IOUG 2009 Database Security Study – 50% increase in data breaches

Oktober 1st, 2009

Today the IOUG released a database security study. This study, sponsored by Oracle, revealed some interesting facts.

  • 50% increase in data breaches since last year
  • Internal threats (e.g. unauthorized users) is a bigger problem than external hackers
  • Database adminstration outsourcing increased by 40%
  • Nearly 50% of the organization use production data for non-production environments.

You can download the study from the oracle site.

Database security becomes more and more important. People should think about using Oracle security tools (e.g. our database security scanner (Repscan) or innovative security monitoring solutions (Hedgehog)) or to join our 5-day Oracle Anti-Hacker-Training.If you are interested in a (in-house) security training, just us an email.

  • 50% increase in data breaches since last year
  • Internal threats (e.g. unauthorized users) is a bigger problem than external hackers
  • Database adminstration outsourcing increased by 40%
  • Nearly 50% of the organization use production data for non-production environments.

You can download the study from the oracle site.

Posted in Allgemein, Oracle Security | No Comments »

Oracle postpones October 2009 CPU

September 4th, 2009

Yesterday Oracle announced that the Oracle October 2009 CPU will be postponed due to the Oracle Openworld in San Francisco.Instead of releasing the patches on the 13th October 2009, Oracle will release them 1 week later at the 20th of October. The reason is that many people responsible for deploying the Oracle CPU will be at the Openworld.Good choice because I will visit the Openworld to and will give a presentation on SQL Injection.

Posted in Oracle Security | No Comments »

New Security Features Oracle 11g Release 2

September 1st, 2009

Here are the New Features Oracle 11g Release 2.

  •  Enhancements to the Audit Trail Cleanup Process
    (Oracle has added several enhancements to the audit trail cleanup process, e.g. set maximum size and age for os audit trails, mobe audit trail from SYSTEM tablepace, purge audit trail records in one operation or purge job, timestamp audit trail records based on their archive date)
  • Enhancements to Directory Objects
    (Execute Privilege for Directory Objects. Since Oracle 11.1.0./10.2.0.5 it is possible to run OS commands via external tables. This privilege allows to restrict the execution of OS commands.
    Auditing of directory objects „AUDIT EXECUTE ON DIRECTORY rds_dir BY ACCESS;“)
  • Enhancements to Fine-Grained Access to External Network Services
    (utl_http supports azon Simple Storage Service (S3) scheme,
    support for IPv6)
  • Global Application Contexts Available Across Oracle RAC Instances
  • Secure Sockets Layer (SSL) Version 2 Support Change
    (SSL is no longer included in the default list of default supported protocols)
  • Tablespace Master Key Rekey: Changing the Encryption Key Password
    (To fullfil the PCI DSS requirements it is now possible to rotate the encryption key)

Some features are deprecated with this version of Oracle:

  • DB_EXTENDED Setting for the AUDIT_TRAIL Parameter Deprecated
    (instead use the DB,EXTENDED string)
  • WKUSER Role and Ultra Search Schemas Deprecated
    (The WKUSER role and the schemas WKSYS, WKTEST, WKPROXY have been deprecated)
  • Database Configuration Assistant No Longer Provides Default Security Settings
    (Audit options and password policies are automatically added to the database if you use DBCA)
  • ALTER USER Clause AUTHENTICATED USING PASSWORD Deprecated
    (btw „IDENTIFIED BY VALUES is still undocumented, see Oracle documentation)
  • Password for the listener.ora File Deprecated
    (According to Oracle it is no longer needed and will be removed in Oracle 12)

Posted in 11g | 3 Comments »

Oracle 11.2.0.1.0 is available for download

September 1st, 2009

I just saw on OTN that Oracle 11.2.0.1.0 is out.

New possibility for new security bugs 😉

Posted in Oracle Security | No Comments »

Defcon Presentation about an Oracle Worm, oap_hacker and bsqlbf

August 5th, 2009

Sumit Siddharth has published his Defcon presentation about „The Making of Second SQL Injection Worm (Oracle Edition)„.

Sumit describes the differences between SQL Injection and PL/SQL Injection and presents his tool „oap_hacker.pl“ which allows to run OS commands via Java. oap_hacker.pl and Bsqlbf v.2.3 are using a PL/SQL Injection bug in dbms_export_extension (the old one and not the new one which was fixed with the CPU July 2009).

BTW, the (underground) tool darkORASQLi.py to dump data from Oracle databases is also using the dbms_export_extension vulnerability to run OS command.

A demo of his Oracle worm ora_w0rm.pl is available on YouTube.

Here are some screenshots how to overtake a client PC accessing an (via worm) infected Oracle System:

Oracle Worm 1

Oracle Worm 2

Oracle Worm 3

Oracle Worm 4

Very interesting work. Thanks Sumit for this presentation.

Posted in Exploit, Oracle Security, SQL Injection | 1 Comment »

« Older Entries
Newer Entries »