Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Alex Hutton Podcast on data breach - (broken link) Lindsay blogged about the recent data breach report from Verizon last week. Alex Hutton, one of the authors has just re-tweeted DennisF's tweet that he has done a podcast about the data breach report. Enjoy!

EDITED: I incorrectly added the link to the background music first time, now the link is to DennisF's podcast!, thanks for the correction Lindsay

Would You Like A Job in Database Security?

Lindsay from - (broken link) Cervello Consultants has asked me to promote a job he is recruiting for. Lindsays company specialises in data security assurance and particularly in designing, deploying, integrating and testing database security vulnerability scanning, enterprise scanning solutions, database activity monitoring solutions and database auditing solutions. They are an experienced team who are looking to expand and this is a great oppertunity if you live in the UK and are looking to work on exciting projects in this database security space. The job description is on the - (broken link) Cervello Careers Page, please take a look and if you are interested send your CV to Lindsay (his details are on the same page)

Hacking Oracle over the web and exploiting Database Vault

The BlackHat USA event in Caesars Palace Las vegas was on at the end of July and now the papers have been put up on the BlackHat site. I saw that Sumit Siddharth had posted his slides a couple of days ago to his site in a post titled BlackHat 2010 and made a note but i didnt time until this evening to blog about it. Sid has posted the slides and some videos to this blog post. The slides are on slide share but dont play properly in IE you need Firefox!

I went over to the Blackhat site and found the link to his paper and also checked what else is there. The only other Oracle paper I could see is Estebans; more on that in a minute.

Sid's paper is titled "Hacking Oracle from the web: Exploiting SQL Injection from web applications". This is a nice summary paper of SQL Injection against Oracle covering data extraction, privilege escalation and OS Code execution and a little on PL/SQL Injection.

Estebans paper is called "Hacking and protecting Oracle database vault" and is a really nice summary of some of the ways to exploit DV and of course to protect against those issues. Some are well known such as unlinking, os bypass and some less known such as masqurading as MACSYS. As usual from Esteban its a good paper. The slides from his talk are also available as are the scripts he made available.


Data Breach Survey Results

Lindsay Hamilton of - (broken link ) Cervello Consultants has just started a new blog aimed at data security, data breaches and data security vulnerability scanning and activity monitoring. This should be worth watching as data breaches are certainly an in topic subject with lots of reports of data loss and data theft reported on main stream news and also even dedicated TV programs created on the subject.

Lindsay has just posted an entry to his blog about a new survey on data breaches. The blog post is titled - (broken link) The ignored evidence of data breaches …. and is very interesting in that its been conducted over many years using a lot of data and also it certainly confirms what I see day to day at clients; particularly the fact that most clients seem to leave the data outside of the database and any security that they have created there. Also telling is the issue of breach evidence that is not noticed by the owner of the data.

This is a nice post and I have also added Lindsays blog feed to my blogs aggregator.