June 14th, 2013 by Pete
The latter part of the title of this blog post first!. I submitted a couple of entries for the up-coming UKOUG Oracle conference this year; I hope that they will be accepted. The Judging process is on going now. The conference is moving this year to Manchester from its normal home of the ICC in Birmingham so it will be good to be in a new venue. I volunteered for the abstract judging as I normally do and the thing that struck me this year is that there is a good number of talks submitted on Oracle security so it should be a good conference; excellent!
The second part of this short blog is that whilst looking at the broken web site earlier this week Marcel-Jan sent me an email to let me know that he could not access a forum post that he had made recently titled "
oracle-enum-users doesn’t work on Nmap 6.25" that he could not longer access. This was due to my webserver file system telling itself that it was read only; an aspect of the disk issues we were having. In Marcel-Jan's post he referenced his blog and I made a note to mention it here.
Marcel-Jans Oracle Blog is excellent and includes a number of posts around Oracle security, these include:
1) discussing nmap against the Oracle listener
2) the subject of Marcel-Jans post on my forum which was that the oracle-enum-users didnt workin his testing for an upcoming talk,
3) hacking Oracle as a way to learn why you need to secure it
4) Public database links are a problem
5) creating Oracle database honey pots
6) auditing the listener
7) a good discussion of worms and Oracle
and many more, head over to
Marcel-Jans Oracle blog for more details.
[
No Comments]
June 12th, 2013 by Pete
For the last week some of you may have noticed issues with our website
PeteFinnigan.com as at times it failed completely or was giving 403 errors even where there was no protected regions of the site and at some other times the forum was not working when you tried to access forum posts. Also the "visitors on line" tag line was showing an error. The issue related to a failing disk on the server that our site is hosted on. We tried to work around this to avoid a full site migration and full rebuild for a while to no avail and now finally yesterday the website has been moved to a new server, new disks of course and is now fully migrated and working again properly. Well the public side is working, we still have some admin functions to get running again.
So if you found we were not live in the last week, sorry for that and hopefully you can now find what you are looking for. The site is back.
Our products
PFCLOBfuscate to protect and secure PL/SQL and our database scanner
PFCLScan are on seperate websites and hosts so these were not affected.
My company started with my
PeteFinnigan.com website a long time ago, indeed the site existed before the company hence it made a good vehicle to use as my limited companies name and so my company was born just over ten years ago using the name of my existing website. The website still has the look and feel of a private persons website collecting information on Oracle security and of course talking about Oracle security. i have been reluctant to change that over the years as in one sense I like the approach that we live and breath Oracle security but we also sell training, securty audits of Oracle databases and also consulting and design around areas such as Oracle Label Security, Virtual Private Database, Fine Grained Audit, encryption, Security controls and well indeed anything related to Oracle Security.
Also we have created our two software products
PFCLObfuscate to protect PL/SQL and SQL and also
PFCLScan to scan and test databases for security compliance. We also have two other software products coming soon.... more details about those later....
We have been very successful over the years providing Oracle Security services, training and products from a company named after my website and also to a lot of big and small clients worldwide but with a site that looks a little more like a personal site. I have been mulling over recently that we should make it look more professional (Note: to people cold selling web design and seo services this is not an invitation to offer these to me!!!) and more product/service oriented and remove the big picture of myself.
,
I will let you know what we decide and finally if anyone finds any area of the site still broken that we have missed please let me know.
Bye for now!
[
2 Comments]
May 30th, 2013 by Pete
I have just agreed a public class dates of my very popular "
How to perform a security audit of an Oracle database" with Oracle University to be held on September 24th and 25th in Rome, Italy. The registration link with Oracle is :
http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=609&p_org_id=32&lang=I&get_params=dc
80323_1025738,p_preview:N
- Sorry the link on Oracles site breaks when embedded as a link so please cut and paste into your browser.
I have just done two successful public classes in Istanbul and Prague and have quite a number of private classes booked in over the next few months. If you would like a private class then please
contact me. Also if you would like to organise a public class; many have so far, then also please
contact me.
We have had great success in the last few months with our new
competitive license model for our Oracle database security scanner
PFCLScan. The license model as you will read is based on software installation and not the number of databases that you scan. This works well for companies using the scanner internally or if you are a consultant. The primary goal for me was to have a product that is reasonable to license and also that is useful to either use out of the box but more importantly for customers to create their own custom policies in PFCLScan that can be used to test against their own internal Oracle security standards. To this end we designed and developed the product to make it easy to create projects to scan with and also to develop your own policies to acheive easily a policy that matches your own standards. You can use our policies and checks and mix and match them into your own policies and projects. We don't encrypt the checks so you can easily modify or extend them. We also have the concept of libraries so that you can create simiilar checks once as a library and then use it and parameterise its inputs. This makes cutting and pasting unnecessary in terms of writing policies. We also support checks in many different languages and targets as well as questionaire type checks.
As I said the focus for us was to provide a rich interface that is open and very flexible to allow easy creation of your own policies to your own standards. You can of course just run ours!
We have adopted the same license model for our other product
PFCLObfuscate. This is again licensed per software installation and not targets or files protected. This product can be used to protect your PL/SQL. If you write/sell/deploy applications written in PL/SQL then you should look at PFCLObfuscate to help protect the invested IPR in your PL/SQL code.
Contact us for more details or if you would like to purchase a license.
January 14th, 2013 by Pete
I wrote a new presentation last year on secure coding with PL/SQL and presented it twice; once at a SIG in London and once in Oracles office in Edinburgh. This is a really interesting subject for me as i have spent a lot of time working with PL/SQL code, looking for bugs for customers, securing PL/SQL code and also developing
PFCLObfuscate our product to help customers protect the Intelectual Property in their PL/SQL code.
We are going to release a new version of PFCLObfuscate soon with some major new features; I will talk about that soon and show some demonstrations.
In the meantime the purpose of this blog post is to say that I have posted the slides to this securing PL/SQL talk on my
Oracle Security white papers page. The talk
Securing PL/SQL Coding can be downloaded!
September 6th, 2012 by Pete
This post if not specifically about Oracle Security but I got here because of Oracle security so i am going to talk about Oracle security first...:-)
I am working this morning on a proof of concept code for a security solution for a clients database; so i am creating code for a high level design i wrote a couple of months ago to now demonstrate that the custom Oracle Security feature will work in practice for them and that its protected from bypass - I might talk about the actual solution here generally later if the client is happy for me to do so or simply discuss some of the protection features I use as they are my IPR. The solution for them is a security feature I am designing for their database also with secure coding in mind. I am implementing a feature in PL/SQL that has some protections built in to stop the feature being bypassed; its got PL/SQL software license type features added not because the client wants software license features added but to prevent someone from selecting the code from the database and adding it to their own database to run it, play with it and try and break it. The license features also try and make sure it runs in the right context in the installed database; this is an area (secure code, PL/SQL IPR protection, PL/SQL software license features, context based security...) I am realy interested in at the moment and that i have done quite a bit of work with for clients in the last couple of years; hence i will talk about all of these things at the UKOUG SIG on October 10th and also on December 5th at the UKOUG conference.
So these protections and context based checks stop code from being broken or reverse engineered to allow the hacker to understand how the code and protections work and also these protections try and make sure the code only runs when it is supposed to and also wont run if installed in another database. Of course no protection will work forever when its protecting code in a database that someone could take and run or simply study somewhere else privately until they break it. The idea is to make it very hard and also to make it take so long that they will give up.
I have four layers of protection on top of the original code:
layer 0) PL/SQL Code - just normal code you and I write
layer 1) Add in license features and context based protection
layer 2) Obfuscate the code with out PL/SQL Obfuscator
PFCLOBfuscatelayer 3) Wrap the obfuscated code with 9i Wrap
layer 4) protect the wrapped code with WrapProtect our tool that stops unwrappers from; well unwrapping the code
The obfuscation with PFCLOBfuscate makes the code hard to read and removes meaning but it also means that when the 9i Wrap is used the symbol table no longer gives away secrets in the underlying PL/SQL code. Its then not possible to simply modify the wrapped file directly to change a setting or check as it would also change functionallity elsewhere so breaking the code from running. Using 9i Wrap is also better as getting a working 9i unwrapper is harder and more importantly all the work i have done over the years understanding the PL/SQL wrap mechanism and unwrapping PL/SQL now becomes useful as I have worked out hundreds of ways to prevent all known 9i and earlier unwrappers from working. When these hundreds of ways are also randomised there are literally thousands of protections. The 9i wrap and the WrapProtect program doesnt have to be used of course but it adds that final layer of protection that makes it very hard for most people to steal your PL/SQL based IPR or to even try and run that code elsewhere or in a different context.
For a hacker to break the code they must find an unwrapper, defeat the unwrap protection, defeat the obfuscations and then defeat the license and context features.
OK, the reason I started this post was that during my work this morning I wanted to search for something in google related to this work. I did a search and i have noticed a really annoying feature about this more and more recently; the results are completely flooded with single domain names; whilst the actual pages may have some relevant data on the single domains, i can tell from just the snippits visible they are not relevant for me and I dont want pages and pages of results for one domain. I did a search in google.com and and the first five results are for various pages on oracle.com, the sixth result was my site, the seventh was actually not relevant at all for the search; then 3 results for old books and then 27 results for oracle.com (yes 27 results for one domain, google never used to do this!!!) and then one for me again.
What use is this? over 30 results for oracle.com in the first four pages of google results. I did this search in firefox; in IE, i get first 4 results for oracle.com, then two pages for my site then the same pages as before in a different order and then pages of oracle.com. So not only are the results flooded by single domains they are different between firefox and IE, why?.
I then checked bing.com for the same search and the results are much more balanced. I did the same check in
duckduckgo.com which is a great little search engine that gives that clean simple feel that google did many years ago; i really like it.
Come on google, give us back that great search and remove all the gimics like auto-complete which also annoys me. The current google algorithm must favour large sites with lots of back links otherwise how do we get pages and pages of results from strong sites instead of varied results from lots of sites. OK, in my search oracle.com came back and according to google it has 31 million pages in its index, its a huge amount of pages that carry a massive collective weight and some are clearly relevant but i want balanced search results to find what i need not just pages of results from one site.
OK, google officionados are going to tell me to log in and taylor the search to not include the domains that I dont want to see or to do other trickery but I really don't want to log in to search. I just want plain vanila results everyone else gets. I don't see why I need to log in to get better results; bing and duckduck and othger search engines don't need me to do so to give balanced results.
Also I think that this has not passed others by as when i check search results in google webmaster tools I see a big difference to not that long ago. I used to see people clicking through on terms more where i ranked in the first page of results I now see click through for results where my site is pages and pages down in the results; this means in my opinion that people are probably looking deeper to get what they want instead of clicking the first page only as was previoulsy the norm.
I started to use bing.com and duckduckgo.com a while ago but still by habit use google but it annoys me for some results so i am tending towards the others instead but i have used google since the 90s.
September 5th, 2012 by Pete
OK, its not Oracle database security but its big news and it is from Oracle. Oracle have recently released an out of band
Java security patch which supposedly fixed serious security flaws; then a few days ago the guys at
Security Explorations who reported the bugs said that Java is still vulnerable and the fix didn't patch the hole entirely. There have already been phishing attempts with fake Amazon order emails and others exploiting these bugs.
Back to the database; doesn't this attempt to fix Java sound like what was happening with Oracle database fixes 6 or 7 years ago. We all would have to say that the database CPU, patches, fixes and more are getting much better than they were in the bad old days of alerts such as the monster alert 68 and we are all aware that. This is good of course. The topics of conversations a few years ago (4 years at least) for instance at the Oracle Security round table at the UKOUG conference were always focused around CPU's and bugs, I remember one round table where the talk around the group was almost exclusively about bugs/hacks and of course fixes. Even just talking to people out at clients or conferences or anywhere really the talk aways degenerated to CPU's and bug fixes BUT I really feel that has changed now and people are focusing more on actual data security and not just patches. This is good. We also know of Oracles efforts at teaching staff about secure coding and their use of code analysers mentioned in old blog posts so we know for the database there has been a concerted effort to get better.
When i read the stuff about the Java fix and the patch not properly fixing the bugs (see links above) it so reminded me of the old database days and i made a note to blog about it. I did a quick dig and found a post "
A Decade of Oracle Security" quoting David Litchfield; scroll down the linked page to 2005, January 6 and see what David is quoted as saying on BugTraq; sounds very familiar!
Deja-Vu?
September 4th, 2012 by Pete
I am going to be doing three sessions at the UKOUG conference this December in Birmingham. I am going to be chairing the Oracle Security Round table on the 4th December. I am also writing three new presentations; two for the conference and one for a SIG.
I will do two new papers on the 5th December for the UKOUG conference; the first is "Security controls for DBA's, power users and third parties" - this will talk about how to design security controls to allow DBA's, power users and others to access and use the database safely without creating a bigger risk than necessary; i am also going to talk about how to allow third party and power access by using context sensitive security controls. I will cover the issues and example solutions for the problems. The second new paper is "Building Practical Audit TrailsBuilding Practical Audit Trails" where I am going to talk about building usefuk audit trails using just the core features of the database. So we will cover designing, managing, tech setup, reports, alerts and more. I will also cover auditing of the audit trail itself to capture changes or unauthorised access to it. I will also cover audit of security controls and also discuss the obvious risks and trade offs in using database audit features and what we can do to reduce those risks.
The final new presentation will be on secure codeing in PL/SQL; this will be given at a UKOUG Sig in London on October the 10th. This talk covers the risks to your PL/SQL code, how it can be exploited - so obviously SQL Injection but other attacks, how to prevent them and also I will dicuss protective coding, securing your IPR in PL/SQL, how to make sure your code only runs where it is supposed to (so context based security again) and i will also talk about secure coding when creating security features in PL/SQL with a couple of examples.
OK, thats it for now.
