Archive for the ‘Allgemein’ Category

Security Workshop „Database Activity Monitoring Systems“ in London

Tuesday, November 17th, 2009

In 3 weeks Paul Wright will give a one-day workshop for SANS (Saturday, 5 December, in London) about Database Activity Monitoring Systems (DAMS). Paul will use the free Hedgehog Standard Edition in the class to demonstrate solutions for common problems like user monitoring, defending against public zero days, …

Here is the table of contents:

1. Defend against public and zero day attacks via free custom written IDS rules
2. Gain compliance
3. User activity monitoring
4. Application monitoring
5. Sensitive data access monitoring
6. Diagnostics prior to changes such as CPU (Critical Patch Update) installation

A case study about using DAMS from Paul Wright is available in the UKOUG Scene magazine (Issue 39).

You should not miss the chance to join this workshop, because it can help your company/organization to secure its databases …

Oracle Database Vault is now certified with SAP

Sunday, November 8th, 2009

I just read that SAP is now certified with Oracle Database Vault. This is an important step to increase the security of SAP systems. Well done Oracle. Let’s see if SAP customers will use this functionality.

The Oracle whitepaper "Best Practices Installing and Configuring Oracle Database Vault in an SAP Environment" describes the step-by-step installation of Database Vault in SAP.

The following screenshot from the document (July 2009) shows an information disclosure bug for the Oracle SID (reported by me, fixed by Oracle with the CPU of July 2007). It seems that the installation of the security component was done with unpatched security software 😉

Oracle Openworld 2009 – SQL Injection Presentation

Tuesday, October 13th, 2009

Just back from a short trip to Oracle Openworld, where I gave the presentation "SQL Injection Crash Course for Developers". This was the first time I talked at Openworld in San Francisco. The feedback from the attendees was quite good.

In the SQL injection presentation I showed some screenshots of the brand new web application scanner Netsparker (previously known as Dilemma) from Mavituna Security.

Netsparker is one of the most advanced web application scanners: a really professional GUI, easy to use. Well done, Ferruh.
Netsparker GUI

It supports the execution of SQL statements and OS commands on the DB server.

Netsparker Command Window

I also met the APEX team from Oracle and had a long, interesting chat with them. Joel Kallmann gave me a few tips on how to harden my APEX 3.2.1 installation using mod_plsql.

What else happened in the Oracle security scene?

Slavik also posted an interesting blog entry about SQL injection today.

Today Pete Finnigan published an entry about spoofing users and programs in Oracle. In his blog entry he also mentions the bug DB18 from January 2006, found by Imperva. AFAIK I was the first to come up with the idea of patching oraclient9.dll using a hex editor, and I then sent an email with a description to Pete.

Nowadays this trick is no longer necessary for exploiting this issue, since David Litchfield released a small tool called ora-auth-alter-session.exe (part of OAK, the Oracle Assessment Kit). But for many other applications the client patching technique can still be really useful.

Oracle Password Benchmarks

Tuesday, October 6th, 2009

Yesterday, Dennis Yurichev published details about his FPGA-based Oracle (DES) password cracker. His cracker can check up to 60 million passwords per second (for short usernames) in brute force mode.

This is a good opportunity to show the current status of Oracle password cracking. The benchmark numbers on our website are a little bit outdated and I will refresh them soon.

Here is a quick summary of the fastest programs in every class (AFAIK; please correct me if you know faster tools). All tests were performed on my old Core2Quad 2.4 GHz. A new Intel i7 would perform much faster (30-50%) compared to the Core2Quad.

If you look for pure numbers, dictionary-based rainbow tables for DES are the fastest solution with approx. 250 million password hashes per second, followed by FPGA with 60 million pw/sec, followed by brute force with 4 million pw/sec.

The SHA1 algorithm is a bad choice from the password-cracking perspective, because it can be cracked much faster (30 million pw/sec instead of 4 million pw/sec) on the same computer.

1. Dictionary based (Core2Quad 2.4 GHz)
   DES:  approx. 3 Mill pw/sec    (Repscan 3.0 and woraauthbf)
   SHA1: approx. 19 Mill pw/sec   (Repscan 3.0)

2. Brute force (Core2Quad 2.4 GHz)
   DES:  up to 4 Mill pw/sec      (Repscan 3.0 and woraauthbf)
   SHA1: approx. 30 Mill pw/sec   (Repscan 3.0)

3. Rainbow table (Core2Quad 2.4 GHz)
   DES:  n/a                      (Cain)
   SHA1: hash salted, not useful

4. Dictionary-based rainbow tables (Core2Quad 2.4 GHz)
   DES:  up to 250 Mill pw/sec    (ophcrack)
   SHA1: hash salted, not useful

5. FPGA
   DES:  up to 60 Mill pw/sec     (Dennis Yurichev)
   SHA1: not available

6. GPGPU
   DES:  n/a
   SHA1: n/a (estimated 175 Mill pw/sec)
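Why the table marks the SHA1 hashes as "salted, not useful" for rainbow tables: the Oracle 11g verifier appends a random per-user salt before hashing, so a precomputed table built for one account does not apply to another, while brute force (which the table shows is faster for SHA1) is unaffected. The following is an added example, not code from the original post; it assumes the commonly documented 11g layout of S:<40 hex SHA1 of password bytes + salt><20 hex salt> with a 10-byte salt, and uses only the Python standard library.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 10  # assumption: 10-byte random salt in the 11g "S:" verifier


def oracle11_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an 11g-style verifier: 'S:' + hex(SHA1(password || salt)) + hex(salt).

    A fresh random salt is drawn when none is given, which is exactly what
    makes two accounts with the same password store different hashes.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "S:" + (digest + salt).hex().upper()


def oracle11_verify(verifier: str, candidate: str) -> bool:
    """Check a candidate password against a stored verifier.

    The salt is read back from the verifier itself, and the digests are
    compared in constant time so the check leaks nothing via timing.
    """
    if not verifier.startswith("S:") or len(verifier) != 2 + 2 * (20 + SALT_LEN):
        raise ValueError("not an 11g 'S:' verifier")
    raw = bytes.fromhex(verifier[2:])
    stored_digest, salt = raw[:20], raw[20:]
    candidate_digest = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(stored_digest, candidate_digest)


def same_password_shares_hash(password: str) -> bool:
    """Hash the same password for two accounts and report whether the stored
    20-byte hash part is identical. With per-user salts this is False, which
    is the reason a single precomputed table cannot cover every account."""
    first = oracle11_hash(password)
    second = oracle11_hash(password)
    return first[2:42] == second[2:42]
```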

IOUG 2009 Database Security Study – 50% increase in data breaches

Thursday, October 1st, 2009

Today the IOUG released a database security study. This study, sponsored by Oracle, revealed some interesting facts.

  • 50% increase in data breaches since last year
  • Internal threats (e.g. unauthorized users) are a bigger problem than external hackers
  • Database administration outsourcing increased by 40%
  • Nearly 50% of the organizations use production data for non-production environments

You can download the study from the Oracle site.

Database security becomes more and more important. People should think about using Oracle security tools (e.g. our database security scanner Repscan, or innovative security monitoring solutions such as Hedgehog) or joining our 5-day Oracle Anti-Hacker Training. If you are interested in (in-house) security training, just send us an email.
