BI Mobile Security Toolkit for 11.1.1.7.0

The Oracle Business Intelligence Mobile Security Toolkit 11.1.1.7 for Apple iPad (iOS 5 & 6) is now available for download at http://goo.gl/Mq6rI


The Oracle BI Mobile Security Toolkit "provides the ability to generate a signed version of the Oracle BI Mobile HD application. The toolkit (more...)

Protect the Apache HTTP Server against CRIME SSL/TLS attacks

It is now possible to protect Apache on both Windows and Red Hat servers against CRIME SSL/TLS attacks.

I have updated my Hardening the Apache HTTP Server post accordingly.

Using the Apache HTTP Server as a forward proxy to the Internet

Often you do not want servers in your internal network segments to be able to access the Internet directly.
One way to get controlled access to the Internet is to place an Apache HTTP Server in a DMZ network segment. Internal servers can then use the Apache server as a (more...)

Rolling the Mega API with Ruby

(blogarhythm ~ Can you keep a secret? - 宇多田ヒカル)

Megar (“megaargh!” in pirate-speak) is a Ruby wrapper and command-line client for the Mega API.

In the current release (gem version 0.0.3), it has coverage of the basic file/folder operations: connect, get file/folder listings and details, upload and download files. You can use it directly in Ruby with what I hope you'll find is a very sane API, but it also sports a basic command-line mode for simple listing, upload and download tasks.

If you are interested in hacking around with Mega, and prefer to do it (more...)

SSL Server Certificates – Lessons learned

It is not difficult to create an SSL/TLS certificate and configure an Apache HTTP Server to use it. But I found that there are some things you need to know that does not necessarily make much sense. Here are some lessons learned and a couple of tips.

Intermediate and Root (more...)

Wow

These are some amazing statistics…

Auditing users in WebLogic Server

If you do a default installation of the WebLogic Server user activity is not audited. WebLogic has a build in Auditing Provider but it has to be enabled.

The Audit Provider can log these events.

To enable it via the Admin Console got to Security Realms => myrealm => Providers (more...)

Protect your servers against brute force SSH attacks

Share

I bet if any of you have an exposed server to an internet connection, without properly firewall protection, that your server is under heavy fire from hackers around the “world”… By the world I mean mostly China and Russia ssh attacks. If you’re curious, on Linux you can check the (more...)

Dark Reading – Database Security

I was interviewed for a nice article about database security on Dark Reading. The interesting question, I think, is not wether to invest in DB security. To me, it’s a given that you have to do it (even though some customers still don’t agree). The question is – how will the threat landscape change if [...]

side channel attack on ORA-00942

Oracle Databases has a powerful set of grants and permissions. One of the easy philosophies behind it is just to hide anything a user is not allowed to see. Technically this leads to an error message
ORA-00942: table or view does not exist.
More precisely it should give a text like table or view does not exist or you are not allowed to access it.
For an ordinary user/schema separation there might be no big difference: If user A can not read table B.TAB it's of no value for user A whether the object does not exist or is just not (more...)

Kerberos Authentication and Proxy Users

Topic: a discussion on the usage of Kerberos authentication in Oracle and of the usage of proxy users together with Kerberos authenticated accounts

Introduction: Kerberos authentication allows to connect to Oracle without specifying the username/password credentials. The authentication is done externally. Kerberos has a widespread usais in use already in large environments so is a good candidate (for example for windows domain accounts or for an afs file system in Linux).
Proxy authentication allows connect to the DB to a target user via another DB user (the proxy user). For example we can authorize a user with a development account to connect (more...)

Oracle ADF with SSO – The Definitive Guide

by Fábio Souza & Eduardo Rodrigues Introduction We know. It’s been a looooooong time again. But once you read this post, we are quite sure you’ll be happy we took the time to write it. And it’s also...

This is a summary only. Please, visit the blog for full content (more...)

Installing NGINX on RHEL 5/6 (Centos and Oracle Linux too)

Share

I’m an huge NGINX fan. Nginx pronounced “Engine-X” is an open source Web server and a reverse proxy server for HTTP, SMTP, POP3 and IMAP protocols, with a strong focus on high concurrency, performance and low memory usage. Nginx is awesome… really. I use it since 0.6 beta and never (more...)

how to secure CMAN against CVE-2012-1675 – or an easier method than ASO

In the Oracle DBA World at the moment CVE-2012-1675 is a great issue. Oracle announced some methods how to secure existing systems. But these are sometimes not that easy, and there is no backport for older systems.
As I investigated the problem how to secure a connection manager I was hinted at Note:1455068.1.
The solution is somewhat easy: Only allow incoming connections to your systems. e.g.
    (rule=(src=*)(dst=10.220.8.114)(srv=*)(act=accept))

In a well designed environment where you can separate your DB Servers from others at low network layers, a set of CMAN (more...)

No more cleartext-passwords in Scripts – Oracle Secure External Password Store (SEPS)

Gone are the day when cleartext passwords had to be stored in scripts for Oracle database access. The solution to this requirement is “Oracle Secure External Password Store (SEPS)”. This article will give a short introduction and a practical example of the solution.

Key facts:

  • no Advanced Security Option (License) necessary
  • every unix-account, who has access to the wallet can use it to log on to the contained databases without a password! Therefore prevent other unix-accounts from accessing your wallet! (chmod, chown)

Installation

  • Oracle Client: Unix-Account, who wishes to connect to the database without providing a password needs to (more...)

restore DBMS_SCHEDULER.CREATE_CREDENTIAL cleartext password


If you want to use Oracle file watcher, you need to Create a Credential. As there a password needs to be stored in the database, Oracle tries to save it in a secure way. But as the password must be decrypted for the purpose to login on the file watchers agent side, it is not safe at all:
The credentials are stored with DBMS_SCHEDULER.CREATE_CREDENTIAL. Here an example:

exec DBMS_SCHEDULER.CREATE_CREDENTIAL(
  credential_name => 'local_credential',
  username => 'oracle',  password => 'welcome1');
exec DBMS_SCHEDULER.CREATE_CREDENTIAL(
  credential_name => 'local_credential2',
  username => 'oracle2', password => 'welcome1');


It's quite easy to see the values (more...)

OBIEE11g SampleApp OID doesn’t start

Yep, I did again :-(.

After playing around with the new sampleapp107 I managed to crash the VM. After a reboot the OID refused to start up. It seemed that because there was still an active status record in the ODS schema, the OPMN couldn’t find anything to start.

Solution: truncate the "ODS"."ODS_PROCESS_STATUS" and  "ODS"."ODS_GUARDIAN" tables in your database repository.

(Not sure if the "ODS"."ODS_GUARDIAN"  is really necessary…. Please correct me if I’m wrong)

Till Next Time

Red Hat firewall for dummies

Sometimes I need to open for communication on a port in the local firewall on a Linux box. Until now I have relied on the lokkit command or if a GUI is available system-config-securitylevel.

I recently had some situations where lokkit was not working, so I decided to dig a (more...)

Installing Wireshark and sniffing http communication on Red Hat

We had a situation where we were calling an external Web service that required custom http headers. When our request reached the Web service the customer http headers had disappeared. We did not know if the problem was with the OSB, our Internet proxy or the programmer :-) To find out (more...)

Mikko Hyppönen@TED

Doing more than just talking about viruses: he fires up a few classics in a DOS box and pokes around with a binary editor before looking at current threats and live infection data. Very cool and entertaining. Not many are brave enough to do live demos, but if you watch to the end you'll get to see how prepared he was for failure;-)

Best served with sides of: