OraNA :: Oracle News Aggregator

With the emergence of IT trends such as cloud computing and mobility, enterprises have realized that previous security efforts are inadequate for mitigating the new risks that come with these technologies. While looking to upgrade the security infrastructure, firms are may need remote database support to ensure improvements in data (more...)

Here is a quick way of creating your own CA and issue server and client certificates via OpenSSL.

I will test the certificates via the Apache HTTP Server by configuring one and two-way SSL.

I use Oracle Linux 5.

You should of cause only use this for test scenarios.

Install (more...)

Every time security of apps comes up in any conversation it turns out a lot of people are unaware of this being an issue at all. Simple things like the screenshot iOS takes every time your app gets backgrounded are not the common knowledge I expected it to be by (more...)

It is now possible to protect Apache on both Windows and Red Hat servers against CRIME SSL/TLS attacks.

I have updated my Hardening the Apache HTTP Server post accordingly.

Often you do not want servers in your internal network segments to be able to access the Internet directly.
One way to get controlled access to the Internet is to place an Apache HTTP Server in a DMZ network segment. Internal servers can then use the Apache server as a (more...)

Oracle released three updates to Java yesterday. It is important to note that they contain several security related changes. The majority of those changes have been announced since a while and first thing to notice is, that Oracle ships as planned.
Oracle's Java Platform Security Manager Milton Smith recently gave (more...)

(blogarhythm ~ Can you keep a secret? - 宇多田ヒカル)

Megar (“megaargh!” in pirate-speak) is a Ruby wrapper and command-line client for the Mega API.

In the current release (gem version 0.0.3), it has coverage of the basic file/folder operations: connect, get file/folder listings and details, upload and download files. You can use it directly in Ruby with what I hope you'll find is a very sane API, but it also sports a basic command-line mode for simple listing, upload and download tasks.

If you are interested in hacking around with Mega, and prefer to do it (more...)

In one of my projects we have to be able to set up a (cold) backup Oracle Service Bus domain in a different data center from a domain backup. One of the requirements was that this data center is -for security reasons- completely independent of the “main” data center. In (more...)

While experimenting with the APEX tree region, I came up with a use case that demonstrated some of the related features, as well as providing some useful information about the roles defined in my database.

I will note that to do so my parsing schema required access to DBA_ROLE_PRIVS and DBA_TAB_PRIVS - something that was fine in my development environment, but would be rightly questioned in a production scenario, but I will demonstrate nonetheless.

Final layout

My page looks like the following screen grab, and below I break down the steps to get there.

The tree lists roles assigned to (more...)

It is not difficult to create an SSL/TLS certificate and configure an Apache HTTP Server to use it. But I found that there are some things you need to know that does not necessarily make much sense. Here are some lessons learned and a couple of tips.

Intermediate and Root (more...)

These are some amazing statistics…

If you do a default installation of the WebLogic Server user activity is not audited. WebLogic has a build in Auditing Provider but it has to be enabled.

The Audit Provider can log these events.

To enable it via the Admin Console got to Security Realms => myrealm => Providers (more...)

I bet if any of you have an exposed server to an internet connection, without properly firewall protection, that your server is under heavy fire from hackers around the “world”… By the world I mean mostly China and Russia ssh attacks. If you’re curious, on Linux you can check the (more...)

One of the most popular posts on my blog is the short tutorial about the JDBC Security Realm and form based Authentication on GlassFish with Primefaces. After I received some comments about it that it isn't any longer working with latest GlassFish 3.1.2.2 I thought it might (more...)

I was interviewed for a nice article about database security on Dark Reading. The interesting question, I think, is not wether to invest in DB security. To me, it’s a given that you have to do it (even though some customers still don’t agree). The question is – how will the threat landscape change if [...]

Oracle Databases has a powerful set of grants and permissions. One of the easy philosophies behind it is just to hide anything a user is not allowed to see. Technically this leads to an error message
ORA-00942: table or view does not exist.
More precisely it should give a text like table or view does not exist or you are not allowed to access it.
For an ordinary user/schema separation there might be no big difference: If user A can not read table B.TAB it's of no value for user A whether the object does not exist or is just not (more...)