|
COLLABORATE 09: Anatomy of a Database Attack
This morning I attended Anatomy of a Database Attack Through Forensics, presented by Josh Shaul of Application Security, Inc.
I've always been interested in the security aspects of Oracle going back to their start at the CIA. I've even gotten myself into trouble proving these types of things to others (I'll never do that again without saying something to someone prior). I've read David Litchfield's The Oracle Hacker's Handbook. Mr. Shaul went through 2 attack vectors one against 10gR2 and one against 11g. In the 10g attack, the user only had the CREATE SESSION and was able to gain access utilizing a sys package that has a SQL Injection vulnerability. One anonymous block and the DBA role was acquired. I could have sworn that packages in SYS had to be given explicitly? Hmmm... Attack 2 the user had CREATE SESSION and CREATE PROCEDURE. Creating a procedure within their schema that used Invokers rights. This one was in fact fixed in the most recent (April) CPU. So patch 'em up. Some other notes from his presentation: Database Vulnerabilities Default accounts and passwords Easily guessed passwords Missing patches Misconfigurations Excessive privileges External Threats Web app attacks (sql injection) Insider mistakes Weak or non-existent audit controls Social engineering He also discussed The Heartland data breach which forced us to take a second look at how we did things and ended up tightening up our controls. VPD, Least Privilege, and others were used. I'm off to Running Oracle in the Amazon EC2 Cloud. Labels: 2009, collaborate ¶ 5/04/2009 12:27:00 PM 
|
Guest Authors
How To
EBS Install Guide
Learn OBIEE Parallel Processing: DBMS_JOB Write File to Disk Populate Time Dimension DBMS_CRYPTO PL/SQL: Split URL Parameters Instrumentation: DBMS_APPLICATION_INFO OBIEE: Migrate Your rpd Application Express: A Guide
Popular
Why You Should Blog
AppDev vs DataDev Coding is Easy Fun With Linux Code Style Index Better than Tom Kyte? Previous Posts
COLLABORATE 09: Registration, Bearings, etc.
COLLABORATE 09: What's Your Latest Schedule? COLLABORATE 09: What's Your Schedule? Software Development: Pros vs. Hacks Have You Ever Referred To Yourself As An Oracle Ne... Time Periods Kate Where is Tom Kyte? COLLABORATE 09: OAUG, IOUG and Quest Mentoring Code Projects
Archives
August 2007 /
September 2007 /
October 2007 /
November 2007 /
December 2007 /
January 2008 /
February 2008 /
March 2008 /
April 2008 /
May 2008 /
June 2008 /
July 2008 /
August 2008 /
September 2008 /
October 2008 /
November 2008 /
December 2008 /
January 2009 /
February 2009 /
March 2009 /
April 2009 /
May 2009 /
June 2009 /
July 2009 /
August 2009 /
September 2009 /
October 2009 /
November 2009 /
December 2009 /
January 2010 /
February 2010 /
March 2010 /
|
