OpenSSL example commands

OpenSSL
OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used in internet web servers, serving a majority of all web sites.
OpenSSL contains an open-source implementation of the SSL and TLS protocols. The core library, written in the C programming language, implements basic cryptographic functions and provides various utility functions. Wrappers allowing the use (more...)

Enterprise Manager and Firewalls

Just a short post, since this is a fairly common question I see. This morning someone asked me a question about Enterprise Manager and firewalls. They have an environment with EM targets placed in different zones / networks – with firewalls between. In the documentation, it states “Each Management Agent is configured to upload data to one OMS. As a result, if there is a firewall between the Management Agent and its OMS, you must (more...)

ORDS Cross Origin Complaint

A few years ago while upgrading to APEX 5.0, we had a few issues when upgrading ORDS.

My loose understanding is that from about ORDS 3.0.3, it started enforcing some security policy regarding cross-origin requests. The big browsers handle this differently, for instance Chrome returns 403 Forbidden and won't let you log in.

Cunning Chrome Cross Origin Complaint
Amusingly, Edge let me in, even after advising me otherwise. No doubt there (more...)

ORDS web services returning BLOBs

When it comes to delivering BLOBs from the database, I'm sure many of us have used, or come across, a procedure that looks like the one described here.

This sample includes some commentary on how the surrounding infrastructure should look, but it's a little out of date.
create or replace procedure get_image(p_id  IN  images.id%TYPE) IS
l_mime images.image_type%TYPE;
l_length NUMBER;
l_lob BLOB;
-- This procedure needs
-- Grant to apex_public_user
-- Public synonym, so (more...)

Okta SSO with Snowflake 

Ever wonder how to secure a cloud data warehouse?

ODC Appreciation Day: Two Cool 12c Security Features #ThanksODC #ThanksOTN

There are quite a lot of new features in the 12c database that I like and have discussed and talked about at various events. On this #ThanksODC day, I would like to take the opportunity to thank Oracle Technology Network (or Oracle Developer Community) and the Oracle ACE Program for all the support they provide […]

The Limits of Data Redaction

Data security is becoming more and more important nowadays.
In fact it was always important; it is just that, as the expected problems increase (by count or value), management seems to be more aware now. Due to many discussions I started to have a look at DBMS_REDACT, which is an implementation that shows users only the data they are allowed to see.
One of my first places to go was Tim Hall's Data Redaction (DBMS_REDACT) in (more...)

JDBC, Linux and Entropy

Some troubles, especially those happening only sporadically, are not so easy to troubleshoot and call for a deeper understanding of the matter. In the following real-world example this means: SQL*Net tracing and some knowledge about the inner workings of the server's operating system, particularly random number generation. This case was well suited to demonstrate an approach to troubleshooting […]

Password Last Change Time

I read that the PTIME column in the SYS.USER$ table shows when a user’s password was last changed so I decided to try it out in an Oracle 10 database:

SQL> SELECT VERSION FROM PRODUCT_COMPONENT_VERSION
  2  WHERE PRODUCT LIKE 'Oracle Database%'
  3  /

VERSION
--------------------
10.2.0.3.0

SQL>


I noted the time and created a user:

SQL> SELECT TO_CHAR(SYSDATE,'DD-MON-YYYY HH24:MI:SS')
  2  DATE_AND_TIME1 FROM DUAL
  3  /

DATE_AND_TIME1
(more...)

Update WordPress Installations to >4.7.2

This post is applicable for hosted WordPress installations where auto-updates are disabled. Yesterday, I noticed there was a blog post "Hacked by Unknown" on the Askdba blog. The post was written by a white-hat hacker who exploited the content injection vulnerability in 4.7.0 and 4.7.1. This vulnerability allows any visitor (unauthorized user) to assume a role to edit/create blog…

Enable HyperFIDO U2F Key on Linux

Recently, I bought the Hypersecu HyperFIDO K5 Key to help me secure access to several websites and services with U2F (“Universal Two-Factor Authorization”). This works fine on Windows, but with Linux things get a little complicated: The key isn’t accessible to all users by default. This has to be activated using udev rules, which is widely […]

APEX attributes for Escaping Special Characters

A relatively common question on the forums is regarding the escaping of special characters in reports, but it seems the developer isn't always sure what is actually happening and how to search for it.

It seems I’ve had this on my “to blog” list since April 2015, but now that 5.1 has been released, it seems more people are coming out to leave 4.x and can’t work out where the Standard Report (more…)

WS Security – enabling passwordDigest authentication in an Oracle FMW environment

Objective:
To have a basic level of authentication on web services (especially where there's no transport layer security) without having to pass clear text passwords in the WS Security headers. 

Background:
The concepts are fairly generic but this post is highly Oracle Fusion Middleware specific. There can be a complex decision tree (see [1]) involved when selecting the 'appropriate' level of security for any system. As security involves trade-offs between cost, performance, usability (more...)
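The mechanism behind the objective above is the WS-Security UsernameToken PasswordDigest: the client sends Base64(SHA-1(nonce + Created + password)) instead of the password itself. The following is an added example, not code from the post or from Oracle Fusion Middleware, showing both sides of that exchange. It assumes the OASIS UsernameToken Profile formula, and the nonce cache and the five-minute freshness window are assumptions of this example, not settings from the post; without them a captured digest token can simply be replayed, which is the caveat to keep in mind when using this in place of transport-layer security.

```python
"""WS-Security UsernameToken PasswordDigest: client side and verifier side.

PasswordDigest = Base64( SHA-1( nonce_bytes || Created_utf8 || password_utf8 ) )
(OASIS WSS UsernameToken Profile). The verifier must additionally reject
stale Created timestamps and reused nonces, otherwise the token is replayable.
Added example; the 5-minute window and nonce cache are assumptions here.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

CREATED_FMT = "%Y-%m-%dT%H:%M:%SZ"


def compute_digest(nonce: bytes, created: str, password: str) -> str:
    """SHA-1 over raw nonce bytes, then the Created string, then the password."""
    h = hashlib.sha1()
    h.update(nonce)
    h.update(created.encode("utf-8"))
    h.update(password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def make_username_token(username: str, password: str, now=None, nonce=None) -> dict:
    """Client side: build the header fields of a UsernameToken with PasswordDigest."""
    nonce = nonce if nonce is not None else os.urandom(16)
    now = now or datetime.now(timezone.utc)
    created = now.strftime(CREATED_FMT)
    return {
        "Username": username,
        "Password": compute_digest(nonce, created, password),  # never the clear text
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
    }


class DigestVerifier:
    """Server side: recompute the digest from the stored password and guard against replay."""

    def __init__(self, passwords: dict, max_skew: timedelta = timedelta(minutes=5)):
        self._passwords = passwords          # username -> clear-text password (digest needs it)
        self._max_skew = max_skew
        self._seen_nonces = {}               # nonce bytes -> time after which it can be forgotten

    def verify(self, token: dict, now=None) -> bool:
        now = now or datetime.now(timezone.utc)
        password = self._passwords.get(token.get("Username"))
        if password is None:
            return False
        try:
            created = datetime.strptime(token["Created"], CREATED_FMT).replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False
        if abs(now - created) > self._max_skew:
            return False                     # stale or far-future Created
        self._seen_nonces = {n: exp for n, exp in self._seen_nonces.items() if exp > now}
        if nonce in self._seen_nonces:
            return False                     # replayed token
        expected = compute_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token.get("Password", "")):
            return False
        self._seen_nonces[nonce] = now + self._max_skew
        return True


def run_demo() -> dict:
    """Exercise the fresh, replayed, stale and wrong-password cases with a fixed clock."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    verifier = DigestVerifier({"alice": "s3cret"})
    good = make_username_token("alice", "s3cret", now=t0)
    bad = make_username_token("alice", "wrong", now=t0)
    return {
        "fresh": verifier.verify(good, now=t0),
        "replay": verifier.verify(good, now=t0 + timedelta(seconds=30)),
        "stale": verifier.verify(make_username_token("alice", "s3cret", now=t0),
                                 now=t0 + timedelta(minutes=10)),
        "wrong_password": verifier.verify(bad, now=t0),
        "clear_text_absent": good["Password"] != "s3cret",
    }


if __name__ == "__main__":
    print(run_demo())
```

The verifier needs the clear-text password to recompute the digest, so this scheme protects the password on the wire but not at rest; that is another reason the post's "no transport layer security" qualifier matters.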

Hit by the ‘Tech Support’ Scammers

I got a call earlier today from the Tech Support Scammers. You’ve probably heard of this horribly unethical practice already, but the premise is that they cold-call seemingly randomly and try to convince you that there is a problem with your PC/router, and then attempt to get you to allow them remote access to your PC to ‘fix it’. Some then claim problems are due to expired warranties on the computer and demand payment, others (more...)

Collaborate 16: My sessions

I’ll be at Collaborate 16 next month and looking forward to seeing lots of good friends, learning some new things, and sharing a little experience too. For the last of those, I’ll present 3 sessions, er, more like 2.2 sessions:

  • Wed, 13-Apr, 12:45-12:55pm: Oak Table World 10-minute Lightning talk “Tools used for security and compliance on Linux”
  • Wed, 13-Apr, 3-4pm: Oak Table World session “IPv6: What You Need to Know (with Linux & Exadata references)”
  • (more...)

Migrating application roles in OBIEE 11g

My last article talked about a maintenance- and hassle-free mechanism to implement security. The article moved the security architecture to roles created in EM. The next logical step is to move the roles from one environment to another because, let's face it, manually creating roles is a lot of effort.


Oracle has a process to migrate the policy store from one environment to another and is described @ http://docs.oracle.com/cd/E14571_01/core.1111/e10043/addlsecfea.htm#JISEC3593

This (more...)

Configuring VNCR for 11.2.0.4 Oracle RAC

By default on an Oracle RAC installation, the listeners are configured to allow any database to register with them.  There is no security out of the box to determine which databases may register.  While this makes it easy to create new databases without worrying about listener registration, this can cause potential problems in a real environment.

This can be dangerous working with RAC environments where the database registers with both a local and remote listener.  The (more...)

OOW 2015: my presentation

I don’t have an official OOW presentation in the conference this year. However, I am presenting a session at the Oak Table World 2015 event being held concurrently with OOW 2015. My topic is “Exadata Database Machine Security” and I plan to review some of the newest updates to security for the Exadata Database Machine engineered system.

As the website indicates, the event is completely free and there is no pre-registration or enrollment required–just show (more...)

Introduction to MongoDB Security

Last week at the Paris MUG, I had a quick chat about security and MongoDB, and I have decided to create this post that explains how to configure the out-of-the-box security available in MongoDB. You can find all information about MongoDB Security in the following documentation chapter: http://docs.mongodb.org/manual/security/ In this post, I won't go into the detail about

Security Big Data – Part 7 – a summary

Over six parts I've gone through a bit of a journey on what Big Data Security is all about:

  • Securing Big Data is about layers
  • Use the power of Big Data to secure Big Data
  • How maths and machine learning helps
  • Why it's how you alert that matters
  • Why Information Security is part of Information Governance
  • Classifying Risk and the importance of Meta-Data

The fundamental point here is that