Info

You are currently browsing the archives of Alexander Kornbrust's Oracle Security Blog for April 2010.


Archive for April 2010

Improve Oracle TDE with Intel AES-NI

I found an interesting whitepaper “Securing the Enterprise with Intel AES-NI” from Intel.

This white paper explains how the new AES-NI instructions in the Intel Xeon 5600 series can speed up AES encryption and decryption. When I first read about this feature I was impressed.

The AES code in OpenSSL is up to 7 times faster with this new instruction set.

Intel also ran tests with Oracle 11g and Transparent Data Encryption (TDE) in AES-256 CBC mode. Using the optimized Intel Integrated Performance Primitives (IPP) shows an 89 percent reduction (3.33 GHz Xeon X5680 vs. 2.8 GHz Xeon X5560) compared with the previous processor generation.

This is a huge advantage; if you use TDE, you should consider moving to such a processor.
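Before relying on the speedup, a practitioner will want to verify that the CPU actually exposes AES-NI to the operating system and measure the difference on the machine at hand. The script below is an added example written for this page; it is not from Intel's whitepaper or from Oracle. It assumes a Linux host (it reads the `flags` line of `/proc/cpuinfo`), an installed `openssl` command-line tool, and the `OPENSSL_ia32cap` environment variable documented in OpenSSL's `OPENSSL_ia32cap(3)` man page, whose mask `~0x200000000000000` hides the AES-NI capability bit so the same `openssl speed` run shows the software-only baseline. The file name `aesni_check.sh` is a constructed assumption used only for the run guard.

```shell
#!/bin/sh
# Added example (not from the blog post or Intel): check for AES-NI and, if the
# openssl CLI is present, benchmark AES-256-CBC with and without the instructions.

# Return 0 when the first "flags" line of a Linux /proc/cpuinfo-style file lists
# "aes" (the kernel's name for the AES-NI feature bit). FILE defaults to
# /proc/cpuinfo; a constructed file can be passed instead for testing.
aesni_available() {
    file="${1:-/proc/cpuinfo}"
    grep -m1 '^flags' "$file" 2>/dev/null | grep -qw aes
}

# Run "openssl speed" for AES-256-CBC (the mode used in Intel's TDE test) through
# the EVP interface, which is the code path that picks up AES-NI, and print the
# throughput line. Then repeat with OPENSSL_ia32cap masking bit 57 (AES-NI), as
# described in OPENSSL_ia32cap(3), to get the pure-software figure for comparison.
bench_aes256() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 1; }
    echo "AES-NI enabled:"
    openssl speed -evp aes-256-cbc 2>/dev/null | grep '^aes-256-cbc'
    echo "AES-NI disabled (OPENSSL_ia32cap mask):"
    OPENSSL_ia32cap="~0x200000000000000" openssl speed -evp aes-256-cbc 2>/dev/null | grep '^aes-256-cbc'
}

main() {
    if aesni_available; then
        echo "CPU flags list aes: AES-NI available"
    else
        echo "CPU flags do not list aes: no AES-NI (or not a Linux host)"
    fi
    bench_aes256
}

# Run only when executed as aesni_check.sh, so the functions can also be sourced.
if [ "${0##*/}" = "aesni_check.sh" ]; then
    main "$@"
fi
```

Save it as `aesni_check.sh` and run `sh aesni_check.sh`; on a virtual machine, remember that the hypervisor must pass the `aes` CPU flag through to the guest, otherwise OpenSSL (and Oracle's TDE) fall back to the software implementation even though the physical CPU supports AES-NI.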

Man-in-the-Middle attacks at upcoming Black Hat Europe

Wendel Guglielmetti Henrique and Steve Ocepek will demonstrate at the upcoming Black Hat Europe 2010 in Barcelona (14-15 April) how to steal credentials by downgrading authentication mechanisms, as well as how to take over existing user sessions. They will also show their thicknet tool, which will be available after the conference.

This sounds similar to Laszlo's work on downgrading JDBC. But I already had a chance to review their presentation, so I know it is different.

More information after their presentation.

Oracle CPU April 2010 - Prerelease

Yesterday Oracle released the CPU April 2010 Pre-Release. These patches will fix 47 security vulnerabilities. The database patch itself will contain 7 new security vulnerability fixes. None of these vulnerabilities are remotely exploitable without authentication.

The highest CVSS base score for the Oracle database is 7.5.

The following components are affected:

• Change Data Capture
• Core RDBMS
• JavaVM
• Oracle XDB
• RDBMS Security
• XML DB

Oracle will fix one of my findings in the April 2010 CPU.

At the DOAG Expertenseminar “Oracle Hardening & Patching / Auditing & Co.” in Berlin (26.04.2010 - 27.04.2010) I will talk about this CPU as well. If you are interested, you can attend this two-day seminar.

Cool Web Application Scanner: Netsparker Community Edition

Today I want to present the Netsparker Community Edition.

Netsparker (from Mavituna Security) is the best web application scanner I know. It is easy to use and delivers really good web application scanning results. It saved me a lot of time and helped me to find security bugs in Oracle applications (Enterprise Manager).

The best thing: The new community edition is free (OK, with some limitations).

The commercial versions have even more interesting features, such as Time Based Blind SQL Injection, Remote Code Injection, OS Level Command Injection, CRLF / HTTP Header Injection / Response Splitting, and more. The entire feature (and price) list is available here.

Here is a screenshot from Netsparker:

[Screenshot: Netsparker Community Edition]

If you are interested just download the community edition.

Joxean Koret released his presentation “Hackproofing Oracle Financials 11i / R12”

Joxean Koret has released his presentation “Hackproofing Oracle Financials 11i / R12” from RootedCON 2010. Joxean shows some nice ways to own old and new Oracle Financials installations.

Thanks to Sid for the link via twitter.