Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


Database Vault Faults

Hello Oracle folks,

Just read on Alex’s blog about a couple of Database vault faults.
http://blog.red-database-security.com/2008/11/21/oracle-database-vault-privilege-escalation-exploit-published/

However, the number of vulnerabilities in Oracle is not the main controlling factor in the threat level. Note that the UK government has suffered an average of one data breach per week over the last year. Increased drive capacity, network speed and staff technological know-how, along with outsourced development, make DLP issues top of the agenda. There are many solutions, such as http://www.varonis.com/ for Windows share monitoring and Beyond Encryption Technologies, which times out errant laptop data, but the Oracle database on its own is susceptible to letting too much data out to too many users.

There is a simple way to be alerted to an Internet-based data breach. Plant a unique record in the table of clients to be protected, say a table of email addresses: insert a single dummy row containing a unique, internally generated value, e.g. fredblogs@thisurldoesnotexist.com. This is a honeytoken. Then set up a Google Alert for that honeytoken. Admittedly this comes from the “closing the door after the horse has bolted” department, since the alert can only fire once the data is already public. But be careful about building Google into your business processes, as Google owns the data content of emails etc. that use their services. This is one reason cloud computing is going to contribute to the increased profile of DLP.
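As an added example (not code from the original post), the script below shows the three pieces of the honeytoken approach in working form: generating a dummy email address that is unique and unguessable, building the parameterised INSERT that plants it as a single row, and a detector that spots the token in whatever text an alert or a scraped page hands back. The CLIENTS table, EMAIL column and domain name are assumptions for the example; the sample "leaked" lines are constructed.

```python
import re
import secrets

# Assumed for this example: a domain that either does not resolve or that you
# control, so a sighting can only mean the table contents left the database.
HONEYTOKEN_DOMAIN = "thisurldoesnotexist.com"

_PLAIN_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_$#]*")


def make_honeytoken(domain: str = HONEYTOKEN_DOMAIN, nbytes: int = 6) -> str:
    """Return a unique, unguessable dummy email address to plant as one row.

    The random local part means a hit in a search alert cannot be a
    coincidence, and no real person can receive mail at the address.
    """
    return f"fredblogs.{secrets.token_hex(nbytes)}@{domain}"


def honeytoken_insert(token: str, table: str = "CLIENTS", column: str = "EMAIL"):
    """Build the parameterised INSERT that plants the honeytoken row.

    Table and column names are assumptions; the value travels as a bind
    variable (Oracle ':1' placeholder) instead of being concatenated into the
    statement, and the identifiers are checked to be plain Oracle names.
    """
    if not _PLAIN_IDENT.fullmatch(table) or not _PLAIN_IDENT.fullmatch(column):
        raise ValueError("table and column must be plain Oracle identifiers")
    return f"INSERT INTO {table} ({column}) VALUES (:1)", (token,)


def find_honeytoken(token: str, lines):
    """Return (line_no, line) pairs in which the honeytoken occurs.

    Matching is case-insensitive and tolerates the token being embedded in
    other text (CSV fields, HTML, a pasted dump), which is how it will turn
    up in an alert or on a scraped page.
    """
    pattern = re.compile(re.escape(token), re.IGNORECASE)
    return [(n, line) for n, line in enumerate(lines, start=1) if pattern.search(line)]


# Constructed sample: a token planted earlier and lines as they might be
# pulled back from an alert or a paste site. Note the upper-cased copy.
TOKEN = "fredblogs.4f2a9c1d7e0b@thisurldoesnotexist.com"
SAMPLE_LINES = [
    "id,name,email",
    "1001,Jane Doe,jane.doe@example.com",
    "1002,Dummy Row,FREDBLOGS.4F2A9C1D7E0B@THISURLDOESNOTEXIST.COM",
    "1003,John Roe,john.roe@example.org",
]


def check_sample():
    """Line numbers in the constructed sample where the honeytoken appears."""
    return [n for n, _ in find_honeytoken(TOKEN, SAMPLE_LINES)]


if __name__ == "__main__":
    token = make_honeytoken()
    sql, params = honeytoken_insert(token)
    print("plant with:", sql, params)
    for n, line in find_honeytoken(TOKEN, SAMPLE_LINES):
        print(f"honeytoken seen on line {n}: {line}")
```

Keep the generated token in a place the DBA team controls (not only in the table itself), because once the row is planted the only thing that ever needs comparing is the external text against that one string.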

So my presentation for UKOUG is finished. It is on Advanced Oracle Development Security and will mainly be focused on PL/SQL and Java security. There are two brand new pieces of real research in the presentation which will be of interest to devs, DBAs and anyone involved in securing Oracle DB 3-tier architectures. I will dig deeper into my recent vulnerability research on the CREATE ANY DIRECTORY issue, and in fact I will give out new code that solves the CREATE ANY DIRECTORY problem, bridging the time until Oracle are able to provide a patch. Brownie points please.
I am glad to inform you that I have accepted an invitation to the Sentrigo Advisory Board. The Sentrigo Hedgehog product continues to impress me, but it has to be taken in the context of a holistic data security management plan which includes DBAs, devs and users. More on this to come at the UKOUG presentation on Monday night.

Lastly congratulations to Mr Obama for his constructive success in recent elections.

Cheers,
Paul
