Database and ERP Security and Best Practice Management

Up-to-date syndicated information on database & ERP privacy, security, audit and compliance
  • Advantages of DVR / NVR Solutions Over Software-Only

    Posted on March 12th, 2010 unknown No comments
    Software that is built for a specific motherboard, video card, network connection, cpu, RAM chip, and hard drive type, for example, can reduce risk and shorten deployment time and may have a dependability and performance advantage that hardware-agnostic .... A software only provider will usually charge for these services in some form of service or maintenance contract. The appliance provider will also charge for these services and will usually offer extended warranties, ...
  • A paper on Sentrigo Hedgehog and Pete Finnigan webinar slides

    Posted on March 12th, 2010 Pete Finnigan's Oracle security weblog No comments

    I did two webinars this week with Sentrigo titled "The right way to Secure Oracle"; these went well. The slides for the talks have been added to my Oracle Security white papers page. I have also written a short....[Read More]

    Posted by Pete On 12/03/10 At 01:59 PM

  • Blocking Tools from using the database

    Posted on March 12th, 2010 Pete Finnigan's Oracle security weblog No comments

    I saw Charles Hooper's post titled "Why Doesn't This Trigger Work — No Developer Tools Allowed in the Database" via my Oracle blogs aggregator and read it with interest as it's related to issues I come across with....[Read More]

    Posted by Pete On 10/03/10 At 11:08 AM

  • Pete Finnigan Webinar on Oracle Security

    Posted on March 12th, 2010 Pete Finnigan's Oracle security weblog No comments

    It has been quite a while since my last blog post; I keep promising to post more often and even worse I have a long list of things to blog about but I don't seem to get enough time recently....[Read More]

    Posted by Pete On 08/03/10 At 04:04 PM

  • SANS 2010 CWE/SANS Top 25 Most Dangerous Programming Errors

    Posted on March 12th, 2010 Pete Finnigan's Oracle security weblog No comments

    SANS, Mitre and a lot of security experts have just completed the top 25 most dangerous programming errors list. This is a really useful resource and anyone developing code not just against Oracle but in general should be concerned to....[Read More]

    Posted by Pete On 23/02/10 At 01:42 PM

  • SQL Injection and Java exploits

    Posted on March 12th, 2010 Pete Finnigan's Oracle security weblog No comments

    It has been a while since my last blog post as I have been extremely busy over the last weeks and this blog post is being posted straight after finishing a customer training session using the clients internet connection (with....[Read More]

    Posted by Pete On 17/02/10 At 04:01 PM

  • Turkey, Germany, York, Holland and the Oak Table book

    Posted on March 12th, 2010 Pete Finnigan's Oracle security weblog No comments

    I was away most of last week to teach my class How to perform a security audit of an Oracle database in Istanbul, Turkey including the travel out and back. It was a good class, very well attended and some....[Read More]

    Posted by Pete On 02/02/10 At 06:37 PM

  • The Oracle listener password algorithm

    Posted on March 12th, 2010 Pete Finnigan's Oracle security weblog No comments

    There has been a thread on my forum for a couple of years discussing the Oracle listener password algorithm. The thread is titled "Key and algo for encrypting the listener password". This thread discussed the issue of being....[Read More]

    Posted by Pete On 01/02/10 At 07:39 PM

  • Two new Oracle root kits

    Posted on March 12th, 2010 Pete Finnigan's Oracle security weblog No comments

    Dennis has made two great posts about Oracle rootkits on his blog. The first is about creating a backdoor into the Oracle binaries and logon process/function by replacing the C library function kziaia() so that if the user presented is....[Read More]

    Posted by Pete On 20/01/10 At 02:06 PM

  • Case Study: USAA Uses Social Media To Drive Sales, Product, And Service Strategies

    Posted on March 12th, 2010 Bill Nagel No comments
    Financial services firm USAA created its first formal social media strategy in October 2008. In 2009, it further refined and represented the strategy as four pillars of focus: listening, engaging, strengthening relationships, and innovation. As a tactic of listening and engaging, USAA engaged Bazaarvoice to offer ratings and reviews to its members on USAA.com. Nearly a year later, the results are astounding. Thousands of members have provided reviews, and USAA has used those reviews to drive product improvements, improve Web site conversion, and increase interactive marketing effectiveness.
  • Defining Social Intelligence

    Posted on March 12th, 2010 Bill Nagel No comments
    Listening platforms power marketers as they collect and track their brands, products, and customers through social media. But marketers struggle to fully make use of these insights from the masses of data available. Marketers must turn to Social Intelligence, the concept of turning social media data into actionable marketing and business strategy. To get the most from the social media data they collect, marketers must develop a broader strategy internally or with help from a listening platform service team, integrate social data with their existing customer data, and share the data across the organization to ensure that all teams benefit from the insights.
  • Plane crashes and security breaches

    Posted on March 11th, 2010 Team No comments

    by Christian Moldes

    In Outliers, Malcolm Gladwell analyses how plane crashes are the result of a combination of errors. I found this analysis very interesting because of the similarity with most security breaches. A brief excerpt of his book:

    “Plane crashes rarely happen in real life the same way they happen in the movies. Some engine part does not explode in a fiery bang. The rudder doesn’t suddenly snap under the force of takeoff. The captain doesn’t gasp, “Dear God,” as he’s thrown back against his seat. The typical commercial jetliner – at this point in its stage of development – is about as dependable as a toaster. Plane crashes are much more likely to be the result of an accumulation of minor difficulties and seemingly trivial malfunctions.

    The typical accident involves seven consecutive human errors. One of the pilots does something wrong that by itself is not a problem. Then one of them makes another error on top of that, which combined with the first error still does not amount to catastrophe. But then they make a third error on top of that, and then another and another and another and another, and it is the combination of all those errors that leads to disaster.”

    Security breaches happen exactly like that. They are the result of a combination of minor or seemingly insignificant errors. Let me illustrate this. A few years ago, a merchant suffered a breach, and its case is one of the best examples for this topic. Their e-commerce website was developed in-house but some of the components had been developed by a third party. The application had been thoroughly reviewed for security vulnerabilities and none had been identified as risky. However, one of the components was not reviewed, it was added a few days after the application review had been completed, and since it was not related in any way with payment transactions, it was deemed as non-critical.

    The merchant had a network IDS which was maintained and monitored by a MSS (managed security services) vendor. The device had signatures that were able to recognize SQL injection attempts and they were supposedly enabled. One of the vendor’s security analysts disabled rules monitoring attacks on port 80 and 443 for the e-commerce servers. This was probably because they generated many false-positive alerts, and was most likely intended as a temporary action. As a result, none of the attacks and unusual traffic on those ports was detected by the IDS.

    The e-commerce site was using a trusted relationship to connect to the database. Credit card numbers had been encrypted in the database a few months ago. During the process as a contingency plan, the DBA exported the tables containing sensitive data before encrypting some of the columns. The backup files had been left on the database server since then.

    Hackers found the security vulnerability in the e-commerce website; the third-party component was vulnerable to SQL injection. By exploiting the vulnerability, they were able to create local administrator accounts on the database server and run OS commands with local administrator privileges. Unfortunately, since the IDS was not monitoring traffic on ports 90 and 443, none of the SQL probes was detected by the IDS, nor was any other unusual traffic on those ports. Remote management tools were installed and password hashes were cracked off-line. The hackers reviewed every folder on the web server looking for scripts, source code, and data files. They found the backup files left behind by the DBA.

    The merchant was only aware of the intrusion several months after the fact, when they were notified by law enforcement agents that their data was on sale on one of the carders websites.

    This case clearly illustrates that even when proper security controls are in place, a breach could happen at any moment. Relying on single controls or single layers of security is never sufficient.

    The case also illustrates the need to assess security controls independently of any other surrounding security or other layers of security. QSAs and internal staff in charge of PCI DSS compliance should not consider risk-based discussions until all the security controls have been independently assessed.

  • Evaluating Corporate Social responsibility/Sustainable Development

    Posted on March 11th, 2010 IIA News Feed No comments
    Download (PDF; members only) Non-members can purchase from the bookstore.

    CSR presents significant risks and opportunities for many organizations. Stakeholders expect boards and management to accept responsibility and implement strategies and controls to manage their impact on society and the environment, to engage stakeholders in their endeavors, and to inform the public about their results. The proliferation of regulation and voluntary standards has made CSR management a complex endeavor. Internal auditors should understand the risks and controls related to CSR objectives. Where appropriate, the CAE should plan to audit, facilitate control self-assessments, verify results, and/or consult on the various subjects. Internal auditors should maintain the skills and knowledge necessary to understand and evaluate the governance, risks, and controls of CSR strategies.

    This guide will assist internal auditors in understanding the following:

      • The risks (operational, reputational, etc.) associated with CSR activities and how to use such knowledge in audit planning
      • The approaches to evaluating CSR activities, including auditing, facilitating, and consulting
      • Audit considerations such as use of the audit opinion, independence and objectivity, and types of resources
      • Considerations in developing the internal audit program, including whether CSR information is consistent with standards and how management communicates and sets priorities for CSR strategies

    The guide also explains detailed approaches to auditing in the following appendices:

      • Auditing by Element
      • Auditing by Stakeholder Group
      • Stakeholder Theory
      • Additional Resources (references to additional practice guides and IIA seminars)

    Want to learn more? Try this seminar.
  • MITRE Chairman Schlesinger Receives DoD’s Fubini Award

    Posted on March 11th, 2010 Latest MITRE News No comments
    The MITRE Corporation is pleased to announce that Dr. James R. Schlesinger, chairman of our Board of Trustees, was recently named the winner of the 2009 Eugene G. Fubini Award for outstanding contributions to the Department of Defense (DoD).
  • Notes Richard Bejtlich OWASP Podcast

    Posted on March 11th, 2010 Gunnar Peterson No comments

    Jim Manico has produced another great addition to his OWASP podcast canon; the latest discussion is with Richard Bejtlich. Jim is very good as an interviewer, which means the questions are all meat and potatoes on in-the-trenches issues.

    One of the main points that Richard makes that is lost on many security programs is how to take information security concerns and then communicate them to the business. How do you talk about security to people (i.e. business) that could care less about SQL injection. As James McGovern says, the business doesn't want a maturity model, they want working software.

    Richard talks about extending the communication through using threats, and that this is a way to put a face on the problem. I have no doubt that this works well. The BBC show "Spooks" (called MI-5 in the US) is a pretty detailed (for a TV show) look at counter terrorism in the UK; they get into a lot of hidden assumptions we have about the intersection of security and privacy. One of the criticisms of the show is that it looks like all the problems are solved in one hour by the same three people. And this is one issue I have with using threats as the primary means for communicating security concerns to the business. I have no doubt it's effective, and it's for sure an important part of telling the story, but I think some aspects are not addressed if there's an overfocus on threats. Threats must be assumed, but it's resilience and survivability that matter in the end, and that goes back to your company's mission.

    I came up originally looking at security as something that we solve through equal parts access control, defensive coding, and crypto. Those are still the basic workhorses of most software security regimes, but there is a missing piece. For me, Richard's work going back to Tao of Security Monitoring is the best distillation that made me realize that all of the above areas must be backstopped by a robust detection and response lifecycle, or what Richard calls "Building Visibility In".

    So in terms of building visibility in, every process that we design/code for should have a "monitor first" mandate. We saw the lack of this just recently with the Chip and PIN fiasco. There are real challenges to getting the right amount of visibility in the app. Where you put the detection determines what you see. On the presentation layer it looks like raw HTTP, at the middle tier it looks more transaction-like, and at the DAO layer you can observe the data operations. In the secure audit logging class I teach we go through each of these areas, and it's very interesting to see what you can see from these different angles, just like turning a Rubik's cube.

    Jim and Richard explore a couple of other areas - issues around incidents/compliance for funding (for which I propose the need for a flat tax). Jim asks about how attackers have advantage, and Richard responds with his black hat budget, in other words what can the bad guys do with a fraction of your assets.

    Jim asked Richard a question I sent in: "'The trustworthiness of a digital asset is limited by the owner's capability to detect incidents compromising the integrity of that asset.' Given that we don't have any high integrity database, identities or application servers - how do you detect a breach of integrity when there is no verifiable integrity in the system in the first place?"

    Richard's response is that trustworthiness is impossible inside an asset itself (agree) - for an asset to defend itself, look outside of the asset. The network is a cheap way to watch. That logic makes perfect sense to me, but it still makes sense to push for more and better data out of the apps. There is a lot of context there about transactions, data, identity and so on that can be harvested.

    I quite liked the final challenge that Richard threw down - enterprises need to focus on getting real data. How many of us have an accurate scoreboard based on real data?

  • Print Spooler Software Automates Printer Failover Allowing

    Posted on March 11th, 2010 Team No comments
    The Xerox printer was expensive to run due to the cost of the maintenance contract, supplies and the people required to run it. They wanted to reduce the cost associated with printing these types of transactional documents with a lower ...
  • Taking The Fog Out Of Cloud Computing: Infrastructure-As-A-Service

    Posted on March 11th, 2010 Bill Nagel No comments
    Some of the most compelling cloud computing stories are public infrastructure-as-a-service (IaaS) stories: stories of companies using many servers for a short time and charging that use to a credit card, saving tons of money. When the dynamics of a business scenario are a good match for IaaS's characteristics, the benefits can be substantial. IaaS is not right for every situation — a wide range of considerations affect IaaS costs and benefits — but you should add IaaS options to your computing infrastructure strategy. Viewing IaaS as one of a range of hosted infrastructure options and matching IaaS with your business scenarios will establish a strong foundation for navigating the vagaries and complexities of IaaS pricing, risks, technical requirements, security concerns, and variability among vendor offerings.
  • Case Study: Williams Presents The Carrot, Not The Stick, Of Privileged Identity Management (PIM)

    Posted on March 11th, 2010 Bill Nagel No comments
    Utilities provider The Williams Companies faced a serious challenge — it could not successfully pass Federal Energy Regulatory Commission (FERC)/North American Electric Reliability Corporation (NERC) and Sarbanes-Oxley (SOX) compliance audits because of the way it managed privileged users. Its manual PIM processes didn't scale. System administrators (SAs) spent a great deal of time locating, verifying, and changing administrative passwords manually for hundreds of systems. The company had to do something, so it decided to implement an automated privileged identity management (PIM) solution. The implementation was a success, in large part because Williams overcame organizational resistance by recruiting technologically savvy system administrators to provide feedback on policies and champion the rollout with peers. As a result, the PIM solution has not only reduced the risk associated with Williams' once manual PIM processes, but it has improved system administration and achieved regulatory compliance in understanding how it assigns and practices access to its sensitive systems.
  • Approaches for Discovering Security Vulnerabilities in Software Applications

    Posted on March 10th, 2010 Eric Maurice No comments

    Hello, this is Denis Pilipchuk again.

    Hearing about a critical security issue in a product is one of the most feared situations for a product manager. Vulnerabilities, in addition to compromising the security postures of customers using the affected products, impact the bottom line of software vendors as a result of the direct costs associated with the release of the patches, as well as indirect costs generated by customer lack of confidence.

    In a previous blog entry, Darius Wiles explained that a majority of security defects in Oracle software are detected and fixed without ever reaching customers. This is because Oracle's goal is to provide security defect-free products, and it has significantly invested in various security tools and programs to achieve that goal. Apart from the efforts of the Ethical Hackers from Oracle's Global Product Security (GPS) team, the development teams at Oracle have several additional resources available to them.

    Regular code reviews are the front line of defense when attempting to prevent vulnerabilities in released software. While regular code reviews may not catch every vulnerability, especially the most complex design issues, they do provide an effective safeguard against such pesky errors as improper checks for boundary conditions, failures to release resources and handle exceptions, as well as general adherence to the product's design specifications (including its security part). This activity may be carried out in different ways: by outside consultants or by the development teams themselves. Key success factors in the effectiveness of regular code reviews are the technical expertise of the reviewers and their understanding of the product type they review. In Oracle's experience, it generally works best when product teams are deeply involved with the reviews themselves, because they have the most direct knowledge of the code base and the new features being introduced. Of course, reviewers need to be knowledgeable in security coding, and their expertise must be maintained through ongoing security training. In addition, as much as possible, case-based training is desirable, so as to expose reviewers to the proper context of their job.

    The second line of defense involves the use of various code analyzers. Code analyzers should be used regularly during the entire development lifecycle. In fact, the use of these tools should be encouraged as soon as there is buildable code checked into the source repository. The tools should then be used regularly, for example with nightly builds, or separately and with less frequency for larger products. Typically, these tools trace inputs (sources) and outputs (sinks) to analyze control flow and permutation of "tainted" data through different code paths in the tested software, and check more general code quality issues (like exception handling and hardcoded passwords) along the way. It is least expensive to fix issues when vulnerabilities are discovered at this stage, because they only require making a bug entry against a developer and a code fix to be produced.

    Choosing the right tool for the job is extremely important. The tool needs to provide an appropriate coverage across the different languages (like Java, C/C++) and technologies (like Adobe Flash). We have found that tools are not necessarily equally efficient on all languages and platforms: a tool, which works great on C/C++, does not necessarily perform appropriately for Java, even if it claims to support it.

    Unfortunately, not all classes of security vulnerabilities (and definitely not all instances) can be found using static analysis tools. While these tools can usually discover certain classes of security vulnerabilities (such as Buffer Overflows, Cross-site scripting, and SQL Injection) pretty effectively, they are not helpful for other classes of issues, especially those related to weak design choices, such as key and credentials storage. Furthermore, all static code analyzers by design tend to be verbose and suffer from a significant number of false positives. "Training" static analysis tools to reduce false positives is usually possible, but this requires significant time and investment.

    Another issue with static analysis tools is related to "false negatives", i.e. instances where the tools report the code to be secure, when it isn't. Recent research, including the SATE project by NIST, reported that static analysis tools from all of the participating major vendors generated significant (up to 50%) level of false negatives. While the exact percentage of false negatives may be the subject of endless controversy, it is clear to me that, as a matter of good security development practice, static analysis tools should be supplemented by dynamic testing in order to reduce the number of vulnerabilities in complex software.

    Dynamic testing tools such as blackbox and graybox testing applications, and various types of fuzzers, comprise the third line of defense. These tools are executed against a running product instance (or a group of products), and as a result can only be utilized toward the end of the product release cycle, when QA testing begins. All of those tools are based on a similar principle: they mimic the behavior of a rogue client and use a variety of pre-built known attack patterns to hit the server's exposed network interfaces with one or more malicious exploits, checking return values (or their absence) to find out whether the attack was successful. Note that proper care should be exercised when using these tools because, among other things, they can actually trigger alerts with the IT security staff. This is because the use of dynamic testing tools, from an Intrusion Detection System perspective, can look like a real attack.

    Graybox tools have the added advantage of knowing the "internals" of the applications being tested: they can instrument the application during the build to add realtime monitoring of their behavior during a simulated attack. Blackbox and graybox testing for assessing web applications usually takes place over the HTTP/HTTPS protocol. There exists an overlap between the classes of security issues that can be checked by Web application dynamic assessment tools and those that can be discovered by static tools. However, dynamic tools usually report additional vulnerabilities, not generally caught by static analyzers, because in practice it is impossible to analyze all execution paths within the application for every possible permutation of input data. In addition, unlike static code analyzers, which often report on only theoretically exploitable issues, dynamic tools tend to result in more precise and practical reports. Although not 100% false positive-free, dynamic tools usually provide clearer information, showing request path and parameters that lead to the vulnerabilities.

    Fuzzers constitute a special subcategory of dynamic tools and are typically used for protocol-level verification. Fuzzers are designed to break a server by submitting permutations for a valid message to see whether one of them will cause an unexpected/undesirable behavior such as a denial of service. Typically, fuzzers operate at a lower, protocol level, than blackbox Web application testing tools, which work at the application level. Specialized fuzzers are available for pretty much any well-known protocol (such as HTTP, FTP, SOAP, etc.), as well as custom frameworks for developing new ones. Protocol-specific fuzzers generally possess a great deal of intelligence about the protocol they're designed to test, and its message structure, checksums, and features. This results in better, more intelligent testing of the targeted protocol, whereas lower-level fuzzers (for example - PCAP fuzzer) do not have that knowledge and often try to change data blindly (or depend on the tester to define the anomalies).

    For a number of years, Oracle has been investing a lot of time and money in deploying various tools to catch security problems before software is released to customers. Furthermore, most recently, we have observed that a growing number of customers' security teams have started running their own assessment tools, utilizing many of the same tools Oracle has been using. I feel that the growing adoption of these tools by customers will put additional pressure on those vendors who may not have yet adopted robust secure development practices. The proper use of a combination of tools, people, and processes demonstrates due diligence in establishing and running an efficient security assurance program and ultimately a commitment to the security posture of customers. The proper use of security tools is an integral part of this commitment.
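    The source-to-sink tracing and the false-positive/false-negative trade-off described in the static analysis paragraphs above, as an added worked example (editor's illustration, not Oracle's tooling or any commercial analyzer): a toy taint tracker over a constructed straight-line IR. The source, sink, sanitizer and helper names are all assumptions made up for the example.

```python
"""Toy source-to-sink taint analysis of a straight-line program.

Example added here to illustrate the source/sink/taint model; it is not
Oracle's tooling or any real analyzer. The IR is constructed:
each statement is (dst, kind, name, args); kind is "const" or "call".
"""
from dataclasses import dataclass

# Sources return attacker-controlled data; each sink is labelled with the
# class of issue that tainted data reaching it would represent.
SOURCES = {"request_param", "read_header"}
SINKS = {"db_execute": "SQL injection", "os_system": "command injection"}
# A sanitizer neutralises taint for exactly one sink, not for all of them.
SANITIZERS = {"escape_sql": "db_execute", "shell_quote": "os_system"}
# Library calls the analyzer models as passing taint from inputs to output.
PROPAGATING = {"concat", "strip", "upper"}


@dataclass(frozen=True)
class Finding:
    line: int
    sink: str
    issue: str
    variable: str


def _join(taint, args):
    """Union of the taint sets of the given argument variables."""
    return frozenset().union(*(taint.get(a, frozenset()) for a in args))


def analyze(program, unknown_calls="conservative"):
    """Return the sinks reached by tainted data.

    taint maps a variable to the set of sinks its value is still dangerous
    for. unknown_calls decides what an unmodelled helper does to taint:
    "conservative" passes it through (risking false positives),
    "optimistic" assumes the helper returns clean data (risking the false
    negatives the text warns about).
    """
    taint = {}
    findings = []
    for line, (dst, kind, name, args) in enumerate(program, 1):
        if kind == "const":
            result = frozenset()
        elif name in SOURCES:
            result = frozenset(SINKS)            # dangerous for every sink
        elif name in SINKS:
            for a in args:
                if name in taint.get(a, frozenset()):
                    findings.append(Finding(line, name, SINKS[name], a))
            result = frozenset()
        elif name in SANITIZERS:
            result = _join(taint, args) - {SANITIZERS[name]}
        elif name in PROPAGATING or unknown_calls == "conservative":
            result = _join(taint, args)
        else:                                    # optimistic: assume clean
            result = frozenset()
        if dst is not None:
            taint[dst] = result
    return findings


# Constructed sample programs (not code from any real application).
VULNERABLE = [
    ("prefix", "const", "SELECT * FROM orders WHERE id = ", []),
    ("uid", "call", "request_param", ["id"]),
    ("query", "call", "concat", ["prefix", "uid"]),
    (None, "call", "db_execute", ["query"]),
]
# Same flow, but escaped for SQL; the escaped value is still unsafe for a shell.
SANITIZED = [
    ("uid", "call", "request_param", ["id"]),
    ("safe", "call", "escape_sql", ["uid"]),
    (None, "call", "db_execute", ["safe"]),
    (None, "call", "os_system", ["safe"]),
]
# Taint passes through a helper the analyzer has no model for.
VIA_HELPER = [
    ("uid", "call", "request_param", ["id"]),
    ("clause", "call", "build_where", ["uid"]),
    (None, "call", "db_execute", ["clause"]),
]
```

    Running `analyze(VIA_HELPER, "optimistic")` reports nothing even though the data flows into the query, which is exactly the kind of false negative that makes supplementing static analysis with dynamic testing worthwhile.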

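    The contrast drawn in the fuzzing paragraph above between a protocol-aware fuzzer (which knows the message structure and checksums) and a lower-level fuzzer that changes bytes blindly, as an added example that is not from the original post: a constructed framed message format with a length field and checksum, a record parser with a deliberately planted missing bounds check, and one campaign of each fuzzer style against it.

```python
"""Blind vs protocol-aware fuzzing of a toy framed message format.

Example added here; the format, the parser and its bug are all constructed
for illustration and are not from any real product. Frame layout:
  magic "PF" | version (1 byte) | length (1 byte) | payload | checksum (1 byte)
checksum = sum of all preceding bytes mod 256.
"""
import random
from collections import Counter

MAGIC = b"PF"
VERSION = 1


def checksum(data: bytes) -> int:
    return sum(data) % 256


def encode(payload: bytes) -> bytes:
    """Wrap a payload in a valid frame (correct length and checksum)."""
    body = MAGIC + bytes([VERSION, len(payload)]) + payload
    return body + bytes([checksum(body)])


def record(name: bytes, fields: dict) -> bytes:
    """Payload: name_len, name, n_fields, then n_fields (key, value) byte pairs."""
    out = bytes([len(name)]) + name + bytes([len(fields)])
    return out + b"".join(bytes([k, v]) for k, v in fields.items())


def parse(msg: bytes) -> dict:
    """Framing checks first; only a well-framed message reaches the record parser."""
    if len(msg) < 5 or msg[:2] != MAGIC:
        raise ValueError("bad magic")
    if msg[2] != VERSION:
        raise ValueError("bad version")
    if len(msg) != 5 + msg[3]:
        raise ValueError("bad length")
    if checksum(msg[:-1]) != msg[-1]:
        raise ValueError("bad checksum")
    payload = msg[4:-1]
    # Constructed bug: offsets derived from name_len and n_fields are never
    # bounded by len(payload), so a hostile payload raises IndexError here.
    name_len = payload[0]
    off = 1 + name_len
    n_fields = payload[off]
    fields = {}
    for i in range(n_fields):
        fields[payload[off + 1 + 2 * i]] = payload[off + 2 + 2 * i]
    return {"name": payload[1:off], "fields": fields}


def mutate_blind(msg: bytes, rng: random.Random) -> bytes:
    """Byte-level fuzzer with no protocol knowledge: change one random byte."""
    i = rng.randrange(len(msg))
    new = (msg[i] + rng.randrange(1, 256)) % 256
    return msg[:i] + bytes([new]) + msg[i + 1:]


def mutate_aware(msg: bytes, rng: random.Random) -> bytes:
    """Protocol-aware fuzzer: perturb record fields, then re-frame with a
    valid length and checksum so the mutant passes the framing checks."""
    payload = bytearray(msg[4:-1])
    choice = rng.randrange(4)
    if choice == 0 and payload:
        payload[0] = rng.randrange(256)                     # name_len
    elif choice == 1 and len(payload) > 1 + payload[0]:
        payload[1 + payload[0]] = rng.randrange(256)        # n_fields
    elif choice == 2:
        del payload[rng.randrange(len(payload) + 1):]       # truncate
    else:
        payload += bytes(rng.randrange(256) for _ in range(rng.randrange(8)))
    return encode(bytes(payload[:255]))


def campaign(mutator, seed_msg: bytes, rounds: int, rng_seed: int = 7) -> Counter:
    """Run one fuzzer and classify what the parser does with each mutant."""
    rng = random.Random(rng_seed)
    outcomes = Counter()
    for _ in range(rounds):
        try:
            parse(mutator(seed_msg, rng))
            outcomes["accepted"] += 1
        except ValueError:
            outcomes["rejected_by_framing"] += 1
        except IndexError:
            outcomes["crashed_in_record_parser"] += 1
    return outcomes


SEED_MSG = encode(record(b"order", {1: 10, 2: 20}))  # constructed valid message

if __name__ == "__main__":
    print("blind:", dict(campaign(mutate_blind, SEED_MSG, 200)))
    print("aware:", dict(campaign(mutate_aware, SEED_MSG, 200)))
```

    Every single-byte blind mutation is rejected before the record parser runs, because any change to a non-checksum byte breaks the checksum and a change to the checksum byte mismatches the body; only the structure-aware mutator, which re-frames each mutant, reaches the planted bug.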

  • Conferences, webinars, trainings, new training dates…..

    Posted on March 10th, 2010 Pete Finnigan's Oracle security weblog No comments

    It has been a very busy last few months; lots of travelling, teaching and consulting. We have also spent time working with our new partners and also working to set up new country partners. PFCLScan has also taken some of....[Read More]

    Posted by Pete On 19/01/10 At 03:21 PM

  • Training in York, England and Washington DC and adverts

    Posted on March 10th, 2010 Pete Finnigan's Oracle security weblog No comments

    I have added the registration page for the upcoming Oracle security training - how to perform a security audit of an Oracle database to be held in York on February the 9th and 10th in England. The registration page gives....[Read More]

    Posted by Pete On 05/01/10 At 06:34 PM

  • Trends 2010: North American Insurance eBusiness And Channel Strategy

    Posted on March 10th, 2010 Bill Nagel No comments
    It's still too early to crank up Lionel Richie and party all night long, but 2010 is looking much better for North American insurance eBusiness and channel strategy leaders. Financial markets have stabilized, and some insurers are even whispering the "g" word — eyeing small growth and new hires. Budgets will remain flat while corporate finance scrutinizes proposed capital investments in search of strong business cases and high internal rates of return. For many eBusiness and channel strategy executives, the story is déjà vu all over again with a focus on perennial issues like retention and channel conflict. eBusiness and channel strategy leaders aren't worried about their jobs, but they are focused on doing more with less. We believe eBusiness and channel strategy managers will wear even more hats with increased responsibilities for marketing, sales, service, and emerging channels to remain competitive in 2010.
  • Olympic Opportunities In Emerging Markets

    Posted on March 10th, 2010 Bill Nagel No comments
    The 2008 Olympic Games were a major milestone not only for China but also for other emerging market countries hosting the Olympic Games. In just a decade, the Olympic venues will include three of the four Brazil, Russia, India, and China (BRIC) countries. And other emerging market countries will bid for future Olympics. Hosting the Olympic Games requires extensive infrastructure in support not only of the Games themselves but also of the influx of visitors. Cities in emerging markets see the Olympic Games as an opportunity to accelerate their existing development plans and as a "coming out" on the global stage. For technology vendor strategists, the Games — from the bidding process to the closing ceremony — provide an opportunity to accelerate business growth in a new region by serving as the coach throughout the planning, preparation, and production of the Games. The most successful technology vendors are those that think outside the stadium and provide innovative solutions that address not only the events themselves but also all that potentially touches the millions of visitors that arrive for the Games — from transportation and hospitality to retail and health.
  • News: Change in Focus

    Posted on March 10th, 2010 SecurityFocus News No comments
    Change in Focus
  • What Does the Criminal Conviction for Privacy Law Violations of Three Google Executives in Italy Mean for Multi-National Employers in the U.S.?

    Posted on March 9th, 2010 Privacy and Data Protection Practice Group No comments

    On February 24, 2010, a Milan court convicted Google’s Chief Legal Officer, Global Privacy Counsel, and a former member of Google Italy’s board of directors for violating Italian privacy law and imposed a six-month, suspended jail sentence. The case stemmed from a posting on Google Video® — a YouTube® predecessor — of a video depicting several teenagers bullying a classmate with Down’s Syndrome. Although the Google executives had no involvement in either the posting or in the decision whether and when to remove it, Italian law imposes criminal liability on senior executives for the actions of the corporation. Prosecutors alleged that Google should be held responsible not only for permitting the video to be posted in the first instance, but also for allegedly not having acted quickly enough to remove the video after receiving a complaint.

    The convictions have wide-ranging implications for e-commerce, but what are the implications for global businesses with employees in the European Union?

    First, the Google convictions serve as an important reminder that government authorities in the E.U. are serious about enforcing data protection laws. Thus, U.S.-based multi-nationals need to confirm that their local affiliates are complying with local data protection law. Of equal importance, international transfers of employee data to the U.S. — for example, for inclusion in a centralized human resources database — must satisfy local data protection requirements. Even after the employee data has been received in the U.S., E.U. data protection requirements (in addition to any imposed by U.S. law) will continue to apply.

    Second, the Google convictions highlight for U.S. employers a critical distinction between U.S. and E.U. privacy law. Under U.S. law, an employer’s legitimate business interests typically trump an employee’s countervailing privacy interests. U.S. employers, for example, have substantial leeway in conducting workplace video surveillance and searches of employees to prevent theft or deter workplace violence. In the E.U., privacy is a fundamental right that, as the Google convictions demonstrate, does not give way even to the freedom of expression so cherished and zealously protected in the U.S. According to the Italian prosecutor, protecting the dignity of the bullying victim took precedence over Google’s commercial interests, including its interest in being a platform for expression and communication over the Internet.

    Finally, “privacy” in the E.U. is conceptually far broader than the “right to be left alone” underpinning U.S. privacy law. In the E.U., “privacy” encompasses the notion of data protection. Consequently, any use of individually identifiable information about a natural person — even a business e-mail address and phone number — is presumed unlawful unless the possessor of that information (known in E.U. law as the “data controller”) has a lawful justification for using the information. This prophylactic approach contrasts starkly with U.S. law, which permits the use of personal information at the possessor’s discretion unless the law expressly prohibits or restricts the use. Moreover, such prohibitions and restrictions typically are confined to discrete categories of employee information, such as health information.

    In short, the Google convictions should serve as a blinking yellow light to every U.S. employer with operations in the E.U., warning employers to consider potential implications under E.U. data protection law before using individually identifiable information about any employee who resides in the E.U.

    This entry was written by Philip L. Gordon.

  • Microsoft online services – licensing tips

    Posted on March 9th, 2010 ScottR No comments

    Microsoft online services, which are growing in popularity, follow a subscription-based model and are very specific in their use. Licensing is much simpler to decipher, especially because there is no hardware associated with the service. Just like any other web-based service, you can buy one or multiple licenses, or a company-wide unlimited usage plan. Certain products, such as Forefront Protection for Exchange, can be purchased on either a per-device or a per-user subscription, depending on your Exchange licensing model.

    Online services are great for companies that need a Microsoft product but don’t want to commit to purchasing it outright, or that, for example, will only need to use the service for a limited time. The subscription-based model keeps licensing simple, and because the services can be accessed from anywhere, they suit companies on the go.

  • Jump-Starting Your Business Architecture Program

    Posted on March 9th, 2010 Bill Nagel No comments
    Interest in business architecture is growing rapidly within both IT and business. Unfortunately, many organizations are taking a hit-or-miss approach by diving in with little upfront planning to ensure they get their business architecture initiative off to a strong start that ensures a successful finish. Other teams are mired down in theoretical discussions about the meaning of business architecture and are struggling to even get a business architecture initiative off the ground. Enterprise architects who want to move quickly from concept to results can do so by holding an off-site workshop to establish goals, clarify strategies, design a business architecture operating model, and build a detailed plan for moving forward. An upfront two-day investment in time will pay big dividends in results as the plan unfolds.