Call: +44 (0)7759 277220 Call
Blog

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Two New Oracle Security Public Class Dates

I will be teaching two of my Oracle Security classes with Oracle University soon.

The first is my class "Securing and Locking Down Oracle Databases". This class will be taught on the 24th January on-line via the Oracle LVC platform. The class will be 8 am to 4pm UK hours and 9am to 5pm EU hours. The class focuses on how to lock down and secure the database platform and also data in a sample database and applications. The day starts with a look at all of the issues in my sample Oracle database and applications by hacking the database as different "actors" - a DBA, a developer and a web user. We then assess where and how we can secure the Oracle database platform and also apply data security to the critical data itself. We then proceed to actually lock down an Oracle database in quite a detailed way. We cover patching, hardening of the database, defaults, default users, users rights and privilege, data access, network controls, locking down Linux and much more; we also apply a comprehensive audit trail. The day ends with a look at where we have been and also we hack the database again and show how now its secure but also that audit captures the attacks. If you would like to attend this class please see Oracles registration link and I hope to see you there.

The second public class on the 7th February with Oracle again held as on-line live training and again from 8am to 4pm UK time and 9am to 5pm EU time. This class is an appreciation of Oracle security. We start the day with the basics; looking at the current data security landscape, exploring threats, risks and countermeasures as well as looking at what is Oracle Security. We go on to discuss the aim of Oracle security, the actors, the process and the possible solutions. Next we focus on how the database works in terms of security and how your design choices in terms of data access ad user rights affect the security of data. We cover common attacks and how hackers may access your database and steal your data. We then discuss the approach, how to secure and plan to secure all data and all databases, possible solutions and also creation and use of a data security policy. We have a whole chapter on designing audit trails and also a whole chapter on what if the worsts happens - i.e. you are hacked. We finish the day with a discussion of compliance and automated testing of your databases. If you would like to book your place then please register via Oracles registration page.

Both classes are taught by Pete Finnigan and will include a complete download of the slides and notes and hundreds of free SQL and PL/SQL scripts and tools for you to take away and use.
[2 Comments]

Oracle Security And Merry Xmas And A Happy New Year

I want to wish all readers of my site and this blog a very happy Christmas and a very prosperous New Year!!

It has been some time since my last blog post; that's because we have been incredibly busy on various Oracle Security consulting projects and delivering a lot of Oracle Security training classes both with Oracle University and also with private clients. We have also been busy with PFCLScan (http://www.pfclscan.com) our Security scanner for the Oracle database and PFCLObfuscate (http://www.pfclobfuscate.com) our tool to protect your PL/SQL both in terms of updates and new features to both software and also supporting existing customers. This year has been our best yet in almost 14 years of trading so thanks to all our existing customers and new ones for making it so.

I tend to be on Social Media a little more than blogging nowadays so please feel free to either follow or link to me on Linked in or Facebook or Twitter. I am always happy to connect.

We will be adding Youtube to the mix in the new year as I have added a new channel and plan to add some small videos about Oracle security. Again please follow and we will add content.

In the last year I have conducted 3 days of Oracle Security Training here in York very successfully for the third time so we plan to hold a new 3 day Oracle Security training event here in York (Most likely at the Holiday Inn, Tadcaster Road or the Park Inn in the city Center) early in the new year. This will be a combination of our two day class "How to perform a security audit of an Oracle database" and the one day class "Secure and Lock down Oracle". The date is likely to be late February or early March but I will let you know when it agreed. If anyone is interested to come to York for the three days Oracle Security training then please email me via our contact page.

I mentioned not having much time to blog recently BUT that does not stop me making a list of blog topics to talk about here (all related to Oracle Security of course). I have a list of over 100 topics to discuss and in the next year I hope to cover some of them. As Oracle 12.2 is now available via the Oracle Cloud then I also plan to cover some new security topics for Oracle 12cR2.

IN the next year I also plan to increase my training offerings with two new classes; the first a one day class on Oracle forensics and incident response and the second a one day class - Oracle Security in the cloud.

I have three one day LVC (on-line) Oracle Security classes arranged with Oracle University for early next year; I will add links for those classes when I have the details from Oracle.

I have also just agreed / signed a reseller contract for a company to be a reseller in North America and Canada; More details after the New Year!

I was also recently at the UKOUG conference in Birmingham and this was a great event. I chaired an Oracle Security round table session that was well attended and had some great discussions and on the last day I gave a presentation about Database Vault and what to do if you do not have it or cannot install it as maybe you use SE/SE1 or SE2. I will upload the slides to my site in the new year.

Speaking of my website; this website; it has been up and running in mostly the same guise since 2001 when I first created PeteFinnigan.com as my personal website. It then grew with pages and articles about Oracle Security and then in 2003 became my company website. My site did exist as a home page on demon.co.uk for more than one year before 2001 but I don't know now exactly when that was now or exactly what I had on it. I created my site with hand coded HTML and used Greymatter as the blog platform in late 2004 after hand coding my first blog pages in early 2004 and before that publishing articles since 2001 - all on the subject of Oracle security of course. The trademark element of my site (besides the content) is the picture of me sat in front of a stack of my computers. This picture was taken in probably late 2002 (possibly early 2003). This has been on the front page of the site since then. Earlier this year after a lot of advice from people that the site should really look like a company site as that is what it is really instead of a hobby, I decided to get it re-designed. I did a first draft myself but decided to get it done professionally and also to include a responsive style / functionality to take it into the modern era. So I had the home page, blog page and content pages styled in HTML 5 and also CSS. I then took that and split it myself into header, footer, navigation, masthead, log etc. A first draft of the home page now exists but I am not going to link to it here as it will eventually cause a duplicate content issue with Google when the true home page goes live. The new style incorporates my photo on the old home page as a caricature in the new logo. Soon after xmas I will make the home page live and then the main content pages and then the blog. It will be harder to retrofit the new style and indeed I may even ditch Greymatter and use my own hand coded blog - I am not certain about that yet. Anyway a new site is coming in 2017, watch out!!

Another major area of development in the last half of 2016 has been to take an earlier version of my audit trail toolkit that I give away for free in my Audit trail Oracle Security class and indeed this class is based around this toolkit. The toolkits aim is to provide a simple way for people to enable database auditing in the database at a policy and event level with everything enabled automatically simply by choosing policies. This also includes centralised audit and checksums of the audit trails. The idea is to audit use of the database engine; access, privileges,. error, attack and more. Most people not doing this now. It includes alerts and also reports and soon will also include a dashboard and admin screen. I plan to do a detailed blog about this toolkit very soon. At that time I will ask if anyone is interested to test the toolkit but if you want to let me know now that you are interested that's fine. The toolkit is called PFCLATK - see the pattern!

PFCLScan (http://www.pfclscan.com) has also been updated recently to add a lot more new checks and there will be another new release soon with another new set of checks - watch out - and if you are interested in checking your database for database then talk to us about buying a PFCLScan license. The engagement license is for just £110 + VAT and runs for 30 days and within that time you can scan as many of your databases as necessary - There is literally no risk in trying it for 30 days and learning about your database security.

PFCLObfuscate (http://www.pfclobfuscate.com) our tool to protect your PL/SQL will also be updated to version 3.0 in 2017. This new release will include tools to make the obfuscation process easier in terms of helping you define the public interfaces to your code; it will add a project manager to help obfuscate multiple source code in different ways; hard ware locking and more. Watch out for version 3.0 in 2017 but if you are interested in protecting your PL/SQL talk to us now for a demo. The license for PFCLObfuscate includes support and all major and minor updates.
[No Comments]

Data Loss

Quite obviously (well its obvious to me!) one of the areas I am very interested in is data loss / data theft / data security and of course specifically Oracle security. We spend a lot of time looking at customers Oracle databases, designs and policies and code and help them resolve issues that would make it easy for someone to breach their databases or worse steal or damage data.

Data is pervasive; I always like the example that you are trying to protect data not Oracle; of course you must use Oracle to protect your data but the goal is to protect your data. In order to protect that data you must understand where that data is (in motion and at rest) so the whole process must include protecting data everywhere and not just in the database. If data is loaded by end users and stored in the database but also reports are produced or parts of the data are exposed in reports / papers/ websites / documents then they also must be protected. It may be necessary to involve network security, server security, desktop security and even physical security (i.e. where is that printer and who has access to it; where are the paper reports kept and who sees them...). I would always still start with the Oracle database; what data should be secured and protected; where is it stored; how is it accessed; basically create a flow of that data from user to storage and back out again. Track the data both at rest and also in flow. We need to understand how the data leaves the database and to where - backups, reports, paper or what ever. The core idea is to assess whether it should leave the database and how secure it is when it does; can it be obfuscated or masked, is it necessary anyway to remove the data?

Once we know where the data is and how it works then we can assess and design the best controls and solutions to secure the data both in the database and also outside of it. We use various tools in these assignments including PFCLScan our Security scanner for Oracle databases. This is a very cost effective tool and very useful for securing data.

What if the data is given away or made public? This is a problem if the data is exposed internally to a small group or larger group or worse to the public (Internet) as anyone can read it and copy it and more. This data can then be replicated anywhere. Once its copied it is no longer under your security controls. The only way to protect this copied data is to not let it be copied in the first place.

Once data has been read it cannot be "unread"!!

I had a good example of this public data loss last week. Someone emailed me and asked me a question about one of the many Oracle Security presentations I have made available on my site over the years. This question stood out because of the URL he sent me which was to my MS PPT (saved as a pdf) on scribd.com and not on my site. This was not the question askers problem and he was not to blame. I publish my MS PPTs and other papers and I expect people to read them on my site and download and read on their PC / device. I do not expect (or indeed want) anyone to re-publish my papers to anywhere else. The account on scribd.com that had this particular paper also published literally hundreds of papers from others as well; I cannot say for sure now but I would say almost all of what this person posted he did not own the copyright. My MS PPTs do include a page with legalese that states in simple terms that these PDFs cannot be re-hosted/published or whatever anywhere else - so this was ignored. I did a quick search and found 6 of my papers and even a screen dump of one page of my website published to scribd.com - This was a simple search and indeed there could be more if I searched with more keywords. Each person with an account on scribd who published mine had also published other peoples work as well in contradiction to copyright or individual licenses such as the one I have included on my paper. Scribd took down my papers within a few hours but that's not the point. I am not allowed to complain to scribd by a DMCA request that I found other papers I wrote that have copyright owned by someone else (i.e. others paid me to write them). They will not take down anything unless you are the copyright owner. I have not searched elsewhere as I am sure this is not just an issue with scribd as I simply do not have the time to do detailed searches (not a good excuse!).

Data once put out there is hard to control. This is a fact. To control and protect data you MUST know where it is and control all access to all of the data and understand the risks of it leaving the database in the first place. My papers of course were not in an Oracle database but were about Oracle Security.
[No Comments]

Oracle Security Training

We provide expert Oracle Security training classes world wide to many customers privately and also at public events; either as in person classes where the instructor travels to you or via webex where the instructor teaches the classes remotely. We are based in the UK and we have successfully taught our classes via webex to clients both in the far East and Australia and also clients in the USA on the West Coast, East Coast, Mid-West USA and also South America.

We have also taught in person classes all across the UK, EEC, Balkans, Middle East, Asia, South America and more.

We are happy to provide either form of teaching experience for customers. The classes are taught by Pete Finnigan who is well known and very experienced in providing the same services for clients world wide.

We have just made some small changes to our 4 existing Oracle Security training class flyers / leaflets and re-uploaded these to our site. These flyers are available for download here and detail our training courses:

[2 Day] - How to Perform a Security Audit of an Oracle Database
[1 Day] - Secure Coding in PL/SQL
[1 Day] - Designing Practical Audit Trails for Oracle Databases
[1 Day] - Hardening and Securing Oracle

The first class is a 2 day class and the other three are all one day classes. We have just added a new one day class to our portfolio:

[1 Day] - An Appreciation of Oracle Security

This is also a one day class and it draws from all of the other classes and aims to give students a good overview of security of data, secure coding, audit trails, forensics and also solutions to secure your databases and data.

We have a small number of public classes at the moment arranged with Oracle University:

5 Days training in Reading, UK, September 26th to 30th, 2016. This is the 4 classes listed above and is a rare opportunity to attend all classes back to back in one sitting over 5 days. Details to book here.
classes with Oracle
2 days with Oracle University in Vienna, Austria, November 29th and 30th 2016. Here I will teach my two one day classes, Secure Coding in PL/SQL and Securing and Locking Down Oracle. I don't have a registration link for both classes yet, so please contact Oracle University or email me and I will pass on details.

2 or 3 days with Oracle University in November 2016 in The Netherlands. No details yet but keep an eye on my website.

All of our classes are available as private trainings for your company; please contact me Pete Finnigan to arrange a class to suit you. Our fees are structured and aimed at being very cost effective even more so as you add more students. As me for details.

Finally we are also planning to run another 3 day class in York, UK in the October / November 2016 timeframe. No dates set yet. The event will be the two day class "How to perform a security audit of an Oracle database" and the one day class "Hardening and securing Oracle". We have done this combination many times now at public trainings and also at private clients very successfully. If you are interested in a York class then please contact me as above.
[No Comments]

Data Exposure, leakage and Reporting

I have had an interesting few interactions over the last week or so regarding data supposedly leaked from my website. This is interesting from two perspectives. The first is that three people emailed me and told me that my website is in danger and that I should remove the file Oracle Default Passwords as its a danger. Another person sent me short dump from this page and a third sent me a typed up report that this looks like an SQL dump from my website. The second reason its interesting is that this is not a dump from my website and is part of a free tool written by Marcel-Jan Krigsman to analyse for default passwords in an Oracle database. My website does not use an Oracle database and this is not a user/password dump from my website of course but anyone reading this will know that. Also the OSP code that marcel-Jan created from my default password list is old and is not the best way to analyse default passwords anymore; a password cracker and my much bigger default list is a better approach now BUT the tool is still valid.

When I perform detailed security audits of customers Oracle databases I also look for data that sits outside of the database (a similar analogy to this) and especially where that data includes passwords. So I understand the background to looking for passwords. Someone who emailed me also advised that I reset all of these passwords; again a valid thing to say BUT this is a free tool not passwords for my website.

Why the focus now to find passwords on my site? - well its not a targeting of my site per-se I guess. One person told me that they found me at the top of the listings with a Google search of "ext:sql intext:username intext:password" - So this search must be doing the rounds - but google searches do not distinguish between real data leakage and data that may contain passwords but is not a leakage - In my case it's a free tool. Some investigation should be done even after finding what looks like a gold mine.

Is it wrong to look for this data; it depends on your intentions of course. I also use Google (and other searches and sites) to look for anything leaked from a customer to the wider internet so there is nothing wrong with this if intentions are good

Should you check the relevance of what you have found before going further, maybe. In this case without any Oracle knowledge it would be hard to know if this was a password dump of my website or part of a tool. A quick query of the website itself would have located the rest of the Oracle default password tool.

Am I bothered that three people emailed me to tell me to remove this page? - one anonymously and two others not -NO of course not; I am not bothered, I am actually quite impressed that three people took the time to tell me that my website is in danger and that I should remove this file. Of course I am not going to remove it as its not actually a danger but I am heartened that people took the time to tell me that I may have an issue.

I have added a comment to the top of the SQL page that says its a tool and not a password dump from my website but if someone else emails me to say its a danger I will still thank them!!
[2 Comments]

Oracle Security Talks, Training and Conferences

Kamil Stawiarski who runs Database Whisperers sp. z o. o. sp. k., an Oracle specialist consulting company in Poland and whose company is also a reseller for our Oracle database security scanner PFCLScan in Poland has invited me to speak at the up-coming 1st International Conference in Poland but due to other commitments I cannot make it this year. Kamil and the guys already have some good speakers and I wish I could be there. Please have a look at the link above and come along to what promises to be a very good event in Poland!!

I also got a speaking slot at Oracle Open World but unfortunately due to a critical work commitment have had to decline the slot. This is a great pity as I have never attended Oracle Open World and I would really have liked to spoken there this year. I have however agreed to still write a paper with Oracle on the subject of the proposed talk "In the mind of a database hacker" so watch out for news of that over the coming period as its created and published.

I am also going to be teaching 5 in-depth days of my Oracle security classes with Oracle in Reading, UK from September 26th to 30th. I am looking forward to this as its a rare opportunity to attend all 5 days of my Oracle security classes in one session. If you would like to attend then please register your place with Oracle.

Over the last week or so I have also received notice from the UKOUG that I have two slots at the Tech 16 Conference in Birmingham, UK this year from December 5th to 7th at the ICC. I am hosting an Oracle Security round table and also will present on what to do if you do not have (or cannot have if you are on SE, SE1, SE2) Database Vault and would still like to have some or all of the features. Hope to see you at the UKOUG in December!!

I am also teaching two one day classes on the 29th and 30th November 2016 in Vienna, Austria with Oracle University. These are "Secure Coding in PL/SQL" and "Lock down and secure your Oracle Database".

OK, that's all for now, please come and hear me speak.
[2 Comments]

Oracle Security Expert Seminar

I am happy to announce that I will be teaching a five day Oracle Security expert seminar class with Oracle University at Oracle offices in Reading, UK from September 26th to September 30th 2016.



Oracle Security Expert Summit Reading



This is a 5 days expert class where I will teach all five days of my Oracle security classes back to back. This is a rare opportunity to attend all my classes in one session in the UK.



Oracle Security 5 Days Training



. The training starts on day 1 and 2 from the premise of reviewing your Oracle database to understand its security posture and then walking through a complete sample audit. On day 3 we discuss secure coding in PL/SQL and on day 3 how to design audit trails for your Oracle database and finally on day 5 we start to pull everything together; We attack a sample database and understand its weaknesses and spend most of the day locking down and protecting the data and database and finally at the end of the day attack the database again to show whether the lockdown has worked or not.

This is in-depth training and each attendee gets to take away hundreds of free scripts and tools developed by me over many years of performing security work for my clients.

I hope to see you there. You can book your place by visiting this link and clicking the fourth tab

[No Comments]