Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

An interesting post on Stephen's Oracle blog about SYSDBA passwords

I was surfing my Oracle blogs aggregator this evening and saw Stephen's post on his blog titled "Does Oracle cache the SYSDBA password?". This post, if true, is quite interesting, and for someone with a devious mind it may prove to be useful in a security / hacking context. If Oracle is caching the password file (this should be testable - is that a word? - with truss) then there could be a way to abuse that fact. Interesting post nonetheless.

Survey: Hardware, not hackers, usually causes Oracle database downtime

Survey: Hardware, not hackers, usually causes Oracle database downtime - Despite stricter service-level agreements, few DBAs use grid, clustering systems - by Eric Lai

"June 21, 2006 (Computerworld) -- Faulty hardware, not hackers, caused most of the unplanned downtime experienced by Oracle Corp. databases in the past year, according to the results of a recent survey by the Independent Oracle Users Group (IOUG)."

Social Engineering, the USB Way

"JUNE 7, 2006 | We recently got hired by a credit union to assess the security of its network. The client asked that we really push hard on the social engineering button. In the past, they'd had problems with employees sharing passwords and giving up information easily. Leveraging our effort in the report was a way to drive the message home to the employees."

Nice post about identities

I was just browsing my Oracle blogs aggregator and came across Nishant Kaushik's blog entry titled - (broken link) Phil Becker identifies the top 5 Identity Fallacies. This is a blog entry about Phil Becker's 5-article series about identities. Nice post.

Building a Simple Firewall Using Oracle Net

Building a Simple Firewall Using Oracle Net - by Arup Nanda

"So, you want to set up a secured database infrastructure?
You are not alone. With the proliferation of threats from all sources — identity thefts to corporate espionage cases — and with increased legislative pressures designed to protect and serve consumer privacy, security has taken on a new meaning and purpose. Part of the security infrastructure of an organization falls right into your lap as a DBA, since it’s your responsibility to secure the database servers from malicious entities and curious insiders."

Excellent paper.

The DTI security breach survey is out

I saw at the weekend that the DTI's security breach survey for 2006 had been released in April. This is an interesting survey produced by PWC for the DTI (Department of Trade and Industry). The "DTI Information Security Breaches Survey 2006 – full survey results" page links to the executive summary and also to the full report. I have read the executive summary, which makes interesting reading on a number of levels. First, at a high level there seems to be improvement since the last time the survey was done in 2004. At a lower level, though, the figures tell a different story, and it seems to be about expenditure and budget. A shocking 14% of companies do not spend any of their budgets on security, and 18% of big companies admitted they had discovered users sharing IDs and performing unauthorised access to systems. It makes interesting reading.

An Expert's Perspective on the VA Data Theft

An Expert's Perspective on the VA Data Theft - Government security expert Bruce Brody shares his thoughts on the data theft from the VA. - This is an interesting news item about data theft and specifically about identity theft. This is real world news that anyone who is in charge of the storage of personal details should heed. This is a good example of a public theft of data, a large amount of data. How many more have gone undetected or unreported? - I am not just talking about government or Oracle here. Everyone needs to be aware that private personal data is now a target.

is to be a terminal release

I saw with interest this evening a post on Matt Penny's blog titled - (broken link) - "terminal release". He refers to Metalink note 189908.1.

Laurent on mod_plsql

I saw a post by Laurent over a week ago with a simple example of how to use mod_plsql and the Apache web server. Laurent's post is titled "mod_plsql". This is fantastic technology. I run a website and install and configure software, and I write software in many languages when I get any chance to do so, so I appreciate how easy it is to create a web based application with Oracle. This is so easy that it's scary; the problem for me is the security risks. If you can expose a database to a network and create nice browser based applications this easily, there have to be risks. Take a look at Laurent's post, it's interesting reading. Look for the obvious security problem.

undocumented pragmas

I came across Eddie's post this evening about three undocumented pragmas that are used in the SYS.STANDARD package. These are BUILTIN, FIPSFLAG and INTERFACE. Like Eddie, I am always interested in undocumented Oracle. I like undocumented features; we should not use them in production databases of course, but they give clues to the internal workings of the database, and for people like me they also give clues as to how you can break Oracle. Eddie's post is titled "About the BUILTIN, FIPSFLAG and INTERFACE pragmas in Oracle".

I knew about these previously, as quoted by Eddie in his post. Also read my comment at the end of his post, as I actually tested the INTERFACE C pragma back in August 2001; this is documented in the Exploiting and Protecting Oracle paper. My comment is here:

"A couple of comments. Normally FIPS stands for Federal Information Processing Standards, I don’t know but maybe it’s related?

Also on the Pragma interface C, if you read further in my first big Oracle paper (Exploiting and protecting Oracle) you will see that I tried to use the syntax myself but it fails with an ORA-6509 - ICD vector Processing error. I assumed at the time that Oracle implements a function call table. Like a table of structs that includes details for each function implemented as a pragma interface C call. This table or linked list would include function pointers for each C function, hence you cannot simply call your own C directly from PL/SQL unless you can update this table to add the address of the function you add. This is a great interface for calling C directly without the extproc overheads if only we could find a way to make it work..:-)"

Good post Eddie!

Oracle blogs aggregator speeded up

I have seen some severe performance issues with my Oracle blogs aggregator recently, which I finally tracked down last night and made some changes for this evening. I use the - (broken link) lilina RSS feed aggregator for my Oracle blogs aggregator; it in turn uses the MagpieRSS code, which includes cache features. I found the issue was that the cache was not being honoured. I have fixed the core issue and set the cache refresh time to one hour (I may extend it out further), and now the page reloads much faster. It is even faster in the default configuration of 24 hours. If you choose week from the top menu then it still takes a little longer to load, but nowhere near as bad as it was.

So now that it's working much faster I have added in the feeds from (although I have noticed that this doesn't include all feeds listed on the site), Brian Duff's - (broken link) Orablogs and also Eddie's excellent oraNA :: Oracle News Aggregator. Adding these feeds has caused some duplication of entries. I will see how that goes for now.

New paper "Oracle Database Security"

I found a new paper about Oracle security this evening titled - (broken link) Oracle database security by Nathan Aaron. This is quite a good high level paper on Oracle and database security in general.