ORACLE FORENSICS by Paul M. Wright ~ Three Tier Security in London

(SELECT * FROM ORACLE_SECURITY) INTERSECT (SELECT * FROM COMPUTER_FORENSICS)


SANS-RSA and Three Tier Oracle Security

Just landed in San Francisco and am preparing for the SANS and RSA conferences, where I am due to speak. I have a few minutes to spare, so let's catch up on what has been happening in the world of Three Tier Oracle Security:

This article from Alexandr is interesting:
http://www.dsecrg.com/files/pub/pdf/Penetration_from_application_down_to_OS_(Oracle%20database).pdf. It shows how to make a Windows 2003 server attempt NTLM authentication from its Oracle DB. This is creative thinking and well written, though my main thought is that Oracle on Windows has had a lot of problems generally, so this is probably best avoided altogether if you have the choice.

April 2009 CPU exploits are out, with RDS showing good form with this 11g SQL injection, among others:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html

Just finished reading http://www.amazon.com/HOWTO-Secure-Audit-Oracle-10g/dp/1420084127.
I enjoyed the read, and of particular interest was the relatively high performance hit of OAV described on p281. OAV logs as normal via native audit, with its associated performance hit, and then adds a further hit from the collectors. This is good news for Sentrigo AND Guardium, though it would be good to see the actual figures for this, as my contacts at Oracle have reported differing results. This emphasises the need for public data that is verifiably correct. The notion of information security skills being used more to protect the integrity and availability of widely available data, rather than primarily to keep secrets, is one I am attracted to and one I think will have increasing importance.
In this vein I like Ron's description of the Oracle Total Recall feature with Flashback Data Archive (p252), on which I will be writing in detail in the near future. This feature provides an "immutable" record of the past states of a tuple, which guards against tampering and adds a time dimension to the relational model. It does not, to my knowledge, involve any Arnold Schwarzenegger films, directly.
There is some 9i-specific material included in the book for backward compatibility, but for me the most interesting contribution is the practical HOWTO material describing the actual usage of OAS features.

I have been busy as well and have a new paper that is with Oracle, entitled "Database Malware using Namespace Attacks". This is due for release soon and has two new elements to it that I know are going to be of interest, but it has to follow the ethical reporting process first. Of key interest is the fact that only host-based DB monitoring systems that can identify the true schema name of an object, even when it is not given in the query, will be immune to this new type of attack and others related to it. Sentrigo HH is one of these systems that is immune and can identify an attempt to carry out this attack. I am happy to talk in general about the concepts behind this vulnerability at RSA, how I have tested that Sentrigo HH defends against it, and how to forensically respond to a related incident. Most importantly, my experiences of keeping the availability and integrity of the business function whilst simultaneously deploying the security solution should make the talk worth attending.

Session Detail
Session Code: HOST-302
Session Title: Protecting Your Enterprise Database: Challenges, Approaches and Best Practices
Scheduled Date/Time: Thursday, April 23 09:10 AM
Purple 304
Session Abstract: With growing incidence of attacks across industries and strong regulatory requirements to secure private data, enterprises need to make database security a top priority. Today, database attacks are more sophisticated than ever, requiring enterprises to take stronger security measures. This panel, comprising customers, will discuss database security strategies and give practical advice on what organizations should be doing to protect their critical databases.
Panelists:
Jason Perkins, Senior Application Security Lead, First Advantage
Paul Wright, VP Database Application Security Development, Markit Corporation
Ayad Shammout, Lead Technical DBA, Caregroup Healthcare System
Patrick Buie, Information Security Analyst, Carlson Wagonlit Travel
Moderator: Noel Yuhanna, Principal Analyst, Forrester Research

San Francisco is a great place to be and the Golden Gate is a positive symbol of American technology ~ plus sun is forecast, so it should be a good week.

RSA summary and the new paper to come shortly.

Best regards,
Paul

DB Data Forensics

There has been a lot of good work carried out recently on database forensics approached from the OS, particularly using reverse-engineering techniques to understand the format of metadata in the datafiles, such as timestamps. However, it is commonly found in practice that OS-level access is denied to the DB team in order to enforce segregation of duties. Additionally, the terabyte datafile sizes of many commercial enterprise DBs make datafile analysis impractical. The upshot is that DB-level methods of verifying the state of an object or dataset are often more useful.
For instance, timestamps within the DB are easily accessible via ALL_OBJECTS and provide some level of DB-based integrity checking using the CREATED and TIMESTAMP (last specification change) columns. The problem is that a user can set an object's timestamp back in time quite easily, so it should at least be compared with CREATED and LAST_DDL_TIME from the same view rather than trusted on its own. For instance:

SQL> set serveroutput on
SQL> create or replace procedure time_test as
2 timevar varchar2(20);
3 begin
4 select sysdate into timevar from dual;
5 dbms_output.put_line(timevar);
6 end;
7 /
Procedure created.
SQL> exec time_test;
18-JAN-09
PL/SQL procedure successfully completed.
SQL> alter procedure time_test compile timestamp '1066-11-11:12:0:59';
Procedure altered.
SQL> select timestamp from User_objects where object_name='TIME_TEST';
TIMESTAMP
-------------------
1066-11-11:12:00:59

The above is a good reason for using a checksum method of verifying the integrity of object source code. For example, this code, adapted from the newly reprinted Oracle Forensics book, creates checksums of Oracle triggers (it needs EXECUTE on DBMS_CRYPTO and, for schemas other than your own, SELECT_CATALOG_ROLE so that DBMS_METADATA.GET_DDL can see the objects):

set wrap off
set linesize 400
set serveroutput on
-- Prints a SHA-1 digest of the DDL of every trigger in a schema, so the list can be
-- kept as a baseline and compared later.
CREATE OR REPLACE PROCEDURE SHA1DBTRIGGERSTATECHECKER(lvschema in varchar2) AS TYPE C_TYPE IS REF CURSOR;
CV C_TYPE;
l_hash raw(20);               -- a SHA-1 digest is 20 bytes
lvname VARCHAR2(128);
lvtype varchar2(30) :='TRIGGER';
begin
DBMS_OUTPUT.ENABLE(200000);
OPEN CV FOR 'SELECT DISTINCT OBJECT_NAME FROM SYS.ALL_OBJECTS WHERE OBJECT_TYPE=''TRIGGER'' AND OWNER = :x ORDER BY 1' using lvschema;
LOOP
FETCH CV INTO lvname;
EXIT WHEN CV%NOTFOUND;        -- test straight after the fetch, otherwise the last row is reported twice
l_hash:=dbms_crypto.hash(dbms_metadata.get_ddl(lvtype, lvname, lvschema), dbms_crypto.hash_sh1);
dbms_output.put_line(rawtohex(l_hash)||' ~ '||lvname);
END LOOP;
CLOSE CV;
end;
/

Which, when run, gives a report as follows:

SQL> exec SHA1DBTRIGGERSTATECHECKER('SYS');
B312355402E68C3774A5AA9924DDFAA34DBFEB39 ~ AURORA$SERVER$SHUTDOWN
98A197D536C0E980E69BE7F4AACF6BA8AF16C185 ~ AURORA$SERVER$STARTUP
1A754A605EAFF286019E63523341552ECD566D23 ~ AW_DROP_TRG
4A745424A0F74535FBB8071492E08716FD472B34 ~ CDC_ALTER_CTABLE_BEFORE
04B324FB25F554912E00C900601FC927983D61BB ~ CDC_CREATE_CTABLE_AFTER
9713B54BB1C32460187701B943118741D659B2BD ~ CDC_CREATE_CTABLE_BEFORE
2EEB4B0E86F503127850EA09ABB9F5EA6A2D8C6D ~ CDC_DROP_CTABLE_BEFORE
9EA99FDBF89486184E14CC5B8A3522C8BBB9C0A2 ~ NO_VM_ALTER
D7290D62A24C97BC9B54213F0A8E026D883CF8EC ~ NO_VM_CREATE
D87B235B866C59D011B3BB8155A3BC60A372144E ~ NO_VM_DROP
01C69F6F073D542B53A96D9A40971D3FDCF5C64F ~ OLAPISHUTDOWNTRIGGER
C59C0EE44E255744DDF757CC4A8576AD6E8AF556 ~ OLAPISTARTUPTRIGGER

The logical extension of the above concept would be a Tripwire-like monitoring product for DB objects. But how can the same idea be applied to the data contained within the DB, i.e. the actual data the DB is designed to hold? The data is the crown jewels that an attacker will target. A forensic examiner should be able to confirm the integrity of evidential data at the DB level, and DBAs would like to be able to statecheck static, read-only tables over time. A first attempt could be to convert the SCN recorded for the last update of each row in a table to a timestamp, as follows:

SELECT SCN_TO_TIMESTAMP( ORA_ROWSCN ) FROM table_name;

However, the SCN-to-timestamp relationship is neither direct nor stable. ORA_ROWSCN is only tracked per row if the table was created with ROWDEPENDENCIES (otherwise it is the SCN of the last change to the whole block); SCN_TO_TIMESTAMP only resolves SCNs that are recent enough to still be in the database's SCN-to-time mapping (ORA-08181 once they have aged out); and the SCN itself can be moved, for instance when one DB queries another via a dblink, the DB with the lower SCN is advanced to the SCN of the DB with the higher one. (Incidentally, this could cause a denial of service if the remote DB had an SCN close to the maximum.)

So timestamps and SCNs are not perfect for verifying integrity ~ what is needed is statechecking of the evidential data itself. This is the realm of DB Data Forensics.

OK ~ so the aim in this example is to check that the evidential data in a table has not changed from a previously known state (dual is used here for convenience, so replace 'select 1 from dual' with the query over the table to be statechecked).

1. Select the checksum for the dataset returned by the required query.

select DBMS_SQLHASH.gethash('select 1 from dual', 2) from dual;
SQL> select DBMS_SQLHASH.gethash('select 1 from dual', 2) from dual;
DBMS_SQLHASH.GETHASH('SELECT1FROMDUAL',2)
--------------------------------------------------------------------------------
9D9DFF9320E27082B15B4ED7A086BA83

2. Compare that known checksum to the current checksum for the same dataset.

(select utl_raw.cast_to_raw(DBMS_SQLHASH.gethash('select 1 from dual',2)) from dual)intersect
(select utl_raw.cast_to_raw('9D9DFF9320E27082B15B4ED7A086BA83') from dual);
SQL> (select utl_raw.cast_to_raw(DBMS_SQLHASH.gethash('select 1 from
dual', 2)) from dual)intersect
2 (select utl_raw.cast_to_raw('9D9DFF9320E27082B15B4ED7A086BA83') from dual);
UTL_RAW.CAST_TO_RAW(DBMS_SQLHASH.GETHASH('SELECT1FROMDUAL',2))
--------------------------------------------------------------------------------
3944394446463933323045323730383242313542344544374130383642413833

-If a result set is returned (as above) then the state of the table data is the same as that represented by the previous known checksum.
-If "no rows selected" is returned then the state of the table's data has changed from that represented by the previous known checksum (9D9DFF9320E27082B15B4ED7A086BA83).

This is a great feature of Oracle, though remember that this query has a high performance cost because it reads and hashes the whole result set. The cost can be reduced by changing the last argument of DBMS_SQLHASH.GETHASH to 1 (MD4), and the security increased by raising it to 3 (SHA-1). Because the hash is computed over the rows in the order they are returned, the query should carry an ORDER BY on a unique key; otherwise a change of execution plan can alter the checksum without any change to the data.
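Putting the two halves together, here is an added example (not code from the original post or from the Oracle Forensics book) of the Tripwire-like baseline-and-compare described above: object DDL is hashed via DBMS_METADATA and DBMS_CRYPTO as in the trigger checker, and table data via DBMS_SQLHASH with an ordered query. The table INTEGRITY_BASELINE, the package DB_TRIPWIRE and the HR.COUNTRIES usage are hypothetical names; it assumes EXECUTE on DBMS_CRYPTO, DBMS_SQLHASH and DBMS_METADATA, plus SELECT_CATALOG_ROLE for schemas other than your own.

```sql
-- Added example, not code from the original post. All names are hypothetical.
CREATE TABLE integrity_baseline (
  item_kind  VARCHAR2(4)   NOT NULL,                 -- 'DDL' or 'DATA'
  owner      VARCHAR2(128) NOT NULL,
  item_name  VARCHAR2(128) NOT NULL,                 -- object or table name
  item_type  VARCHAR2(30),                           -- DBMS_METADATA type for DDL rows
  check_sql  VARCHAR2(4000),                         -- ordered query for DATA rows
  hash_value RAW(20)       NOT NULL,                 -- SHA-1 digest
  taken_at   TIMESTAMP     DEFAULT SYSTIMESTAMP NOT NULL,
  CONSTRAINT integrity_baseline_pk PRIMARY KEY (item_kind, owner, item_name)
);

CREATE OR REPLACE PACKAGE db_tripwire AS
  PROCEDURE baseline_ddl (p_owner IN VARCHAR2, p_type IN VARCHAR2);
  PROCEDURE baseline_data(p_owner IN VARCHAR2, p_table IN VARCHAR2, p_key_col IN VARCHAR2);
  PROCEDURE compare;
END db_tripwire;
/
CREATE OR REPLACE PACKAGE BODY db_tripwire AS
  -- SHA-1 over the DDL that DBMS_METADATA reconstructs for one object.
  FUNCTION ddl_hash(p_type IN VARCHAR2, p_name IN VARCHAR2, p_owner IN VARCHAR2) RETURN RAW IS
  BEGIN
    RETURN DBMS_CRYPTO.HASH(DBMS_METADATA.GET_DDL(p_type, p_name, p_owner), DBMS_CRYPTO.HASH_SH1);
  END ddl_hash;

  -- SHA-1 over a result set; row order is part of the hash, hence the ORDER BY built below.
  FUNCTION data_hash(p_sql IN VARCHAR2) RETURN RAW IS
  BEGIN
    RETURN DBMS_SQLHASH.GETHASH(p_sql, DBMS_CRYPTO.HASH_SH1);
  END data_hash;

  PROCEDURE store(p_kind IN VARCHAR2, p_owner IN VARCHAR2, p_name IN VARCHAR2,
                  p_type IN VARCHAR2, p_sql IN VARCHAR2, p_hash IN RAW) IS
  BEGIN
    DELETE FROM integrity_baseline WHERE item_kind = p_kind AND owner = p_owner AND item_name = p_name;
    INSERT INTO integrity_baseline (item_kind, owner, item_name, item_type, check_sql, hash_value)
    VALUES (p_kind, p_owner, p_name, p_type, p_sql, p_hash);
  END store;

  -- p_type uses DBMS_METADATA spelling (e.g. PACKAGE_BODY); ALL_OBJECTS spells it with a space.
  PROCEDURE baseline_ddl(p_owner IN VARCHAR2, p_type IN VARCHAR2) IS
  BEGIN
    FOR o IN (SELECT object_name FROM all_objects
               WHERE owner = p_owner AND object_type = REPLACE(p_type, '_', ' ')
               ORDER BY object_name) LOOP
      store('DDL', p_owner, o.object_name, p_type, NULL, ddl_hash(p_type, o.object_name, p_owner));
    END LOOP;
  END baseline_ddl;

  -- DBMS_ASSERT stops the identifiers turning the check query into an injection vector.
  PROCEDURE baseline_data(p_owner IN VARCHAR2, p_table IN VARCHAR2, p_key_col IN VARCHAR2) IS
    l_sql VARCHAR2(4000);
  BEGIN
    l_sql := 'SELECT * FROM ' || DBMS_ASSERT.ENQUOTE_NAME(p_owner) || '.'
          || DBMS_ASSERT.ENQUOTE_NAME(p_table)
          || ' ORDER BY ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_key_col);
    store('DATA', p_owner, p_table, NULL, l_sql, data_hash(l_sql));
  END baseline_data;

  -- Recompute every stored hash and report OK / CHANGED / MISSING.
  PROCEDURE compare IS
    l_now RAW(20);
  BEGIN
    FOR b IN (SELECT * FROM integrity_baseline ORDER BY item_kind, owner, item_name) LOOP
      BEGIN
        IF b.item_kind = 'DDL' THEN
          l_now := ddl_hash(b.item_type, b.item_name, b.owner);
        ELSE
          l_now := data_hash(b.check_sql);
        END IF;
        IF l_now = b.hash_value THEN
          DBMS_OUTPUT.PUT_LINE('OK      ' || b.item_kind || ' ' || b.owner || '.' || b.item_name);
        ELSE
          DBMS_OUTPUT.PUT_LINE('CHANGED ' || b.item_kind || ' ' || b.owner || '.' || b.item_name
            || ' baseline ' || RAWTOHEX(b.hash_value) || ' now ' || RAWTOHEX(l_now));
        END IF;
      EXCEPTION
        WHEN OTHERS THEN   -- object dropped (ORA-31603) or table no longer readable
          DBMS_OUTPUT.PUT_LINE('MISSING ' || b.item_kind || ' ' || b.owner || '.' || b.item_name
            || ' (' || SQLERRM || ')');
      END;
    END LOOP;
  END compare;
END db_tripwire;
/
-- Usage: take the baseline once, then re-run compare from a scheduled job or during an investigation.
SET SERVEROUTPUT ON
EXEC db_tripwire.baseline_ddl('SYS', 'TRIGGER');
EXEC db_tripwire.baseline_data('HR', 'COUNTRIES', 'COUNTRY_ID');
EXEC db_tripwire.compare;
```

Keep the baseline somewhere the DBA being checked cannot reach (a separate database, or exported and signed), otherwise whoever can alter the trigger can also refresh its hash. Baseline each object type separately, since GET_DDL takes the DBMS_METADATA type name (PACKAGE_BODY, not PACKAGE BODY), and note that the data hash of a large table costs a full ordered read every time compare runs.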
The only problem is that, by default, EXECUTE on DBMS_SQLHASH is not granted to PUBLIC, so it is available only to SYS unless a DBA grants it. Another SYSDBA-only feature to add to the others. Personally I think the ability to statecheck data in the DB should be open to more users, as the ability to verify the integrity of data has wide appeal. Of additional relevance to DB Data Forensics is the tracking of that data once it has left the DB and is "mobile". Solutions such as Fidelis are aimed at this growing DLP market. Of course Fidelis cannot read SSH and does not understand TNS, so Hedgehog has an advantage. This is especially true given that Oracle Audit has been shown to be bypassable by this interesting example: http://blog.red-database-security.com/2009/01/16/proof-of-concept-how-to-bypass-oracle-auditing-using-dbms_ijob/
Perhaps we will soon be celebrating the Chinese Year of the Hedgehog? Though the problem of securing sensitive data once it has left the DB is still a work in progress.

Separate point - I noticed an interesting post on collecting evidence regarding the activity of a Toad user at the excellent SANS Forensic blog.
http://sansforensics.wordpress.com/2009/01/13/oracle-forensics-toad-from-quest-software/

Also a tool named Fuzzor, for Fuzzing Oracle PL/SQL input, has been released by Slavik at his blog which often has new material of interest.

There are quite a few exploits since the January 2009 CPU. I still have bugs outstanding, so there is still work to be done, especially with regard to DB Data Forensics.

Cheers,
Paul

ORACUDA

New Year, New Computer with New Nvidia graphics card which enables me to report that Vista 64-bit and Nvidia GeForce 9800 GT work fine with CUDA and BarsWF

More graphics cards on the way..
For AMD/ATI users there is CAL, which is a similar parallel-processing GPU technology.
Elcomsoft are using CUDA technology to speed up password auditing in EDPR, which I have just been trying out on some Oracle hashes, and it is blindingly fast. However, there is currently no public open-source implementation of a CUDA- or CAL-enhanced Oracle password auditing tool. My prediction for 2009 is that there will be one soon. Mario Juric has published C++ code for dictionary checking of MD5 hashes using CUDA at this URL http://majuric.org/software/cudamd5/source/ and Lazlo Zoth has published source code for a fast Oracle password auditor at this URL http://www.soonerorlater.hu/index.khtml?article_id=513, so it does not take too much of a leap to predict the next stage.
This makes it more urgent to move away from the 10g hashing algorithm to 11g. The problem is that the 10g verifiers are still persisted in the PASSWORD column of sys.user$ even after the 11g verifier (in SPARE4) is in use, so the weaker, unsalted, case-insensitive hash remains available to anyone who can read that table. It is therefore a good idea to purge the 10g verifiers after moving to the 11g algorithm:

update sys.user$ set password='';

Bear in mind that this is a direct, unsupported update of the data dictionary (take a backup and test it first), that it clears the 10g verifier for every account in one statement, and that pre-11g clients authenticate against the 10g verifier and so will no longer be able to log in once it is gone.
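As an added example (not code from the original post, nor from any existing cracker), the following shows how to see which accounts still carry the 10g verifier alongside the 11g one, and how the 11g verifier in SPARE4 can be tested against a candidate list inside the database with DBMS_CRYPTO, so that the hash never has to leave the server. It assumes a SYSDBA session; the account SCOTT and the five-word list are constructed for illustration.

```sql
-- Added example, not code from the original post. Run as SYSDBA.

-- 1. Which accounts still have the 10g verifier (PASSWORD: DES based, unsalted,
--    case-insensitive) alongside the 11g one (SPARE4: 'S:' || SHA1(pwd||salt) || salt)?
SELECT name,
       CASE WHEN password IS NOT NULL THEN 'yes' ELSE 'no' END AS has_10g_verifier,
       CASE WHEN spare4 LIKE 'S:%'   THEN 'yes' ELSE 'no' END AS has_11g_verifier
  FROM sys.user$
 WHERE type# = 1                                  -- users; type# 0 is roles
 ORDER BY name;

-- 2. Test one account's 11g verifier against a constructed candidate list.
--    Case matters in 11g, unlike 10g, hence both spellings of some words.
SET SERVEROUTPUT ON
DECLARE
  TYPE t_words IS TABLE OF VARCHAR2(30);
  l_words  t_words := t_words('welcome1', 'Welcome1', 'oracle', 'tiger', 'TIGER');
  l_spare4 sys.user$.spare4%TYPE;
  l_hash   RAW(20);
  l_salt   RAW(10);
BEGIN
  SELECT spare4 INTO l_spare4 FROM sys.user$ WHERE name = 'SCOTT' AND type# = 1;
  -- Layout after the 'S:' prefix: 40 hex chars of SHA-1, then 20 hex chars of salt.
  l_hash := HEXTORAW(SUBSTR(l_spare4, 3, 40));
  l_salt := HEXTORAW(SUBSTR(l_spare4, 43, 20));
  FOR i IN 1 .. l_words.COUNT LOOP
    IF DBMS_CRYPTO.HASH(UTL_RAW.CONCAT(UTL_RAW.CAST_TO_RAW(l_words(i)), l_salt),
                        DBMS_CRYPTO.HASH_SH1) = l_hash THEN
      -- Report the position only, so the password itself never lands in the output.
      DBMS_OUTPUT.PUT_LINE('SCOTT: password is word #' || i || ' of the list');
    END IF;
  END LOOP;
END;
/
```

Accounts that show has_10g_verifier = yes after the move to 11g are the ones the purge above is for; accounts whose SPARE4 is empty have never had their password changed under 11g and still rely entirely on the 10g hash.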

One of the cliches I hear in forensic circles is that the courts lag well behind the technical industry. This is generally true but here is a good example of an early court decision on the validity of MD5 for checksumming evidence. http://corpau.blogspot.com/2008/02/smile-youre-on-speed-camera.html

Lastly, some good news to start the new year: my Oracle Forensics book, published by Rampant Techpress in May 2008, sold out its first print run and was therefore temporarily out of stock, so a second, larger print run has been completed and new copies are available again from Rampant Techpress.

Here’s to a safe and forensically secure New Year.
Cheers,
Paul

CCC MD5 collision demo

The Chaos Communication Congress (25C3) has produced a demonstration of how MD5 collisions can be used to create a rogue CA certificate whose MD5 hash, and therefore whose signature, matches that of a certificate the CA legitimately issued.
The example is interesting but only affects certificates issued by CAs that still use MD5 as the hash in their digital signatures. That is a minority, and as of 2008 it includes these CAs:

RapidSSL
FreeSSL
TrustCenter
RSA Data Security
Thawte
verisign.co.jp

MD5 has been known to be weak for many years and this is a good exemplification; however, the method the team used for finding the collision has not been made public yet. There has already been a lot of work leading up to this, such as the HashClash project and earlier work by Xiaoyun Wang.

The obvious implication for Oracle is that application passwords should not be stored as plain MD5 hashes, especially since parallel computing on GPU and CPU combined, as demonstrated with CUDA above, makes brute forcing an unsalted MD5 hash a much easier task. This has been known for a while, but since there are still application passwords using MD5, repetition is required.

The real answer is SHA-2 (SHA-256 etc.), and in the future SHA-3, applied with a per-user salt.

Given that Oracle does not yet support any of the SHA-2 algorithms in DBMS_CRYPTO, and SHA-1 has been shown to have similar problems, security-conscious Oracle folks will have to use both MD5 and SHA-1 together in order to get integrity checking they can rely on. See this post from a while back for more detail.

As a piece of trivia, did you know that the CCC was initiated by folks sitting at the same table at which Kommune 1 was also formed? The same Kommune 1 that Hendrix visited in the late sixties. Apparently this table has gone missing; not sure what it was made of, in case you see it, maybe oak or similar material. It will probably turn up somewhere. Anyhow, I can recommend the CCC paper's description of CA concepts, so enjoy the read and have a Happy New Year.
Cheers,
Paul

Data Leak Prevention Win-Win

Initially a DLP implementation can be labour intensive, especially if it requires the categorisation of data into appropriate sensitivity levels. Most security measures have a corresponding cost. This was borne out in Tom Kyte's presentation on encryption at UKOUG this year, where the encryption routines were measured to show the performance hit of encrypting data within PL/SQL.

However, there are some security measures that have double benefits, e.g. bind variables, which also give quicker performance. It is important in security to emphasise these win-wins.

An example of a DLP precaution that also has performance benefits is the enforcement of a custom profile on low-privileged DB users. It is usually the case that such DB users do not need to select more than 100 rows in a single statement. By using an Oracle profile with limits on CPU and I/O per session and per call, access to Oracle can be regulated like a tap regulates water flow.

For example:

-- Resource limits in a profile are only enforced when RESOURCE_LIMIT is TRUE;
-- password limits such as FAILED_LOGIN_ATTEMPTS are enforced regardless.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;
CREATE PROFILE DLP_PROTECTED_USER LIMIT FAILED_LOGIN_ATTEMPTS 3;
ALTER PROFILE DLP_PROTECTED_USER LIMIT connect_time 500;               -- minutes
ALTER PROFILE DLP_PROTECTED_USER LIMIT cpu_per_call 2000;              -- hundredths of a second
ALTER PROFILE DLP_PROTECTED_USER LIMIT cpu_per_session 20000;
ALTER PROFILE DLP_PROTECTED_USER LIMIT logical_reads_per_call 500;     -- data blocks per statement
ALTER PROFILE DLP_PROTECTED_USER LIMIT logical_reads_per_session 100000;
ALTER USER low_priv_user PROFILE DLP_PROTECTED_USER;                   -- one ALTER USER per account

Rationing resources via profiles has normally been the preserve of the performance folks, but it is an easy DLP measure: a statement that exceeds a per-call limit fails (ORA-02395 for logical reads), and a session that exhausts a per-session limit is logged off, so the limits show up in the application's error handling as well as in the audit trail. It is a rate limiter rather than a boundary, since a patient attacker can still drain data in many small calls, so it belongs alongside auditing of the SELECTs rather than instead of it. Resource metering in security has been used for many years, and a web-related presentation that springs to mind is by Gunter Ollman whilst at the newly acquired NGSSoftware.

Back to the DB example of Oracle profiles: once an attacker is sharply limited in the amount of data they can select out of the DB, they have to be cleverer about finding exactly the right data to select out. Oracle's built-in RegEx support is superb, but its use should be monitored to make sure it is not being used to locate sensitive data. This book is a handy reference for Oracle RegEx http://oreilly.com/catalog/9780596006013/. POSIX compliance makes learning Oracle RegEx reasonably painless, and here are some example RegExs already written.

A simple Sentrigo Hedgehog rule to alert on searches using Oracle RegEx for credit card numbers would look something like this (note that the POSIX class is [[:space:]], with the trailing colon):

statement CONTAINS '(([0-9]{4})([[:space:]])){3}[0-9]{4}'

A rule like this only fires on that exact pattern text, and an attacker can spell the same search many ways, so treat it as a tripwire rather than a boundary.
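As an added example (not from the original post, and not a Hedgehog rule), the same discovery attempt can be caught with Oracle's own fine-grained auditing: a DBMS_FGA policy on the card table records the SQL text of every SELECT that touches the card column, and a query over DBA_FGA_AUDIT_TRAIL then picks out the statements that used a REGEXP_ function. The schema APP, the table PAYMENTS, the column CARD_NO and the policy name CARD_DISCOVERY are hypothetical.

```sql
-- Added example, not code from the original post. Hypothetical objects: APP.PAYMENTS(CARD_NO).

-- 1. Record the SQL text of every SELECT that references the card column (run as a DBA).
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'PAYMENTS',
    policy_name     => 'CARD_DISCOVERY',
    audit_column    => 'CARD_NO',
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB_EXTENDED);   -- keeps SQL text and bind values
END;
/

-- 2. What an attacker confined by a restrictive profile would try: locate the rows that
--    look like card numbers first, then pull them out a few at a time. Same pattern as the
--    Hedgehog rule above, with the [[:space:]] class spelt out.
SELECT card_no
  FROM app.payments
 WHERE REGEXP_LIKE(card_no, '(([0-9]{4})([[:space:]])){3}[0-9]{4}')
   AND ROWNUM <= 50;

-- 3. Detection: audited statements against the table that called any REGEXP_ function.
SELECT timestamp, db_user, os_user, userhost, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'CARD_DISCOVERY'
   AND REGEXP_LIKE(sql_text, 'REGEXP_(LIKE|SUBSTR|INSTR|REPLACE|COUNT)', 'i')
 ORDER BY timestamp DESC;
```

The FGA route records who ran the search, from which host, and the full statement, which is what an investigator needs afterwards; the Hedgehog rule has the advantage of alerting while the session is still live.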

Of course CCs should be encrypted, but even then the length of the encrypted value can give away its contents or the encryption algorithm used. On this forensic slant, I note David is giving a presentation on Oracle Forensics http://www.securityfocus.com/archive/1/499120 on Thursday using his new CADFILE toolkit. I get a lot of my new forensics information from this URL http://sansforensics.wordpress.com/

Anyhow.. congratulations to Chris Hoy for winning Sports Personality of the Year. He had my support given the 3 medals and unlucky Lewis ~ there will be another time.

Cheers,
Paul

Oracle Password Update

Recovered from UKOUG now.
As Alex mentions on his blog, GSAuditor has been updated to include 11g passwords and it is very fast.
Pete Finnigan's PL-based password cracker can be conveniently run from PL/SQL on the DB in question and is easily modified to take its passwords from SYS.USER_HISTORY$, but bear in mind that the script will need to be run as SYSDBA in order to read this table. Of course this table is sensitive because the pattern of a user's previous passwords can be gained and used to predict current and future passwords.
Home password testing for those without access to the newly updated top500 may become easier given the new TESLA machines, though even HPCs for the home need to have their time synchronised if their logs are going to be useful in future.
Cheers,
Paul

CREATE_DIRECTORY first improvement

That was quick..good to know that folks are reading the blog.

Christian wrote an email to me specifying the following.

Consider this example, which gives access to the root directory:

SQL> exec create_directory.createdirectory('rootdir as''/''--','/u01/thisismypath');

It results in the creation of the root directory "/" but without granting the privileges to the user, so not a home run, but the code can be improved. Thank you for this input, Christian.

Please adopt this new version, in which the first argument is passed through DBMS_ASSERT after quotes have been stripped.

--CREATES A DIRECTORY IN A SPECIFIC OS LOCATION AND GRANTS PRIVS
CREATE OR REPLACE PACKAGE CREATE_DIRECTORY AS
PROCEDURE createdirectory(directory_name IN VARCHAR2, directory_path IN VARCHAR2);
END create_directory;
/
CREATE OR REPLACE PACKAGE BODY CREATE_DIRECTORY as
PROCEDURE createdirectory(directory_name IN VARCHAR2, directory_path IN VARCHAR2) IS
l_base CONSTANT VARCHAR2(1024) := '/u01/thisismypath';   -- the segregated area
l_exec_string VARCHAR2(1024):= 'CREATE OR REPLACE DIRECTORY ';
l_directory_name_stripped VARCHAR2(1024);
l_directory_name_dstripped VARCHAR2(1024);
l_directory_name_validated VARCHAR2(1024);
l_directory_validated VARCHAR2(1024);
BEGIN
-- Directory name: strip both kinds of quote, then insist on a plain SQL identifier (ORA-44003 otherwise)
l_directory_name_stripped := REPLACE(directory_name,'''','');
l_directory_name_dstripped := REPLACE(l_directory_name_stripped,'"','');
l_directory_name_validated := DBMS_ASSERT.simple_sql_name(l_directory_name_dstripped);
-- Path: remove dots (no ../ traversal), collapse repeated slashes, drop any trailing slash
l_directory_validated := REPLACE(directory_path,'.','');
l_directory_validated := RTRIM(REGEXP_REPLACE(l_directory_validated,'/+','/'),'/');
-- Accept only the area itself or a path below it; a bare prefix test would also accept /u01/thisismypath2
IF l_directory_validated = l_base OR instr(l_directory_validated, l_base||'/') = 1
THEN
-- ENQUOTE_LITERAL quotes the path and rejects unpaired single quotes inside it
l_exec_string := l_exec_string||l_directory_name_validated ||' AS '||DBMS_ASSERT.enquote_literal(l_directory_validated);
EXECUTE IMMEDIATE (l_exec_string);
l_exec_string := 'GRANT READ, WRITE ON DIRECTORY '||l_directory_name_validated ||' TO '||user;
EXECUTE IMMEDIATE (l_exec_string);
END IF;
END createdirectory;
END create_directory;
/

I have just tested the above and it will not allow SQL through. The version at this URL has been updated to v1.1.
http://www.oracleforensics.com/wordpress/index.php/create_directory/
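As an added check (not code from the original post), the following anonymous block feeds four constructed inputs through the package and reports whether a directory object with that name appeared: a legitimate name and path, Christian's injected name, a ../ traversal attempt, and a sibling path that merely shares the prefix of the segregated area. It assumes the package above is installed in the current schema and that /u01/thisismypath exists on the server. The legitimate call should succeed, and the injected name should be refused by DBMS_ASSERT with ORA-44003; the traversal path is neutralised rather than refused, since the dots are stripped and the directory ends up pointing inside the area.

```sql
-- Added check, not code from the original post. Inputs are constructed for the test.
SET SERVEROUTPUT ON
DECLARE
  TYPE t_list IS TABLE OF VARCHAR2(200);
  l_names t_list := t_list('PAULSDIR2',
                           'rootdir as''/''--',             -- Christian's injected name
                           'ESCAPE',
                           'SIBLING');
  l_paths t_list := t_list('/u01/thisismypath/reports',    -- legitimate
                           '/u01/thisismypath',
                           '/u01/thisismypath/../../etc',  -- traversal attempt
                           '/u01/thisismypath_evil');      -- shares the prefix only
  l_count PLS_INTEGER;
BEGIN
  FOR i IN 1 .. l_names.COUNT LOOP
    BEGIN
      create_directory.createdirectory(l_names(i), l_paths(i));
      -- Did a directory object with exactly that name appear?
      SELECT COUNT(*) INTO l_count
        FROM all_directories
       WHERE directory_name = UPPER(l_names(i));
      DBMS_OUTPUT.PUT_LINE(l_names(i) || ' -> directory objects created: ' || l_count);
    EXCEPTION
      WHEN OTHERS THEN
        -- DBMS_ASSERT.SIMPLE_SQL_NAME raises ORA-44003 for a name that is not a plain identifier
        DBMS_OUTPUT.PUT_LINE(l_names(i) || ' -> rejected: ' || SQLERRM);
    END;
  END LOOP;
END;
/
-- Afterwards, list what was created and where it points, then DROP DIRECTORY the test objects:
SELECT directory_name, directory_path FROM all_directories
 WHERE directory_path LIKE '/u01/thisismypath%';
```

The fourth case is the one worth watching: if SIBLING reports a directory created, the package's path check is a prefix match and anything named /u01/thisismypath_anything lands outside the area.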
If anyone has any other improvements email me at paul.wright@oracleforensics.com
I plan to add logging and error handling to it in the near future.
Cheers and thanks Christian,
Paul

Advanced Oracle Security Development

The code and slides for my talk were first made available on UKOUG's web site:
http://conference.ukoug.org/default.asp?p=842&dlgact=shwprs&prs_prsid=3130&day_dayid=13

I have edited the content into Word.

Below is the CREATE_DIRECTORY package I have written, which means that users no longer need to be granted CREATE ANY DIRECTORY. It runs with definer's rights, so it is created in a schema that holds CREATE ANY DIRECTORY and application users are granted only EXECUTE on the package. Updates to the package will be made at this URL.

--CREATES A DIRECTORY IN A SPECIFIC OS LOCATION AND GRANTS READ/WRITE
CREATE OR REPLACE PACKAGE CREATE_DIRECTORY AS
PROCEDURE createdirectory(directory_name IN VARCHAR2, directory_path IN VARCHAR2);
END create_directory;
/
CREATE OR REPLACE PACKAGE BODY CREATE_DIRECTORY as
PROCEDURE createdirectory(directory_name IN VARCHAR2, directory_path IN VARCHAR2) IS
l_exec_string VARCHAR2(1024):= 'CREATE OR REPLACE DIRECTORY ';
l_directory_validated VARCHAR2(1024);
BEGIN
l_directory_validated := REPLACE(directory_path,'.','');
IF instr(l_directory_validated,'/u01/thisismypath') = 1
THEN
l_exec_string := l_exec_string||directory_name||' AS '||''''||l_directory_validated||'''' ;
EXECUTE IMMEDIATE (l_exec_string);
l_exec_string := 'GRANT READ, WRITE ON DIRECTORY '||directory_name||' TO '||user;
EXECUTE IMMEDIATE (l_exec_string);
END IF;
END createdirectory;
END create_directory;
/
-- EXEC CREATE_DIRECTORY.createdirectory('PAULSDIR2','/u01/thisismypath');

The above code can act as a workaround to allocating the CREATE ANY DIRECTORY privilege, in light of the vulnerability I first published on, which allows any user with CREATE ANY DIRECTORY to overwrite the password file with a known password file containing an unauthorised SYSDBA account.

Please send feedback about the above code and any additions you would recommend to paul.wright@oracleforensics.com

So UKOUG has been interesting so far. Starting with Tom Kyte talking on encryption, I picked up these points from it:
-Hardware add-ons to Oracle for storing private keys are becoming more popular.
-TDE was convenient for application integration (transparent).
-Column-level encryption in 11g was a bit of a pain, as cardinality (FKs) and indexes were inconvenienced.
-From a performance perspective BLOB data types are very slow to encrypt, therefore for values under 4000 bytes use VARCHAR2 for speed of encryption.
-Tablespace encryption is very nice, as there is no query performance hit since the SGA holds cleartext (and Sentrigo will still work), while the data files on their own do not represent a risk as they are encrypted.
Then I enjoyed Slavik's presentation on Oracle vulnerability discovery and Sentrigo Hedgehog.
The new fuzzer looks great and will be available via Slavik's blog quite soon.
I also enjoyed Michael Moller's presentation on internationalisation.
Looking forward to Pete's presentation on Friday. All in all a good conference, and great to meet Tom, Jonathan and Julian there. I have already started writing my presentation for next year, entitled "Three Tier Oracle Forensics". It is to do with the problems of logging and responding to web activity through to the DB. There are challenges with time synchronisation and identifying the web session at the DB end, though these are beginning to be solved to the point at which legal formalities can be standardised upon.
More to come..
Cheers,
Paul

UKOUG 2008 Presentation Monday@17.55

Whilst preparing for UKOUG and talking to another well-known Oracle security expert, I had some thoughts about the implications of the CREATE ANY DIRECTORY issue.
Firstly, the Oracle utilities could be overwritten with a new binary - LSNRCTL, SQL*Plus, IMP, EXP and the debugger, for instance. It is possible to execute OS binaries from the DB, as Tanel's post shows.
But is it possible to patch the Oracle binary itself using UTL_FILE?
It is a serious vulnerability either way, especially given that there is no version of CREATE ANY DIRECTORY without the "ANY", and there are applications that need to be able to dynamically create directories. This vulnerability is hard to patch imo. That is why I have coded a new PL/SQL package called "CREATE_DIRECTORY". This package will allow the user to safely create directories in a segregated area of the OS and only grant READ and WRITE to that user.
The code also deals with the ../../ and //// issues that have affected DIRECTORIES in the past.
The code for CREATE_DIRECTORY will be given out for the first time at my UKOUG presentation on Monday night @17.55.
In addition to the new CREATE_DIRECTORY package I will summarise secure Oracle 3-tier development best practice at the DB, Java and web layers. Lastly I will discuss the results of a long evaluation of Sentrigo Hedgehog. I have thoroughly examined this product in terms of its security and its effect on performance and will be able to give a summary of what it is good for and lessons learnt from the deployment. This will be the first presentation of its kind in the UK. Apparently there are free drinks and "luxury canapés" straight after, so the talk will also be concise :)
Cheers and look forward to seeing you there.
Paul M. Wright

Cadfile

David Litchfield has written a new paper on Oracle Forensics which describes the usage of a new tool authored by David called Cadfile, as a pun on Cadfael.

The aim of both tools in it (orablock.exe and oratime.exe) is to analyse the datafile without having to load it into the Oracle server software. The idea is to first make a copy of the datafile in question and then use Cadfile to analyse the copy. Analysis takes the form of reading the datafile using orablock.exe and converting SCNs in the datafile to time values using oratime.exe. Please note that the source code has been included so that these forensic tools can be extended and their workings understood, which is excellent.

This is the functionality of orablock.exe

C:\Documents and Settings\PaulWright\Desktop\cadfile>orablock.exe
Orablock v1.00 [beta]
(c) David Litchfield
(david@davidlitchfield.com)
-h (show help)
-f data_file (required)
-c column_template
-z block_size (default 8192)
-o object_id
-b block_number
-s seperator (default newline)
-a action
Actions are:
A DUMPALL
D SHOWDELETED
O DUMPNOTVIAOFFSETS
S SHOWDELETEDNOTVIAOFFSETS
C DUMPSCNS

oratime.exe simply takes the SCN as argument and returns the timestamp as follows.

C:\Documents and Settings\PaulWright\Desktop\cadfile>oratime 672306678
01/12/2008 07:51:18

This is how you would have to do it via the server software, which would not be as forensically sound since it means running queries against the live instance under examination:

SQL> select DBMS_FLASHBACK.GET_SYSTEM_CHANGE_NUMBER from dual;
SQL> select scn_to_timestamp(xxx) as timestamp from dual;
SQL> select timestamp_to_scn(to_timestamp('01/12/2008 14:24:54','DD/MM/YYYY HH24:MI:SS')) as scn from dual;

These tools will come in useful in the future.

Cheers,
Paul