Laszlo has published his slides from Hacktivity in Budapest last weekend where he shows how the Oracle undocumented oradebug command can be used to exploit the database; covering turning off authentication, turning off audit and more. His slides are here....
Posted by Pete On 21/09/11 At 12:54 PM
I am going to be teaching my two day Oracle security training course in Berlin on March 6th and 7th 2012 for DOAG - the German Oracle users group. You can find details of the course and also register to....
Posted by Pete On 13/02/12 At 11:57 AM
Alex commented on my post about "oradebug" about the select statement on x$ksmfsv which holds a list of all fixed variables amongst other things and joined it to x$ksmmem to get the absolute address in the SGA to....
Posted by Pete On 21/09/11 At 07:26 PM
I am going to be doing three sessions at the UKOUG conference this December in Birmingham. I am going to be chairing the Oracle Security Round table on the 4th December. I am also writing three new presentations; two for....
Posted by Pete On 04/09/12 At 02:44 PM
The paper "Identifying Yourself in the Oracle Database" is available as a pdf to download from my Oracle security white papers page. This is a new paper in that it has not been posted to my site....
Posted by Pete On 03/09/12 At 08:11 PM
It has been a long while since my last blog post. I have been very busy with Oracle security consulting, data security audits, teaching training courses and of course with my company's Database Security Scanner - PFCLScan. Oracle security....
Posted by Pete On 20/06/12 At 02:23 PM
This post is not specifically about Oracle Security but I got here because of Oracle security so I am going to talk about Oracle security first...:-) I am working this morning on proof of concept code for a security....
Posted by Pete On 06/09/12 At 11:38 AM
OK, it's not Oracle database security but it's big news and it is from Oracle. Oracle have recently released an out of band Java security patch which supposedly fixed serious security flaws; then a few days ago the guys at....
Posted by Pete On 05/09/12 At 12:11 PM
I wrote a new presentation last year on secure coding with PL/SQL and presented it twice; once at a SIG in London and once in Oracle's office in Edinburgh. This is a really interesting subject for me as I have....
Posted by Pete On 14/01/13 At 07:43 PM
Hi Oracle Security Folks, Following the tradition for one off Java Security Alerts:
Oracle Critical Patch Updates and Security Alerts: http://www.oracle.com/technetwork/topics/security/alerts-086861.html
Oracle Security Alert for CVE-2013-1493: http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html
The reporters (http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html) say it is an unreliable exploit. Of course it depends on Java being used in the browser so one fix is to unplug the JVM [...]
It's hard to believe that another year has passed since last RSA. But, indeed, time flies when you're busy, I guess. So, for the second year in a row, McAfee wins the SC magazine award for best database security solution. I'm so proud!
Turns out that Tanel has an artist hidden deep down inside!
These are some amazing statistics…
Hi, It is good to check the integrity or health of a system to avoid future problems.

-- run the health check, then widen SQL*Plus output so the CLOB report is not truncated
EXEC DBMS_HM.RUN_CHECK('Dictionary Integrity Check', 'my_run');
SET LONG 100000
SET LONGCHUNKSIZE 1000
SET PAGESIZE 1000
SET LINESIZE 512
SELECT DBMS_HM.GET_RUN_REPORT('MY_RUN') FROM dual;

SQL> SELECT DBMS_HM.GET_RUN_REPORT('MY_RUN') FROM dual;

DBMS_HM.GET_RUN_REPORT('MY_RUN')
--------------------------------------------------------------------------------
Basic Run Information
Run Name : my_run
Run [...]
New Year - New vulnerabilities... yes, it's alert season again, with the main patch out on the 15th, but an out of band alert today for the Java 0 day. It is good to see Oracle taking this well publicised issue so seriously. Here is the alert - http://www.oracle.com/technetwork/topics/security/alerts-086861.html For an excellent advanced analysis please see [...]
I was interviewed for a nice article about database security on Dark Reading. The interesting question, I think, is not whether to invest in DB security. To me, it's a given that you have to do it (even though some customers still don't agree). The question is - how will the threat landscape change if [...]
I'm sure we all did something similar once or twice in our DBA lives. I had to create a simple script to perform regular-expression-based data discovery for Oracle. This script will be used as a check in our McAfee Database Vulnerability Manager. We do support data discovery directly in the tool but the [...]
Yesterday I gave a presentation "Best of Oracle Security 2012" at the DOAG 2012 conference in Nürnberg.

An article Raj Samani and I wrote was published in infosecurity magazine.
I just uploaded my Hashdays 2012 talk "Self-Defending Databases" to the Red-Database-Security website. The talk explains how to detect SQL Injection attacks in databases (Oracle/MSSQL/MySQL) and how to react in case of a SQL Injection (e.g. done with Pangolin, Havij or Netsparker).
Initially the idea covered only Oracle and MSSQL but Xavier Mertens extended the concept to MySQL (MySQL Attacks Self-Detection) after he saw my presentation at the Hashdays Management Session.