" (http://news.com.com/Software+firms+fault+colleges+security+education/2100-1002_3-5579014.html - broken link) where Robert Lemos talks about a two hour panel session at the Secure Software Forum where Mary Ann Davidson (Chief Security Officer of Oracle) was one of the panel members. The panel was trying to analyse why flawed software is still the norm in the industry. The discussion focused on the lack of good security training in colleges for students.

Quite an interesting read and worth taking a look.

Alex Kornbrust has updated his upcoming security alerts page

I was browsing Alex's site a few days ago and noticed that he has updated his forthcoming security alerts page to include another 16 security bugs that he has found: 4 are in Quest products (TOAD and SQL Navigator), 3 in Embarcadero products and 9 in Oracle. I previously talked about this page on Alex's site in a post here called "Alexander Kornbrust's upcoming Oracle security bugs", where I discussed the sheer number of bugs Alex has found in various products, mostly Oracle, that have not been fixed yet. Alex is not the only one doing this, as the links at the bottom of his pages show.

Alex Kornbrust's Hardening Oracle Application Server presentation is now in English

I made a post the other day in this blog titled "Alex has presentation notes available and a forthcoming paper" about Alex's presentation notes and said that the paper was in German but an English version would follow soon.

I got a quick email from Alex Kornbrust yesterday to tell me that the English version of his presentation slides "Hardening Oracle Application Server" is now available from his site.

This is a very worthwhile read for anyone with an interest in securing Oracle written by one of the foremost Oracle security bug hunters.

Alex has presentation notes available and a forthcoming paper

I got an email from my good friend Alex Kornbrust a couple of days ago telling me that he is adding some presentation notes for a conference he did and also he will release a paper soon about SQL Injection.

Alex gave a presentation for the German Oracle User Group last November and the notes are currently on his site in German. The paper is called "Presentation DOAG 2004" and the slides are currently as I said in German. Alex sent me an English version and said he would put the English version on his site in a day or so.

Also Alex will be adding a new paper about SQL Injection in Oracle Forms very soon - watch this page on his site. I will also let you know here when it is out.

I have not had a chance to read the English version of Alex's presentation slides as I have had a large deluge of spam emails sent my way over the last 4 or 5 days. A problem of my email address being available on the net and in many newsgroup postings, I guess. This has caused me to change the way emails are delivered to my desktop and I have not yet fathomed how to read attachments that the virus / firewall and email client have deemed dangerous to open in the new client software..:-) Otherwise I could comment further on Alex's presentation.

Tracing inside a PL/SQL procedure

I found an interesting thread on the Oracle-l mailing list a few days ago titled "How to trace what is happening inside the stored procedure". This thread asked if it's possible to trace what is going on inside a PL/SQL procedure. This generated a few interesting comments from a few posters. The thread index is here.

I also wrote a paper about the many ways to set trace in Oracle for the current session or another session and also how to set the different levels of trace. This paper is called "many ways to set Oracle trace for your session, others sessions and at instance level".

The post of interest to me in the oracle-l thread was one by Tanel Poder where he goes into great detail about how X$ tables work and how the MODULE and ACTION data for each session are accessed through the X$ tables. For those amongst you who like internals details, this thread is a must read. Tanel's post is here.

Google hacking and reverse engineering Java

I ordered Johnny Long's book "Google Hacking for penetration testers" from Amazon.co.uk on Monday and it just arrived today. Thank god the rain was not too hard as our postman left the package behind our garage - not a very clever plan! - and it was quite wet when I got home at tea-time. Luckily the books were not damaged.

Obviously I have not had the time to read the book yet but I have had a quick flick through. The subject of Google hacking is very relevant to all companies who expose anything at all via a web site or via computer systems that are exposed to the Internet. If you run an Oracle database or Oracle tools such as iSQL*Plus and they are exposed to the net then it is easy to find your site in Google, and if the sites found can be matched with known exploits you could become the victim of a scripted attack. This is an exciting new way to hack, or rather to reconnoitre targets before an attack.

The book seems very thorough in its discussions of Google and hacking. There is only a short mention of Oracle specifically near the end of the book in discussions about SQL Injection. That said there is plenty for those with an interest in Oracle security. Johnny starts the book with a look at how to use Google and then a look at the advanced features, or rather operators. He then talks about hacking basics and pre-assessment. Then network mapping, locating exploits and finding targets. He then looks at some standard searches and also shows how to find things like web servers, passwords et al. Johnny then talks about protecting your own site from Google hackers and also automating searches.

I am looking forward to reading this book, it's quite long at almost 500 pages so it may take me some time. I need a link on learning how to speed read I guess. I have quite a backlog of books to read at the moment..:-(

Whilst I was ordering Johnny Long's book I noticed by chance another book "Covert Java: Techniques for Decompiling, Patching and Reverse Engineering" by Alex Kalinovsky, so I ordered this book at the same time. I am not an expert Java programmer - I have dabbled a bit. I know C++ better and C much much better. I like to follow some of the Java posts on the net and Java is quite an important technology in Oracle circles. The Java procedures in the database are not as much written about as PL/SQL and there is not a huge amount out there on securing Java in an Oracle context. I also follow the posts of the JDeveloper programmers on OraBlogs (http://www.orablogs.com - broken link).

I have always been sceptical of using Java in the database as there are many tools out there to decompile the bytecode and turn it back into source code, so firstly it can be read (trade secrets divulged?) or modified (Trojans) or many other issues. So when I saw this book it looked like an ideal opportunity to understand the issues of reverse engineering Java and how it works, how we can protect against it and how real the issue is. Again I have not read the book yet (of course) but when I have I will report back and also pen some details on the security of Java in the database with respect to the issues I have mentioned. Looks like an interesting read though.

Use of Windows login details - single sign on for web applications

I saw an interesting post in the Amis blog tonight. The post was made a few weeks ago and is titled "Single Sign On for Web Applications - Use of Windows Login details". In this post Lucas Jellema talks about a post by Matt Raible titled "JCIFS and jWebUnit" which talks about using JCIFS to achieve single sign on with the Windows login for web applications. Lucas said he has not had time to play with this yet and he says it could be a good solution where full blown Portal based SSO is not reasonable or practical. Lucas also points us at a good paper about "Single Sign on" using the Windows login. Again, Lucas's post is here.

Further advice on catpatch.sql

I made a post here yesterday titled "Ed has another post in the catpatch.sql series" about Edward Stangler's comments in his blog about running catpatch.sql after upgrades. His latest post talked about the need to run catpatch.sql after creating a database with the DBCA. This was because the seed database files are created, for 9iR2 at least, with 9.2.0.1 rather than 9.2.0.3.

I got an email from Paul this morning making some comments on my post. Paul said that he always creates a database from scratch. He said that this gives him a warm fuzzy feeling as he then knows that the installed binaries and patches are in good shape. He follows, that he knows he doesn't need to re-patch or run catpatch.sql and also it puts the hardware through its paces. He also said he is not against cloning in general but he just doesn't start on a new database server.

I liked the title of Paul’s email to me "catpatch and rm -rf /opt/oracle/product/10.1.0/db_1/assistants/dbca/templates/*.dfb" - It is good advice to delete the templates for many reasons that include space or security of the files as they can contain sensitive data.

Thanks for the email Paul and the good insights.

Ed Has another post in the catpatch.sql series

I just saw Edward Stangler's new post titled "New databases may require catpatch" on orablogs (http://www.orablogs.com - broken link). Ed mentions his catpatch.sql series of posts made to his blog a while back. I also mentioned them here. This new post is interesting as what Ed is saying is that if you create a database with the DBCA and use the pre-created database you may need to run catpatch.sql on a new database, as the pre-created database files were made with 9.2.0.1 not 9.2.0.3 or later.

Also of interest is the fact as Ed points out that the database template files are simply zip files but with a different file extension (.dfj). This is a useful bit of trivia for anyone interested in internals and undocumented facts about Oracle.

From a security / versioning point of view this is an interesting post from Ed that includes links to other posts of Ed's on similar subjects.

Oracle Security Tools page updated

I was emailed the other day by Dave to tell me that I had incorrectly named the author of the Russian password cracker for Oracle written by Tran Technologies (http://www.trantechnologies.com/pass_cracker.zip - broken link). I said it was written by Bead Dang but in fact it was written by Bear Dang. Sorry to the authors for this mistake. I have updated my Oracle Security Tools page to correct this error.

This is a useful tool for auditing passwords in an Oracle database. It is a PL/SQL program and the source code is included. It does a brute force check to find the passwords that users have set. There is a downside in that it should really be run in a separate database, to prevent resource hogging in the database whose users' passwords are to be checked. Because it is PL/SQL based and uses ALTER USER commands it is quite slow, but it is still useful.

Also remember to check for default Oracle users with default passwords still set as well as auditing users passwords.
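As an added example (not part of the original post, and not the Tran Technologies tool), the Go program below implements the pre-11g Oracle password hash that such crackers brute force, and uses it to check a set of DBA_USERS rows against a few well-known default accounts. The algorithm is the documented one: concatenate username and password and upper-case the result, widen each character to two bytes, zero-pad to eight-byte blocks, DES-CBC with the fixed key 0x0123456789ABCDEF and a zero IV, then DES-CBC the same data again using the last ciphertext block of the first pass as the key; the last block of the second pass is the hash. The sample rows are constructed for the example (the SYS hash stands in for a changed password); the four default pairs are from the public default password lists, of which the real ones run to hundreds of entries.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// oracleKey is the fixed DES key Oracle 7 to 10g use for the first CBC pass.
var oracleKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}

// desCBCLastBlock encrypts data with DES-CBC (zero IV) and returns the final ciphertext block.
func desCBCLastBlock(key, data []byte) []byte {
	block, err := des.NewCipher(key)
	if err != nil {
		panic(err) // only possible for a key that is not 8 bytes
	}
	out := make([]byte, len(data))
	cipher.NewCBCEncrypter(block, make([]byte, des.BlockSize)).CryptBlocks(out, data)
	return out[len(out)-des.BlockSize:]
}

// OracleHash computes the pre-11g DBA_USERS.PASSWORD value for a username/password pair.
func OracleHash(username, password string) string {
	// 1. Concatenate and upper-case: this is why these hashes are case-insensitive.
	s := strings.ToUpper(username + password)
	// 2. Widen each character to two bytes (big-endian) and zero-pad to a multiple of 8.
	var buf []byte
	for _, r := range s {
		buf = append(buf, byte(r>>8), byte(r))
	}
	for len(buf)%des.BlockSize != 0 {
		buf = append(buf, 0)
	}
	// 3. First pass with the fixed key; its last block becomes the key for the second pass.
	key2 := desCBCLastBlock(oracleKey, buf)
	// 4. Second pass; its last block, hex encoded, is the stored hash.
	return strings.ToUpper(hex.EncodeToString(desCBCLastBlock(key2, buf)))
}

// Credential is one username/password pair from a default-account list.
type Credential struct{ User, Pass string }

// AccountRow is one row of: SELECT username, password FROM dba_users (pre-11g).
type AccountRow struct{ User, Hash string }

// KnownDefaults is a tiny sample of the well-known default accounts.
var KnownDefaults = []Credential{
	{"SYS", "CHANGE_ON_INSTALL"},
	{"SYSTEM", "MANAGER"},
	{"SCOTT", "TIGER"},
	{"DBSNMP", "DBSNMP"},
}

// SampleRows is constructed DBA_USERS output for the example, not a real database dump.
var SampleRows = []AccountRow{
	{"SYS", "6B2F3A0C9D1E4F57"},    // constructed: stands in for a changed SYS password
	{"SYSTEM", "D4DF7931AB130E37"}, // still MANAGER
	{"SCOTT", "F894844C34402B67"},  // still TIGER
	{"OPS$BATCH", "EXTERNAL"},      // OS-authenticated account: no hash to compare
}

// FindDefaultPasswords returns, in list order, the usernames whose stored hash
// equals the hash of their default password. Because the hash is "salted" only by
// the username, one double-DES per (user, password) pair is all the work needed and
// it runs offline, putting no load on the audited database.
func FindDefaultPasswords(rows []AccountRow, defaults []Credential) []string {
	byUser := map[string]string{}
	for _, r := range rows {
		byUser[strings.ToUpper(r.User)] = strings.ToUpper(r.Hash)
	}
	var hits []string
	for _, d := range defaults {
		if h, ok := byUser[strings.ToUpper(d.User)]; ok && h == OracleHash(d.User, d.Pass) {
			hits = append(hits, strings.ToUpper(d.User))
		}
	}
	return hits
}

func main() {
	for _, u := range FindDefaultPasswords(SampleRows, KnownDefaults) {
		fmt.Printf("%s still has its default password\n", u)
	}
}
```

Run against the constructed rows it reports SYSTEM and SCOTT; a row whose PASSWORD column reads EXTERNAL is OS-authenticated and is skipped because no hash can match it. The same OracleHash function turns any default password list into a hash list, which is what the offline cracking step in Aaron's paper below relies on.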

port 1521 and redirection

I saw an interesting post last week on the Oracle-L list titled "ye olde 1521" where the poster asked whether the widely held assumption about the way communications with Oracle work is true. The assumption is this: a user connects via port 1521 (or any other port used by the listener); when the connection is established an Oracle server process is spawned and communication is handed off to that process, which then establishes communication with the client on a new random port. The poster, using RedHat AS3, sniffed the network packets and found that this is not true: all communications took place on port 1521. He used a dedicated server connection.

This is a very interesting issue for those interested in Oracle security. There are a few reasons why, firewalls for one, having random ports opened by the shadow processes makes it difficult to control access to and from the database through a firewall. The other main reason we should be interested in this is in the understanding of how Oracle works especially in the area of network connections and data flows.

Amit replied and said that this is only the case for Windows using the winsock API and for Unix all communications go through port 1521. This is because the listener forks and the socket remains intact over the fork process - Tanel will clarify this in a minute.

Wolfgang chipped in that it depends on platform and some IP configuration parameters and confirms that the reasons for the change are due to the Internet and firewalls and the need to not punch lots of holes through the firewall.

Tanel finally came in with a superb post describing the whole situation. There are two mechanisms. With direct hand-off, the listener spawns a new server process and hands it the already accepted connection, so that process continues the communication with the client on the listener's port. With redirect, the listener replies to the client with the IP address and port number of the new server process and the client reconnects there to continue its communications. The main problem, Tanel confirms, was that firewalls Oracle customers needed to use had to be SQL*Net aware and use the Oracle proxy code to sniff the new port and open it.

An interesting point made by Tanel is that fork() is not used for the direct handoff as the listener and oracle binaries are based on different executable images.

Also a great snippet of information is the quote about the listener.ora parameter DIRECT_HANDOFF_TTC_{listener_name} which can be set to ON or OFF that can be used to turn on or off direct handoff. Also Tanel suggests that direct handoff should work with shared servers.

This is great information.
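To make the two mechanisms concrete, here is an added toy in Go (not Oracle's code; the one-line wire format and the names are invented for this example) with a front-door listener that either keeps the accepted socket and serves the client on it (direct hand-off) or answers with the address of a fresh ephemeral-port listener that the client must reconnect to (redirect). Connect reports the remote port the data actually travelled over, which is exactly what a firewall between client and database has to allow.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// Mode selects how the toy listener hands a client to its "server process".
type Mode int

const (
	DirectHandoff Mode = iota // accepted socket is kept: all traffic stays on the listener port
	Redirect                  // client is told a new address and reconnects to an ephemeral port
)

// serve stands in for a dedicated server process: read one line, echo it upper-cased.
func serve(conn net.Conn, r *bufio.Reader) {
	defer conn.Close()
	if line, err := r.ReadString('\n'); err == nil {
		fmt.Fprint(conn, strings.ToUpper(line))
	}
}

// StartListener runs the toy listener on a loopback port and returns its host:port.
func StartListener(mode Mode) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			r := bufio.NewReader(conn)
			if _, err := r.ReadString('\n'); err != nil { // the client's CONNECT line
				conn.Close()
				continue
			}
			if mode == DirectHandoff {
				fmt.Fprint(conn, "OK\n")
				go serve(conn, r) // same socket, same port: nothing new for a firewall to open
				continue
			}
			srv, err := net.Listen("tcp", "127.0.0.1:0") // a fresh ephemeral port for this client
			if err != nil {
				conn.Close()
				continue
			}
			go func() {
				defer srv.Close()
				if c, err := srv.Accept(); err == nil {
					serve(c, bufio.NewReader(c))
				}
			}()
			fmt.Fprintf(conn, "REDIRECT %s\n", srv.Addr())
			conn.Close()
		}
	}()
	return ln.Addr().String(), nil
}

// Connect plays the client: send CONNECT, follow a REDIRECT if one comes back, then
// exchange one line. It returns the reply and the remote port the data line used.
func Connect(listenerAddr, msg string) (reply, dataPort string, err error) {
	conn, err := net.Dial("tcp", listenerAddr)
	if err != nil {
		return "", "", err
	}
	defer conn.Close()
	fmt.Fprint(conn, "CONNECT\n")
	r := bufio.NewReader(conn)
	status, err := r.ReadString('\n')
	if err != nil {
		return "", "", err
	}
	data := conn
	if strings.HasPrefix(status, "REDIRECT ") {
		// The SQL*Net-style redirect: the data connection goes to a port a firewall did not know about.
		if data, err = net.Dial("tcp", strings.TrimSpace(strings.TrimPrefix(status, "REDIRECT "))); err != nil {
			return "", "", err
		}
		defer data.Close()
		r = bufio.NewReader(data)
	}
	fmt.Fprint(data, msg+"\n")
	if reply, err = r.ReadString('\n'); err != nil {
		return "", "", err
	}
	_, dataPort, _ = net.SplitHostPort(data.RemoteAddr().String())
	return strings.TrimSpace(reply), dataPort, nil
}

func main() {
	for _, m := range []Mode{DirectHandoff, Redirect} {
		addr, err := StartListener(m)
		if err != nil {
			panic(err)
		}
		reply, port, err := Connect(addr, "select user from dual")
		fmt.Printf("mode=%d listener=%s reply=%q data_port=%s err=%v\n", m, addr, reply, port, err)
	}
}
```

In hand-off mode the data port printed is the listener's own port; in redirect mode it is a different, ephemeral one chosen per connection, which is the case the old SQL*Net-aware firewall proxies had to handle.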

Another undocumented parameter in use (_ash_enable)

I saw a good post on the oracle-l list last week some time by Paul Drake that was titled "ASH droppings in bdump - 10.1.0.3 / win32". Paul asked about the fact that his Windows server running Oracle 10.1.0.3 was generating hundreds of small trace files due to Active Session History (ASH). He said he is not using ASH and wanted to know how to turn off the trace file generation. The first response suggested that the old Oracle trace facility controlled by the parameter epc_disabled had gone and had been supplanted by a new trace facility controlled by a parameter called trace_enabled, which if set to false will prevent trace file generation. John also supplied an interesting post to the thread that suggested using the hidden parameter _ash_enable to turn off Active Session History. John gave a useful piece of SQL that lists hidden parameters starting with _ash. Of course you should not usually use hidden parameters in production databases. But as usual I am interested in this post because of the undocumented element. Any use or confirmation of what an undocumented parameter does is always useful information in the security world: if during an audit you come across undocumented parameters being used it's good to know why they might be there.

Niall made a final post to the thread with an interesting answer: the only way to avoid the licensing issues in this case in a supported fashion is to set STATISTICS_LEVEL=BASIC, as TYPICAL enables all the extra cost options.

Interesting thread!

A password repository for Oracle

I came across an interesting piece of software on sourceforge last night called OPR (Oracle Password Repository). This is software that is intended to be able to replace the hard coding of Oracle usernames and passwords in SQL or shell or perl (or any other type ... of scripts). The software uses a repository to store information about database instances, usernames, os username, password etc. Then when calling a tool such as SQL*Plus from a script you instead call OPR to get the users password to enable a login to the database.

The repository is owned by the owner of the Oracle software (or any other user you choose) and only this user can read and write the repository. It is possible to grant other OS users access to read and write the repository as well if required. It is also possible to grant specific database users the right to get another database user's password. Control can also be applied at the OS user level, so that the person calling OPR must be logged in as the correct OS user.

The software can also sync itself with the database so that users and passwords are aligned. This is done by OPR attempting a login to the relevant database. It is possible to change database passwords using OPR so that they remain in sync.

The OPR executable has the setuid bit set so that any user can run the tool and it reads the repository with the repository owner's privileges.

The Oracle Password Repository (OPR) home page is here and the OPR software can be downloaded from here.

I also talked about the same issue recently in a post titled "A script to call SQL*Plus without hard coding passwords" and I have also updated the free section of my Oracle security tools page to include OPR.

I know that the repository is owned by the software owner or some other designated user, but there could be major problems with this solution. The first is that there would be one file containing all relevant usernames and passwords. The file is suitably protected BUT, if it were obtained, then the usernames, passwords, database instances etc. could be read and used. There would also be a tendency for users of OPR to add usernames and passwords just in case. There are many known ways to read and write files owned by the Oracle software owner from within the database (UTL_FILE, Java and the like). This would mean that the supposed protection of only the software owner being able to read the file would be moot, in fact worse than having the passwords stored in a file owned by root for instance. A hacker could attack the repository remotely, through the database, and get all the users' details including passwords.

That said, this is still useful software that solves a particular problem - password leakage from scripts, either on the command line or via reading the scripts. If OPR is used then the absolute minimum number of usernames and passwords must be added to it. Ideally one user. The privileges of users in this repository should be held at the minimum - least privilege principle. The database must be secured. See the checklists on my Oracle security papers page. All avenues of reading OS files from within the database must be closed. Ideally the owner of the OPR repository should not be the owner of the Oracle software or the owner of the running Oracle instance. This should help prevent access to the repository from within the database. Also consider the use of an external account but only locally for scripts and batches. This again should follow the least privilege principle.

New paper from Aaron Newman - Search Engines used to attack the database

I was emailed by Aaron last night to make me aware of a new paper called "Search Engines Used to Attack Databases" (a PDF is available from http://www.appsecinc.com/techdocs/whitepapers/research.html - broken link) on the recent new technique of using search engines to attack databases. This is a technique I have talked about quite a bit lately, the so called google hacking technique. The idea is that a hacker looks for insecure databases and web application fronted databases, then specifically searches for those sites that have known vulnerabilities or configuration issues or even exposed Oracle web based tools such as iSQL*Plus. This means that the hacker can do his information gathering and reconnaissance phase almost completely without accessing the sites that he is going to attack, so he leaves almost no trail before the actual attack. The attackers will also tend to cherry pick the easiest sites from their search engine results pages.

All of this means that DBA's and site security managers need to take database security seriously and also learn the techniques of google hacking and apply them against their own Oracle databases so that they do not fall prey to one of the newest database (and in general) hacking techniques.

Aaron’s paper is excellent and covers the subject very well. Aaron starts off by talking about database security in general and the sad fact that a lot of companies do not protect the data at source but instead use perimeter security techniques such as firewalls. He then talks about search engine hacking and moves on to talk in detail about how to find Oracle databases exposed to the Internet. Aaron goes through some examples of how to use google to search for the web based version of SQL*Plus, iSQL*Plus, showing some sample results from a google search and also a Yahoo! search.

He then details how iSQL*Plus can be used to hack a 9.2.0.5 database patched for alert #68 by using a common default username and password DBSNMP/DBSNMP. Aaron gives a link to the CIRT Oracle default password list but I should point out that the Oracle default password list is much larger than the CIRT list and my list contains 600 default usernames and passwords. I also have an Oracle default password check script on my site. Aaron then goes on to show how a list of usernames and password hashes can be obtained for offline cracking.

Aaron then goes on to talk about looking for web pages that are vulnerable to SQL Injection attempts (I wrote a three part paper on SQL Injection in Oracle a while ago). Aaron shows some results and then goes on to show an actual attack. He then talks about SQL buffer overflows and JDBC as well as error strings. The paper moves on to talk about directory listings being revealed and closes with thoughts on how to mitigate the issue.

This is a superb paper introducing the subject of google hacking and search engine hacking in general to the Oracle community and in particular to those interested in securing their data. All DBA's owe it to themselves to read this paper and learn about how simply exposing files to the Internet can have disastrous results. The paper "Search Engines Used to Attack Databases" is here.

Google hacking search string database

I talked about a good paper about google hacking the other day in a post titled "Google hacking is on the up!" that talked about Nitesh Dhanjani's paper on google hacking. The paper mentioned a link to a great web site on the subject of google hacking called Johnny, I hack Stuff's website. This site includes a forum on the subject, some downloads for some tools and also a database of over 1000 search strings that can be used for hacking with google search. Nitesh's paper at the end includes a sample tool that can be used to run multiple queries against google to test your own site (or someone else’s) for any search strings that show up data and URL's that could be a security risk. The Johnny behind the site is Johnny Long and he has also written a book published by Syngress (ISBN:1931836361) and published 1 December 2004. The book "Google Hacking for Penetration Testers" is available from Amazon amongst others.

The book has good reviews and sounds very thorough. I plan to buy it at the weekend in Borders or Waterstones if they have it in, if not from Amazon - I will let you know what I think after I get it and read it.

The website also contains a database of search strings, called the Google Hacking Database (GHDB) (http://johnny.ihackstuff.com/index.php?module=prodreviews - broken link). This is a great list broken down into categories such as advisories and vulnerabilities, error messages, files containing passwords, files containing juicy info, pages containing login portals, sensitive directories, vulnerable files and many more.

There are of course many Oracle security search strings in the database but there doesn't seem to be a search box for the database to isolate all of the Oracle search strings, or any way to download all of a particular group of searches such as the Oracle ones.

There is also a list of "signatures" that were part of Nitesh's article that may be useful but again they are not Oracle specific.

Alternate URL for Yong's site

I talked about Yong Huang's website the other day here in a post titled "Yong Huang's web site is excellent". Yong emailed me to tell me that the URL I gave for his site on stormloader was not totally correct. Yong has had his site on stormloader for a few years but it was unreliable about one year ago crashing and going down quite often. Yong moved the complete website to rootshell.be and now promotes this URL instead. The URL for his Oracle page (The same content as stormloader) is http://rootshell.be/~yong321/computer.html. Yong does keep both sites in sync but the rootshell.be one is the main one so if anyone bookmarked the link in my last post then please change it to the one above.

A very good paper about weaknesses in password security

I mentioned the Security paper repository website SecurityDocs.com last night in my post "A repository of security papers - SecurityDocs.com". I was searching the site a bit last night and found a good paper written by Paul Gurgul on 16 Nov 2004 called "Exploits & Weaknesses in Password Security" so I downloaded the paper and read through it.

This is a very thorough look at passwords, their use, hacking, cracking and auditing. It even covers social engineering, Trojan horses and network sniffing, even electromagnetic eavesdropping. It then goes on to discuss ideas for improving reusable passwords, authentication using authentication servers (covering third party authentication) and then a primer on cryptography with quite an in depth look at Kerberos and then X509 certificates.

The paper winds up with one time passwords instead of reusable passwords and a discussion on strong authentication, one time passwords and one time pads, two factor authentication and ACE servers. The paper ends with a discussion of challenge response authentication to make I&A stronger and also the need for Intrusion Detection and also Biometrics.

This is a superb paper and very, very thorough. It is well worth reading: even though it's not Oracle specific it talks about issues and features used by Oracle authentication and password management and also covers some of the ASO features and functions such as Kerberos and X509. Great paper!

Tom talks about encrypting passwords in the database

I saw an interesting thread on Tom Kyte's site last night. I found the post via VS Babu's Oracle feed of feeds, which is an excellent site BTW. The thread on Tom's site is called "storing passwords in the database" and is quite old in origin: the original question was posted 2 May 2000 and the most recent reply was yesterday. A long running thread but covering a good range of issues around encryption, hashing and application based password encryption / hashing and storage.

The thread starts off by showing some sample code that hashes a username and password together into a single hash value and displays it. This sort of function can be used to hash application users' passwords and the results can be stored in a database table. The same algorithm can then be used to authenticate application users by again hashing their username and password and checking that the same value is returned. This is a common method to implement application based authentication, whereby a common database user is used in the background by all users and their application user and password are authenticated by the application source code. There is also a sample function given to compare hashed passwords that could be used in an application.

Tom then explains the hash space and the issue of collisions. Tom also talks about the problem of Oracle changing the algorithm for the hash code in DBMS_UTILITY.GET_HASH_VALUE. Tom also gives some great guidance about passwords being transmitted in clear text. Also check out my posts Passwords in clear text for ALTER USER in SQL*Net and Issues with bypassing password protected roles for a discussion about password leakage on the network.

Tom also discusses the DBMS_OBFUSCATION_TOOLKIT MD5 functions and why they are better than DBMS_UTILITY.GET_HASH_VALUE. There is also an interesting section about a quite often used technique whereby an application user's password is obfuscated in the background before it's used to access the database. This is so the user does not know the real database password and cannot therefore use it to directly access the database via SQL*Plus or a similar tool instead of the application. This idea is flawed, however, as access to the code or network sniffing can reveal the real password being returned to the user. See my Oracle Security Tools page for some tools to grab the Oracle SQL text from the OCI API or JDBC API.

Tom also mentions that the 10g DBMS_CRYPTO supports more algorithms and that it supports better hashing algorithms than MD5 such as SHA-1. If you do not have 10g then a poster also provides a simple Java database procedure to implement SHA-1 in versions before 10g - Java is needed of course.
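As an added example (not code from Tom's thread), here is the pattern the thread is working towards, written in Go: hash the application user's password with a per-user random salt, store only the salt and the digest, and verify with a constant-time compare. SHA-1 is used because that is the algorithm the thread recommends via DBMS_CRYPTO; a current design would replace it with a deliberately slow KDF such as PBKDF2 or bcrypt, but the storage and verification shape stays the same. The StoredCredential type and the function names are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// StoredCredential is the row the application keeps per user: a random salt and
// the digest. Nothing that can be turned back into the password is stored.
type StoredCredential struct {
	Username string
	Salt     string // hex, 16 random bytes, unique per user
	Digest   string // hex, SHA-1(salt || username || 0x00 || password)
}

// digest follows the thread's idea of hashing username and password together, but
// puts a random salt first so two users with the same password get different digests
// and a precomputed table of hashes for common passwords is useless against the table.
func digest(salt []byte, username, password string) []byte {
	h := sha1.New()
	h.Write(salt)
	h.Write([]byte(username))
	h.Write([]byte{0}) // separator: ("ab","c") and ("a","bc") must not hash alike
	h.Write([]byte(password))
	return h.Sum(nil)
}

// NewCredential is what registration or a password change calls.
func NewCredential(username, password string) (StoredCredential, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return StoredCredential{}, err
	}
	return StoredCredential{
		Username: username,
		Salt:     hex.EncodeToString(salt),
		Digest:   hex.EncodeToString(digest(salt, username, password)),
	}, nil
}

// Verify is what login calls. subtle.ConstantTimeCompare stops a byte-by-byte
// comparison from leaking, through timing, how much of the digest a guess matched.
func Verify(c StoredCredential, username, password string) bool {
	salt, err := hex.DecodeString(c.Salt)
	if err != nil {
		return false
	}
	want, err := hex.DecodeString(c.Digest)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare(digest(salt, username, password), want) == 1
}

func main() {
	alice, _ := NewCredential("alice", "tiger")
	bob, _ := NewCredential("bob", "tiger") // same password, different stored digest
	fmt.Printf("alice: %s\nbob:   %s\n", alice.Digest, bob.Digest)
	fmt.Println("alice/tiger:", Verify(alice, "alice", "tiger"))
	fmt.Println("alice/TIGER:", Verify(alice, "alice", "TIGER"))
}
```

The salt does what hashing the username in with the password was meant to do in the thread, but without tying the digest to a predictable value, and the constant-time compare is the detail that the simple "compare hashed passwords" function in the thread leaves out.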

A good thread, worth reading for the ideas used in some applications to authenticate users. A much better solution than the common database user and hand built authentication is to use Oracle features such as connection pooling and proxy users or single sign on in ASO or LDAP.

A repository of security papers - SecurityDocs.com

I was emailed this evening by Mitchell Rowton who runs the SecurityDocs website. I had not been to this website before so I have had a quick look. The site is a repository of information security papers and articles. There are 2548 papers and the About SecurityDocs page says:

"SecurityDocs is the largest repository of information security resources anywhere on the web."

This is a great site as it allows you to search for security papers based on many different criteria such as category, description, rating, author etc. The site is free and doesn't require registration - Brian would approve..:-). There are lots of different categories such as application security, encryption, firewalls, hacking, IDS, law, security policies, tools, wireless security and so on.

As I said I only found out about this site tonight so I have not had time to browse far yet... But I will. SecurityDocs looks like a fine resource for anyone interested in securing their servers, applications, network and data.

Yong Huang's web site is excellent

I have known about Yong Huang's web site for some time now as we have exchanged emails in the past on internals and undocumented details. Yong is a great guy who knows a lot about Oracle. He has a great web site dedicated to (mostly) Oracle information, articles, tips and newsgroup postings he has made. I was searching for a piece of information last night for the SANS Oracle security training course I am working on and saw a link to Yong’s site and I opened the page in a window to remind me to take a good look again and see what has been added and changed.

Yong's site (http://www.stormloader.com/yonghuang/computer.html - broken link), well the Oracle pages, are superb. His homepage (http://www.stormloader.com/yonghuang/index.html - broken link) also details some of his other interests. Yong started out as a PhD graduate and became an Oracle DBA in 1999; his previous experience was as a web programmer. The site contains details on this.

I will return to Yong’s site in future blog posts as there is a huge amount of content: some internals, some undocumented stuff and also some Oracle security information, bugs etc. I want to talk about some of the individual pages again later. I have had three links to Yong's site on my Oracle Security white papers page for quite a long time. These are to Yong’s Oracle Idiosyncrasies page, his http://www.stormloader.com/yonghuang/computer/oraclebin.html - (broken link) Oracle Executables page and his http://www.stormloader.com/yonghuang/computer/x$table.html - (broken link) Speculation of X$ Table Names page. These pages include some great research into Oracle internals. http://www.stormloader.com/yonghuang/computer.html - (broken link) Yong's Oracle page first includes a section of freeware that includes pstats for Windows, pio and topio for Solaris and Windows, and a Windows oerr for Oracle. His Oracle database section includes Q&A tips, Oracle idiosyncrasies, an under construction section that includes investigations into tracing Oracle processes on Windows and Unix, and pages on Miscellaneous Oracle Notes, X$ tables, Oracle binaries, Oracle and Perl and much much more. Yong also has a miscellaneous section and a web programming section.

This is a great site for a browse and worth taking a look. I will talk again in later posts about some of Yong’s findings.

Google hacking is on the up!

I saw Frank's post to his blog last night titled http://www.orablogs.com/fnimphius/archives/000846.html - (broken link) Google Your site for Security Vulnerabilities and read it with interest as I have also talked a few times about google hacking here recently.

Basically Frank's post points us at an article on the O'Reilly web site titled "Google Your Site For Security Vulnerabilities" written by Nitesh Dhanjani in either July or October 2004 (depending on whether American dates or UK dates are used).

This is a superb article that provokes plenty of thought on this subject. Basically the premise goes: any page on your website that google can index will be found and indexed. This could include forms servers, reports servers, listener.logs, alert.logs, application code, you name it; google could find it unless you make sure it's not accessible and also make sure that google cannot index it.

The article starts by talking about default resources (pages installed on web servers by default), then directory listings and how to find them on google, next error messages, which includes an Oracle example for ORA-00921, then a search for remote services and even vulnerability reports for popular tools such as Nessus that may have been run against your servers.

The paper goes on to present a PHP script that can be run to automate checks against google for a list of known problems. It goes on to present an example execution which doesn't show much as all the data returned has been removed. The article finishes with some comments on the script and lessons learned.

This is an excellent article and well worth reading. All DBAs and security managers should read this paper and should run some tests to see what information and services belonging to their Oracle databases and Oracle-based applications are exposed to google and other search engine indexes.
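As an added example (not Nitesh Dhanjani's PHP script and not code from this blog), here is a defender-side check that runs over responses fetched from your own web server rather than over google: it flags the four leak types the article describes (Oracle error codes in error pages, Oracle log files served over HTTP, directory listings and reachable scanner reports) and drafts robots.txt lines for the flagged paths. The sample responses, paths and bodies are constructed for this example; the patterns are my own choices.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed sample responses from a server you administer: (path, status,
# body). Hypothetical data for this example, not output from any real site.
SAMPLE_RESPONSES = [
    ("/index.html", 200, "<html><body>Welcome to the intranet portal</body></html>"),
    ("/reports/run?id=abc", 500,
     "<pre>java.sql.SQLException: ORA-00921: unexpected end of SQL command</pre>"),
    ("/oracle/network/log/listener.log", 200,
     "TNSLSNR for Linux: Version (constructed sample log line)"),
    ("/admin/", 200, "<html><head><title>Index of /admin/</title></head></html>"),
    ("/scan/nessus_report.html", 200, "<html><title>Nessus Scan Report</title></html>"),
]

# Patterns for the leak categories discussed above.
ORA_ERROR = re.compile(r"\bORA-\d{5}\b")          # Oracle error code in a page body
ORACLE_LOGS = re.compile(r"(listener|alert_\w+|alert|sqlnet)\.log$", re.I)
DIR_LISTING = re.compile(r"<title>\s*Index of /", re.I)  # auto-generated index page
SCAN_REPORT = re.compile(r"nessus|nikto", re.I)   # scanner output left in web root

@dataclass
class Finding:
    path: str
    kind: str
    detail: str

def classify(path: str, status: int, body: str) -> List[Finding]:
    """Return every leak category a single response falls into (may be several)."""
    findings = []
    m = ORA_ERROR.search(body)
    if m:
        findings.append(Finding(path, "oracle-error", m.group(0)))
    if status == 200 and ORACLE_LOGS.search(path.split("?")[0]):
        findings.append(Finding(path, "oracle-log-file", "log file served with HTTP 200"))
    if DIR_LISTING.search(body):
        findings.append(Finding(path, "directory-listing", "auto-index enabled"))
    if status == 200 and SCAN_REPORT.search(path + body):
        findings.append(Finding(path, "scanner-report", "vulnerability report reachable"))
    return findings

def audit(responses: Iterable[Tuple[str, int, str]]) -> List[Finding]:
    return [f for path, status, body in responses for f in classify(path, status, body)]

def robots_disallow(findings: Iterable[Finding]) -> str:
    """Draft robots.txt lines for flagged paths. This only asks well-behaved crawlers
    to skip them; the pages must still be removed or put behind access control."""
    paths = sorted({f.path.split("?")[0] for f in findings})
    return "User-agent: *\n" + "".join(f"Disallow: {p}\n" for p in paths)

if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES):
        print(f"{f.kind:18} {f.path}  ({f.detail})")
    print(robots_disallow(audit(SAMPLE_RESPONSES)))
```

Feed it the paths and bodies from a crawl of your own site (for example from the access log plus a fetch of each path) and treat any finding as something to remove or protect, not just to hide from crawlers.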

I cover this new idea in the new 6-day hands-on Oracle security training course that I have just written for the SANS Institute, which will be taught first in April 2005 in San Diego.

As I have said, I have also talked about google hacking recently in a few Oracle Security weblog posts. These include "Bruce Schneier talks about google desktop search security", "Information leakage and google hacking" and a post about information leakage titled "An interesting example of information leakage posted to my blog entry".

This is becoming a more and more talked about area of security and will undoubtedly become a tool more often used by hackers to gain information about your databases, applications and servers. Be warned!