Three Tier Oracle Security in London ~ Paul M. Wright

(nix, oracle, java, www, cloud ) intersect (safety, security, reliability, integrity)


Oracle and Google Nexus

Hi All,

Nice paper from Pete on Sentrigo Hedgehog usage which also references the Java vulnerability work by David.

I noticed that David’s 11g presentation is up at YouTube ~ I have already seen the vulnerability being adapted to provide other CREATE SESSION to DBA escalations not yet published… this research is opening the door to a lot of other Oracle/Java vulnerabilities.
But all is not bad for Oracle on YouTube as the Sun Solaris Security team have an interesting video entitled “Protecting Oracle” which includes information on the new “ORACLE” role (not group) within Solaris 10. Worth checking out IMO. Time to reinstall my box.
YouTube, owned by Google of course, are also hosting a video showing how to search for tnsnames.ora entries on the Web. This is pretty basic Google Hacking but a scary wake-up call as well. I recommend carrying out this type of Google search on your own organisation to make sure that you do not come up in the search results. Additionally, don’t open Oracle ports to the Internet as there will always be new research that is ahead of your hardening guide.
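A complementary check from the inside, as an added example that is not part of the original post: walk your own web document root and flag any file whose content parses as a tnsnames.ora descriptor, so that stray copies are found before a search engine indexes them. The function names, the size limit and the sample entry are assumptions made for the illustration.

```python
import os
import re

ALIAS_RE = re.compile(r"^([\w.\-]+)\s*=", re.M)  # net service name at start of line
HOST_RE = re.compile(r"\(\s*HOST\s*=\s*([^)\s]+)\s*\)", re.I)
PORT_RE = re.compile(r"\(\s*PORT\s*=\s*(\d+)\s*\)", re.I)
SVC_RE = re.compile(r"\(\s*(?:SID|SERVICE_NAME)\s*=\s*([^)\s]+)\s*\)", re.I)

def parse_tns(text):
    """Extract alias, host, port and service from tnsnames.ora-style text."""
    text = re.sub(r"#.*", "", text)  # drop comments
    starts = list(ALIAS_RE.finditer(text))
    entries = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        body = text[m.end():end]
        host, port, svc = HOST_RE.search(body), PORT_RE.search(body), SVC_RE.search(body)
        if host:  # "name = value" lines without a HOST are not descriptors
            entries.append({"alias": m.group(1), "host": host.group(1),
                            "port": int(port.group(1)) if port else None,
                            "service": svc.group(1) if svc else None})
    return entries

def scan_webroot(root, max_bytes=1_000_000):
    """Report files under a web root that carry TNS descriptors (matched on content, not name)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, errors="ignore") as fh:
                    entries = parse_tns(fh.read())
            except OSError:  # unreadable file or broken symlink
                continue
            if entries:
                findings.append((os.path.relpath(path, root), entries))
    return findings

# Constructed sample entry; host and service names are placeholders.
SAMPLE = """# constructed sample
ORCL =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = orcl.example.internal)))
"""
if __name__ == "__main__":
    print(parse_tns(SAMPLE))
```

Because the match is on content, renamed backups such as `tnsnames.ora.bak` or a `.txt` copy are reported as well.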
Talking of Google I have received my Nexus-One from the States and I am glad to say that it is marvellous.
Standard Micro-USB and SD card with standard earphone and can take the back off to replace the battery. This is the IBM PC of the Smart Phone future IMO and remembering our DOS history lesson tells us that the hardware is not as important as the software…so here is a quick summary of my experience with the Eclair 2.1 Android OS.
When first connected it installs an update from Google and connects Gmail, Google Docs, Google Maps etc. perfectly.
The voice recognition works reasonably well. Screen is excellent and responsive. There are plenty of apps on with LinkedIn and Skype etc. in pipeline.
Screen keyboard takes a while to get used to but does work effectively. Multitouch works fine. Was tempting to wait for the Desire or Legend but I wanted to have confidence of connecting to Google through their own device to support their OS. Don’t keep anything sensitive in the GCloud but for normal data that you are prepared to share, this is the bees knees. The bottom screen buttons are a bit jittery at times and the trackball could wear out like on the BlackBerry in a year or two so I think Google will improve the hardware with their second phone. However there is no need to use the trackball at all as the screen works perfectly well. Main factor is that the phone connects to the GCloud perfectly. The phone also has the usual news, temp etc. and the map integration is amazing especially if you are prepared to opt into the location services. Not for everyone all the time but if you became lost this could be a lifesaver. Oh, nearly forgot... the actual telephone works reliably as well.
I would recommend buying the Nexus-One from Google direct. Came in 1.5 days via DHL with the accessories which are high quality and easy to use. Bought the docking bay, spare battery and extra adaptor. Have also ordered a Gel protective case from Amazon. Even though the phones get tested for resiliency, the Nexus is heavy and metallic and will IMO be prone to dropping and cracked screens. Rather than test this theory I am playing safe with a case though the silicon screen covers reportedly make the screen greasy and not as easy to use so not bought any of those.
The HTC Legend and Desire look good but had to get something now and also prefer to be able to sync closely with Google’s services. Take care though as clear-text confidential work information should not go through Google and keep an eye on resources like this to see both sides. The Desire and Legend have a better optical trackball but I have not had to use the trackball at all yet, so if you like the logged in Google services, I think the Nexus is the better option (with SIM only plan e.g. Vfone or O2). Given that the UK launch of the Nexus has been put back, ordering direct from the States will be the only option for a while.
Lastly we have to watch out for folks phishing that Google cookie... there have been some Gmail attacks documented by Mike Bailey at Black Hat among others.
“Cloud” security, for googlephones or shared Oracle infrastructure, is one of the hot subjects for this year for good reason so keep safe and secure,
