Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Update to Dennis Yurichevs FPGA cracker plus exploit code for the CPU CVSS 10.0 bug

I got an email from Dennis Yurichev to say that he has improved the output of his FPGA cracker to now include the speed at which its cracking. Great, I asked for this enhancement. To test it i have created two sample users for my 11.1.0.7 database as follows:





SQL> connect system/oracle1@ora11gpe
Connected.
SQL> create user AA identified by zzhg76j;

User created.

SQL> create user AB identified by aaghb6g;

User created.

SQL> select name,password from sys.user$
2 where name in ('AA','AB');

NAME PASSWORD
------------------------------ -----------------------
AA 3FC24C0BFAED94B1
AB 111E83722DB9BF88

2 rows selected.

SQL>




I then added them to Dennis's FGPA cracker page. You can see this here:
FPGA password cracker queued

I had created two tests before looking at the screen and as there is now another test running that has 3 or so hours left i didnt want to now wait before blogging. I deliberately created the two sample users above with passwords starting at "A" and "Z" because I wanted to test whether the password choice has an effect on the time to crack. From the screen dump above it would seem that this will be the case. When mine finish I will know for sure. From the output above it seems that passwords starting later in the alphabet take more than 15 minutes and those earlier in the alphabet around 10 or less.

There should be a possible improvement that could be made to the algorithm of Dennis's cracker that requires some math and statistics calculations to be made. If passwords generally have a skew towards starting with certain characters more than others then there will be a benefit in start choice for the cracker or in randomizing the journey through the brute force choices. If passwords for instance were spread evenly across the character set for start point then having the cracker always start at A could be a good choice (you have to start somewhere) but if the spread is not even then a better start choice could be made.

The speeds shown for runs already completed are good, 62M, 69M, 85M hashes per second...

The cracker page also now shows the elapsed time taken.

Dennis has also published proof of concept code for CVE-2009-1979 which was found by him and fixed in the October 2009 CPU. The C code and a binary is available from http://blogs.conus.info/sites/default/files/CVE-2009-1979.zip - (broken link) here. This is the CVSS 10.0 bug on Windows that relates to improper AUTH_SESSKEY parameter length validation.

Some training and speaking dates

I posted a while ago about some classes I would be teaching; well the dates are now firmed up and some have moved so its worth just publishing these again:

Prague - November 3rd and 4th - This should be fun as I have not been in Prague since 1998. The details are http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getCourseDesc?dc=D70365_1025738&p_org_id=9&lang=CS - (broken link) here.

Helsinki - November 23rd and 24th - I was in helsinki twice this year already but i am always happy to go back. The details are here.

Turkey - January 27th and 28th - the dates have just changed so i dont have a link for this yet but will post it to my training page as everything settles down.

York - England - February 9th and 10th - the venue is still to be finalised - we are looking at a new venue this time. Details to follow soon - for now to register please email me - my email address is on the home page.

Warsaw - Poland - February 24th and 25th - I have never been to Poland so this will be fun. The details for the course are on Oracles site but the dates are wrong so I wont show the link at the moment.

Slovakia - 16th and 17th March. Again I have actually been to Vienna around 80 times during the 90's when i worked there but never over the border to Slovakia so i am looking forward to this one.

During the same timescale I am also doing three private trainings for clients in the UK and Europe. I am also going to be doing an event in Switzerland (more details soon) and I will also be speaking at the IT-Underground conference in Cologne in February and also speaking twice at the upcoming UKOUG conference at the end of November/Beginning of December.

Finally I am also in talks with a number of partners for trainings in other countries in Europe and also the states.

A new Oracle Security book.... or three!

I saw via Paul's blog yesterday that Alexandr Polyakov who works for Digital Security Research Group has written a new book on Oracle Security titled "'езопасность Oracle глазами аудитора: нападение и защита" which translates in Google to English as "Security Oracle eyes of the audience: attack and defense" which gives us the jist of what its about. The book is the first written by a Soviet author on Oracle Security - this is overdue in my opinion as there has always been a lot of Oracle security info out there in Russian but perhaps less known than the English speaking papers and work.

I emailed Alexandr to ask if the book is available in English or electronically - no to both - its also only for sale on Russian book-seller sites. I bought it today from ozon.ru which even though I have a fluent Russian speaking wife seemed quite difficult. I do know some words in Russian and used google to translate but it doesnt translate buttons so when the screens say do "x-y-z" you are stuck unless you type the words into google translate or have a Russian speaking wife to hand! - also useful by the way to read the emails sent by the site!

Its been despatched - don't know how long it will take to get here but I am eagerly waiting to read what i can and then annoy my wife to read out what i dont understand..:-)

Also David Knox and a few co-authors have released a new book called "Applied Oracle Security : Developing Secure Database and Middleware Environments" - Its available in the states for a while now and also on Kindle but its on pre-order still in the UK. I ordered it some time ago and the due date was january but today i got an email from Amazon saying it will ship next week. So i am also looking forward to reading that as well as I have around 9 trips on planes over the coming weeks so I need some reading material.

Finally I also saw via Paul's blog that my new book (with lots of other co-authors) - "Expert Oracle Practices: Oracle Database Administration from the Oak Table" is available for Alpha release. This includes my two chapters on "User security" and "Data Security". The chapters have been tech reviewed by Jonathan Gennick and also Arup Nanda but they are not final proof but you can get the book now on Apress and read the Alpha versions and get the full complete book when it comes out.

Cold remedies and Oracle Security

OK, it is a strange title for the blog post but bear with me there is a reason for it.

In the UK and I am sure in many other so called developed countries there is a norm or accepted idea that there is no known proper cure for the common cold. The reality of this is somewhat muddied as various very large companies and equally as many smaller companies and individuals all produce all sorts of cold remedies by the bucket load and sell them to us from the shelves of large supermarkets and pharmacies.

I have had colds throughout my life and tried various lemon drinks with Paracetemol, cough mixtures and nose drops, medicines.... but none ever really cure you so I have always been in the camp of believing the UK doctors that there is no proper cure. In fact if you have a cold (very bad cold) and you go to the doctors here in the UK they won't give you anything; except that sometimes, maybe, sometimes they may give in and give you stronger cough mixtures which also inevitably don't work.

Then you can mention the "anti-biotic" word and the doctors say "no, you cannot have them and they wont work, blah, blah, blah........ its a virus, viri do not get killed off by anti-biotics....." - so you end up feeling ill for weeks on end. I personally remember having a very bad cough when speaking at the UKOUG conference a few years ago; after some 5 weeks of coughing the doctor finally prescribed anti-biotics and low and behold I was better in 2 days (should i be putting my medical details in print considering my recent post "Health Data Theft" - BTW, Frank emailed me from DC to say that my fears where right, you cannot view the TV program on-line from outside the UK).

In my case anti-biotics worked at that time which made me slightly suspicious as to why they would not work all the time.

Then we can take the flip side; if you live in the former Soviet Union or various other countries in eastern europe then you can get cold cures and they work; these are not hocus-pocus but cures available from pharmacies properly packaged by drug companies often also without prescription. I know for instance of "biseptol" - I may have the name slightly wrong as i am going from memory - a course of tablets that cures a cold dead. These tablets "obviously" amongst other things include anti-biotics; people in the former Soviet Union are fixed quickly. They even sell smaller dose tablets for children if i remember correctly.

Whats the point of this discussion? well hard and fast rules in one place are not hard and fast rules in another. What works in one country WILL work in another just because the solution is not available or it doesnt conform to the way of thinking or laws doesnt mean its not valid. It's like the time when the world was flat, everyone beleived it was flat until proven otherwise.

Is the Soviet solution a sledghammer to crack a peanut solution? - I don't know I am not a doctor or pharmacist but the main point is that just because the rules of the UK say that there is no cure doesnt mean that there isn't even if you cannot buy these solutions here (I didnt check but i am guessing not - legally of course).

Why did I start to think about this? - well I was remembering one thing Mary Ann said on her interview in the OTN lounge at Oracle Open World and it made me think about it. She said - paraphrased - "wouldnt it be great if the database could protect itself, if it could detect an attack and prevent it it would be great". I am not convinced this is completely acheivable simply because the set of attacks is huge and when combining layered attacks its hard to develop some automated builtin solution. Imagine that Mrs Jones wants to change her own salary; the screen she uses allows her to increase her salary but not approve the change, her manager Mrs Smith must do this. There are roles and responsibilities, segregation of duties implemented and more. Normal changes of salary done to procedure are not detected as suspicious BUT if she (Mrs Jones) Simply makes the change, queues it for approval and jumps on Mrs Smiths terminal and approves it how would it be detected. Instead, imagine she is a ninja hacker and she takes a different approach and decides to create the salary update and queue it but instead intercept Mrs Smiths communications with the server and modify the screens she sees in real time. She could alter the approval to look like another and get Mrs Smith to do it. The point is how would the database detect this? - it cannot, it's application layer. I guess Mary Ann meant database layer bad news such as a SQL injection in progress? - fine but how do you detect a SQL Injection from a genuine dynamic SQL (just because its bad doesnt mean people wont do it - think UK and Soviet cold remedies) again its not always possible because we must go up to the application layer to categorise issues.

OK, argue differently, maybe a bug is detected, a PL/SQL injection in DBMS_METADATA - doesnt matter which procedure, it's just an example. It's reported to Oracle and fixed in a CPU. It would seem that Mary Ann's solution may work by detecting SQL injections on this particular package or even detecting SQL Injection exploits that have been published on internet sites. But again what if an application used this package for its legitimate business purposes AND it used dynamic SQL or PL/SQL as part of this; would it be an attack - maybe, maybe not? - again intelligence is needed from another layer.

It was a really interesting point that Mary Ann made and there is some mileage in it but i think further intelligence and knowledge is required in the solution for it to be effective.

What about the comparison again to cold cures? - well for some there is no cure, for others there is, which group is which is fluid and flipping. The fact remains that if a cure exists then it should work for all whether they or their peers beleive or not. I again had a reason for saying this. The thing I often get asked by my clients is why does Oracle portray itself as a "security company" but the security features are often not there by default or you have to pay more for them. Some I can appreciate they should be cost options such as identity and access management but what about encryption for the network or within the database, what about the features of DV, great idea, Label Security, great idea, Advanced Security, nice solid technology, i like the concepts but they are not free and most sites I work with dont use them; pity. Things like settings are recommended in Oracles own security guide but not implemented in the database; "do as I say, not as I do" seems to spring to mind; why is this so? well because its hard to do as stated.

Mary Ann Davidson fields security questions at Open World

I made a note a few days ago when i saw the link to Mary Ann Davidsons (Oracle's security chief) interview with Justin at Open World had been posted to mention it here.

The interview was done in the OTN lounge at Open World and covered some interesting topics ranging from bug fixing and Oracles attitude and stance with Oracle security researchers; then to single fixes, CPU's and even how long it really takes to fix a security bug properly and release a reliable patch.

Someone also asked about Oracles attitudes towards different factions of researchers. The discussion then moved onto federated security and identity management with Mary Ann making a good point about gun owners and credit histories not mixing. She then discussed web security and glueing web components together and that anyone who expects this sort of arrangement to be secure is not realistic.

Someone asked about Oracle source code being found on the web and Mary Ann discussed an ongoing project in this area. Doug asked about the fact that some customers are still not applying CPU's and Mary Ann's comments were excellent in this area. Mirroring my impressions of last time i heard her speak. She is pragmattic and realistic about commercial awareness and security and how they mix with risk; this was really good to hear from someone so senior; no waffle just reallity, i like that!

Mary Ann then went on to talk at some length about legislation and laws and I found this part particularly interesting. I will state what my view is on this. Mary Ann said that the government (US, I guess) should legislate for software (she started likening software to cars and airbags and brakes etc) vendors at a high level to make three things available:

1) secure configuration guides should be easily available
2) make the software install itself to those guides if required
3) provide tools to monitor against those guides

This is very interesting as Oracle don't seem to comply with these totally, Oracle has a security standard that is basic when compared to the CIS Benchmark or the DoD standards - so the standards are there albeit not through Oracle. The software installation to this standard is not there. Even to Oracles own standard is not there (Oracle says remove PUBLIC execute on UTL_FILE for instance but doesnt install that state). Oracle do install open by default still (27,000 PUBLIC privileges in 11gR1 for instance).

Perhaps this is slightly unfair as there has been a lot of improvements in the default installation from a security perspective but not to the level of installing to a specific security standard. Finally the tools option, Oracle does not provide these tools, others do, the SRR scripts or the CIS Benchmark or SCUBA or commercial alternatives such as PFCLScan from us, Appdetective from AppSec....

Oracle will counter the tools argument and the previous statement on secure installs by default by sighting OEM/Database Manager with its security checks and also with Oracle configuration manager BUT this nicely brings in a final point; cost options. One thing that always causes gnashing of teeth and wailing with my clients is that fact that Oracle is known as a security company but most of the nice security features are either cost options (Oracle AS for instance, or OLS for instance) or included in the enterprise edition (maybe the client doesnt run EE). It would be really nice if as much security came as part of the solution at least for things like network encryption and strong authentication and of course secure default installations.

It was a really nice talk and it can be found here.

October 2009 Critical Patch Update is out; Paul has a paper on escalation to OSDBA

The latest and greatest Critical Patch Update from Oracle was released last night along with the usual advisory. I talked about the pre-release note a few days ago here in a post titled "Oracle's October pre-cpu advisory is released". Oracles actual advisory is here. There is not much more to say now than there was for the pre-release note except that two things of note were in the advisory. The first is that there is a nice array of "names" in terms of number of people. There are just 38 bugs fixed over the whole array of products so there is a good cross reference of people to bugs. What does this mean? new people looking at Oracle security or just new people because some of the products are new to the process? remember the post "How many Security bugs are in the Oracle database software product set"? this also means that the number of actual bugs is bigger. All this sums up to good positive steps on Oracles product security; bugs are being tackled, people are interested in helping Oracle test their software..

The second thing of note for me is that is 6 bugs in the database with a CVSS of 10.0 on Windows and 7.5 on other OS's and also the problem that they are remotely exploitable without username/password. Anyway the interesting thing is the advice for workarounds; on average Oracle do not usually give workaround advice. In this case they say remove privileges or ability to access on the affected packages and also to restrict network protocols. Of course the primary advice is to apply the CPU.

Also Paul has released a new paper "Create table to OSDBA with reverse shell". Paul explains the how in the paper.

Health Data Theft

I watched the Tonight program last night on ITV (This is a UK TV channel for all the non-UK readers of this blog) because I saw an ad for it at the weekend and it sounded really interesting.

The program is available on the ITV website on their ITV Player feature but the program is time restricted in that it will only be there for the next 29 days. I am also not sure if its also region restricted (i.e. can you only watch it is you are in the UK), I cannot check this but i am guessing possibly not. The Tonight program was about the black-market sale of UK health records in India. The bottom line is actually appalling. The reporter Chris Rogers was able to locate someone calling himself JAY.S who said he could provide British health records that include names, address, health registration details, doctors name, address and even hand-written doctors transcripts. He made contact with Jay S and went to India to meet him in person and to view sample records and make a possible deal to buy. Then amazingly someone higher up the food chain calling himself John intervened and offered a better price and better/more data. The best bit (in scale of appalling not that i think it was good) was when he said (paraphrased) "you name the disease and we will give you as many records as you want for people with that disease", amazing. So you could say you wanted 15,000 cancer patients records for instance. The reporters cover story was that he wanted the leads to market products and get customers/leads. The "Tonight show: Health records for sale" even tracked down a few of the people whose records they had been given in India.

I was appalled by the story; especially because I work in a data security business. The focus was on the off-shoring of work/data to India; but this has nothing to do with India specifically or off-shoring in general in my opinion; the real issue is that the original holder of this sensitive data asked one company to help electronicise (is that a real word? i must get a spell checker added to Greymatter blog software) their data, this company asked a second company to help, which in turn off-shored some of the work. It doesn't matter how many steps were involved or that the sales of this data were occuring in India, the issue for me is that the holder of the data lost control of his data once the data was managed by an outsider who then passed it out again. This is typical of data flow. Once data gets out, it multiplies. In my expericence most companies do not know where their data is; they think they do but in reallity they don't. In other words they often have a naive view of their data; they think that the credit card details are only in the table CREDIT_CARD for instance when in reallity its in a lot lot more places - some obvious, some not so.

Often data is replicated within the database itself through copying to other tables or because Oracle tends to copy data transiently and also permanently in some cases. Also data is often stored outside of the database in things like export files, old databases, output files from system / application features, reports, logs and many more; its also often copied to multiple databases thereby multiplying the problems.

For me the issue is really fundamental; if you store and manage critical data you must know where that data is. If you dont know where it is then it is impossible to secure that data. If you do know where your data is then you must know where every copy of your data is; this TV program illustrates why. It would be very difficult for thousands of health records to go missing from the source storage (i.e. a thief would need to infiltrate the original health practice in this case and then attempt to steal thousands of records - this would not go un-noticed) but it was clearly easier for the data to go missing from a copy of that data. This is the case in my experience in Oracle databases. You may have fantastic security features in you application, the database may be hardened to the nth degree, the privileges locked down on the CREDIT CARD table (say!) but if the data sits outside of the security cordon (database and application) because maybe it's in an unathorised list file created by a DBA or its copied to a development database with no security then the value of the original security doesnt matter. The thief will always take the data from the easiest option.

You must know where your data is, you must know how it flows, you must know who can see or modify the data; otherwise you cannot secure that data. period.

Oracle's October pre-cpu advisory is released

Oracles usual pre-release for the CPU (Critical Patch Update) for October has been released. The pre-release document is usually released the Thursday before the CPU; the CPU is due out next Tuesday the 20th October. The CPU should have been out this Tuesday though but Oracle delayed this CPU because of Open World.

The CPU contains 38 security fixes (16 for the database) but if we consider Oracles internal fixing rate (i.e. security bugs that are not individually recognised on the advisory) may actually indicate that could be 123 silently fixed bugs (who knows!).

The bigger worry is that for this CPU 16 bugs are fixed in the database, one is for the client only and 6 are exploitable remotely without a username and password. The highest CVSS score is 10.0 for Windows and 7.5 for other platforms.

The cynical view when Oracle delayed the release of the CPU before Open World to allow DBA's to attend without worrying about applying patches was that there was bad news coming. Well the number of bug fixes is not astronomical but the news is bad, 6 remotely exploitable bugs without authenication and a CVSS of 10.0 is not exactly good news. The pre-release is now issued after Open World with this news.

OWASP Leeds meeting slides available

Just a quick post this evening; I have had a busy day. Last night i spoke at the inaugural meeting of the OWASP Leeds chapter which was a really good meeting; good audience and some good participation. Jason opened the proceedings and then Justin Clarke launched into a very enjoyable talk on SQL Injection. The talk covered most aspects of SQL injection but from a reasonably high level. I thought the most interesting thing Justin said (note all of the talk was interesting but this bit stood out for me) was that there is nothing new in SQL Injection and indeed there hasn't been anything new in the last 5 or more years (I think his slide said 7 years, but i may have remembered that wrong) and that all the main ideas and discoveries were done in the first few years of SQL Injection (some 10 or more years ago) and that now all thats being done is variations on existing ideas.

Firstly, I find this interesting as if the main ideas of exploiting via SQL injection were 5 - 7 years ago then the big problem (i.e. why people are still getting injected) must be lack of training, lack of acceptance of the problem, lack of work on the systems to protect agains SQl Injection or perhaps the wrong protections? It was a really interesting idea though.

After Justin finished I launched into the "Right way to secure Oracle"; this is a talk I have done before for the UKOUG but i modified it a bit and extended it to one hour. The talk basically looks at the reasons why you must start with the data if you want to have a hope of securing your database. This talk seemed to go down well and I have had quite a few emails today from people who were there complementing me on it. The slides are on my Oracle security white papers page.

SQL Injection and a presentation on data security

Slavik has a nice post on his blog picked up from my Oracle blogs aggregator) titled "Blind SQL Injection in Oracle". This is a nice article that discusses SQL Injection types with nice examples for Oracle and also talks a bit about blind SQL Injection and the use of timeouts. Slavik asks if using timeouts with blind SQL Injection is a valid technique; well yes it is. Chema Alonso talked about this a couple of years ago in a paper he wrote on the Microsoft Website using SQL Server as the example. I mentioned this paper in my SQL Server Security blog (which unfortunately I have not had much time to update recently). Chema also links to the previous work by Chris Anley, David Litchfield (on Oracle as well) and others in the same area.

I also came across a paper for the CIPFA CATS Information Technology Seminar written and presented by Lindsay Hamilton titled "How Secure Are Your Personal Details?". This is quite a nice paper (beware its MS PPT not pdf) covering Data auditing and monitoring from a high level and also security assessment.

Spoofing users and programs and presenting at OWASP

I found a nice blog the other week called oraganism and added to my list of things to blog about; so in visiting it again at the weekend I saw a nice post by Pawel Krol about spoofing the osuser and the program. Pawel shows an example output for a program he has written in Java using the thin Java client (It would have been nice to also see the code of course) that allows the user to enter the OSUSER and the PROGRAM to spoof them in the V$SESSION views. As Pawel points out these columns and many more in V$SESSION are important often for security as security solutions such as auditing, VPD, Label Security, secure application roles, security based triggers scuh as logon/logoff and many more use these values to control access or to record access. These values are stored in SYS.AUD$ if database auditing is enabled. Pawels blog entry is called "Spoofing V$SESSION.OSUSER".

This is not a new subject; spoofing client details that is; it is accepted that all values except the database username can be spoofed. Some are much harder to spoof than others such as the client IP Address but most are easy. There are at least three easy routes to do the spoofing; either do as Pawel has done and create a Java interface and use the java provided calls simply to set these values. Some values are also settable via the thick client by doing the spoofing in an OCI program; Slavik had a good post 12 days ago titled "Oracle client " changing the program name in the session" that discussed how to change the client program name reported in V$SESSION (X$KSUSE) in an OCI program. Slavik included the C source code for two programs to demonstrate this by manipulating LD_PRELOAD. It is also possible to manipulate the client session values using a proxy that allows to edit values as they pass on their way to the server. This is possible to write simply in Perl; I wrote three years ago about René Nyffenegger's code in a blog post here titled "exploit code released for the DB18 AUTH_ALTER_SESSION bug - how to make any user a DBA" which of course was showing how to exploit the DB18 bug. http://www.adp-gmbh.ch/blog/2006/01/24.php - (broken link) René showed a simple Perl proxy that just as easily could be used for spoofing client values. My own solution to the DB18 bug exploit which was much simpler to do was to edit the Oracle client lib directly in a hex editor and modify the embedded code to do the same; of course this route is also possible for spoofing.

Finally on the subject of spoofing Steve Kost also wrote a nice paper some three or so years ago titled "Spoofing Oracle Database Session Information" which discusses this problem in detail and is still worth a read.

I have added the ORAganism blog feed to my Oracle blogs aggregator.

Finally I am also speaking tomorrow evening in Leeds (North of England) at the first OWASP Leeds chapter meeting. The agenda is here although Jason asked me to swap time slots with Justin so the agenda is slightly wrong only in terms of timing. Myself and Justin Clarke (SQLBrute) are both speaking. If you are in the area, please come along.

Oracle's new Oracle database security and compliance solution

I saw a few posts on news channels at the turn of the current month talking about Oracles new "Oracle database security and compliance solution". A quick search of google shows that this seems to have been a heavilly promoted launch for India. The problem for me is two fold.

Firstly, the name of the "solution" entices interest for me as its Oracle Security related so I wanted to have a look. The press releases talk about the fact that RBI guidelines demand secure use and storage of financial data such as credit card and personal banking details; The solution aims to help banks reach compliance guidelines quickly. There are lots of nice words about enforcing security at the database level; there is talk about the solution building controls at the data level and the fact that 80% of India's banks use Oracle is quite compelling for a solution such as this BUT for me there is a lack of detail about what exactly it is; except that is for a list of Oracle products, database vault, audit vault, label security, enterprise management packs such as patch management, data masking and much more.

Second, most, if not all are cost options on top of enterprise edition licenses but even if you move the cost out of the equation implementing these packages is an immense undertaking in its own right (more cost). Where is the actual solution? - I cannot find more details on the net or on Oracles' site. If you need to implement these packages for RBI compliance then whats the "glue" that hold them together; that makes implementing simple? a standard solution should not be possible as every site has different combinations of database versions, platforms, applications used and importanly implementation details.

The fact that this is launched for the Indian market only and for RBI compliance certainly hints that its definetely not just a list of additional cost options and that there is more details substance to "how" you would use these products to comply in India.

I am all for new Oracle security solutions, I would just like to see what the value add is with this, how it works and also to confirm that its not just a list of value add products; which I am sure it isn't.

Nice Summary of setting up audit options

I noticed a nice post on Robert Geier's blog a while ago and made a note to link to it from here. The post is titled " http://blog.contractoracle.com/2009/09/enable-oracle-auditing-before-you-need.html - (broken link) Enable Oracle auditing BEFORE you need it." which of course carries a lot of true sentiments. The article is quite long and suffers from not being easy to read as all of the text and the code is all in the same font but percevere (probably thats the wrong spelling but GM doesnt have a built in spell checker - yet!).

The article is a fast ride through lots of options; turn on audit, sys audit, audit options, some forensics ideas, querying the audit trail, using statspack, database vault, audit vault, FGA, checksumming, flashback, log miner, system triggers, AWR, Materialised view logs, trace,DML triggers, even DBMS_SYSTEM.KSDWRT, alert logs and even the scheduler logs. This is a great article that contains a lot of valuable data on what you can do for free in terms of auditing and monitoring your database. Well worth a read.

Expert Oracle Practices: Oracle database administration from the oak table

I was sent an email from some guy promoting some twitter (or some other site of the same ilk, i dont know now as i marked his mail as junk and deleted it) software that promotes books; he found me and my email address because he is interested in new books and had noticed that the new Oak Table is now listed on Amazon - "Expert Oracle Practices: Oracle Database Administration from the Oak Table (Paperback)"; my email address is not hard to find so i guess he found it and emailed me. So thanks for the tip but i wont be using your software. Sometimes unwanted email does have some use. wink ,i guess the trick is getting someone to read it.

Yes the new Oak table book is under development and should be published in January. I have mentioned it briefly here before. I have written two complete chapters; the first is about user security and the second is about the security of your data, around 60 pages in total. Its been a fun process and i wanted to get across some messages around how to secure your data gained over many years of securing data for other people full time.

Watch out, i will post again when the publication date gets closer.

How many Security bugs are in the Oracle database software product set

I don't talk much about security bugs anymore here primarily because my focus has always been at the auditor / help secure end of the spectrum rather than others who focus at the research/find security bugs/exploits/penetration test end of the spectrum. My services are focused correctly to help clients secure their database. They are non-intrusive, non-invasive... A lot of what I do is around configuration / parameters / security privileges / segregation of duties issues / privilege duplications / privilege redundancy and a lot more.

But, that said, I am always of course still interested in security bugs, exploits and outright Oracle security research so when I saw Darius Wiles post "Security Defect Testing" i read it with great interest; any public insight into the machinations of the internal security team at Oracle is interesting. Darius shows that Oracle has used most free and commercial code auditing and security tools over the years and indeed is now using commercial/free and internally developed tools at all stages of their own development process.

The interesting part of Darius's post is that he says they categorise security bugs into three groups, "internal", "external" and "customer". The internal ones are easy to understand, they are found through automented testing during development or via ethical hacking. The customer bugs are not described but i assume these are normal bugs reported via metalink, whats significant is these must be security bugs to be counted but they exceed those found by researchers by a three fold factor. The researcher found bugs are clumped with posts to the net and also bugs in third party products.

The upshot is that its difficult for us mortals to make a lot of sense of the figures; Darius does warn against interpreting the figures. The first comment that I have is that I am warmed by the fact that Oracle are now publishing figures such as this; it's a good move for us to see. Can we make some simple calculations?

The figures given are for the year, 3% for external (researchers, external products and web posts), 10% for customers and 87% for internal. If we take a very simplistic view and say that the CPU recognises all non-internal bugs (porbably not true, I know) and also just look at the Database product bugs; there were 12 in July, 16 in April and 20 in January. I chose the database product set numbers because I focus on the security of the database layer with my company.

So continuing the simplistic sums (you know where this is going) thats 12+16+20 = 48 security bugs in the database product set this year. If this represents 13% of the total then 100% would be 369 security bugs fixed in the database. I stress this is not accurate but its all I can work with. I have said in the past that Oracle credits those who find bugs on the CPU advisory but fixes other bugs silently. The guys who spend time reverse engineering the Oracle patches may be able to confirm this.

What would be really great now would be for Oracle to give us more details of the free tools and commercial tools they use but also release some of the internal tools developed so that customers can review their own application code. Its agreed that Oracles code is getting better so we now need to get customer code to the same state and letting us see what tools are used would be a good first step.

Oracle Security Worst Practices

I got an email yesterday from a client I have worked for a number of times over the last 6 and a half years of running PeteFinnigan.com Limited and he asked an interesting question. He said (slightly edited)
you have audited our databases, helped us develop baseline security standards and secured our credit card details implementation so we are good to go, we can build new databases to secure standards and we are monitoring and securing our existing databases. When you audited the database and created the baseline and security standards i remember you included things that were already "good" in the systems you reviewed; this made sense to us as building a new secure database or hardening an existing one needs to include items that were also correct. BUT, what about new bad things, new bad practices, how do we prevent bad practices from recurring; shoudl we include a list of "DO NOT DO THIS" in our standards


This is a very interesting point and is of course related to the point in his email. I do security audits of customers Oracle databases and i produce a report detailing all of the issues located in their databases. I don't tend to tell them about the things that were correct mainly due to space/time but if I am employed to write a baseline standard/secure build document I do consider the things that were found to be correct during the audit; this is normal. Should we also include things that "you definitely should not do" BUT we also didnt find in the database that was audited? - I am not sure? The issues located during an audit fall into three groups:


  1. Security issues located - things that are bad for security

  2. Security issues not located - things that are bad for security but the database tested was secure in these respects

  3. Security issued not located - things that are bad for security but were not found in the database (so we were good/secure) but are worst practice and should be avoided



I audit each database for thousands of possible security issues so listing them all in a clients report is not good for space, clarity or my IPR. So the question is should I also include a section in my hardening guides/secure build standards that describes worst practice issues from an Oracle security perspective in each client report so that the client is aware of them at the "point of sale" so to speak; the hardening guide. Its a good idea but I am uncertain as worst practice unless its common worst practice doesnt need to be pointed out to everyone - in case they go and do the worst practices.

So what would fall under Oracle Security Worst Practice? - I have seen some corkers but i need to be prudent about whether i talk about them here. At a general level we can start to list some worst practices from an Oracle security perspective, these are some I can think of just now, I will add more later:


  • Don't use built-in sample accounts for business purposes. I have seen sample accounts used for business purposes running parts of applications

  • Don't make your DBA's accounts too powerful (this should get reaction!) - I have seen DBA accounts that have ALL PRIVILEGES, SYSDBA, SYSOPER and the DBA role

  • Dont allow users (or indeed anyone) to share database accounts - i almost always see evidence of this

  • Don't write crazy interfaces that allow any code to be run (like CTXSYTS.DRILOAD.VALIDATE_STMNT) - i see these quite often, they not always easy to find

  • Don't write crazy interfaces - I often see back-doors implemented to satisfy some business purpose - like the Java interface that allowed communication to be passed to the listener - With this is was possible to become SYS from inside the database

  • Don't wirte crazy code - I often see back doors implemented by sofwtare vendors that allows someone an interface to become the admin in the application

  • Work practices often include the idea that the data is best held outside the database - hmmmm - i always find data outside the database, in files, in old databases, in exports......



Thats just a few to get you started.

60 million password hashes/second Oracle password cracker available

I first chatted to Dennis Yurichev probably around a couple of years ago about his efforts to make an FPGA password cracker. We exchanged numerous emails and i think without checking back he had one FPGA cracker working that did 76 million hashes per second. Well Dennis has finally finished up his cracker and has added a web based front end to the hardware that is accessible from his website. Dennis emailed me this morning to test it out but when i tried unluckilly he had a power outage. Now his site is back up and you can go there and submit Oracle usernames and password hashes to be queued to run on the hardware. I submitted a user "DY" with a password of GH56BG8




SQL*Plus: Release 11.1.0.7.0 - Production on Mon Oct 5 12:21:05 2009

Copyright (c) 1982, 2008, Oracle. All rights reserved.


Connected to:
Personal Oracle Database 11g Release 11.1.0.7.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> create user dy identified by gh56bg8;

User created.

SQL> select name,password from sys.user$
2 where name='DY';

NAME PASSWORD
------------------------------ ------------------------------
DY 4BD6926200326C0E

SQL>




The FPGA cracker is available at Dennis's site, simply cut and paste the username and the hash into the boxes on the screen, Dennis queues the job to run on the cracker. The screen updates to give you progress.

Here is a look at the cracker running (click the image to increase it):


FPGA password cracker running



The Oracle RDBMS passwords solver page gives some details, make sure that you don't post production passwords/hashes as these will be displayed publically.

Nice site Dennis, it will be interesting to see how much it gets used.

IOUG Data Security Report 2009 is out

I saw via Roxana Bradescu's blog that the IOUG has released its second "annual" - not twice a year, the second time its been done - security survey. This year its different as last year bloggers like myself were asked to promote the survey outside of the IOUG and get people to log in and fill it in on the IOUG site. This year Oracle has sponsored it and they have used a research company to survey IOUG's members, at the deadline only 316 has responded and taken part in the web based survey. I don't know the number of IOUG members but it doesnt sound like a huge response - I am guessing they have a lot more members.

The key findings in the report say that data breaches are up 50% on last year but there is also a growing awareness towards data security; managers are now recognising the issues of internal threats, its taken 4 years since the first surveys (not IOUG) started to quantify that internal threats are greater than external threats, the message is finally getting through to the masses. Interestingly the report says that most sites still dont have any mechanism to prevent admins from messing with sensitive data. This is certainly true in my experience in dealing with clients through performing security audits for them. Also interestingly the report says that over half the organisations use production data in non-production environments. My feeling on this one is that the other half probably do as well and either dont recognise it or dont know (more likely) - my experience from performing security audits is that I always find production data outside of the production database being reviewed. period.

The report makes interesting reading and simply backs up my day to day view of data security. The one thing I would say from talking to and working for a lot of organisations is that the message is getting through; people are more aware of data security (this "could be" / "probably is") skewed as people are likely to talk to me specifically because they have become aware of data security otherwise why do they seek me out to give me work or ask for advice. But the one thing I do draw is that the number of people asking and talking has grown massively since over the last 8 years so the message in my opinion is getting through that data must be secured, its probably not getting through fast enough though.

I could not find the report on the IOUG site and the only link I could find on Oracle's site was in Roxana's blog. The link to the report is here. It would be nice if Oracle provide a more prominent link to an important survey such as this. Also don't get fed up clicking links, logging in, updating profiles.... to get to it, percevere and read it, its the message that we all need to pay more attention to data security that counts.