Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Security professionals at risk from hacking laws

http://www.techworld.com/security/news/index.cfm?newsID=6990&pagtype=all - (broken link) Security professionals at risk from hacking laws - by Jeremy Kirk

"Company networks could be made less secure if projected computer crime legislation is introduced in several European countries. According to several security professionals, that would be the unintended consequence of anti-hacking laws.

The UK and Germany are among the countries that are considering revisions to their computer crime laws in line with the 2001 Convention on Cybercrime, a Europe-wide treaty, and with a similar European Union measure passed in early 2005."


This is a worrying possible change in the law for the UK and Germany, if the politicians get it wrong with the changes to the Computer Misuse Act as discussed in this article then it could become dodgy for security testers. The bigger implications suggested in this article is that it would effectively become illegal to own hacking tools. Would that mean that it would become illegal to disclose exploits and security holes? afterall they could be used to commit an offense! if the laws change how would anyone legally check their systems for secure configurations or have a penetration test performed by third parties if te tools used are illegal or the information pertaining to potential exploits is also made illegal? -

Security Inside

Security Inside - Oracle database vault secures the inside of the enterprise.

by David A. Kelly

"Creating a data security strategy that fits your business is more than simply ensuring that basic access controls are defined or proper firewalls are in place. Having a comprehensive security plan means going beyond traditional security approaches to find flexible solutions that can help reduce internal and external risks, improve accountability, and enable organizations to do business more efficiently."

The Oracle magazine is now available electronically so I went for a look and found the above security article. The September / October issue is titled "Security Inside". There is also a good article on secure search titled:

"Secure Search Returns Best Results" - by Ron Hardman

"If your company is like most, data—some meant to be shared and some not—is stored in multiple locations. Those locations may include


File servers
E-mail messages and attachments
ERP modules
An intranet
Configuration management repositories
Multiple databases
Applications with existing search interfaces
Document archives
Desktop/laptop computers "


Nice article.

Project lockdown

I was looking for the project lockdown paper by Arup Nanda at the weekend to re-read this paper to see if is covered a specific issue i was interested in and when i went to the Oracle page i noticed that there is now a pdf version of the complete 4 part paper. This is called "Project lockdown - A phased approach to securing your database infrastructure". I am not certain that the pdf was there when i originally looked at Arups paper. i didnt write about it and I didnt have a copy downloaded so I suspect not. I also note that the pdf has some extras in it. There is an appendix that includes a brief security primer and also three useful checklists aimed at the first three phases of the project.

It is well worth a visit to look at the pdf to get the extras and to keep a complete copy of this paper locally for future reference. Excellent paper Arup!

Only 6% of identity theft can be attributed to data theft.

I saw Beth's post today on her blog titled "Identity Theft: Only 6% From Data Breaches?" and was interested to read. She refers to an article "Data breaches yield few ID thefts, survey says - A bigger danger: Stolen wallets and checkbooks" that discussed identity thefts and this article claims that the biggest culprit is theft of wallets or checkbooks. I have to wonder about these results. Is this based on actual numbers of crimes or numbers of identities stolen. One wallet - likely to be one identity theft. One database breach can be 10s of thousands and in some cases millions of identities stolen. Imagine the number of wallets stolen every day, a lot are most likely stolen for the contents (Money and cards) for use not to clone or steal identities. This would seem to imply that large data breaches result in very small numbers of identities being stolen. This is an interesting study, the article sites two other studies that seem to back up the claims.

Cybercrime Is Getting Organized

Cybercrime Is Getting Organized - Reuters

"Cyberscams are increasingly being committed by organized crime syndicates out to profit from sophisticated ruses rather than hackers keen to make an online name for themselves, according to a top U.S. official.

Christopher Painter, deputy chief of the computer crimes and intellectual property section at the Department of Justice, said there had been a distinct shift in recent years in the type of cybercriminals that online detectives now encounter.

"There has been a change in the people who attack computer networks, away from the 'bragging hacker' toward those driven by monetary motives," Painter told Reuters in an interview this week."


This is a very interesting post whilst not directly about Oracle and Oracle security it says something about how the protection of data should be becoming much more important for any company that stores data in databases.

Two years of Oracle Security blogging and still going strong

Today is the second anniversary of me running this blog. I have enjoyed the two years so far its been an interesting journey with lots of interesting stuff to write about and link to. The biggest thing that has surprised me over the last two years has been the amount of Oracle security news, articles, tools and good information that i have been able to find and write about. Database security in general and Oracle security specifically have become very mainstream. I guess people are finally waking up to the fact that data is now the target for hackers and identity thieves.

OK, so how has the blog faired in the last year? - This is the 912th post so far. Last year on the first aniversary I had reached 560 posts so I guess I have slowed down in my second year. The statistics for the site have increased again over the second year. Last year i was getting around 2100 visits per day and around 0.5 million visits in the year and 1.5 million page views in the year. This has increased to an average of around 3500 visitors per day and 1.2 million visits in the year and 3.2 million page views. I have had a peak of around 150,000 visits on one month and a highest visit number of 7200 in one day. So i guess its going well.

What is the highlight of the year? - for me speaking at BlackHat in Las Vegas at the beginning of August on how to un-wrap PL/SQL and the podcast I did for searchOracle recently.

whats in store for the next year? - I think that Oracle security is becoming more mainstream and this is bourne out by the amount of stuff I can write about. I have posted less posts in the last year but I have a huge choice and backlog of things I can post about. Maybe I have become better at finding interesting subjects to include here?

Pete Finnigan at UKOUG 2006

I have seen that the agenda for the UKOUG 2006 to be held in Birmingham Nov 14th to Nov 17th is now on-line. I have been accepted for four slots at the conference, so I will be very busy whilst there and also during the next month and a half getting presentations ready. I actually put in five papers but as they have combined two of mine I felt I got at least a sort of full house in acceptance of papers. I also signed up to do the intro's for other speakers but have not heard about that yet. I am doing one of the masterclasses listed on the main http://conference.ukoug.org/agenda - (broken lnik) agenda highlights page. This is http://conference.ukoug.org/default.asp?p=246&dlgact=shwprs&prs_prsid=46&day_dayid=4 - (broken link) Many Ways to become a DBA. This paper is an update on the same paper I have given at a number of conferences. This is a more in-depth look at Oracle security and will include more demonstrations and also more chance for the attendees to ask questions. This should be fun!

My second slot is one of the round table panel events although the date and time are still to be sorted. The panel session is called http://conference.ukoug.org/default.asp?p=246&dlgact=searchshwprs&prs_prsid=120&day_dayid=1&src_dayid=1%2C+2%2C+3%2C+4&prs_keywords=pete+finnigan - (broken link) Oracle Security Roundtable and will include some of the worlds leading database security experts.

My third slot is titled http://conference.ukoug.org/default.asp?p=246&dlgact=shwprs&prs_prsid=48&day_dayid=1 - (broken link) Encrypting data, is it possible to prevent access? and as the titled suggests it explores if it is possible to encrypt data at rest, in transit or in the database with off the shelf options. I also discuss some of the "key" issues (pun intended!).

My final slot is titled http://conference.ukoug.org/default.asp?p=246&dlgact=searchshwprs&prs_prsid=460&day_dayid=1&src_dayid=1%2C+2%2C+3%2C+4&prs_keywords=pete+finnigan - (broken link) Does VPD, FGA or audit really cause performance issues? and in this presentation I will explore some of the myths and facts about these technologies.

Cache missing for fun and profit

I saw a mention of this paper on a list somewhere and made a note to have a look. This is a very interesting idea on how to hack cryptographic keys. The paper is titled "Cache missing for fun and profit" - by Colin Percival

"Abstract. Simultaneous multithreading — put simply, the shar-ing of the execution resources of a superscalar processor betweenmultiple execution threads — has recently become widespread viaits introduction (under the name “Hyper-Threading”) into IntelPentium 4 processors. In this implementation, for reasons of ef-ficiency and economy of processor area, the sharing of processorresources between threads extends beyond the execution units; ofparticular concern is that the threads share access to the memorycaches.We demonstrate that this shared access to memory caches pro-vides not only an easily used high bandwidth covert channel be-tween threads, but also permits a malicious thread (operating, intheory, with limited privileges) to monitor the execution of anotherthread, allowing in many cases for theft of cryptographic keys.Finally, we provide some suggestions to processor designers, op-erating system vendors, and the authors of cryptographic software,of how this attack could be mitigated or eliminated entirely."

IT Underground conference in Rome cancelled at last minute

I reported last week that I would be speaking at the IT Underground conference in Rome in a post titled "I will be speaking at the IT Underground in Rome" next week but today I received an email from the organiser telling me that the conference has been cancelled. He did not say why. This is a pity as I was looking forwards to doing a hands on version of my many ways to become a DBA presentation. It is also very annoying as I spent quite a bit of time building a VMWare image and Oracle database on it prepared for the attendees to try Oracle security exploits against and also for them to try some Oracle security tools against. I also spent time updating the presentation. I also prepared quite a number of exercises for attendees to try.

Nice network trace tool

I saw this evening a post on the Blogging About Oracle blog titled http://www.bloggingaboutoracle.org/archives/low-level-debugging-webservices - (broken link) Low level debugging webservices and went for a look. Security, undocumented stuff and low level / debugging internals type stuff always grabs my interest. This is a post about a nice tool YATT. There are of course other network analysers out there but this doesnt look bad.

Pete Finnigan podcast interview on Oracle security

I have just noticed that the interview i did with Mark Brunelli of SearchOracle.com. I did the interview over the phone around 2 weeks ago and have been watching out for it appearing on the searchoracle site but Eddie beat me to it by blogging earlier...:-)

A description of the podcast is on the page titled "Podcast: Oracle security guru Peter Finnigan on the problem with PL/SQL" and the PL/SQL security podcast can be downloaded here.

I have to say that i really enjoyed doing this podcast, it was really interesting to chat about Oracle security using my voice rather than my fingers and keyboard. I have not done a podcast before, i have done telephone interviews that then have elements and quotes extracted in writing but not a podcast.

Nice idea on audition using trace events

There was an interesting post on my Oracle security forum yesterday by Marcel-Jan about using event ORA-942 to detect if someone is attempting to access tables that do not exist. This post is titled "ORA-942 as addition to auditing" and is an interesting idea. It will be interesting to test this to see if the performance hit would be too great. It would be interesting to compare this with table access audit on error and also with system error triggers.

Its an interesting idea if you know anything of SQL Server as it can use trace for detailed level audit.

I will be speaking at the IT Underground in Rome

I will be speaking at the IT Underground conference in Rome on September 21st. This is a two day conference with a bit of difference. There are normal presentations and also Bring Your Own Laptop (BYOL) presentations. I will be doing one of these, the fisrt hour will be me speaking and the second hour will be a hands on chance for the attendees to have a go at hacking Oracle and auditing Oracle for security issues.

I am looking forwards to this conference, it will be nice to be back in Rome again.

Interesting post about protecting PL/SQL

I saw a post on Robert Vollman's blog tonight titled "Protecting PL/SQL Code" which interests me as I am interested in how to unwrap PL/SQL. What Robert says is still good advice as there are no real other options to protect intellectual property written in PL/SQL apart from not shipping the code to the server and also locking down the privileges on the source$ table and the IDL$ tables.