Fine Grained Auditing (FGA) and Protecting Oracle E-Business PII Data for Executives

With the recent news about yet another database breach of Personally Identifiable Information (PII), Integrigy had a discussion with a client about how to better protect the PII data of their executives.

The following Fine-Grained-Auditing (FGA) policy started the discussion. The policy below will conditionally log direct connections to the Oracle E-Business Suite database when the PII data of corporate executives is accessed. For example, it will ignore E-Business Suite end-user connections to the database, (more...)

July Security Alert

Hi Oracle Security Folks, The July Oracle Security Alert is out. My part is smaller than last quarter as just an In-Depth Credit, but Mr David Litchfield makes a triumphal return with some excellent new research. http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html There is a CVSS 9 and a remote unauthenticated issue in this patch so worth installing this one. [...]

Oracle CPU July 2014 + Oracle Exploit CVE-2013-3751

Yesterday, Oracle released a new critical patch update (CPU Jul 2014) for July 2014. This CPU contains fixes for 5 database vulnerabilities. The most critical one, CVE-2013-3751, has a base score of 9.0 and affects Oracle 12.1 only. The same issue was already fixed for Oracle 11.2 in July 2013 (CPU Jul 2013).

After a short research on the web (google and twitter, less than 5 minutes) I found an (more...)

April 2014 CPU

Hi Oracle Security Folks, Thanks to Oracle for fixing a batch of research I sent over in August 2013 regarding ADVISOR, DIRECTORIES, GAOP(GRANT ANY OBJECT PRIVILEGE) and also a critical privilege escalation which gains 8.5 in the CPU which I am not going to publish here as I want to give folks time to patch. [...]

The Art of Exploiting Injection Flaws

Sid is doing his popular course, The Art of Exploiting Injection Flaws, at this year’s Black Hat. You can find more details here. Definitely highly recommended.

INDEX to SYSDBA without SELECT

Hello Oracle Security Readers, If we combine the following factors together then we can identify an escalation route from Index on SYSTEM to SYSDBA which does not require SELECT privileges on the indexed table: 1. SYSTEM passes it’s DBA role through it’s procedures. 2. Oracle indexes allow execution from read via functions i.e. INDEX can [...]

Best of Oracle Security 2013

I just uploaded my DOAG 2013 presentation “Best of Oracle Security 2013“.

 

This presentation shows how to bypass Oracle Data Redaction, become DBA using CREATE ANY INDEX, Hide information from Oracle Auding using VPD and more…

—————————————————

SQL> select * from scott.credit_card where 1=ordsys.ord_dicom.getmappingxpath((card_id),user,user);

(more...)

Decrypt Oracle 11.2.0.3 and 12.1.0.1 database link passwords

At Derbycon 3.0, László Tóth and Ferenc Spala  gave a a new presentation “What’s common in Oracle and Samsung? They tried to think differently… ” (Video). The main focus of the presentation was the Samsung encryption and a new framework called sandy but there was also a small (more...)

Fix for oradebug disable auditing available (11.2.0.3/11.2.0.4/12.1.0.1)

2 days ago I gave a presentation “Oracle 12c from the attackers perspective” at the DOAG SIG Security. I learned some interesting things, especially that a fix for the Oracle oradebug “disable auditing” problem is available since 9 months.

Oradebug allows to run OS commands and to enable/disable Oracle SYSDBA (more...)

New interesting feature of Oracle 12c

This looks like an interesting feature of Oracle 12c. I’m still not sure about the security implications but it does say interesting things about pure network monitoring security tools. Now, more than ever, what you see on the network can be something completely different than what runs on the database. So, you can see a […]

McAfee wins best database security solution award

It’s hard to believe that another year has passed from last RSA. But, indeed, time flies when you’re busy, I guess. So, for the second year in a row, McAfee wins the SC magazine award for best database security solution. I’m so proud!

Nice way to bring some coolness to Oracle statistics

Turns out that Tanel has an artist hidden deep down inside!

Wow

These are some amazing statistics…

Dark Reading – Database Security

I was interviewed for a nice article about database security on Dark Reading. The interesting question, I think, is not wether to invest in DB security. To me, it’s a given that you have to do it (even though some customers still don’t agree). The question is – how will the threat landscape change if [...]

A Hybrid Identity Management (IdM) Migration Approach

I see an Oracle Waveset Identity Manager (previously Sun Identity Manager) Migration project as a cooking challenge where you need to recreate a given dish in a particular time frame. You are going to be using different tools and techniques in your reconstruction but it has to resemble the taste and look-and-feel of the original dish. I could guarantee that almost everyone knows how to approach the challenge. First you carefully observe the original dish by tasting and feeling its texture, then identify the individual ingredients, and finally design a recipe by choosing the right tools and applying appropriate techniques. (more...)

Doraemon to the Rescue

Doraemon - you’ve seen him even if you don’t know his name, the cutest robotic cat from the future! He was my favorite cartoon character when growing up and he's going to help us today.

When attempting to visualize this (magic) migration tool from Oracle Waveset/Sun Identity Manager to Oracle Identity Manager 11g, (see previous blog entry "Grown Kittens Need a New Home"), I can’t help but to think of Doraemon. He has a 4-dimensional pocket from which he produces gadgets and tools from the future. The Take-copter (a propeller which can be attached to anything to enable flight) (more...)

Grown Kittens Need a New Home

When Oracle announced that “Oracle Identity Manager will be the strategic Identity Administration and Provisioning product moving forward" and with Oracle Waveset going into ‘sustain and converge’ mode, I was ready to offer all of my Waveset knowledge for adoption. Having delivered Sun Identity Manager projects all the way from when it was “Waveset Lighthouse” (Sun acquired Waveset in 2003), I am personally attached to everything I engineered on top of Waveset throughout the years. For the time I spent getting to know my Waveset customers, taking care of their needs and trying to build/customize the best home possible for (more...)

The Blue Cheese Effect

If your refridgerator needs to be cleaned out, everyone living with you probably knows it because the task is usually so far down on your to-do list, you might as well plan a trip to Mars first. The task moves up the list as the odor becomes worse with each door swing. Eventually it reaches crescendo when your friends, neighbors and significant other(s) can stand it no more. This is the point where the "smell" becomes the "stink" or for those of you counting yourselves as fans of Sir David Attenborough, it becomes titan arum.

Back in the 1990s, Kent (more...)

The Age of Scroogle

I hear that the Age of Facebook is upon us. While I was busy tending to my identity and access tomatoes, the new dawn has been declared. Apparently right outside my window there be walking people whose identity has been sucked into a space-time deviation yet they're blissfully unaware of this. For those of you in the know (read: in the possession of a secret handshake), the Age of Aquarius is really where things have been happening for a while but I digress.

Astrology and social networking aside (wait, aren't they one and the same?) I think (more...)

Holiday Pundemonium

There was a jolly man named St. Nick
Who didn't know which IDM stack to pick
By the yule log
He read our blog
That well-rounded cheeky man named St. Nick

Happy Holidays!