Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


11g Security

As soon as 11g came out I tested the ability to brute force it as per the NISR paper I wrote a while back.
http://www.ngssoftware.com/research/papers/oraclepasswords.pdf
(moved to http://www.ngssoftware.com/Libraries/Documents/01_07_Oracle_Passwords_and_OraBrute.sflb.ashx)
Great news: Oracle have fixed the listener so that multiple connections cannot be made in quick succession. The 11g listener slows down its replies to requests that arrive repeatedly for the same user, which is exactly the pattern of a normal brute force. However, the listener only slows down IF the user account exists. Therefore it is a quick and easy task to enumerate existing usernames by attempting to brute force each one and observing whether the listener slows the attempts down or not. This has already been reported to Oracle.
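The two patterns described above (repeated failures against one account, and a sweep of many usernames from one client looking for the timing difference) both leave a trace in the standard audit trail once failed logons are audited. The following queries are an added example for defenders, not code from the original post; the column names are those of the real DBA_AUDIT_SESSION view, while the thresholds (10 failures, 5 distinct names, a one hour window) are assumptions to be tuned per site.

```sql
-- Added example, not from the original post. Requires failed logons to be audited:
--   AUDIT SESSION WHENEVER NOT SUCCESSFUL;
-- ORA-01017 is returned both for a wrong password and for a non-existent user, so
-- the RETURNCODE filter captures brute force and enumeration attempts alike.

-- 1. Classic brute force: many failed logons for one account from one client host.
SELECT userhost,
       username,
       COUNT(*)       AS failed_logons,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dba_audit_session
WHERE  returncode = 1017                -- ORA-01017: invalid username/password
AND    timestamp  > SYSDATE - 1/24      -- last hour (assumed window)
GROUP  BY userhost, username
HAVING COUNT(*) >= 10                   -- assumed threshold
ORDER  BY failed_logons DESC;

-- 2. Username enumeration: one client host trying a few logons against many
--    different usernames, which is what probing the listener's slowdown looks like.
SELECT userhost,
       COUNT(DISTINCT username) AS distinct_names_tried,
       COUNT(*)                 AS failed_logons,
       MIN(timestamp)           AS first_seen,
       MAX(timestamp)           AS last_seen
FROM   dba_audit_session
WHERE  returncode = 1017
AND    timestamp  > SYSDATE - 1/24
GROUP  BY userhost
HAVING COUNT(DISTINCT username) >= 5    -- assumed threshold
ORDER  BY distinct_names_tried DESC;
```

The second query is the one the listener change does not help with: a careful enumeration sends only a handful of attempts per name, so per-account thresholds never fire, but the number of distinct names tried from a single host still stands out.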
11g is certainly an improvement but there is still work to be done. For instance, the 11g password algorithm may be more complex (salted), but the 10g password hashes still remain in place in sys.user$ even when the 11g password algorithm is used. The 10g hashes should be deleted if they are not being used, so this is an important hardening step for the DBA to take on 11g. Of course test first and back up the hashes so they can be reinstated if necessary.
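The hardening step above, as an added example rather than code from the original post: first inventory which accounts still carry a 10g verifier next to their 11g one, back both up as the post advises, and only then re-set the account with just its 11g verifier. SYS.USER$.PASSWORD and SYS.USER$.SPARE4 are the real column names; the backup table name and the SCOTT account are placeholders, and IDENTIFIED BY VALUES is undocumented syntax, so the assumption that it leaves PASSWORD empty when given only the 'S:' verifier must be confirmed on a test system before touching production.

```sql
-- Added example, not from the original post. Run as SYS on 11g.

-- 1. Inventory: accounts (TYPE# = 1 is a user, 0 is a role) that have both the
--    10g DES-based verifier (PASSWORD) and the 11g salted SHA-1 verifier (SPARE4).
SELECT name,
       CASE WHEN password IS NOT NULL  THEN 'yes' ELSE 'no' END AS has_10g_hash,
       CASE WHEN spare4 LIKE 'S:%'     THEN 'yes' ELSE 'no' END AS has_11g_hash
FROM   sys.user$
WHERE  type# = 1
AND    password IS NOT NULL
ORDER  BY name;

-- 2. Back up both verifiers so they can be reinstated if a 10g client breaks.
--    The table name is a placeholder.
CREATE TABLE sys.user_hash_backup AS
SELECT name, password, spare4, SYSDATE AS saved_at
FROM   sys.user$
WHERE  type# = 1;

-- 3. Re-set one account with only its 11g verifier. Paste the SPARE4 value
--    returned by the inventory query; SCOTT and the hash text are placeholders.
--    Assumption to verify on a test system: with only the 'S:' part supplied,
--    SYS.USER$.PASSWORD is left empty, so no 10g hash remains to be attacked.
ALTER USER scott IDENTIFIED BY VALUES 'S:<spare4 value from step 1>';

-- 4. Confirm the 10g verifier is gone for that account.
SELECT name, password, spare4
FROM   sys.user$
WHERE  name = 'SCOTT';
```

Removing the 10g verifier means pre-11g clients can no longer authenticate to that account, which is the point of the backup and of testing first; the PASSWORD value saved in the backup table can be restored with the same ALTER USER form if an old client turns out to depend on it.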
Additionally, the PL/SQL wrapping algorithm has not been changed, which will be on the list for the next release given that it has been publicly reversed by Pete Finnigan and others (see Oracle Hacker’s Handbook).
The fact that 11g audit has less performance impact is very good, as there will be less reason to switch it off. This is important given that DB IDS and other off-server monitoring systems are far from 100% in their accuracy.
Performance stats for 10g vs 11g basic audit would be interesting to see.
BTW I just upgraded WordPress to the latest version, which was a doddle using this YouTube video: http://www.youtube.com/watch?v=3l5g7F9zk3I
