2 days ago I gave a presentation “Oracle 12c from the attackers perspective” at the DOAG SIG Security. I learned some interesting things, especially that a fix for the Oracle oradebug “disable auditing” problem is available since 9 months.
Oradebug allows to run OS commands and to enable/disable Oracle SYSDBA (more...)
While I was not surprised that the U.S. intelligence agencies monitor web activity, I was surprised at the scale revealed by the Edward Snowdon leaks.
If there are still American cloud providers that do not routinely provide the NSA with wholesale access to their customers’ data, it will only (more...)
Here is a quick way of creating your own CA and issue server and client certificates via OpenSSL.
I will test the certificates via the Apache HTTP Server by configuring one and two-way SSL.
I use Oracle Linux 5.
You should of cause only use this for test scenarios.
It is now possible to protect Apache on both Windows and Red Hat servers against CRIME SSL/TLS attacks.
I have updated my Hardening the Apache HTTP Server post accordingly.
Often you do not want servers in your internal network segments to be able to access the Internet directly.
One way to get controlled access to the Internet is to place an Apache HTTP Server in a DMZ network segment. Internal servers can then use the Apache server as a (more...)
Oracle’s “Security Alert Advisory for CVE-2012-3132” issued a warning about an attack vector that once again was discovered by security expert David Litchfield. The vulnerability allows to execute SQL code with SYS privileges by using object names containing quotation marks, if the attacker has authorized access to the database, has CREATE TABLE and CREATE PROCEDURE privileges […]
(blogarhythm ~ Can you keep a secret? - 宇多田ヒカル)
(“megaargh!” in pirate-speak) is a Ruby wrapper and command-line client for the Mega API
In the current release (gem version 0.0.3), it has coverage of the basic file/folder operations: connect, get file/folder listings and details, upload and download files. You can use it directly in Ruby with what I hope you'll find is a very sane API, but it also sports a basic command-line mode for simple listing, upload and download tasks.
If you are interested in hacking around with Mega, and prefer to do it (more...)
It is not difficult to create an SSL/TLS certificate and configure an Apache HTTP Server to use it. But I found that there are some things you need to know that does not necessarily make much sense. Here are some lessons learned and a couple of tips.
Intermediate and Root (more...)
These are some amazing statistics…
If you do a default installation of the WebLogic Server user activity is not audited. WebLogic has a build in Auditing Provider but it has to be enabled.
The Audit Provider can log these events.
To enable it via the Admin Console got to Security Realms => myrealm => Providers (more...)
I bet if any of you have an exposed server to an internet connection, without properly firewall protection, that your server is under heavy fire from hackers around the “world”… By the world I mean mostly China and Russia ssh attacks. If you’re curious, on Linux you can check the (more...)
I was interviewed for a nice article about database security on Dark Reading. The interesting question, I think, is not wether to invest in DB security. To me, it’s a given that you have to do it (even though some customers still don’t agree). The question is – how will the threat landscape change if [...]
Oracle Databases has a powerful set of grants and permissions. One of the easy philosophies behind it is just to hide anything a user is not allowed to see. Technically this leads to an error message
ORA-00942: table or view does not exist
More precisely it should give a text like
table or view does not exist or you are not allowed to access it
For an ordinary user/schema separation there might be no big difference: If user A
can not read table B.TAB
it's of no value for user A
whether the object does not exist or is just not (more...)
by Fábio Souza & Eduardo Rodrigues
We know. It’s been a looooooong time again. But once you read this post, we are quite sure you’ll be happy we took the time to write it. And it’s also...
This is a summary only. Please, visit the blog for full content (more...)
I’m an huge NGINX fan. Nginx pronounced “Engine-X” is an open source Web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. Nginx is awesome… really. I use it since 0.6 beta and never (more...)
In the Oracle DBA World at the moment CVE-2012-1675
is a great issue. Oracle announced some methods
how to secure existing systems. But these are sometimes not that easy, and there is no backport for older systems.
As I investigated the problem how to secure a connection manager
I was hinted at Note:1455068.1
The solution is somewhat easy: Only allow incoming connections to your
systems. e.g. (rule=(src=*)(dst=10.220.8.114)(srv=*)(act=accept))
In a well designed environment where you can separate your DB Servers from others at low network layers, a set of CMAN (more...)
Gone are the day when cleartext passwords had to be stored in scripts for Oracle database access. The solution to this requirement is “Oracle Secure External Password Store (SEPS)”. This article will give a short introduction and a practical example of the solution.
no Advanced Security Option (License) necessary
every unix-account, who has access to the wallet can use it to log on to the contained databases without a password! Therefore prevent other unix-accounts from accessing your wallet! (chmod, chown)
: Unix-Account, who wishes to connect to the database without providing a password needs to (more...)