Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

10g Release 2 PL/SQL and SQL new features

I was browsing the Amis blog this evening and saw a post describing some of the new PL/SQL and SQL features in the upcoming Oracle 10g R2 database (tomorrow if we are to believe Niall's source). I talked about new features in 10gR2 found in Arup Nanda's paper the other day. I was interested to see Lucas's post as it talks about the same paper by Arup that I had already read. Lucas gives some good annotations and examples on the Error logging clause, Conditional PL/SQL compilation (This one is a great addition to the PL/SQL language), DBMS_OUTPUT restrictions finally removed and the standard way to search through XML. Good post.

A security issue with OPR version 1.1.7

Jasper and Jan-Marten Spit have just emailed me to say that they have removed the new version 1.1.7 from They ran into a serious security issue that they found after reading the article I posted to my blog titled "Installing Oracle Password Repository (OPR) - a walk through" which was sent to me by Mike Thomas and describes an installation session of OPR. Jasper and Jan-Marten felt the issue serious enough to pull 1.1.7 and they tell me that a new version 1.1.8 will be made available very soon - I will let you know here when it is out. I think this is a very responsible attitude to security of their software.

Protecting network based storage

I came across an interesting news story on computer World a couple of days ago and made a note to take a look. This paper is titled "Moving ahead with data security" and is written by Mario Apicella. This article talks about storage based security mechanisms rather than application based security. Host based protection works well in mainframe environments but in SAN based storage this becomes much harder to implement. The author goes on to talk about how complicated host based security is to achieve in modern architectures. Mario also talks about Symantec's purchase of Veritas although he finds out that even though Veritas staff think there will be a security based Veritas product no one else seems to be officially be talking about it. He sites Network Appliance's purchase of Decru as further evidence of secure storage in data storage companies. Mario goes on to discuss the security aspects of the NetApp aliance. Mario then talks about Seagates new vertical storage (bits stored vertically on the media - this sounds amazing!) and also their new hardware based encryption hard disk. As Mario says this new drive will protect data from cradle to grave without OS intervention. This is significant and will protect data from being taken from stolen disks. This is a very interesting three part paper / article.

A new version of OPR is released

Jasper Spit, one of the Oracle Password Repository (OPR) authors has emailed me today to let me know that this very useful piece of software has been updated to version 1.1.7. The new version has been posted to SourceForge. Jasper emailed me a list of the following changes that have been made to the software:

Changes from the previous release:

15-06-2005 1.1.7 J.Spit

* Oracle client libraries are now dynamically opened/closed only for those operations that require them.
This goes for all platforms. This means you can use OPR on systems without an Oracle installation to
e.g. list, retrieve and delete passwords from the repository.
* added -f flag to forcibly add a password entry without verification on the database
* bugfix: ocisessionend function was not initialized
* bugfix: when retrieving a password, schemaname was case sensitive.
* currently database is converted to uppercase, and schemaname to lowercase. OSuser is left
* raised max. repository entries from 1024 to 4096
* minor cosmetic changes

17-06-2005 1.1.7 J.M.Spit

* Removed possible buffer overflow in askPassword.

As Jasper said, enjoy!

Installing Oracle Password Repository (OPR) - a walk through

I got an email from Mike Thomas over the weekend to let me know that he had installed OPR as he had seen it in my blog. He kept detailed installation notes and output from his installation and he has kindly offered to let me publish those here in the hope that they will be useful to others who might be interested in using OPR or are about to install it. Here is Mike's output in its entirety:-

Example to create OPR Repository for 10g on RHEL3 LINUX.
These are the notes we used to install OPR on multiple 10g hosts.
Brian analyzed and resolved the error while loading shared libraries:
After testing and reviewing potential risks I chose the approach to
create a symbolic library link in /usr/lib rather than create a statically
compliled OPR. You must test for Oracle library version conflicts.

-- Setup OPR on host
login oracle @minke

-- Create opr LINUX account
su - root
groupadd oprinstall # group owner of OPR files
useradd -c "Oracle Password Recovery" -g oprinstall opr
passwd opr
useradd -m (create home directory) -g (initial group) -G (supplementary groups)

-- Test accounts
su - root
groups opr
id opr
id oracle
[root@minke root]# groups opr
opr : oprinstall
[root@minke opr]# id opr
uid=605(opr) gid=605(oprinstall) groups=605(oprinstall)
[root@minke opr]# id oracle
uid=600(oracle) gid=600(oinstall) groups=600(oinstall),601(dba)

-- shell
login opr @minke
vi .bash_profile
set | grep -i ora
Note: see below for example profile

-- Install OPR
login opr @minke

-- (1) directory
cd /home/opr
rm -rf /home/opr/data
rm -rf /home/opr/prog
mkdir /home/opr/data
mkdir /home/opr/prog
chmod 700 /home/opr/data
chmod 700 /home/opr/prog
ls -al

-- (2) program
cd /home/opr/prog
ftp opr-1.1.6beta.tar.gz to /home/opr/prog
tar zxvf opr-1.1.6beta.tar.gz
cd /home/opr/prog/opr
strip src/opr
cp /home/opr/prog/opr/src/opr /home/opr
cd /home/opr
opr -c
chmod 755 /home/opr
chmod 511 /home/opr/opr
chmod u+s /home/opr/opr
ls -al /home/opr/opr
chmod 555 /home/opr/
chmod u+s /home/opr/
ls -al /home/opr/
Note: In RAC cluster put the repository on drive shared by all nodes.
This supports one OPR repository per database concept.

-- (3) script
login opr @minke

vi /home/opr/
OPRREPOS=/home/opr/data/repos.opr;export OPRREPOS
opr ${1} ${2} ${3} ${4}

[opr@minke opr]$ ls -l $OPRREPOS
-rw------- 1 opr oprinstall 352 Jun 24 16:08 /home/opr/data/repos.opr
[opr@minke opr]$ ls -al /home/opr/opr
-r-s--x--x 1 opr oprinstall 20240 Jun 24 16:07 /home/opr/opr
[opr@minke prog]$ ls -al /home/opr/
-r-sr-xr-x 1 opr oprinstall 74 Jun 24 16:11 /home/opr/

-- (4) library /u01/app/oracle/product/10.1.0/db_1/lib/
su - root
ls -al /usr/lib/*
ln -s /u01/app/oracle/product/10.1.0/db_1/lib/ /usr/lib/
chown oracle.oinstall /usr/lib/
ls -al /usr/lib/*
Note: This works for Oracle 10g only. Hosts with multiple oracle versions
may require another strategy like statically compiled opr because of the
risk of library version conflicts. Test thoroughly before implementing.
Some of the risks of adding library to /usr/lib ( are at:
E.g. The problem is that if an attacker can control the underlying libraries used by a program, the attacker can completely control the program. For example, imagine that the attacker could run /usr/bin/passwd (a privileged program that lets you change your password), but uses the environment variables to change the libraries used by the program. An attacker could write their own version of crypt(3), the password encryption function, and when the privileged program tries to call the library, the attacker can make the program do anything -- including allowing permanent, unlimited control over the system. Today's loaders counter this problem by detecting if the program is setuid/setgid, and if it is, they ignore environment variables such as LD_PRELOAD and LD_LIBRARY_PATH .

-- (5) oracle .bash_profile modification
ORACLE_BASE=/u01/app/oracle;export ORACLE_BASE
OPR_BASE=/home/opr;export OPR_BASE
ORACLE_HOME=$ORACLE_BASE/product/10.1.0/db_1;export ORACLE_HOME

Notes: There are a couple bugs in the source.
(1) Typo shows lack of Solaris testing -
[opr@minke src]$ grep unload *
opr.c: unloadOraLibs();
>> Fix should be:
opr.c: unLoadOraLibs();
(2) The error is caused by setuid limiting dynamically loaded
libraries to those under /usr/lib ( and excluding LD_LIBRARY_PATH libs.
One solution to this problem is to copy and chmod to /usr/lib/
E.g. Typical error from oracle unix account
[oracle@minke oracle]$ opr -r cald sys
opr: error while loading shared libraries: cannot open shared object file: No such file or directory
(3) In RAC cluster put the repository on drive shared by all nodes.
This supports one OPR repository per database concept.

-- Configure commands OPR repository
Note: One OPR repository per database, which holds all/any accounts for one database
login opr @minke

-- minke
opr -a calprec calgb oracle
-- orca (cluster)
opr -a calp calgb oracle
-- narwhal (cluster)
opr -a calp calgb oracle {should fail as duplicate entry}
-- pilot
opr -a cald calgb oracle
Note: opr -a

-- Test OPR examples
login oracle @minke
sqlplus "calgb/` -r CALPREC calgb`@cald"
login oracle @orca
sqlplus "calgb/` -r CALP calgb`@calp"
login oracle @narwhal
sqlplus "calgb/` -r CALP calgb`@calp"
login oracle @pilot
sqlplus "calgb/` -r CALD calgb`@cald"
Note: All the databases are used in CAPS even though entered as lowercase.

vi .bash_profile
# .bash_profile

# Get the aliases and functions
if [ -f ~/.bashrc ]; then
. ~/.bashrc

# Login Sequence - Check if behaviour unclear
# /etc/passwd
# /etc/shadow
# /etc/group
# /etc/profile
# /etc/profile.d/*.sh
# ~/.bash_profile
# ~/.bashrc
# /etc/bashrc
# User specific environment and startup programs
ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE
DB_HOME=$ORACLE_BASE/product/10.1.0/db_1; export DB_HOME
OPR_BASE=/home/opr;export OPR_BASE
OPRREPOS=/home/opr/data/repos.opr;export OPRREPOS
ORACLE_HOME=$ORACLE_BASE/product/10.1.0/db_1;export ORACLE_HOME
export PATH
#LD_LIBRARY_PATH=$DB_HOME/lib:/lib:/usr/lib; export LD_LIBRARY_PATH
LD_LIBRARY_PATH=$DB_HOME/lib:/lib:/usr/lib:/usr/local/lib; export LD_LIBRARY_PATH




That is it, I hope that people find this useful, thanks again to Mike for sharing it.

An excellent XSS cheatsheet

Damon P Cortesi emailed me over a week ago to tell me about the sysinternals website - i mentioned this in my post Another great Windows internals site. Damon also mentioned in a further email to me that he has a blog of his own that does include a small number of security related posts. I found one very good one titled - (broken link) XSS Cheatsheet - this post is short and sweet and links to a superb paper called "XSS cheatsheet - Esp: for filter evasion". This is a paper not for people who want to know what XSS (Cross Site Scripting) is but instead it is a superb list of possible tricks and hacks to try in XSS type attacks.

Frank talks about Bruce Schneier's book "secrets and lies"

I saw Franks post on orablogs talking about Bruce's book last week some time and made a note to have a look. Franks post is titled "Security: Secret & Lies, Digital Security in a Networked World, by Bruce Schneier" and in it Frank talks about Bruce Schneier's book Secrets and Lies : Digital Security in a Networked World. Frank has just finished reading it and recommends it highly. He also says that this book is a considered must read in the security community. I have heard the same. Frank gives some good examples from the book and some good analysis. Basically security is not just about the technology. This I can agree with, as I always try to think like a hacker when I look at security of an Oracle database. You need to see the whole picture and not just a feature. Franks review is good, take a look. Also read Bruce's book which is excellent.

Grant talks about patch 2 for 9.0.4 for certified Linux and Mac clients

I saw Grant Ronalds post to his blog titled - (broken link) Patch 2 of 9.0.4 certified Linux and Mac clients this evening. Basically Grant is letting the Oracle Forms community know that patch 2 for 9.0.4 has been released and included certification for Linux and Mac clients. Read more details on - (broken link) Grant's blog post.

Doug followed up on DBA_REGISTRY

I saw Doug's post on his - (broken link) blog titled " - (broken link) dba_registry (again) last night that follows up on his own post - (broken link) dba_registry and also my post An issue with DBA_REGISTRY. In this latest post Doug discusses the issue again in depth or rather some reasoning as to why it may have happened. This is worth reading, I don't think Doug should be too embarrassed, as I said and as he alludes to now there should be something put in place by Oracle to ensure everything gets done (besides the instructions in the patch) - how about a final check script that just verifies the versions - how about a way to easily and reliably get patch levels in the binaries and databases?

Orablogs seems to be down - or maybe not!

I am an avid follower of the great - (broken link) Orablogs site and was saddened to notice that it has not been reachable for the last couple of days. I don't know if this is a global issue or a local one (I am UK based). I also noticed that someone had posted a question on comp.databases.oracl.server today asking - (broken link) orablogs down?. I replied to that post on C.D.O.S. that it seems to be a DNS issue and also I suggested an alternate way to see Brian's site. I have emailed Brian to ask what the issue is as well.

The problem seems to be with DNS servers. But first some security background. I like my posts to at least have some security content! - I thought I would check into Brian's site and see if i could see where the problem lies. I did a ping from my PC on and got no results. I then tried tracert, to see if I could see where the problem lies, again no result. So I next thought about accessing orablogs by using instead the IP Address instead of the domain name. First I need the IP address. I like the Netcraft site as it gives some great info about sites. Kevin Mitnick mentions this site in his book The Art of Intrusion : The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers - this is where i found it from a while ago. has a search box in the top left corner where you can check out a siteís hosting details. I entered and found out the IP address and also noted that orablogs has had its server details changed a few times this year. It is interesting to note that the nameserver, DNS admin and reverse DNS are marked as not known. I checked my own site and saw these details are present. This confirmed my suspicions. So i tried to access orablogs with and found that it works. I was able to view orablogs. Then i thought about DNS issues and used the site and entered, the report shows some warnings and failures. As I said I have asked Brian what the problems are.

This is a good issue to look into; the moral of the story is that there are plenty of sites out there on the net that can divulge huge amounts about your own site or about anyone elseís. This information is effectively public. If you run a site or host an Oracle database to the Internet then beware of what can be found out about it.

Pete Finnigan is now a member of the Oaktable network

I was asked a week or so ago by one of the members of the Oaktable if I was interested in joining the group. Of course, I accepted as the Oaktable includes a - (broken link) great selection of people who are members and who know a lot about Oracle. I hope to learn a lot from these guys. The Oaktable also hosts a mailing list for the members and the site includes links to info, FAQ, papers etc. The Oaktable have also started publishing Oracle books under the name of the Oaktable press - although I am not certain what Pro Hibernate 3 published in 1969 means on this page?

The three Oaktable books are :- PeopleSoft for the Oracle DBA (Oaktable Press) by David Kurtz, which I have not read but will buy and do so when I get chance. There is also Mastering Oracle PL/SQL: Practical Solutions by Connor et al. This book I have got and have read, it is excellent and worth reading. Finally the third book is Oracle Insights: Tales of the Oak Table which is also an excellent read. I am looking forward to seeing more books released by the Oak Table press.

An issue with DBA_REGISTRY

I made a note about Doug's blog post a week or so ago titled - (broken link) dba_registry where he discussed the fact that a select from the view DBA_REGISTRY didn't show the correct version after an upgrade had taken place. Doug went on to test this at home on 10g and he proved the version displayed in this view did not match the binaries. A couple of commenters (I cannot post a link to Doug's comments as they are accessed via Javascript - I think?) mention that fact that patching the software only doesnít patch the database and that catpatch.sql needs to be run to update the views output. Doug seems embarrassed a little by this but this is common mistake. I believe this is partly because Oracles patch update mechanisms need to be simplified (which is now happening with recent patches) so that applying patches is more transparent and most importantly so that is is much easier to find out the exact patch level the software and database are at. This has not been consistent in the past. Ed Stangler talked many times a few months ago in his blog about catpatch.sql - My first post was on his series was Edward Stangler talks about running catpatch. I talked about this subject - prompted by Ed many times. See my archives page for details of these posts.

10gR2 adds a "wrap" package procedure, TDE and makes DBMS_OUTPUT output unlimited

I just saw Justin kestelyn's post to his OTN blog on - (broken link) orablogs this evening titled - (broken link) Oracle Database 10g Release 2 "Sneak Peek". This is a great post as it includes links to several resources on 10gR2 that have just been made available today. This includes technical papers. The paper I particularly noticed first is a paper discussing Oracle Advanced Security that discusses encryption.

Another particularly interesting paper is Arup Nanda's paper Part 1: SQL and PL/SQL Features which is to be part one of a set of papers in the Oracle Database 10g: Top Features for DBAs - Release 2 Features Addendum. This paper is very very interesting for those of us interested in security. The paper includes a description of how Transparent Data Encryption (TDE) will work in 10gR2. Arup also shows that TDE can be used to encrypt the columns in external tables. The most interesting part of this paper for me is the item about the new wrap database package. This is a new function is DBMS_DDL.CREATE_WRAPPED which will allow dynamic PL/SQL to be create wrapped in the database. Arup gives examples. There is also another function DBMS_DDL.WRAP that will output the convert PL/SQL code passed as an argument in a wrapped form. This can then be spooled to a file and created later in the database wrapped.

Arup then goes on to discuss another great new feature, conditional compilation in PL/SQL. This is a feature that I have wished for many times in the past. This feature works like the pre-processor in C. This means that conditional code can be added at compilation time rather than at run time. This is a great addition and Arup gives some examples. A good use for this would be to conditionally compile debug code in to your source to instrument the PL/SQL code as Arup shows.

The final interesting addition in 10gR2 is the fact that the package DBMS_OUTPUT can now have unlimited output and each line of text can now be of any length. I have had this issue many times in the past. The source for this package used to be shipped in earlier version 7 databases so it was possible to see roughly how it worked and implement your own version in a local schema to get around the issue in earlier versions but this is a useful addition to 10gR2.

Have a look at the rest of the links in Justin's post for more information on new additions in 10gR2.

Security is a major force in the new 10g Release 2 database

I have just seen a new news item on the website.. The article was released today, June 20, 2005 and was written by Clint Boulton and is titled "Security's Starring Role in Oracle's 10g DB".

The item talks about the fact that Oracle have been releasing information about 10g R2 today and security is high on the agenda for Oracle's new release. Self management and increased XML support are also included. The writer talks about Sarbanes Oxley being a requirement for many firms now and that means that data has to be kept. This is an issue for companies, to be able to keep that data secure. 10g R2 will bring new encryption technology in the database that will allow transparent encryption of data without any developer intervention. This will make it easier for companies to encrypt the huge swathes of clear text data that they have stored that should be encrypted. This is particularly relevant where legacy applications are involved and re-development would be cost restrictive.

There are third party encryption solutions such as Application Security Inc's DBEncrypt product that allow data to be encrypted with relative ease in current versions of the database. The 10gR2 enhancements will make things easier of course. The new feature in 10gR2 allows the DBA to simply change a column definition to allow the data to be transparently encrypted.

The article goes on to talk about some of the other new functions / features set to be available in the 10gR2 database.

OT: RSS fixes just done

I my last post i talked about the fact that I have changed my RSS feed to just output the first 20 words of each post and to also included a [read more] link after the 20th word. I couldn't test this completely until I had made a new post. Everything was OK, the RSS feed was correct, the main index page for my blog was fine, the monthly archives were fine and it appeared that individual entries were fine. That is until I checked a post from January but the entry page included the RSS feed text (the 20 words) and link before the body text... hmmmm... this meant the 20 words was a repeat. It has now taken me an hour or so to track down that I had added extra template text to all the main entry pages including the archives. So I have now removed the 20 word clauses from the archives and it looks like it works now. This entry is off topic as it is intended as a test to make sure it is working properly!

Changed my RSS feed to spit out the first 20 words and a link to the entry

Spurred on by Tom's recent post titled - (broken link) RSS I have changed my own RSS feed generator to just write the first 20 words of each posting to the RDF file. Tom discussed his desire to know how many people were actually reading his blog entries and he couldn't do this if the complete entries ended up in the RSS file as he then did not know if people actually read the posts or not or simply pinged (I know this might not be the correct terminology but I think it is?) the RSS file to see if it has changed. The main Oracle blog aggregator site is - (broken link) Orablogs and it takes the RSS feeds from a lot of bloggers who write about Oracle. This is a great site but I notice that sometimes when someone posts a long entry in their blog most of the orablogs page is taken up by it. I have done it myself a few times as well. I think Tom is right, it is nicer to have the teaser and to then have people come and read the article if they want. Orablogs will also look cleaner. I have noticed a few bloggers recently seem to have teasers that I am sure did not have before. I am hoping to get a better picture of how many people read my blog entries.

Anyway I have changed my blog to output just the first 20 words to the RSS file and to also add a [read more] link at the end. This was the tricky bit to do. I use greymatter for my blog and greymatter doesn't support RSS file generation natively. I used the gm-rss perl script to create my RSS file. They offer some advice as to how to just add a specific number of words to the blog RSS file but they didn't give any clues on how to add a [read more] link at the end of the 20 words (or how ever many words you want). I managed to work this out for myself after a bit of revision on greymatter template variables. Anyway I hope that those who take my RSS feed like the new method!

Here goes with the first test run!

An interesting alternative technique to crack passwords

I was asked this afternoon what experience I had with DPA. My first guess was none as I didn't know what it meant. So I used good ol google to have a look. I pulled up a good short news article that I found titled - (broken link) Company to license device-security tools. It was published some time back, April 18 2004 to be exact and was written by Michael Kanellos. The item and the technique of DPA is very interesting so I thought I would share it here. DPA stands for Differential Power Analysis and is a technique whereby a hacker monitors variations in electrical consumption of a card that performs encryption functions. He can then do a reverse analysis to discover the passwords being used. This type of attack was found in the 90's according to this news item. This is a very interesting technique and a company called Cryptography Research has taken out more than 60 patents for technology to protect against this type of attack. There is another link in this article to another about - (broken link) differential power analysis that explains the technique in a little more detail. I am not sure that this could ever apply to an Oracle database but I suppose you should never underestimate the levels to which someone can go to hack your database.

Britain's hi-tech crime wave

I caught part of the breakfast program this morning on BBC1 where one of the reporters talked about security and the current increases in attacks on web sites where large numbers of personal computers are commandeered to attack a site or a company to cause a denial of service for that company. The article talked about one company who was held to ransom. It was quite interesting to hear something about computers in general and particularly about hacking / security as we don't tend to get much computer coverage in programs in the UK. The reporter also mentioned that there is tonight a half hour program on BBC2. The program is called "Britain's Hi-Tech Crime Wave" and is on for 30 minutes and talks about the fact that Britain is being hit by a high tech crime wave. If you are in the UK it may be worth watching.

Oracle unveils its identity management suite

I just saw a news item on - (broken link) with a short article titled - (broken link) Oracle unveils Identity Management suite and dated 15 June 2005. It is also written in Bangalore, India. It says that Oracle had announced the first integrated release of its identity management suite since its acquisition of Oblix recently. It goes on to say that this new release is the most complete identity solution available. It serves as the security backbone for Oracle Fusion middleware. This is an interesting development and a fast release considering the short elapsed time since the acquisition of Oblix. Well done Oracle!

Another great Windows internals site

I had on my list to talk also about another Windows internals site that includes some great tools and also great information. The site is I had planned to talk about this site on my blog todo list but it has jumped up my priorities a bit as - (broken link) Duncan Mills and Damon Cortesi both emailed me to suggest that sysinternals is a great site, up to date and full of great tools that cannot be done without if you run on Windows. I first came across sysinternals quite a few years ago partly because they used to get a mention from time to time in DDJ or MSJ or Windows Developer or one of the other many magazines I read and used to read. I think, I first visited the site a few years ago because someone recommended FileMon for use to solve a problem we had at the time on a job I was working on.

Sysinternals is a site run, created and maintained by Mark Russinovich and Bryce Cogswell. It includes a good array of free tools, source code and technical information useful to those exploring Windows itself or those wanting to monitor what a program is doing whilst it is running. This is something hackers and crackers do so you should be aware of the tools that hackers could use. Of course most if not all of these tools are also valid options for general monitoring and maintenance..:-)

The site includes a very impressive array of utilities including file and disk tools, security tools, networking tools, process and thread tools, system information tools and miscellanious tools. There is also a lot of source code for utilities, - (broken link) information, forums, newsletters etc. This is again a superb site for the depth of information and the large collection of free tools.

A nice Windows internals website

I came across a good website for Windows internals tools and information. The site is and seems to be run by Yariv Kaplan. The site also seems a little dated as some of the copyright notices are for 2000 and 2002. Why am I interested in Windows internals? - well because Oracle runs on Windows and even if the database runs on Unix then clients and other processes such as reporting tools may run on Windows. Hackers can use internals knowledge of operating systems such as Windows to gain knowledge of how an application or the database may work and use that information to steal data such as passwords or critical application data or to exploit the application to gain control of the operating system and therefore the machine.

This, as I said is a slightly dated site but there are some useful tools and papers on there. The most useful is the APISpy32 utility that can be downloaded as a zip file called APISpy32. This utility can be used to spy on the internal structure of applications or the operating system itself. APISpy32 gets around some of the problems of similar tools such a breaking when used with large pieces of code. APISpy32 also monitors all API calls made by all active processes. It is dated and marked as supporting Windows 9x/NT/2000 and ME but I have had it running on XP.

There is also a good paper on how spying programs work. This paper is called "API Spying Techniques for Windows 9x, NT and 2000" and covers different methods for hooking API and DLL imported functions. This is an excellent detailed paper, again if a little dated.

Brian talks about why JPasswordField.getText() is deprecated

I saw Brian's interesting post on - (broken link) orablogs last night and made a note to have a look. Brian's post is titled - (broken link) Why is JPasswordField.getText() deprecated? and it discusses why the javadoc says to use the getPassword method instead. Basically Brian tells us it is because getPassword() returns a char[] and getText() returns a String. He goes on to explain why char[] is supposedly more secure with some simple examples and also how more often than not the use of a more secure API is undermined by further coding issues, i.e. assigning the char[] to a String later in the program.

Whilst this is a Java specific issue example wise it is a good example for those writing code in any language that handles application or database passwords. As Brian points out passwords could be grabbed from memory on the machine or from swap files. Nice post!

A book on Peoplesoft for the Oracle DBA

I came across David Kurtz book PeopleSoft for the Oracle DBA (Oaktable Press) last night and had a look at the details on the Apress site and also on David's own site for the book. Whilst this book is not specifically about security my interest in it is the detail that it presents on how the Peoplesoft application interfaces with the Oracle database. David's angle and experience is mainly performance tuning the book covers the whole gambit of administering PeopleSoft on Oracle. For anyone who is interested in securing the new Oracle product! Then this looks like a great book to get started with.

I have not seen the book, just the descriptions, when I next get a chance to look in Borders I will check if its in else probably will order it.

Shay talked about version control through JDeveloper

I made a note on my list to look at Shay Shmeltzer's Weblog post titled - (broken link) JDeveloper now supports all version control tools about a couple of weeks ago as it sounded useful. Using version control for any software development and also for configuration files involved in the applications and the database is something that I recommend to clients and also in my writings (book and security course). Storing important files in version control systems can help control changes made as well as control access to those files. Of course a hacker may alter the live files if he is able but at least a controlled version will exist. The same applies to applications source code of course. JDeveloper is an important development tool for Oracle so itís good to see that version control software can be integrated. As Shay points out in his post JDeveloper doesn't exactly support all version control tools but Shay has written a how to show how they can be supported without coding. The how-to is called "Integrating 3rd Party Version Control Tools with JDeveloper - Codeless Integration of 3rd Party Tools with JDeveloper". This is quite an interesting post by Shay.

OT: Another Apple post

This is starting to seem like a weekend tradition, to post off topic and also to post about Apple computers. I don't think it will become a regular thing though as I don't have enough material on Apple's computers..:-). I posted last week an entry titled "OT: A book on how to build an Apple 1 replica" - where I talked about the book Apple I Replica Creation which I had seen advertised. I have not had the chance to buy it yet but I probably will. I went into Borders in York today to have a look and see if they had it but had no luck. Out of interest in my last post I mentioned the book Hackers: Heroes of the Computer Revolution by Steven Levy and said that I had a copy that had circumvented the globe twice with me. Josh Wright who is teaching the 6 day hands on SECURITY 509: Securing Oracle track that I wrote for SANS Institute told me that if I could circumvent the globe then could I let him know how it is done!, Of course I meant circumnavigated..:-)

Back to the plot... As I said I was in Borders looking for the Apple 1 replica book and by chance came across another book about Apple called Revolution in The Valley which I picked up with interest. I have read most books on the personal computer revolution and its history. My favourite being Steven Levy's Hackers: Heroes of the Computer Revolution but I also liked his book on the history of Apple and Macintosh - Insanely Great: The Life and Times of Macintosh, the Computer That Changed Everything. The new Andy Herzfeld book is very well laid out and designed and looks like a very interesting read. There is a forward by Steve Wozniak that says this is the best and most true book that he has read about the history of Apple and the Mac. The book includes loads of photos and even copies of Andy's notebooks from the time. The book is based around short stories that Andy had written down and published on a website about Apples history and the history and memories of creating the Mac. There are a number of other authors that have now written for the site and you can search and add comments. This is a good website. The book -
Revolution In The Valley: The Insanely Great Story of How the Mac Was Made
- is based on the site and includes key events and stories mostly written by Andy. Anyway i bought it and will read it mostly because I like these types of history books.

Of interest this evening i also note that Mark is also talking Apple in his post Apple Move To Intel Processors From 2006. This is an interesting post by Mark and could prove a good alternative platform for Oracle in the future.

OK, that is it, back to Oracle security now..:-)

Interesting post in Amis about "who called me"

I saw an interesting post on the Amis blog posted by Lucas Jellema and titled "Who is calling me? - Analyzing the Java Callstack" this evening about finding out who is a Java class invoked the method. The trick Lucas is showing is to create a new throwable and to then inspect the stacktrace. Lucas then goes through some example code. This is a very useful post and reminds me of Tom's similar methods for finding out who called a function or procedure but for PL/SQL - in fact similarly named who_called_me. There is an example of its use on a page titled - (broken link) How Can I find out who called me or what my name is and the code or who_called_me and who_am_i is available here. I have changed the links to be asktom links that I found on Tom's site as they were pointing at - which Tom told me some time ago are not valid anymore.

A truss like tool for IBM AIX and a file undelete program

I have been reading Reversing: Secrets of Reverse Engineering as I mentioned a few posts ago in a post titled "A good book on reverse engineering". I have been reading and skimming the book, which so far is excellent. I started to look at different ways that can be used to analyse what a program does or rather how it does it. One way that is less intrusive (if that is the right word) in finding out how a program got where it did is to trace it. This is exactly what Oracle's own trace mechanisms do, except that their trace is built into the code tree as instrumentation. If a piece of software has been instrumented then it is easy to turn on trace and gather information about flow of control and also error stacks and details of certain internal structures and values. If there is no instrumentation then it is much harder to track what the program does. Tools like OCI Spy (There is a link on my Oracle security tools page) and P6Spy for Java allow function calls to be caught and the parameters displayed. This is the same trick that tools such as strace, ltrace and truss use to hook function calls as they are made.

If you are interested in security then you need to be aware of the techniques that hackers can use to find out how your applications work.

Thinking about trace methods made me remember my good friend Phil's program libtrace that was written a few years ago. Phil wrote the C and PowerPC assembler code to hook calls made to functions in dynamic link libraries for IBM AIX 4.3 and higher. This enabled Phil to get truss like functionality for the IBM. The code is available on Phil's companies page Useful Programs and Scripts. libtrace is included along with some other useful programs, for instance inf_vgda that Phil wrote to allow the manipulation of the VGDA area of a LVM managed physical disk. This all means that you can hot swap disks (as Phil says, "if you know what you ar doing").

Another program that is of interest is rsb also written by Phil that allows the superblock of a jsf file system to be read and dumped. This includes inodes of files that have been deleted. If this is the case and the physical space has not be overwritten it allows files to be "undeleted". This can be useful if something is deleted and you need it. But also remember that someone else could "undelete" files or data that you thought had been deleted.

Default passwords for Oracle BPEL Process manager

I saw Antony Reynold's blog entry in - (broken link) orablogs last night and made a note to have a look at his post titled - (broken link) Default Passwords for Oracle BPEL Process Manager What is the $***#! Password?. This is a short but useful post that lists 4 default users and their default passwords for the BPEL Process manager 10.1.2. Antony details the components, the username, the password and some short notes for each to determine its use.

I am always interested in default accounts and their default passwords. These are always a useful addition to an auditorís toolkit. I have a good list of database usernames and passwords on my page
Oracle Default Password List and also a check tool on my page Oracle Default Password Auditing Tool.

Debu talked about EJB security hole

I made a note about Debu Panda's post "Anonymous EJB Lookup - leaving a security hole in your applications" in his web log a couple of months ago in my bookmarks file and have finally got around to looking at it. I keep a huge list of interesting things I find and papers to read etc in a file and work through them when I get chance but I tend to surf in my spare time for new items so some tend to end up way down the list like this one. I kept it on the list though, rather than marking it as read as it talked in the title about a security hole. Phrases like this always keep me interested, eventually.

In the post Debu talks about how some customerís complain that OC4J does not support anonymous EJB lookup and execution of EJB methods. Debu says

"In my opinion security is a practice that starts during development and I view this as a big security hole in the applications because you are leaving your EJBs in ?ejb30slsb? Applications to be executed by anyone and I will advise against doing this."

he goes on to say that many people have been doing similar for years with other application servers and that they had been looking at this for years but did not allow it out of the box. He then goes on to show an example of how to do it for those who do not care about security. He finishes with

"THINK twice before you do this!"

This is an interesting post because it shows a good lesson. In general if something is not possible or available out of the box and itís a security risk then do not enable it. There are good reasons not to do so. If the product you are using is internet or Intranet facing then the risks are very high. People do love to have things made easy, including not having to authenticate or go through hoops to use something. If something that is a security risk is disabled then don't enable it!

Wait even enhancements in 10g

I was looking for something about trace in 10g and found Mark Rittman's blog entry titled "Wait Event Enhancements in Oracle 10g". Trace is an area that i have an interest in for many reasons. the first being that trace is a good tool for discovering details about how Oracle works and sometimes for discovering information leakage such as passwords being leaked in clear text or when passwords are leaked by using some of the many Oracle dump commands - I talked about this in a post I made to a mailing list a long time ago - A link is available to the post "Revealing clear text passwords from the SGA" on my Oracle security white papers page. I am also interested in trace for forensics and audit work. I wrote a detailed paper some time back called "many ways to set Oracle trace for your session, others sessions and at instance level" - This paper details many ways to set trace for your own sessions or others and at different levels. In Marks post I was particularly interested in the paper Mark quotes - (broken link) Wait Event Enhancements in Oracle 10g written by Terry Sutton and Roger Schrag of Database Specialists, Inc. This is a good very detailed paper and worth reading. Mark's post is also worth a look as it suggests an earlier paper - (broken link) Interpreting Wait Events to Boost System Performance and also Mark suggests some other good links on the same subject at the end of his post.

DBA Audit 2.5 - An interesting audit product.

I was looking for something on Google and came across an audit product called DB Audit 2.5. I recognised the name and the site as I had added this product to my Oracle Security tools page some time ago as version 2.0. I did notice that the DB Audit product has been updated to version 2.5 from the previous version 2.0. I have updated my security tools page and changed the link I had and also updated the version number.

This looks like an auditing interesting product. Setting up and auditing Oracle can be very complex as it is a huge area to get to grips with. I wrote a paper for Security Focus some time back called "An Introduction to simple Oracle Auditing" - A link is available on my Oracle security papers page. DB Audit 2.5 works for other database products such as Sybase, DB2, MS SQL Server as well as Oracle and itís a centralised tool that allows access to a set of built in reports. I have not had a chance to look at this software yet so cannot recommend it BUT from viewing the website and the product details it is certainly worth a look. There are a number of players in this product space now but this tool looks quite comprehensive. There is a free trial download available and also a white paper called DB Audit white paper.

OT: A book on how to build an Apple 1 replica

I get occasional emails from Syngress advertising their books and saw a book about a week or so ago about building your own Apple 1 so I made a note to take a look. This evening I went over to Amazon to find the book. The book is called Apple I Replica Creation and is written by Tom Owad and John Greco. This sounds like a great book, it starts with an introduction by Steve Wozniak the creator of the Apple 1 the computer that kick started the personal computer revolution in the mid 1970's. The book then describes how to build the computer so that you can create your own, how to program it and then how to play with it an how to modify it. You can either find all the bits yourself and build your own Apple 1 the hard way or buy a kit and put it together.

This post is off topic but for me very interesting. I have always been interested by the computer revolution and have read most of the classic books on the history of it, including Accidental Empires by Robert X Cringely and of course Hackers: Heroes of the Computer Revolution by Steven Levy of which I have 3 copies of, one of which has circumvented the globe twice with me.

The Apple book looks great and I will probably order it, whether I would build an Apple 1 or not is another thing. I did build a Microtan 65 around 1980 - which I still have in my loft along with an oscilloscope I built from scratch in 1979 / 1980. It would be great to see a detailed book like Apple 1 book for some of the other classic computers such as the MITS Altair 8800 - regarded as the first real micro-computer. Great idea for a book though, how to build a classic computer.

SANSFIRE is coming up very soon

I was searching for something on Google today and noticed a link to the SANSFIRE conference coming up soon - June 12 - June 18 in fact in Atlanta, GA. So I thought it worthwhile mentioning the SANS training / conference here. The SANSFIRE annual conference main page is here.

I wrote the new 6 day hands on Securing Oracle track that is being presented there this year. The track is called SECURITY 509: Securing Oracle and will be taught by Josh Wright. Links for each course day give details of what is covered each day. Here they are:

Day 1 - Securing Oracle Foundations

Day 2 - Securing Oracle's Authentication Process

Day 3 - Oracle Access Controls - Configuration

Day 4 - Auditing Oracle

Day 5 - Networking, Backups and SQL*Plus

Day 6 - Securing Applications and an Introduction to 9ias

If you want to know more about Oracle security and securing your Oracle database then SANS is the best place to go for good training on Oracle security and for many other security courses.

A good book on reverse engineering

I was in Borders the other looking for a book for my wife and ended up (as usual!) in the computer books section. I was browsing the security books and came across a book on reverse engineering that I had not seen before. The book is titled "Reversing: The Hacker's Guide to Reverse Engineering" and is written by Eldad Eilam. I have always been interested in this area and also decompilers so i ended up buying it. I have not had chance to read it yet, except to skim it. The book starts with some basic background on reversing and then moves on to look at low level software, assembler, compilers etc. The book then includes some Windows fundamentals and then moves on to talk about creating a reversing toolkit by discussing some useful tools, dissasemblers, debuggers (kernel and user), decompilers, patch tools, system monitoring, tracing etc. The second part then looks at some practical examples, auditing binaries and also how to reverse malware. Part three then looks at cracking, piracy and copy protection and how to help prevent reversing techniques, how to break protection and then finally in part 4 Eldad talks about reversing .NET and also decompilers.

This looks like a great book, I will let you know when I have read it if it really is. The obvious question is why read a book like this? - Well for me because I am interested in anything security related and also as you know Oracle related. Reverse engineering is normally not something a DBA or anyone managing an Oracle system and applications should be concerned with but if you want to secure your applications then its is worth knowing what hackers get up to. If you understand the threats then you can better secure your applications and data. As Reg Holdsworth used to say on Cornonation Street "Knowledge is power". (For those not in the UK, Coronation Street is one of the most popular and long running soap operas here).

Steve has improved his Custom JDBC URL example

I just saw Steve Muench's post to his blog titled "Improving the Comments in my Custom JDBC URL Example for Pete" (I think that is the first blog entry I have seen addressed to me!). Steve has made some changes to the comments in his example code that he discusses in his earlier post "Providing Fixed JDBC Credentials from Custom Source" because of my comments in my post "Steve has added an undocumented sample for fixed JDBC credentials". I said it was not a good idea to hard code passwords in applications. Steve never intended this to be the case, his new class was instead a starting point for users to read in the username and password from a more secure location such as a properties file, custom repository or something else. Steve also points out that an encrypted password will improve the security somewhat more.

Thanks for the update Steve and for the clarification.

An interesting post about PeopleSoft and Oracle

I saw Richard Byrom's post this morning on - (broken link) orablogs titled Project Fusion at Peoplesoft Planet and went across for a look as I am interested to see how the new Oracle / Peoplesoft marriage is going. Richard informs us of an interesting portal site called Oracle and Peoplesoft planet. The part of the post that was interesting to me was the page on Project Fusion on the same site. Fusion is the rumoured codename of the first Oracle / Peoplesoft combined application. This is due to be released after PeopleSoft 9 has been out for a while. Fusion will be a major competitor for SAP.

The site then details some of the items that they feel Oracle should do to make Fusion a success. The whole list makes interesting reading but the one item that interested me was the one related to security. The author states that security integration is the key to success. Security companies such as Oblix and Netegrity are mentioned as companies familiar with securing ERP solutions. The suggestion is that industry standard tools if added to the product would make it an industry winner. As the author says, companies that are able to keep client data secure will triumph.

Interesting sentiments.

Steve has added an undocumented sample for fixed JDBC credentials

I saw Steve Muench's blog entry this morning on - (broken link) orablogs and went over to Steve's site for a proper look as it sounded security related. Steve's post is titled "Providing Fixed JDBC Credentials from Custom Source" and talks about a customer question he has recently received from an Oracle consultant asking if it is possible to provide JDBC connection information in a place other than the bc4j.xcfg file. Steve has added an extra item to his undocumented samples page, number #38 titled "Set Fixed JDBC URL Connection to Custom Value from Alternative Source". In this example Steve has hard coded the connection information in a class called CustomJDBCURLInfoProvider.

I am never convinced about hard coding usernames and passwords inside application source code that is then deployed into a number of locations that are under less control than the configuration file could be - Yes I know that in a lot of clients neither the file or the Java will probably be secured. The Java source can be either reversed quite easily or a string utility or binary editor used to extract the password quite easily. Of course a configuration file does not need to be reversed!, it can be simply read if access is gained. BUT, as I am not an expert in Steve's Java areas it is harder for me to know about the whole security landscape used. My opinion would be that if presented with two choices of either hard coding the password in a configuration file or in the source code, I would choose the configuration file as there are better potentials for securing the file as there is a better chance of centralising it rather than having the password in multiple deployments of the Java classes. That said neither solution is great for strong security - This is no reflection on Steve's example.

If you are concerned with good security then look at password repository solutions, or do not store the password, have it passed in if possible or use solutions such as LDAP. Of course always use the least privilege principle. This means ensuring that the privileges assigned to the user who's password is stored or hard coded is set to the minimums possible, this is sometimes hard to do especially with existing systems but it is worth the effort. If you seriously reduce the privileges to only what is necessary you lessen the risk of an attacker being able to do anything with an account if he learns its password.