
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

SQL Injection Attack

Marcel-Jan emailed me an article on arstechnica a few days ago and has now written a forum post titled "How Anonymous hacked HBGary".

This is interesting reading and shows that simple techniques can be used to abuse systems. Anyone who has heard me speak at conferences or in training will know I like to propagate the idea that it is simple things that let companies down on data security. A good example would be a mythical company that has spent a lot of money implementing data security within the database, including controls, audit, encryption, VPD, Label Security, even DAM, but then leaves key data available in other places such as on paper, in email systems, development systems, test systems and more. The security of an Oracle database does not depend on the Oracle software alone; i.e. we cannot simply apply security patches and assume that the database is secured, nor can we simply follow known hardening guides and assume our "data" is secured. This is because Oracle is complex, and part of implementing it is for the implementor to add their own designs (tables, views, data, screens and of course security and management). This is not Oracle's job, it is the customer's. We also have to consider the data itself: know where it is and who can access it, and then plan how we will create strategic and technical solutions to protect it.

Simple issues make data insecure, or in the case of this article a company's systems themselves, and even its emails, being accessed. These simple issues include passwords: if you don't protect passwords, enforce strong passwords and ensure accountability is in place (audit, DAM or similar), then it is easy to break in.
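As an added example (not from the original post), here is what the three controls named above look like in Oracle SQL run as SYSDBA: a profile that enforces strong passwords and lockout, a check for accounts still on default or weak settings, and a logon audit with a query that surfaces password guessing. The profile name app_users and the user name appuser are assumptions; the verify function names are the ones created by $ORACLE_HOME/rdbms/admin/utlpwdmg.sql (verify_function_11G on 11g, ora12c_verify_function on 12c), which must be run before the profile is created.

```sql
-- Added example, not from the original post. Run as SYSDBA on 11g/12c.
-- Assumption: $ORACLE_HOME/rdbms/admin/utlpwdmg.sql has already been run, so the
-- password verify function exists (verify_function_11G on 11g, ora12c_verify_function on 12c).

-- 1. Enforce strong passwords and lockout via a profile (the name app_users is assumed).
CREATE PROFILE app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24      -- locked for one hour after 5 failures
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      365
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function;  -- use verify_function_11G on 11g

-- Assign it. The verify function only runs when a password is set, so force a change.
ALTER USER appuser PROFILE app_users;   -- appuser is an assumed account name
ALTER USER appuser PASSWORD EXPIRE;

-- 2. Find open accounts still using a default password (view exists from 11g).
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status = 'OPEN'
 ORDER BY 1;

-- 3. Find open accounts whose profile has no verify function or no lockout.
--    (A limit of DEFAULT inherits from the DEFAULT profile; check that one too.)
SELECT u.username, u.profile, p.resource_name, p.limit
  FROM dba_users u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_name IN ('PASSWORD_VERIFY_FUNCTION', 'FAILED_LOGIN_ATTEMPTS')
   AND p.limit IN ('NULL', 'UNLIMITED')
   AND u.account_status = 'OPEN'
 ORDER BY 1, 3;

-- 4. Accountability: write logons (successful and failed) to the database audit trail.
ALTER SYSTEM SET audit_trail = DB, EXTENDED SCOPE = SPFILE;  -- takes effect after restart
AUDIT CREATE SESSION;

-- 5. Review: failed logons (return code 1017 = ORA-01017 invalid username/password)
--    in the last 24 hours, grouped so guessing against one account stands out.
SELECT username, userhost, os_username, COUNT(*) AS failures
  FROM dba_audit_session
 WHERE returncode = 1017
   AND timestamp > SYSDATE - 1
 GROUP BY username, userhost, os_username
HAVING COUNT(*) >= 5
 ORDER BY failures DESC;
```

Queries 2 and 3 are the audit half of the post's point: a profile that exists but is not assigned, or a verify function set on the profile but never triggered by a password change, gives the appearance of control without the substance, and a simple query against the dictionary shows which it is.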

This article is an interesting read and should wake up those who need to secure their data. The techniques used were not rocket science, but at one level they were also clever. Hacking an email system and then emailing the sysadmin, pretending by email to be someone else, to get access to a server is clever but not technically difficult. This is why security is difficult: we must consider all aspects of data loss and therefore of data security.

Oracle Security Training in the UK

I have been asked by a couple of people over the last week or so for one-to-one training on my course "How to perform a security audit of an Oracle database", which covers cradle-to-grave securing of all of the data within your Oracle estate, using the "vehicle" of a security audit to guide us through the process.

To try to reduce the individual cost, and also to make it more interesting by having more people involved, I am going to open this up as a public training event. The class will potentially run in York, England on May 3rd and 4th in one of the large hotels in York. The price per person for the two-day class will be £995 + VAT (GBP); this includes the course, printed notes, a download of the notes, the tools and scripts used, and tea/coffee and a lunchtime meal on both days. Travel, accommodation etc. will need to be covered and organised by students themselves, although we will be able to get a student rate at the hotel used for the class.

If anyone is interested in attending then please email me at to register an interest or to ask for more details. We are looking for around 5 people to make this viable as a public class, so please let me know. Places will not be limited to 5 though.