Using Log Miner for database forensics
Posted on September 27th, 2007
I posted the other day links to my upcoming presentations, one of which, at the main UKOUG, is about Oracle Forensics. Alex Gorbachev was good enough to email me a link to an article on his blog titled "Forensic...
Posted by Pete On 14/09/07 At 10:01 PM
Hacker Gained Access To Data On Millions Of TD Ameritrade Customers
Posted on September 14th, 2007
The online brokerage is blaming the database breach on "unauthorized code" that was found in the network. E-mail addresses, names and phone numbers were stolen.
6 Oracle security presentations added to Oracle security white papers page
Posted on September 13th, 2007
I have added short descriptions and links to 6 Oracle security presentations that I wrote and presented at various conferences this year and last year whilst I was employed at Siemens and before I recently started my own company. I...
Posted by Pete On 13/09/07 At 10:41 AM
Hacking hardened and patched Oracle databases
Posted on September 13th, 2007
Alex has posted the slides from his Hack In The Box presentation titled "Hacking Hardened and Patched Oracle Databases" and he has also posted an extension to one of the ideas to create tables with, shall we say...
Posted by Pete On 13/09/07 At 08:56 AM
Security analysis of the JInitiator buffer overflows
Posted on September 12th, 2007
Steve Kost has a good paper on his site titled "Security Analysis - Oracle JInitiator 1.1.8 Buffer Overflow Vulnerability Analysis" that talks about the recent JInitiator bugs found and reported by Will Dormann at US-CERT. Steve's paper gives...
Posted by Pete On 12/09/07 At 05:41 PM
Make Oracle PCI compliant
Posted on September 11th, 2007
Damon sent me a good link to an 11g Oracle security paper on Oracle's web site that is worth mentioning here. The paper is titled "Oracle Database Security and the Payment Card Industry Data Security Standard" and is...
Posted by Pete On 11/09/07 At 01:42 PM
Oracle security presentations
Posted on September 9th, 2007
I am speaking a number of times in the coming months on the subject of Oracle security. These are: UKOUG Windows SIG - Blythe Valley Park - September 25th. My presentation is called "Securing Oracle on Windows" - The description...
Posted by Pete On 09/09/07 At 09:06 PM
Code Breaking
Posted on September 4th, 2007
I saw Mary Ann's post to her blog today titled "Summer reading" and I was in tune with Mary Ann's comments on books and reading. I am also someone who likes books, I have over 1000 in my...
Posted by Pete On 04/09/07 At 08:12 PM
Oracle 11g Security – part 3 {peek and poke}
Posted on August 31st, 2007
It's been a few days; I had planned to write more often now that I am my own boss again, but I have been too busy working and dealing with running a business. Anyway, to 11g security; I wanted to...
Posted by Pete On 31/08/07 At 10:29 PM
Oracle 11g Security – part 2 {The beginning}
Posted on August 27th, 2007
OK, I left the last post on 11g 4 days ago with a promise for "more tomorrow..." - well, as they say, tomorrow never comes. It's been busy the last few days, becoming the boss of my own company...
Posted by Pete On 26/08/07 At 10:52 PM
11g and Oracle Security
Posted on August 27th, 2007
I have started to research the new Oracle 11gR1, specifically in the area of Oracle security. For me this doesn't just mean looking at the documentation and pulling out the new Oracle security related features. Of course I will look...
Posted by Pete On 22/08/07 At 11:09 PM
Oracle security services, products and training
Posted on August 27th, 2007
Red-Database-Security GmbH in Germany and PeteFinnigan.com Limited in the UK are pleased to announce a joint partnership to promote and sell services, training and products in the area of Oracle security to give customers the best choices in securing...
Posted by Pete On 22/08/07 At 12:55 PM
Oracle Forensics Paper part 6
Posted on August 27th, 2007
David dropped me an email to let me know that part 6 of his series of papers discussing Oracle forensics is out. Part 6 is titled "Examining Undo Segments, Flashback and the Recycle Bin" and is worth having...
Posted by Pete On 21/08/07 At 10:20 PM
Pete Finnigan is now an independent and available for Oracle security work
Posted on August 27th, 2007
This is an overtly commercial post, which I don't normally do here, so please forgive the intrusion at this exciting time for me and my family. Last Friday was my last day in salaried employment and from tomorrow I will...
Posted by Pete On 19/08/07 At 04:36 PM
Oracle Forensics presentation and a new paper
Posted on August 27th, 2007
David has released part 5 of his Oracle forensics paper series. This part is titled "Finding Evidence of Data Theft in the Absence of Auditing". The paper concentrates on finding evidence of SQL being executed by examining the...
Posted by Pete On 14/08/07 At 09:25 PM
11g is here
Posted on August 27th, 2007
I just got back from holidays to the nice news that 11g is available for download now. This is only for Linux, but hopefully other platforms will follow soon. I am currently downloading although I don't have a spare...
Posted by Pete On 10/08/07 At 10:38 PM
Are security tools a virus or a trojan or even a danger?
Posted on August 27th, 2007
I got an email from someone a couple of weeks or so ago about the fact that he had downloaded Patrik Karlsson's excellent OAT (Oracle Auditing Tools) software and that it had been flagged as a virus by the security...
Posted by Pete On 06/08/07 At 10:30 PM
Advice On Building A Better Password
Posted on August 24th, 2007
We're always hearing that we need stronger passwords, but many people don't know how to craft a better, stronger password, or they simply don't take the time to come up with some crazy complex string that they have no chance of remembering. I was just talking with someone who gave me some great advice.
Critical Patch Update – July 2007
Posted on July 17th, 2007
Securing the database against insider threats
Posted on June 26th, 2007
In the increasingly global workforce of modern business, securing the database against insider threats is more complicated than anything else. There are several tools available in the market to track the activities of insiders and help audit suspicious activities:
1) DBProtect from Application Security, Inc. is a great tool which works on multiple platforms and is backed by an extensive knowledge base of security vulnerabilities.
2) Oracle Database Vault is a great solution for companies running Oracle database systems.
3) Microsoft SQL Server connection auditing is managed via built-in auditing features.
Secure Data From Insider Threats
Posted on June 19th, 2007
There's an upcoming Web seminar featuring Forrester Principal Analyst Noel Yuhanna and database security experts Application Security, Inc. on Securing Your Data from Insider Threat, on June 26, 2007 at 2 p.m. EST / 11 a.m. PST.

Forrester Research* estimates that 70% of all database breaches are internal. Organizations must be aware of and compensate for the risk associated with employees, contractors and other privileged external employees. Whether malicious or not, data breaches have grave consequences – ranging from disruption in operations and embarrassing information breaches to loss of consumer confidence. Implemented properly, real-time activity monitoring, ongoing database auditing, and state-of-the-art vulnerability assessment combine to reduce the risk and mitigate the impact that internal and external threats pose to your network.

Register for this free 45-minute Web seminar. This presentation focuses on gaining practical insight on how to secure databases and reduce the risk from insider threats. The following topics are also covered:
- Recognize the most common insider threat attack scenarios and how to prevent them
- Utilize robust database access controls and policies to deter or prevent unauthorized data access
- Implement best practices for database auditing, including:
  - Access and authentication auditing
  - User and activity monitoring to identify suspicious behavior
  - Change auditing
- Create tamper-evident monitoring systems and audit trails
Database security
Posted on June 12th, 2007
The following is a very interesting article on database security by Larry Ponemon, who is a well-known writer in the database security world:
http://www.darkreading.com/document.asp?doc_id=125692
By Larry Ponemon
Special to Dark Reading
June 5, 2007

Databases are among the most widely deployed, complex, and fastest growing technologies in corporate infrastructures. Stocked with vast amounts of business-critical, sensitive records, they're now the focal point in highly-damaging data breaches. It's a safe bet that perpetrators will target databases even more in the days ahead.

Yet, as businesses rush to provide real-time information flow inside and outside their organizations, database security remains one of the least understood and most under-funded aspects of corporate security — and IT is yelling for help.

These are some of the key findings in a new study [1] we released yesterday in conjunction with Application Security (AppSecInc). We queried 649 highly experienced IT professionals, more than 70 percent of whom are responsible for managing all or part of their organization's IT budget — a solid barometer for corporate priorities.

Of the 2007 total corporate IT budget, respondents said they have allocated 34 percent for database infrastructure and 20.6 percent for IT security overall. More than 53 percent believe their databases are critical to their businesses.

But only 15 percent said that extending security best practices to the database is a "critical priority" for 2007. Higher priorities included upgrading applications (25 percent), improving the efficiency of IT (20 percent), and consolidating IT infrastructure (19 percent). Upgrading security overall (13 percent) finished slightly lower, as did supporting Sarbanes-Oxley (10 percent) and upgrading disaster recovery capabilities (9 percent).

Interestingly, 92 percent of respondents are seeking a better tool to help them identify and analyze risk factors that exist within their systems or IT infrastructure. This makes sense, particularly as a majority of respondents plan no, or only slight, increases in IT staff in 2007.

According to our study results, IT security practitioners are fairly confident they can stop hackers from compromising their systems (68 percent), but they are far less certain that they can prevent malicious insiders (43 percent) and negligence (45 percent). Respondents in larger organizations are more confident than those in smaller-sized companies when it comes to their ability to control these threats.

What's in corporate databases? Lots of valuable data. Some 55 percent of respondents said their databases contain customer data, 54 percent said databases contain employee data, and 50 percent contain confidential business data. Intellectual property — the most highly-guarded data in our survey — resides in 38 percent of respondents' databases.

Respondents' database environments are of substantial scale and complexity — a majority of respondents manage more than 500 databases. Twenty-nine percent have many different database types and technologies. Another 38 percent said their IT environment consists of a few different types of databases. Only 24 percent of respondents stated that their organization utilizes one primary database technology. One of the biggest challenges, then, is coordinating database security across the enterprise.

SQL, Oracle, and DB2 are the most frequently used database solutions for respondent companies. In addition, our results show that both Oracle and DB2 are the most likely to be used for critical or high-priority data. MySQL and Sybase were the least likely to be used for critical data.

What are the features most important to respondents when purchasing a database security software application or tool? Robust access controls, ease of integration, and the ability to identify unauthorized access are viewed as the three most important features. Real time alerts and preformatted policies for Sarbanes Oxley or PCI compliance ranked low on the list.

Clearly, database security is becoming an important part of the security picture, but most organizations still have a lot of work to do. If you have questions about the research, please contact us.

- Larry Ponemon is founder and CEO of Ponemon Institute LLC. – Special to Dark Reading.

[1] http://www.appsecinc.com/news/pr/2007_6_04_Ponemon-Study.shtml
Critical Patch Update – April 2007
Posted on April 18th, 2007
Critical Patch Update – January 2007
Posted on January 16th, 2007
January 2007 Critical Patch Update Released
Posted on January 16th, 2007
Hello, this is Eric Maurice, Manager for Security in Oracle's Global Technology Business Unit.
Today, Oracle released its ninth Critical Patch Update (CPUJan2007). The January Critical Patch Update (CPU) addresses a total of 51 vulnerabilities affecting Oracle Database Server, Oracle Applications Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager, and Oracle PeopleSoft Enterprise Applications.
Our Critical Patch Update Pre-Release Announcement stated that 52 fixes would be issued in today's CPU. However, an issue was detected with one of the database fixes for a number of database versions. Per our policy, which is intended to ensure that all customers have an equal security posture, we removed the fix from the January CPU. We are working to resolve this issue to release the fix on all supported database versions with the next CPU in April (CPUApr2007).
This is the second time that Oracle published the Common Vulnerability Scoring System (CVSS) scores of the vulnerabilities fixed in the CPU. Our use of CVSS has generated a lot of support from customers and genuine interest from the industry. A positive industry development was Cisco's recent commitment to publish the CVSS scores of its vulnerabilities in its advisories. We also received a number of questions concerning how the base metrics scores were computed by Oracle's security team. Darius Wiles, in a previous blog entry, discussed Oracle's implementation of CVSS, including the use of the Partial+ rating to provide additional information.
It may also surprise a few of you (and avid CPU documentation readers) that seven of the security flaws addressed in this CPU have a CVSS "Base Metric" score of zero. This is because this type of vulnerability represents problems that we believe are not exploitable in a default database environment (as provided by Oracle "out of the box"). Code that runs affected programs as a privileged user (e.g. custom code developed by customers, which passes input from an untrusted source) may be exploitable. In particular, it may allow malicious code to be run with administrative privileges. The CVSS guide available online is an excellent source of information to understand how CVSS scores are computed. The section on blended threats in Oracle's guide on the implementation of CVSS is also relevant to vulnerabilities with a CVSS "Base Metric" score of zero.
Our next CPU will be released on April 17, 2007. As usual, we highly recommend that customers apply all patches promptly. The Critical Patch Updates and Security Alerts page on Oracle Technology Network provides detailed information about this CPU as well as previous CPUs and Security Alerts. The Resource Library on the Oracle Software Security Assurance web site also provides a number of links to useful security resources, including security guides, how to guides and recorded technical presentations.
January 2007 Critical Patch Update Pre-Release Announcement
Posted on January 11th, 2007
Hello, this is Duncan Harris again. Starting with the October 2006 CPU, Oracle enhanced its Critical Patch Update (CPU) documentation to include executive summaries and CVSS ratings to help customers quickly assess the criticality of the security flaws addressed in the CPU. Starting today, for the January 2007 CPU, Oracle will also publish a summary of the CPU documentation prior to the CPU release date, called a CPU Pre-Release Announcement, in order to further help customers plan for their forthcoming patching effort.
Each CPU Pre-Release Announcement will provide the following information:
- Name and version numbers of the Oracle products affected by new vulnerabilities that are fixed in the CPU
- Specific product components affected
- How many vulnerabilities we are fixing in total and in each suite
- The CVSS base score of the most severe vulnerability in total and in each suite
- And, potentially, any other information that may be relevant to help organizations plan for the application of the CPU in their environment
While Oracle will try to make CPU Pre-Release Announcements as accurate as possible at the time of their publication, the information they contain may change before the actual publication of the CPU.
The January 2007 Critical Patch Update will be released on Tuesday, January 16th at 1:00 PM Pacific Time (9:00 PM GMT). The Critical Patch Update Pre-Release Announcement can be found online on the Critical Patch Update and Security Alerts page on Oracle Technology Network.
It is our hope that these Pre-Release Announcements will become valuable tools to help security professionals analyze the criticality of the forthcoming CPUs and brief their management to obtain any necessary approvals for a timely application of the CPUs.
Oracle’s Approach to Configuration Hardening
Posted on December 8th, 2006
Hello, my name is Chad Hughes. I am a Principal Program Manager in Oracle's Global Product Security Group. One of my responsibilities is to help our product teams define secure configuration baselines for our products. In other words, I am helping our development organizations define what our default configurations should look like in order to be more secure out-of-the-box.
Our objectives with providing basic hardened configurations are to:
- Enable non-security experts to deploy our products in a more secure configuration without the immediate need for advanced security experience and knowledge.
- Reduce the number of possible attack vectors by limiting the exposed surface area, thereby reducing the risk of successful attacks (for example by limiting the number of unneeded ports left open or activated default accounts).
- Minimize unused functionality being left enabled by default, as unused functionality may facilitate future vulnerabilities and provide additional exposure surface area. This is also important in older products that are no longer supported and which have not been recently patched.
Customers typically prefer an "opt in" approach, which starts with a secure configuration by default, and adds or modifies functionality as required by each customer, over the potentially more error-prone process of stepping through configuration-hardening checklists which remove or change default functionality to make it secure. For some organizations, stepping through long hardening checklists requires bringing in external consultants and lengthening normal deployment cycles.
One of the most important tenets of default secure configuration is that applications should run with the least privileges required and always apply appropriate protection for sensitive resources. The principle of least privilege requires that users, groups of users, and entire applications be given no more privilege than necessary to perform a job. This also means that what is not explicitly permitted should be denied. Ensuring least privilege requires identifying what job a user, group, or application is trying to do, determining the minimum set of privileges required to perform that job, and restricting the user, group, or application to a domain with those privileges and nothing more. Least privilege efforts also include eliminating unused default user accounts, expiring default passwords or prompting for password changes on install, and reducing unnecessary default execute grants to public.
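As an added illustration (not part of Chad Hughes's post), the three catalog queries below let a DBA measure an Oracle database against the least-privilege points just listed: open accounts still on a default password, accounts whose password never expires, and EXECUTE grants to PUBLIC. They assume Oracle 11g, where the DBA_USERS_WITH_DEFPWD view is available, and a session with SELECT on the DBA_ views; the package name in the REVOKE comment is a placeholder.

```sql
-- Added example, not Oracle's own hardening script. Read-only catalog checks
-- against documented data-dictionary views (assumes 11g for DBA_USERS_WITH_DEFPWD).

-- 1. Default accounts that are still open and still on the documented default
--    password. Lock or drop the ones no application needs; expire the rest so the
--    password must be changed at next login.
SELECT u.username, u.account_status, u.expiry_date, u.profile
FROM   dba_users u
WHERE  u.account_status NOT LIKE '%LOCKED%'
AND    u.username IN (SELECT d.username FROM dba_users_with_defpwd d)
ORDER  BY u.username;

-- 2. Open accounts governed by a profile whose PASSWORD_LIFE_TIME is UNLIMITED,
--    i.e. passwords that will never be forced to rotate. A non-DEFAULT profile
--    may carry the value 'DEFAULT' (inherit), so resolve that case as well.
SELECT u.username, u.profile,
       CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END AS effective_limit
FROM   dba_users    u
JOIN   dba_profiles p ON p.profile = u.profile
                     AND p.resource_name = 'PASSWORD_LIFE_TIME'
JOIN   dba_profiles d ON d.profile = 'DEFAULT'
                     AND d.resource_name = 'PASSWORD_LIFE_TIME'
WHERE  u.account_status = 'OPEN'
AND    CASE WHEN p.limit = 'DEFAULT' THEN d.limit ELSE p.limit END = 'UNLIMITED'
ORDER  BY u.username;

-- 3. SYS-owned packages on which EXECUTE has been granted to PUBLIC. Every row is
--    a default grant reachable by every account; review each one and, for those no
--    application depends on, test the revocation in Development/QA first, then:
--    REVOKE EXECUTE ON sys.<package_name> FROM PUBLIC;   -- <package_name> is a placeholder
SELECT t.owner, t.table_name, t.privilege, t.grantable
FROM   dba_tab_privs t
WHERE  t.grantee   = 'PUBLIC'
AND    t.privilege = 'EXECUTE'
AND    t.owner     = 'SYS'
ORDER  BY t.table_name;
```

Run all three before and after applying a hardening checklist; the difference between the two result sets is the concrete record of what the checklist changed, which is what needs to be regression-tested against the applications the post warns may assume the defaults.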
I am often asked why Oracle's recommendations for secure configuration are different from those of the Center for Internet Security (CIS) and other third parties who create Oracle database configuration-hardening (lock-down) guides.
CIS calls their guide a "benchmark," which is essentially a checklist of user-configurable changes that can be made to the Oracle database. After applying the benchmark, customization is often required and tends to vary by application, company, and industry.
The Oracle database default configuration is different than third party recommendations. The main reason there are differences is that third parties and Oracle do not necessarily share the same approach to application hardening. There are many good reasons for different approaches.
Let's start with the assumptions made surrounding the targeted environment. CIS makes assumptions about what the architecture of a typical database application might look like. In practice, these assumptions may not be appropriate for some Oracle and third party applications. CIS typically recommends changing the default values of configuration parameters, or disabling specific default functionality. Oracle or third party applications may assume the default values of those parameters, and/or existence of default functionality, and would therefore be broken if the defaults were changed in accordance with CIS's recommendations.
Most sophisticated CIS Benchmark consumers probably expect this limitation. These consumers understand the risks of breaking their applications and still want the strongest hardening advice available. They are often fully capable of self-supporting any impact on their systems due to their actions. They know how to test incremental changes in their own Development and Quality Assurance environments, and when something breaks they know how to reverse changes. They may also prefer starting with a stronger starting baseline that they loosen up, rather than a loose baseline, which they need to further harden.
Compared with the CIS Benchmark, Oracle provides a smaller number of security recommendations in its secure configuration guidelines. Oracle's recommendations have to go through extensive Quality Assurance to test their effect on Oracle's products and packaged applications. This provides assurance that Oracle's recommendations will work at least with our products without extensive customer testing. The CIS Benchmark for Oracle does have the notion of "Level 1" and "Level 2" strength notations to help identify those recommendations that could prove to be more problematic, but CIS does not perform extensive application testing to identify which applications will be affected by their benchmark recommendations.
CIS Benchmark consumers tend to approach hardening their environment by starting from a more aggressively locked-down state and loosen up the configuration from that state, incrementally, by testing each step. This approach is often considered a best practice, as it can be an effective way to determine and assure true enforcement of the least-privilege principle. For some customers, however, this methodology can be prohibitively expensive and may not produce a positive cost/benefit value. It is truly impossible to define a one-size-fits-all approach to least-privilege configuration, as every customer has varying least-privilege requirements, even within the same industry and applications. Furthermore, every customer's risk-profile, and tolerance to risk, is unique.
In summary, Oracle's security recommendations are different than the core CIS recommendations because Oracle tries to strike the most effective balance between the application of an "ideal" security theory (which may be prohibitively expensive) and real customer cost/benefit requirements and practices. Our customers expect that our default configuration is tested, supported, and will not break various typical deployments of Oracle and third party applications.
Different goals, support obligations, motivations, and consumer expectations require different approaches to producing configuration-hardening recommendations and in determining the default configuration. These differences are appropriate and expected. From a customer standpoint, both approaches have value because they are serving different purposes.
Chad Hughes, CISSP
Critical Patch Update – October 2006
Posted on October 17th, 2006
Critical Patch Update – April 2006
Posted on April 18th, 2006
Critical Patch Update – January 2006
Posted on January 17th, 2006