Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Webinar: The right way to secure Oracle by Pete Finnigan - Wednesday 29 September 2010

I am going to present my paper "The right Way to Secure Oracle" on Wednesday 29th September 12:00pm - 1pm EDT which should be 17:00 UK time (we are on BST at the moment and New York is also on DST, so 12 noon New York and 5pm UK.

Here is my text from the registration page:

Most companies use the checklist/tip based approach to secure their databases. However, this is a flawed approach. The checklists available for hardening are based around parameters and the core database software â€" not the data. The goal must be to secure the *data*, not the software; of course we must use the software setttings to secure the data, but the focus of any data security project must be the data.

Pete will show the issues with the traditional approach and then outline what is the correct approach to securing data with lots of examples and tips. Pete will work through the process needed step by step to target and understand your data, and then outline steps to secure it.

Presenter: Pete Finnigan
Pete is well known in the Oracle and security worlds for contributing to the field with books, papers and presentations. Pete wrote the SANS Oracle Security Step by Step (SANS) and created the S.C.O.R.E checklist, and the CIS Benchmark is based on his work. He recently wrote chapters on data security and user security for the new Oak Table book, "Oracle Expert Practices." Pete also consults for clients worldwide, securing their data through design work and security audits, and also teaching his very successful training courses.


If you would like to join the webinar, please go to the registration page.

Oracle Post Exploitation and Password cracking

I have been busy on a number of database security audits over the last few weeks as well as working on PFCLScan demos so I have not had much time to blog or tweet.

The Hactivity conference in Hungary took place last weekend and Laszlo Toth emailed me to let me know that he has posted his slides from the conference to his website. Laszlo did a nice talk covering descrypting OEM.Grid control passwords by extracting the keys from the emkey.ora file; this means that the newer method to encrypt passwords in OEM is broken and like the old method of simply calling the decrypt function its now possible to decrypt OEM passwords. The OEM repository should be protected in terms of architecture and security to prevent access to the encrypted data. This is of course an issue as blocking all access is not possible. This is an inherent issue of encryption in the database; that its virtually impossible to secure the keys used.

Laszlo also looked at the TDE wallet and master key and remote job scheduling and decrypting the scheduler credentials. This is an interesting area of weak encryption and shows Oracle allegiance to DES. Also Laszlo showed how to "hook" the encryption functions in the Oracle kernel on Linux and Windows to capture calls to the functions and to log the parameters. Very nice paper Laszlo.

Laszlo's paper is called "Oracle Post Exploitation Techniques" and he has also posted a flash demo for the injection part of the paper and promises more to come.

I also checked out Laszlo's friends site http://www.marcellmajor.com/ - (broken link) Marcell Major and he has also released the slides from his talk. Marcell's talk is titled http://www.marcellmajor.com/Hacktivity2010_WritingOwnPasswordCracker.pdf - (broken link) Writing your own password cracker and is an excellent talk of how to go about reverse engineering password algorithms so that password crackers can be created to test the strength of users passwords. Marcell talks about the Apache Derby algorithm, the Sybase SHA-256 and SYB-PROP algorithms. Marcell has published details of the http://www.marcellmajor.com/sybase_sha256.html - (broken link) Sybase SHA-256 algorithm and a http://www.marcellmajor.com/sybcrack.zip - (broken link) sybase password cracker based on Laszlo's woraauthbf. he promises to also release the SYB-PROP cracker soon.

Very nice paper Marcell!

English Football Fans Data Allegedly Sold to the BlackMarket

I saw today via my Oracle Security forum in a post by Marcel-Jan titled "Rogue employees sell passport data of World Cup fans" that refers to a blog on net security that alledges that passport and other details of 35,000 English fans who visited the World Cup in 2006 have been sold to the black market.

This is really interesting and backs up what I have been saying for years on a number of levels. The attack wasnt technical, the data was stolen by abusing functionallity and privileges granted to the attackers. This was also an insider attack. I constantly go on about the insider threat and the fact that having a firewall on the perimeter of an organisation does nothing to protect the data within as most staff have access to it via applications or directly to the databases. Often also data is not even held in just the database, often its copied many times and replicated outside of the database, this just means there is no controls over data and someone can pick it off easily if they wished. Whats more organisations rely on application security to protect the data whilst the database often has sweepingf privileges. When the same users are allowed different access through different applications they often can see data that was not intended for them to see.

You must know where your data is and who can access before any attempt to secure that data is made otherwise you are wasting your time.

Also today I came across another new blog in the data security space, that of Michael Smith which is called "Database Security" which i have also added to my Oracle security blogs aggregator.

Oracle Security Presentation Available

I was at the UKOUG UNIX SIG in Thames Valley park - Oracle's UK headquarters a couple of days ago, wednesday the 8th September to do a two part talk for the SIG. Of course my two talks were on Oracle Security and i felt went down really well. there was some good feedback and lots of discussions after the first part and all through lunch and I met a lot of nice people. I had to shoot off straight away after the second talk to a meeting so no time for questions/chat afterwards but all attendees are welcome to email with any further questions.

The two talks were around my favourite hobby horse, which is securing data - note I said securing data and not the database software - this is a very important as its impossible to secure your data unless you know where it is. That means all copies, all access paths to it and also you must know how it leaves the database. If someone wants to steal your credit card details and you have hardened your production database BUT you copy that data to test or dev or you print out reports and leave them on unsecured desks or you send reports to your suppliers or.... you get the picture. You must know where all copies of the data are and then you must know who (job descriptions, processes and people) can access that data. Armed with that knowledge you can start to secure the data.

The talk included quite a few demos that started with a basic exploit typical of that you can download. The point being that its easy to download and easy to execute BUT, if the exploiter has little knowledge of techie things (Oracle or the application) for instance then what does he/ she do next? This really says that your internal people who have technical knowledge pose a bigger threat than those that dont. I then did a demo that is more realistic, i.e. use your existing user account or guess an account and take advantage of bad design and access the data. This is the reality in real life. I then did a demo discussing what evidence was left by these two simple attacks. The bottom line is that unless you have pre-thought out your audit strategy then either you will have little or no audit trail or you will not be auditing whats needed to capture the attack. The second part to this is that unless there is some trigger to tell you that you have a security problem you dont even know what to look for.

Evidence trails are even more powerful for the attacker as he will guess you dont know who does what and he will check out what you can log and where the data really is and take a route to the data that doesnt log anything meaningful. Also he could spoof some or most of his identity. I demonstarted a simple stealth exploit by showing current connected users details in the database and then showing a simple Java JDBC client that I have created that spoofs identity in the database on demand. We also looked at reviewing data access to find out how the data has been copied and also to identify the access paths to the same data. Finally we looked at reviewing user accounts in the database and assessing the privilege levels.

The two part Oracle Security presentations are available on my Oracle Security white papers page. Also because last time i did a demo based talk someone asked me if it had been video'd or if anything else was available. This time i have written down the steps I took with names of scripts etc. Not all detailed steps mind you! but its better than nothing. The document is also included in the download in the Oracle Security white papers page.

Oracle Security

A few things to report about Oracle Security after we have had a short break for familly holidays and also because of a lot of work being done over the last few months. It is nice to be busy in these recessed times.

I am going to be down at Oracle's UK HQ at Thames Valley Park next week on Wednesday the 8th doing a two part talk on http://www.ukoug.org/calendar/show_events.jsp?year=2010&month=09&day=08 - (broken link) Oracle Security for the UKOUG. This should be fun as I am going to do a lot of demos and demos always have the possibility to go wrong; so its exciting especially as I have only loosely planned them and will do it unstructured...should be fun... hope to see some of you there.

I have been using twitter quite a bit over the recent couple of months, more than I have in the past mainly because I have been setting up some websites for a client with a social networking element. Please feel free to follow me at my twitter profile. Its not just Oracle security there, but also a splash of general IT Security, hacking, web development, SEO, SN and coding (although I have not found my coding people to follow yet!).

PFCLScan - our enterprise security scanning tool and database vulnerability scanner now has its own web page - called PFCLScan of course!

I saw yesterday - note the ad-hoc nature of this blog, i have a few things I wanted to mention - a blog post via TheRegister. It caught my eye as the writer of the blog Charles Anderson also lives in York (The original one in England, not the New one in the states!) and he had also just been to North Wales on holidays. He posts a blog post "Somebody wants me dead!" that really caught my eye. It seems scammers who used to send emails telling you that some relative you have never heard of has died and left a few million in a foreign bank account and that you can have it all if you send some money and your bank details; yeh right! Well this post says Charles got an email telling him there is a contract on him and he has been followed for a couple of weeks. If the author gets $50,000 US then he will not execute the contract... wow.. I wrote a comment on Charles blog but because its one of these major sites its impossible to comment unless you are also a member of that or one of the other general sites; which I am not. So i left it and decided to mention it here.

Also in my Oracle Security forum Marcel-Jan posted a note to say that Oracle have broken the links to Arup Nanda's excellent multi-part paper on Oracle Security, Project Lockdown. Well Marcel-Jan has found a link to the complete paper as a PDF and its listed on the forum post - Project Lockdown is not gone, but hard to find

There has also been two new books published on Oracle Security recently, the first is "secure Oracle - 100 things you can do to get it done" - by Patrick J McShea. Any book on Oracle security is welcome but this one has some slight issues i will get out of the way first. What irks me most is things like pages 27 - 53 (over 25 pages of listing!) are simply a list of insert statements reported there as taken from my site. I am not bothered that they are from this site, there is a link there to credit Marcel-Jan who created it but why buy a book with a listing thats over 25 pages long. Then pages 95 - 111 are the same, a big listing of insert statements for a different peice of code. It would have been better to have these as a download and not print them. Also irking me is the fact that the code font seems to be the same as the text making it hard to distinguish between the two - a nice distinction in font/size would have been worthwhile.

The book also makes an initial bold statement on the rear cover that there are a number of books out there on Oracle security but most are theory and not practical. Hmmmmmm, The SANS Oracle Security-step-by-step was certainly not theory. Arups Excellent HIPAA book was also quite a lot of step-by-step practicallity. My two chapters of the new Oak Table book on user and data security are also quite practical - at least I think so. Also the second new book is the ISACA "Security, Audit and control features - Oracle database 3rd edition" This is an excellent book and in its third edition. I have all three and there newest is worth having even if you have a previous one. This is an excellent practical book. Also I suspect Patrick meant securing specifically so probably didnt include books like David Knox's two parter, the latest published recently. Davids book is also very practical but focused on features rather than out and out hardening. There are quite a few books out there now, plus the checklists like the SCORE and the CIS benchmark and the DoD STig which are also practical in nature.

Back to Patricks book. I have not read all of Patricks book yet cover to cover but skimmed it all a couple of times and read closely around 100 pages so far - I have a few plane trips soon to give me some forced reading time..:-). The book is not bad in terms of content so far but there are some things I dont agree with and also some silly technical typo errors. Also the main idea of the book is to create Patricks toolkit and install it in the database being checked. I personally dont like this idea (how he has done it only - i do like the idea of basing the book round a toolkit) as I dont think you should install objects and certainly not security scan results in the database being tested. BUT, a lot of others do this particularly the US government and companies that use the S.R.R. scripts from the US DoD. These take a similar approach. The code Patrick provides could be modified to not reside in the database being tested though. There has clearly been a lot of work put into the book and thought on structure and on helping people take a practical approach to securing Oracle - well done for that Patrick.

Finally I think the book would have benefitted from peer review before it was published, maybe Patrick can do this for the next release. The SANS book is no more so its nice to see a book in a similar veign.

Its also nice to see two books dealing with Oracle security and both taking a practical approach.

OK, back to my clients report!