The Balance of Business

In every business, there is a balance between business goals and various impediments.

The Balance of Business

You need to make sure that you don’t allow legal, QA, security and other internally-focused concerns tip the scale towards paralysis. There is more in this week’s edition of my newsletter “Technology That Fits” – sign up here.

You don’t know what happens

Suddenly, our offshore colleagues could not access the database. We scrambled to find a solution, and and it soon transpired that the central security function had rolled out out a security policy upgrade the night before. Unfortunately, our offshore colleagues were connected to the network in an uncommon way, so the new security policy cut them off.

You don’t know what will happen when you change a system. Enterprise IT landscapes have reached a complexity (more...)

Oracle Database Security Assessment

Data Security has taken a front seat in terms of IT Security lately. Database security is an area of information security that is concerned with the use of security controls to protect databases. Organizations are trying to protect their databases from both internal and external threats. 

In this regard, Oracle has put up an online Database Security Assessment on their website. You may now check how secure your database is by answering few simple (more...)

The Age of Transparency

It seems that Boing just lost a 4 billion dollar deal to supply fighter jets to Brazil, because the Brazilians were miffed that the NSA spied on them.

You also live in a transparent world. If the NSA was unable to weed out Edward Snowdon in their hiring procedure, do (more...)

Control Your Information

It appears that international credit bureau company Experian was inadvertently selling private information to online criminals posing as “private investigators”. These criminals then used Social Security numbers, birthdays and drivers license records to commit identify theft. Ironically, Experian is also selling protection against identity theft to private customers…

Do you know (more...)

Fix for oradebug disable auditing available (11.2.0.3/11.2.0.4/12.1.0.1)

2 days ago I gave a presentation “Oracle 12c from the attackers perspective” at the DOAG SIG Security. I learned some interesting things, especially that a fix for the Oracle oradebug “disable auditing” problem is available since 9 months.

Oradebug allows to run OS commands and to enable/disable Oracle SYSDBA (more...)

Tightening Security with SELECT ANY DICTIONARY in Oracle 12c

Developers and users sometimes request the SELECT ANY DICTIONARY system privilege to enable them to view various data dictionary tables.  This may be fine for querying DBA_TABLES, etc, but the Oracle data dictionary contains a LOT of information.  Some of the views/tables are compromising from a security standpoint. (more...)

How One Man Killed the Cloud

While I was not surprised that the U.S. intelligence agencies monitor web activity, I was surprised at the scale revealed by the Edward Snowdon leaks.

If there are still American cloud providers that do not routinely provide the NSA with wholesale access to their customers’ data, it will only (more...)

Create a CA, issue server/client certificates and test them via Apache

Here is a quick way of creating your own CA and issue server and client certificates via OpenSSL.

I will test the certificates via the Apache HTTP Server by configuring one and two-way SSL.

I use Oracle Linux 5.

You should of cause only use this for test scenarios.

Install (more...)

Protect the Apache HTTP Server against CRIME SSL/TLS attacks

It is now possible to protect Apache on both Windows and Red Hat servers against CRIME SSL/TLS attacks.

I have updated my Hardening the Apache HTTP Server post accordingly.

Using the Apache HTTP Server as a forward proxy to the Internet

Often you do not want servers in your internal network segments to be able to access the Internet directly.
One way to get controlled access to the Internet is to place an Apache HTTP Server in a DMZ network segment. Internal servers can then use the Apache server as a (more...)

Security Fix Breaks Recovery

Oracle’s “Security Alert Advisory for CVE-2012-3132” issued a warning about an attack vector that once again was discovered by security expert David Litchfield. The vulnerability allows to execute SQL code with SYS privileges by using object names containing quotation marks, if the attacker has authorized access to the database, has CREATE TABLE and CREATE PROCEDURE privileges […]

SSL Server Certificates – Lessons learned

It is not difficult to create an SSL/TLS certificate and configure an Apache HTTP Server to use it. But I found that there are some things you need to know that does not necessarily make much sense. Here are some lessons learned and a couple of tips.

Intermediate and Root (more...)

Auditing users in WebLogic Server

If you do a default installation of the WebLogic Server user activity is not audited. WebLogic has a build in Auditing Provider but it has to be enabled.

The Audit Provider can log these events.

To enable it via the Admin Console got to Security Realms => myrealm => Providers (more...)

Protect your servers against brute force SSH attacks

Share

I bet if any of you have an exposed server to an internet connection, without properly firewall protection, that your server is under heavy fire from hackers around the “world”… By the world I mean mostly China and Russia ssh attacks. If you’re curious, on Linux you can check the (more...)

side channel attack on ORA-00942

Oracle Databases has a powerful set of grants and permissions. One of the easy philosophies behind it is just to hide anything a user is not allowed to see. Technically this leads to an error message
ORA-00942: table or view does not exist.
More precisely it should give a text like table or view does not exist or you are not allowed to access it.
For an ordinary user/schema separation there might be no big difference: If user A can not read table B.TAB it's of no value for user A whether the object does not exist or is just not (more...)

Oracle ADF with SSO – The Definitive Guide

by Fábio Souza & Eduardo Rodrigues Introduction We know. It’s been a looooooong time again. But once you read this post, we are quite sure you’ll be happy we took the time to write it. And it’s also...

This is a summary only. Please, visit the blog for full content (more...)

Installing NGINX on RHEL 5/6 (Centos and Oracle Linux too)

Share

I’m an huge NGINX fan. Nginx pronounced “Engine-X” is an open source Web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. Nginx is awesome… really. I use it since 0.6 beta and never (more...)

how to secure CMAN against CVE-2012-1675 – or an easier method than ASO

In the Oracle DBA World at the moment CVE-2012-1675 is a great issue. Oracle announced some methods how to secure existing systems. But these are sometimes not that easy, and there is no backport for older systems.
As I investigated the problem how to secure a connection manager I was hinted at Note:1455068.1.
The solution is somewhat easy: Only allow incoming connections to your systems. e.g.
    (rule=(src=*)(dst=10.220.8.114)(srv=*)(act=accept))

In a well designed environment where you can separate your DB Servers from others at low network layers, a set of CMAN (more...)

OBIEE11g SampleApp OID doesn’t start

Yep, I did again :-(.

After playing around with the new sampleapp107 I managed to crash the VM. After a reboot the OID refused to start up. It seemed that because there was still an active status record in the ODS schema, the OPMN couldn’t find anything to start.

Solution: truncate the "ODS"."ODS_PROCESS_STATUS" and  "ODS"."ODS_GUARDIAN" tables in your database repository.

(Not sure if the "ODS"."ODS_GUARDIAN"  is really necessary…. Please correct me if I’m wrong)

Till Next Time