I think 2 years is long enough to wait between posts!
Today I delivered a session about Oracle Exadata Database Machine Best Practices and promised to post the slides for it (though no one asked about them :). I’ve also posted them to the Tech14 agenda as well.
Direct download: UKOUG Tech14 Exadata Security slides
Just a quick note to point out that the October PSU was just released. The database has a few more vulnerabilities than usual (31), but they are mostly related to Java and the high CVSS score of 9 only applies to people running Oracle on windows. (On other operating systems, the highest score is 6.5.)
I did happen to glance at the announcement on the security blog, and I thought this short (more...)
On the presentations page you can find the my presentation material from DOAG regional meeting September 2014 in Munich about “Enterprise User Security”.
The UTL_FILE database package is used to read from and write to operating system directories and files. By default, PUBLIC is granted execute permission on UTL_FILE. Therefore, any database account may read from and write to files in the directories specified in the UTL_FILE_DIR database initialization parameter [...] Security considerations with UTL_FILE can be mitigated by removing all directories from UTL_FILE_DIR and using the Directory functionality instead.
© Eddie Awad's Blog, (more...)
There are a lot of security admins out there that are going to hate me for this post. There are a lot of system administrators, developers, and users, however, that will LOVE me for this post. The code I'm about to share with you will keep the logged in PeopleSoft user's session active as long as the user has a browser window open that points to a PeopleSoft instance. Why would you do this? I (more...)
We’ve just had a leak of 900,000 national identifier numbers here in Denmark. That’s about 16% of the total population, so it’s pretty big. These numbers are unique identifiers for a person (similar to Social Security Numbers) and are a good starting point for identity theft.
Never ascribe to malice that which can adequately be explained by incompetence.
So how did these numbers leak? Through plain incompetence and lack of procedures. It (more...)
On Monday, a U.S. judge gave Microsoft control of 22 domains owned by domain hosting service No-IP.com. Microsoft intended to filter out some domains used by malware, but promptly screwed up. The result was that millions of legitimate users could not access their servers.
This will happen again and again as infrastructure moves to centralized cloud providers. What do you think will happen if the server just above yours in the server rack (more...)
Credit for finding this bug is given to Daniel Ekberg – https://www.linkedin.com/profile/view?id=10435009. He got the official credit given by Oracle Corp for helping out with security related bugs in the January 2014 CPU. He found the bug and had the tenacity to track down and prove that it was a bug and not just a flaw in the logging mechanism where this first was indicated to occur.
Today is the day when (more...)
The above phase means “who will guard the guards themselves?” and is relevant in many security contexts.
Here in Denmark, we are currently having our own “News of the World” affair. In our case, a contractor at the payment processor handling almost all Danish credit cards was able to automatically send a tip to a journalist whenever a celebrity used his or her credit card. That makes it hard to take an incognito honeymoon (more...)
The Heartbleed bug has shown that security vulnerabilities can pop up everywhere. Unfortunately, many IT organizations depend on a single security layer to secure their network – and as the ineffectiveness of the Maginot Line proved, that is a risky strategy. You need multiple security layers – what soldiers call Defence in Depth.This illustration is from my weekly Technology That Fits newsletter – sign up here.
I'm currently at IOUG Collaborate 2014 in Las Vegas, and I recently finished my 2-hour deep dive into WebCenter. I collected a bunch of tips & tricks in 5 different areas: metadata, contribution, consumption, security, and integrations:
As usual, a lot of good presentations this year, but the Collaborate Mobile App makes it a bit tough to find them...
Bezzotech will be at booth (more...)
Sid is doing his popular course, The Art of Exploiting Injection Flaws, at this year’s Black Hat. You can find more details here. Definitely highly recommended.
A bit of a follow-up to my previous post on Digest authentication.
The fun thing about doing the hard yards to code up the algorithm is that you get a deeper level of understanding about what's going on. Take these lines:
v_in_str := utl_raw.cast_to_raw(i_username||':'||i_realm||':'||i_password);
v_ha1 := lower(DBMS_OBFUSCATION_TOOLKIT.md5(input => v_in_raw));
Every time we build the "who we are" component for this site, we start with exactly the same (more...)
I will describe how you configure trust stores for the WebLogic Server.
Chain of trust
When a SSL server certificate is issued by a CA it is signed by a another certificate. Normally this will be an intermediate certificated, that is again signed by the CAs root certificate. So there is a chain of trust between the (more...)
In every business, there is a balance between business goals and various impediments.
You need to make sure that you don’t allow legal, QA, security and other internally-focused concerns tip the scale towards paralysis. There is more in this week’s edition of my newsletter “Technology That Fits” – sign up here.
Suddenly, our offshore colleagues could not access the database. We scrambled to find a solution, and and it soon transpired that the central security function had rolled out out a security policy upgrade the night before. Unfortunately, our offshore colleagues were connected to the network in an uncommon way, so the new security policy cut them off.
You don’t know what will happen when you change a system. Enterprise IT landscapes have reached a complexity (more...)
This post is about exploring the mechanisms used by Oracle Clusterware 184.108.40.206 to restrict remote service registration, i.e. the 12c new feature "Restricting Service Registration for Oracle RAC Deployments"Why is this useful?
This improvement of 12c clusterware and listeners over the 11.2 version is useful mainly for security purposes, for example as a measure against TNS poisoning attacks (see also CVE-2012-1675
), and it is particularly relevant for (more...)