
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Oracle Password Cracker written in PL/SQL is available

I have just created a dedicated page for my PL/SQL Oracle database password cracker and also linked to it from the Oracle Security Tools page. The code is available as a zip file at the end of the PL/SQL Oracle password cracker page.

I won't go into more detail here as I have shown it running previously in this blog in a post titled "A new Oracle Password cracker that runs inside the database" and I have also described it in great detail in the page for the cracker, listed above.

It's raw and beta still and I have some work to do to it, but it's stable and works so it's worth putting it out now. I will make some changes over the coming days and add some more functionality and post up the updates when they are ready.

I recommend anyone interested in securing their database to download it as it's free, it's simple, and you can run it in SQL*Plus, so there is no excuse now for any DBA to not harden and strengthen the passwords in their databases.

Oracle Security talk available as slides and also video

On Tuesday I did a webinar for Sentrigo on the subject of Oracle Security (of course). This went well and we had quite a good attendance. I started the talk with a ten minute or so demo of hacking an Oracle database to steal credit cards. I wanted to get across the message that hacking Oracle is not about granting DBA to PUBLIC or SCOTT but it's about any privilege or access abuse that allows data to be stolen. Unfortunately (for the owners of data) it's not rocket science to steal data from an Oracle database.

The slides for the presentation are available on my Oracle Security white papers page.

Also Sentrigo recorded the session as video. This is available from this URL:

An update, slides, USA and a masterclass

Well it has been a really busy last few weeks, phew.... I have had little free time to do anything for myself except work for clients and keep the business running. On one hand that's great, but on the other it would also be nice to have free time.

OK, a number of people have emailed me, sent me PMs, even someone sent me an SMS and a couple of blog comments have been posted. What is happening with the PL/SQL password cracker? Well I just have not had free time to sort it out. I need to simply add a header text to it, clear out all the debug code, ideally add the 11g code and of course post it up. I am going to have some free time Thursday so I will promise to post it up on my tools page on Thursday and also mention it here. Sorry to those that have been waiting and sorry to those who have been teased by seeing it running last week in Iceland.

I also gave a webinar talk today for Sentrigo on the subject of Oracle security of course. This was fun although it is still weird after now having done three webinars to speak and get absolutely no feedback. I will post the slides on my site on Thursday for those who have asked me about them.

I also saw a couple of posts last week around travel to the states and the new rules that allow the US customs to take laptops and other electronic items to review. This is very worrying as it is probably pot luck as to whether you fall victim to this. There is a story "Homeland Security: We can seize laptops for an indefinite period" about it and some tips on PC World in an article titled "Five Things to Know About U.S. Border Laptop Searches" and finally Tom's experiences in the same area in a post titled "Crossing the border... ". This is a worry if you use a laptop for your business; what do you do? Stay out of the states, don't take a laptop, or email in your data and collect it there? I guess if you need to go to the states you need to prepare for this.

Finally for this short post, I saw from browsing the UKOUG calendar for the conference in December that I have also had my Oracle Security Masterclass accepted. This is good news and should be a fun session. I have enjoyed the masterclasses particularly in the past as they allow a more in-depth look at the subject. I will talk more later in the year about the content of this masterclass, it will be worth coming along.

OK, enough for now, I have worked past midnight a few nights in the last week, I need a rest..:-)

Oracle Security webinar with Pete Finnigan

Next week on the 23rd of September at 15:00 UK time I am going to be doing another webinar on Oracle database security with Sentrigo. Here are the details being sent out for the webinar, I would be pleased for any of you to join us on this event:

Database Security Masterclass with Pete Finnigan

DATE: Tuesday, September 23rd
TIME: (US Attendees) 7am PT/ 10am ET (UK Attendees) 3pm UK
DURATION: 60 Minutes


Back by popular demand, Pete Finnigan, one of the world's foremost authorities on database security, will lead this live Database Security Masterclass. In this Masterclass, Finnigan will share his knowledge and best practices on securing the DBMS.

For over a decade, Finnigan has been one of the most well-known experts on DBMS security, has authored a best-selling book on the topic and regularly attracts large crowds at user group events in the UK and the US, and many security conferences world-wide. He consults to a wide array of blue-chip clients, and his Website ( comprises the best reference on the Web for Oracle database security.

Learn about:

• How databases are compromised (including live demonstrations)
• Techniques and tools that can help secure the DBMS
• Priorities in risk mitigation and remediation of security gaps


If you are unable to join us but know of a colleague in the database or security departments who may be interested, please feel free to forward them this e-mail.

Best regards,
The Sentrigo team

Oracle Security Masterclass slides available

It has been a while since my last blog entry, things have been very busy work wise over the last few weeks, lots of travelling all over the place and lots of work..:-)

Last week I was in Reykjavik to teach an Oracle Security Masterclass, which went really well. The slides are available on my Oracle Security White papers page, first entry.

I have not forgotten about releasing the PL/SQL cracker. The code still needs cleaning, I hope to do this and release it in the next few days, please bear with me.