Archive for April, 2010

Improve Oracle TDE with Intel AES-NI

Tuesday, April 13th, 2010

I found an interesting whitepaper, "Securing the Enterprise with Intel AES-NI", from Intel.

This white paper explains how the new AES-NI instructions in the Intel Xeon 5600 series can speed up AES encryption and decryption. When I first read about this feature I was impressed.

OpenSSL (AES part) is up to 7 times faster with this new instruction set.

Intel also ran tests with Oracle 11g and Transparent Data Encryption (TDE) in AES-256 CBC mode. Using the optimized Intel Integrated Performance Primitives (IPP), they measured an 89 percent reduction (3.33 GHz Xeon X5680 vs. 2.8 GHz Intel Xeon X5560) compared with the previous processor generation.

This is a huge advantage, and if you use TDE you should consider moving to one of these new processors.

Man-in-the-Middle attacks at upcoming Black Hat Europe

Monday, April 12th, 2010

Wendel Guglielmetti Henrique and Steve Ocepek will demonstrate at the upcoming Black Hat Europe 2010 in Barcelona (14-15 April) how to steal credentials by downgrading authentication mechanisms as well as by taking over existing user sessions. They will also show their thicknet tool, which will be available after the conference.

This sounds similar to Laszlo's work on downgrading JDBC, but I already had a chance to review their presentation, so I know it is different.

More information after their presentation.

Oracle CPU April 2010 – Prerelease

Friday, April 9th, 2010

Yesterday Oracle released the CPU April 2010 Pre-Release. These patches will fix 47 security vulnerabilities. The database patch itself will contain 7 new security vulnerability fixes. None of these vulnerabilities is remotely exploitable without authentication.

The highest CVSS base score for the Oracle database is 7.5.

The following components are affected:

• Change Data Capture
• Core RDBMS
• JavaVM
• Oracle XDB
• RDBMS Security
• XML DB

Oracle will fix one of my findings in the April 2010 CPU.

At the DOAG Expertenseminar "Oracle Hardening & Patching / Auditing & Co." in Berlin (26.04.2010 – 27.04.2010) I will talk about this CPU as well. If you are interested, you can attend this two-day seminar.

Cool Web Application Scanner: Netsparker Community Edition

Thursday, April 8th, 2010

Today I want to present the Netsparker Community Edition.

Netsparker (from Mavituna Security) is the best web application scanner I know. It is easy to use and produces really good web application scanning results. It saved me a lot of time and helped me find security bugs in Oracle applications (Enterprise Manager).

The best thing: The new community edition is free (OK, with some limitations).

The commercial versions have even more interesting features, such as Time Based Blind SQL Injection, Remote Code Injection, OS Level Command Injection, CRLF / HTTP Header Injection / Response Splitting, and more. The entire feature (and price) list is available here.

Here is a screenshot from Netsparker:

[Screenshot: Netsparker Community Edition]

If you are interested just download the community edition.

Joxean Koret released his presentation "Hackproofing Oracle Financials 11i / R12"

Tuesday, April 6th, 2010

Joxean Koret has released his presentation "Hackproofing Oracle Financials 11i / R12" from RootedCON 2010. Joxean shows some nice ways to own old and new Oracle Financials installations.

Thanks to Sid for the link via Twitter.