Database and ERP Security and Best Practice Management
Up-to-date syndicated information on database & ERP privacy, security, audit and compliance
Fax to email service provider | coercs
Posted on July 30th, 2010 No comments
Once you have a maintenance contract, part of the service is “preventive maintenance”. It is specifically to reduce losses during the contract period. This means also needed in many cases, all spare parts for keep your copier ... Epicor Software Corporation (NASDAQ: EPIC), a leading provider of enterprise business software solutions for the midmarket and divisions of Global 1000 companies, announced today that Niro Ceramic Group, the award-winning porcelain tile producer, ...
Oracle Database Server Security Patching Webcast
Posted on July 30th, 2010 No comments
Hi, this is Eric Maurice.
On August 11th at 11:00AM Pacific / 2:00PM Eastern, the Independent Oracle User Group (IOUG) will host a webcast on Database Server security patching. Speakers include Bruce Lowenthal, Director for Security Alerts for Oracle, and Lois Price, Director for Product Lifecycle Services for Oracle.
The purpose of this technical webcast is to discuss the various aspects of the Critical Patch Update program (CPU) that are specific to Database Server. The speakers will outline the difference between the Patch Set Update (PSU) and traditional CPU patches. An overview of the CPU program will also be provided.
Register for the webcast here
For more information:
- Patch Set Updates for Oracle Products [ My Oracle Support Note 854428.1] is located at https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=854428.1 (My Oracle Support subscription is required)
- The Critical Patch Updates and Security Alerts page is located at http://www.oracle.com/technology/deploy/security/alerts.htm
Garmin Forerunner 305 or 405 is the best? | coercs
Posted on July 30th, 2010 No comments
... unlocked long before the official release of the phone. And even if it is possible to unlock the iPhone 3G, it would probably be someone with a reliable software months before allow the iPhone 3G to connect to a mobile operator. But a surprise ... Once you have a maintenance contract, part of the service is “preventive maintenance”. It is specifically to reduce losses during the contract period. This means also needed in many cases, all spare parts for keep your copier ...
Eclipse Hot Topic: Converting to Linux « Zerion's The Link
Posted on July 30th, 2010 No comments
The idea of converting from Windows-based IBM servers to UNIX platform servers running Linux software isn't new. Organizations have been talking about and making the switch to open-source (or free) software of all kinds for the last several ... The company was halfway through a 5-year, $45000 maintenance contract with IBM on a seven-year-old server that was beginning to fail. They were able to cancel that contract and spend less than the remaining cost to purchase a brand ...
This feed has moved!
Posted on July 29th, 2010 No comments
Please update your bookmarks and RSS readers.
What would be the best add on lens for a Canon PowerShot S3? | coercs
Posted on July 29th, 2010 No comments
... unlocked long before the official release of the phone. And even if it is possible to unlock the iPhone 3G, it would probably be someone with a reliable software months before allow the iPhone 3G to connect to a mobile operator. But a surprise ... Once you have a maintenance contract, part of the service is “preventive maintenance”. It is specifically to reduce losses during the contract period. This means also needed in many cases, all spare parts for keep your copier ...
The best way to unlock your iPhone 3G | coercs
Posted on July 29th, 2010 No comments
And even if it is possible to unlock the iPhone 3G, it would probably be someone with a reliable software months before allow the iPhone 3G to connect to a mobile operator. But a surprise to many people, a hardware solution instead of a software .... Once you have a maintenance contract, part of the service is “preventive maintenance”. It is specifically to reduce losses during the contract period. This means also needed in many cases, all spare parts for keep your copier ...
Leviton Manufacturing Upgrades to Oracle E-Business Suite Release 12.1
Posted on July 29th, 2010 No comments
Leviton Manufacturing is a global manufacturer of electrical wiring devices, data center connectivity solutions, and lighting energy management systems. Its portfolio consists of more than 25,000 devices and systems used in homes, businesses, and industry. Leviton upgraded to the latest version of Oracle E-Business Suite, Release 12.1, to support its service business with change management, purchasing, accounts payable, and an internal IT help desk. They consolidated seven Web sites that used to be hosted individually onto iStore. In addition, they run a site, using the Oracle E-Business Suite configurator, for pricing and quoting so that their sales agents can do configuration work. This site can now generate a complete sales proposal using Oracle functionality.
U.N. Appoints Former IIA Chairman as Director of Watchdog Group
Posted on July 29th, 2010 No comments
Former IIA Chairman (1994-1995) Carman Lapointe, CIA, CCSA, CFE has been appointed under-secretary-general for Internal Oversight Services (OIOS) at the United Nations. The United Nations issued a statement on behalf of Secretary-General Ban Ki-moon last week welcoming the General Assembly’s quick approval of his nominee to the challenging position. “Ms. Lapointe possesses the breadth and depth of experience and expertise required for this demanding position,” the statement reads. It goes on to point out that “transparency and accountability are essential to the work of the Organization, and OIOS is critical to advancing that effort. That is why the Secretary-General acted as quickly as possible to propose an experienced, high-profile and able successor to this important post.” Lapointe, a Canadian, will be expected to build up the OIOS team, filling vacancies and taking on responsibilities that have largely gone unmet in recent years. She brings much experience to the post, having formerly served as auditor general of the World Bank and most recently as the director of the Office of Audit and Oversight of the International Fund for Agricultural Development in Rome. Beyond her IIA chairmanship in 1994, Lapointe has been an active volunteer leader of The Institute. She currently serves as The IIA’s representative to the International Federation of Accountants’ Task Force revising auditing standard 610 on Using the Work of Internal Auditors. Most recently, she served on IIA committees to help develop a Capability Maturity Model for the public sector and The IIA’s value proposition to internal audit stakeholders. And as a leader of the IIA’s professional issues committee in the early 90s, Lapointe was a key contributor to The IIA’s role in helping develop COSO’s original Internal Control Integrated Framework. She also assisted in the development of the Certification in Control Self-Assessment.
Lapointe has served on The IIA’s global advocacy committee, board of regents, research foundation board of trustees, and global and North American nominating committees.
On the Ground at Burton Catalyst 2010
Posted on July 29th, 2010 No comments
This is not your father’s analyst conference. In fact, probably not your grandfather’s either. Strong focus on technology? Check. Without the other stuff. And it was no surprise that 90% of the attendees held technical positions.
Despite the madness of ComicCon happening simultaneously, Catalyst 2010 (not quite over yet) took a number of technology industry issues and dissected them down to a granular level.
Of note, I attended two 4-hour workshops. One on securing cloud environments and another focused on building security into the software development lifecycle (SDLC).
Ramon Krikken and Kirk Knoernschild put together a formidable model and plenty of backup around building out software that is developed and published with secure code.
Because so many organizations are NOT developing software that is free of vulnerabilities or exploitable code, they pointed out that technologies like Database Activity Monitoring (DAM) are rising in demand: once vulnerabilities are discovered or exploited, they can’t be remediated immediately, and it is very difficult to ‘get it right’ in the SDLC 100% of the time.
It’s no shocker that, in an anecdote, the analysts described a situation where one of them, in a former life as a developer, worked for a company that had a system set up with a single user ID/password connector to the dev/test database. The developers weren’t granted access to the production DBs, but found out how to access them because someone had written that ID/password to the log files. Officially ONE person owned the credentials to production, and despite the fact that the developers knew how to gain access by just going to the log files, no one raised the issue. What if there had been a rogue developer with an axe to grind?
It all speaks to the sensitive nature of the database itself and the critical information that resides in it. It also brings up the fact that there are often process issues associated with access controls to the database. What if that one person with the keys to the kingdom was hit by a bus? Does the business cease to exist as a result? Contingency planning, anyone?
All in all, a fascinating and informative presentation by both analysts, and you can probably find out more about their research by heading to Burton’s site. I’d recommend getting yourself to a Catalyst conference at some point, based on the technology knowledge you’ll walk away with.
Part II will address the cloud security workshop which was equally as informative.
Oracle E-Business Suite: Great for Small and Medium Size Organizations
Posted on July 29th, 2010 No comments
RedDOT is a 100% employee owned business with sales revenues in the 100 million dollar range. They use Oracle E-Business Suite to manage their Financials, Purchasing, Manufacturing, Sales and Suppliers. One of the interesting things about this company is that they run their entire I.T. operation with a staff of four, which not only includes Oracle, but the corporate desktop (Microsoft Enterprise User), Parametric Technology Pro Engineer Suite, web services and security, e-business web site and telephones. They not only support Seattle, but operations in Memphis, TN, Ipswich, UK, and Shanghai.
The best way to pimp your music on YouTube | coercs
Posted on July 29th, 2010 No comments
Once you have a maintenance contract, part of the service is “preventive maintenance”. It is specifically to reduce losses during the contract period. This means also needed in many cases, all spare parts for keep your copier ... First Can you tell me what are the different software available Welt.2 database. Advantages and disadvantages of each ihnen3. Where to get the software and Preis.4. How to save Datenbank5 Access. Can we access for multiple users, and if so, ...
Exadata and OLTP
Posted on July 29th, 2010 No comments
When Oracle teamed with HP to introduce the first version of Exadata, the new product was positioned more as a data warehouse appliance. In its second incarnation, Exadata (or rather, the Sun Oracle Database Machine – Exadata is really the storage component of the machine), Oracle has dramatically upped the ante – it’s now promoting it as a solution for OLTP (online transaction processing) as well.
For customers who are wondering if Exadata is for them, the way to decide is simple: if you have a large production database with tens of Terabytes of data, do consider Exadata – it probably will make a lot of sense, when you compare its cost with the improvement in performance, due to the Flash Cache feature and a brand new SQL processing strategy wherein most of the unnecessary data for a query is weeded out at the storage level. If you have an OLTP database, you may want to consider Exadata even if your database isn’t very large - Exadata supports extreme levels of transactions per second (TPS), even if you buy but a quarter rack, the smallest size in which Oracle sells Exadata.
Field reports have just started trickling in about production implementations and they indicate that the actual performance does match the promises. The much wider data I/O “pipes” made possible by Infiniband and the fact that you can continue to use all of Oracle’s industry leading database capabilities (partitioning, parallel processing etc) with Exadata mean only one thing: contenders such as Teradata and Netezza better watch out!
Choose the best service contract for photocopiers | coercs
Posted on July 29th, 2010 No comments
Once you have a maintenance contract, part of the service is “preventive maintenance”. It is specifically to reduce losses during the contract period. This means also needed in many cases, all spare parts for keep your copier installed ... So what about software updates of the system? One aspect is, again, before a service contract, the system provides upgrades for software you will be performed free thought. A photocopier is like a computer, over the term of your contract ...
Stealing AutoComplete form data in Internet Explorer 6 & 7
Posted on July 29th, 2010 No comments
At the time of this writing Internet Explorer 6 & 7 collectively command 29% market share (~500M users), making them STILL the world’s most widely used Web browser when combined together. Similar to the recent Safari AutoFill vulnerability, a malicious website may surreptitiously obtain an IE 6 & 7 user’s private information including their name (aliases), addresses, telephone numbers, credit card numbers, place of work, job title, search terms, secret questions & answers, etc. by simply abusing HTML form AutoComplete functionality. Furthermore, the attack may succeed even if the user has never been to the malicious website or provided it any personal information.
IE 6 & 7 have a feature (Tools > Internet Options > Content > AutoComplete Settings > Forms) that remembers user-submitted values entered into HTML form text fields across disparate websites. When AutoComplete for forms is enabled, users submitting their email address to website A (an input tag with a name attribute of “email”) have their data saved in the browser, so that when any other website asks for an email address using a text field of the same name (i.e. “email”), the remembered values appear in a convenient drop-down menu. When a user selects one of these previously submitted values, by either mouse-click or the enter key, it is AutoComplete’d into the text field. Put simply, the names, addresses, credit card numbers, and so on provided to website A are made available by the browser in the AutoComplete menus of websites B, C, D, etc. One key exception is if website A has marked its forms or input tags with autocomplete=“off”, but users cannot rely upon this measure.
  <form>
    <input type="text" name="name">
    <input type="text" name="company">
    <input type="text" name="city">
    <input type="text" name="state">
    <input type="text" name="country">
    <input type="text" name="email">
  </form>
Activating the AutoComplete UI (the drop-down) requires a user to type the first character of a remembered value (the behavior is search-like), double-click into the field, or press the down arrow while focus is within the field. It is the down arrow functionality that can be taken advantage of to perform an AutoComplete data theft.
Down-Down-Enter
All a malicious website must do is create a text field with a commonly used name attribute, again such as “email,” then dispatch a series of down arrow and enter keystroke events with JavaScript. By initiating Down-Down-Enter, the first AutoComplete value of that field becomes accessible to JavaScript, where it can be sent to a remote location. As shown in the live demo proof-of-concept code & video below, this process can be scaled out to steal the data from dozens of text field names in seconds, obviously representing a major breach of online privacy and security.
This issue could be further leveraged in multistage attacks including email spam, (spear) phishing, stalking, mass data collection, and even blackmail if a user is de-anonymized while visiting objectionable online material. Such attacks could also be easily and cheaply distributed on a mass scale using an advertising network, where likely no one would ever notice because it’s not exploit code designed to deliver a rootkit payload. There is no guarantee, and no effective way to determine, that this has not already taken place.
At this point it is very important to emphasize two key facts. 1) This issue affects only IE 6 & 7. While IE 8 & 9 also possess the AutoComplete forms feature, they are immune. 2) The AutoComplete forms feature is NOT enabled by default in IE 6 & 7, bringing the affected rate under 100%. To be affected, users would have had to manually turn on the feature in the preferences, or by clicking “Yes” when the browser asks if they’d like to do so after filling out a non-password form. Considering the second method of activation, it is reasonable to assume that a nontrivial number of people are affected. Users are often inclined to click “Yes” to a browser recommendation, especially one providing such convenience. Also, nothing suggests to the user that they should turn off AutoComplete at any point, or even that it is on, so presumably they’d forget about it.
File this hack under yet ANOTHER reason for people to abandon IE 6 & 7, which have been very hazardous to user security for quite some time. So while the obvious answer is to simply “upgrade” to IE8, Chrome, FF, etc. for a variety of reasons nearly 1/3rd of the Web hasn’t or can’t yet do so. Fortunately in this case all a user must do to protect themselves is disable AutoComplete in forms.
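The site-side counterpart to the user-side fix above, as an added example that is not part of the original post: the same contact form twice, once as the post shows it and once with the autocomplete=“off” exception the post mentions applied. Field names are the ones the post lists; the method/action attributes are constructed.

```html
<!-- Added example, not from the original post. Field names come from the
     post; method and action values are constructed placeholders. -->

<!-- Weak: no autocomplete attribute. With Forms AutoComplete turned on,
     IE 6/7 remembers whatever is typed here and offers it on any other
     site whose text fields carry the same name attribute. -->
<form method="post" action="/contact">
  <input type="text" name="name">
  <input type="text" name="company">
  <input type="text" name="email">
</form>

<!-- Hardened: autocomplete="off" on the form tells the browser not to
     store or offer values for any field inside it; repeating it on each
     input covers templates that render inputs outside the form tag.
     This only keeps THIS site's submissions out of the browser's store.
     It does nothing about values other sites have already stored, which
     is why the post says users cannot rely on it and should disable
     Forms AutoComplete themselves. -->
<form method="post" action="/contact" autocomplete="off">
  <input type="text" name="name" autocomplete="off">
  <input type="text" name="company" autocomplete="off">
  <input type="text" name="email" autocomplete="off">
</form>
```

A site that handles payment or identity data gains from the hardened form even on browsers that are not vulnerable here, since it stops the data being remembered on shared machines; the drawback is the loss of convenience on legitimate return visits, which is why it is usually applied to sensitive fields rather than every form.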
Proof-of-Concept Video & Live Demo:
  // hit down arrow an incrementing number of times.
  // separate with time to allow the GUI to keep pace
  for (var i = 1; i <= downs; i++) {
      time += 30;                 // time padding
      keyStroke(this, 40, time);  // down button
  }
  time += 15;                     // time padding
  keyStroke(this, 13, time);      // enter button

  // initiate keystroke on a given object
  function keyStroke(obj, code, t) {
      // create new event and fire
      var e = document.createEventObject();
      e.keyCode = code;
      setTimeout(function() { obj.fireEvent("onkeydown", e); }, t);
  } // end keyStroke
Interesting Disclosure Process
I had been researching browser auto-complete security and discovered the issue during the summer of 2009. After searching around and conferring with a couple of trusted colleagues, nothing suggested this particular issue had been previously disclosed. Feeling confident in my work, I disclosed the findings to the Microsoft Security Response Center (MSRC) on December 14, 2009. A human, imagine that eh Apple, responded the same day to say thanks and report they were actively investigating.
Over the next few days and weeks Nate and Jack from the MSRC were able to confirm the bug, verified the exposure, and kept me nicely apprised of the expected patch dates. The patches were delayed once or twice, but they kept an active dialog open. They politely asked if I could refrain from publicly publishing the materials until a patch was made available. Sure, no problem, this vulnerability had been out there for about a decade anyway, a couple of months was no big deal. Plus, it was scheduled to be fixed long before BlackHat USA 2010 so I could safely include it in my presentation.
This is when something really interesting happened.
Remember when I said nothing turned up in search engine results and no one else seemed to recall a similar discovery? Well, in April, three or so months into the disclosure process, the MSRC privately shared a link discussing something very similar. In fact, it was damn near identical! Andrea Giammarchi, member of the Ajaxian staff, had actually found and published this issue on their blog back in September of 2008! That’s roughly 9 months before I found it independently and nearly 1.5 years before disclosure to the MSRC. Completely unbelievable. Yet another example of how often discoveries relating to security are made, missed, and rediscovered by others. Great find Andrea! Wish we all saw it sooner.
The Coming Upheaval In Tech Services
Posted on July 29th, 2010 No comments
The tech services market is about to undergo a massive transformation that will call traditional provider business models into question. Four factors will combine to dramatically change the dynamics, economics, and competitive landscape of IT services over the next three to four years: 1) the "restructuring economy"; 2) innovation moving to the edge of the enterprise; 3) the redefining of buying and governance dynamics in accounts; and 4) "as-a-service" becoming the norm. This is the first in a series of reports that detail the success imperatives for tech services vendor strategists. The five initial success imperatives include: a ruthless continuing focus on process excellence and efficiencies; portfolio management with a product marketing and proactive solution packaging mindset; a sales strategy that builds and rewards a new type of client relationship; a culture and processes that drive success across client and partner ecosystems; and a management vision and thought leadership underpinned by strong governance.
Creating An Enterprise Database Security Plan
Posted on July 29th, 2010 No comments
Hackers continue to break into critical databases across the globe, largely because of gaps in database security implementations and lack of cohesive controls. Although enterprises can pass high-level compliance audits by enabling a few database- and application-level security controls, that's not good enough when it comes to preventing growing attacks or even passing audits that span more than a few applications. A key component missing from many organizations, one that can uncover security holes, flush out vulnerabilities, and improve overall data security, is database security planning. While organizations often have an information security plan in place, most don't have a database security plan, which is critical in protecting the crown jewels. Database security plans focus on the granular level of controls and approaches essential in nailing down critical data across the enterprise. Application delivery and security professionals should consider building a database security plan, starting out with a few security policies and then moving on to build comprehensive controls across the enterprise.
Hot Insurance Tech Companies To Watch In 2010: Q2 Update
Posted on July 29th, 2010 No comments
Effective vertical strategies are becoming more critical for tech vendors as they try to address the core business problems, not just the pure technical problems, of their customers. This is especially evident in the insurance industry, which emerged on the other side of the financial crisis in relatively good shape, relative to its banking peers, but the crisis proved to be a catalyzing event for many insurers. Carriers and their distribution networks are confronting not just consumer economic pressures that show little sign of relenting but regulatory forces, emerging technology, and megatrends like changing demographics and new communication channels. This report describes 10 tech vendors that are addressing challenges in key insurance industry processes like business agility, claims management, and market expansion. Strategists looking to expand or enter into the insurance market can learn from the innovations of these vendors.
Midyear Planning: Predictions For 2011
Posted on July 29th, 2010 No comments
Interactive marketers are working hard to keep up with the evolving landscape of channels, tools, and technologies at their disposal for 2011 budget planning. Seventy percent of marketers expect budgets to stay the same or improve, which means that there is room for innovation and experimentation in the coming year. The most important theme for 2011 is "multichannel planning." In order to spend budgets wisely, marketers must find synergies between channels, from using search behavior to target display ads to making social engagement more mobile friendly, and press partners for proof of unduplicated value within them.
Upcoming Webinar: Oracle Critical Patch Update July 2010 Database Impact
Posted on July 28th, 2010 No comments
Oracle July 2010 CPU - Oracle Database Impact
Thursday, July 29, 2:00pm - 3:00pm EDT
Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a number of security vulnerabilities in the Oracle Database. This quarterly eLearning session will focus on the July 2010 CPU and the impact on the Oracle Database. The topics will include:
- A review of the security vulnerabilities fixed in this CPU,
- An analysis of the required CPU patches,
- A discussion of patching including CPUs vs. PSUs.
Example vulnerabilities will be demonstrated in order to show how easy it is to exploit many of the fixed security bugs.
Click here to register for this webinar.
7 Links Challenge – My Turn
Posted on July 28th, 2010 No comments
I read about an interesting challenge on ProBlogger, Take the 7 Link Challenge Today #7links. It's really interesting in that it digs up some of my favorite posts as well as me picking a favorite from an external blog. The rules are simple. I pick 7 blog entries and link to them, but I have to follow certain guidelines.
Best Practices: Starting Or Restarting An EA Effort
Posted on July 28th, 2010 No comments
Enterprise architecture (EA) continues to gain recognition as a key practice for maximizing the impact of business' use of technology. An effective EA practice can eliminate business-IT alignment problems and help lead an enterprise to advanced levels of collaboration and innovation. And yet many EA programs crash and burn due to the perception that they lack value. Why? Incorrect EA scope, inappropriate EA priorities, lack of visibility of EA deliverables, and lack of organizational maturity are among the most common problems, to name a few. EA value is very real, but leaders of new EA programs must begin their programs with a carefully planned agenda, and leaders of ongoing programs must regularly reassess their environments to ensure traction and success.
The Forrester Information Security Maturity Model
Posted on July 28th, 2010 No comments
After an in-depth survey of IT security and risk professionals, as well as our ongoing work with leaders in this field, Forrester recognized the need for a detailed, practical way to measure the maturity of security organizations. You asked, and we responded. I'm happy to announce today we published the Forrester Information Security Maturity Model, detailing 123 components that comprise a successful security organization, grouped in 25 functions and 4 high level domains. In addition to the People, Process, and Technology functions you may be familiar with, we added Oversight, a domain that addresses the strategy and decision making needed to coordinate functions in the other three domains.
Our Maturity Model report explains the research and methodology behind this new framework, which is designed to help security and risk professionals articulate the breadth of security's role in the organization, identify and fix gaps in their programs, and demonstrate improvement over time.
What makes the Forrester Information Security Maturity Model work?
The second IOUG / Oracle Security Assurance Survey
Posted on July 27th, 2010 No comments
I wrote about the first IOUG joint security survey with Oracle two years ago here in my blog in a post titled "An Oracle Security Survey by The IOUG and Oracle" and I encouraged participation in the survey....[Read More]
Posted by Pete On 27/07/10 At 08:53 PM
59 Security bugs fixed, 28 remotely exploitable, 13 in the database
Posted on July 27th, 2010 No comments
Oracle yesterday released the latest in its series of quarterly security patches known as CPUs (Critical Patch Updates). Oracle released an advisory detailing the fixes. The patch set contains 59 new security fixes. For me the interesting part is the....[Read More]
Posted by Pete On 14/07/10 At 02:20 PM
Pete Finnigan will be teaching Oracle Security in Tallinn, Estonia and speaking at UKOUG Unix SIG at TVP
Posted on July 27th, 2010 No comments
I have just added another public training date to my upcoming Oracle security trainings calendar. This is for November 4th and 5th in Tallinn, Estonia, which I am really looking forward to. I have also just agreed to do two....[Read More]
Posted by Pete On 07/07/10 At 01:31 PM
Do Oracle 11g features weaken security?
Posted on July 27th, 2010 No comments
I did a session at the Logica Guru4Pro event a few weeks ago and posted the slides to my site on my Oracle security white papers page. I also talked about this in my blog in a post titled....[Read More]
Posted by Pete On 01/07/10 At 12:01 PM
V3rity has released a redo log mining tool to extract DDL from redo logs
Posted on July 27th, 2010 No comments
V3rity is the new company founded by David Litchfield in March 2010 since he left NGS, and until recently his site had little on it. I suspected that his new company would focus on database forensics and I am glad....[Read More]
Posted by Pete On 29/06/10 At 01:18 PM
Leaking information about your database to help a hacker!
Posted on July 27th, 2010 No comments
How many of you reading this are DBAs? How many have issues to solve and turn to the web to find answers or ask and write questions? Quite a few, I suspect. When you post to the web....[Read More]
Posted by Pete On 24/06/10 At 11:19 AM
New Public Oracle Security Training Class Dates announced
Posted on July 27th, 2010 No comments
I have just agreed four new public Oracle Security classes to be taught this year. All of the new classes are our very popular two day class "How to perform a security audit of an Oracle database". These....[Read More]
Posted by Pete On 17/06/10 At 03:57 PM