Hack-proofing Oracle Databases
What we are going to do is look at security from a different perspective – to see how an attacker would approach your database and how you can stop an attacker. Without understanding the attacker, you likely will not be able to thwart an attack. That’s why it’s important to be able to think like the attacker to be able to stop the attacker.
Aaron Newman
anewman@appsecinc.com
Application Security, Inc.
www.appsecinc.com
Download updated version of presentation from
http://www.appsecinc.com/news/briefing.html
Hack-proofing Oracle
www.AppSecInc.com
Good morning and welcome to this discussion on protecting your databases.
What we are going to do is look at security from a different perspective – to see how an attacker would approach your database and how you can stop an attacker.
Without understanding the attacker, you likely will not be able to thwart an attack.
That’s why it’s important to be able to think like the attacker to be able to stop the attacker.

Agenda
• State of Oracle Security
• Listener Vulnerabilities
– Tnscmd demonstration
• Oracle in a Web application
– SQL Injection Demo
• Database Vulnerabilities
• Resources, Conclusion, and Wrap Up
We will be covering various ways databases can be broken into and how to prevent yourself from being hacked.
We will start with an introduction to the state of Oracle security.
We will be talking about listener security, including a demonstration of an attack tool that can be downloaded from the internet.
We will talk about how a database could be hacked through a web server and how to prevent this from happening, including a demonstration of SQL injection.
We will be covering some basic database vulnerabilities and misconfigurations.
Then we will take some questions.

State of Oracle Security

In the media
“Look what they've done to my database, Ma”
- By John Leyden, The Register
Posted: 23/01/2002 at 17:40 GMT
• 1 out of 10 corporate databases connected to the Internet had a breach of security last year.
• Taken from a survey of 750 US database developers which also reveals growing concern about security issues.
http://www.theregister.co.uk/content/55/23800.html

Underground Hacking World
• Increasing number of presentations on hacking databases at conferences
– Blackhat, Defcon
• Exploits being written
• Worms found in the wild using databases
– Alpha Voyager
– Spida worm
• Whitepapers on attacking Oracle

Oracle Website – Alerts Web page
http://otn.oracle.com/deploy/security/index2.htm?Info&alerts.htm
• Prior to July 2000
– One vulnerability acknowledged by Oracle
• From July 2000 to August 2002
– 41 vulnerability reports on the Oracle website
• Vulnerabilities reported on SecurityFocus.com
– About 75 vulnerabilities reported about Oracle

Myth – Oracle is secure behind a firewall
• Is your database secure because it’s behind a firewall?
• NO!!!
• Most security compromises are the result of inside jobs
• Internal threats are the most dangerous
• Non-privileged users in the database

What to do about the situation
• The problem exists but it won’t be fixed tomorrow
• But we must start plugging these holes
• Become aware of the risks and threats
• Find the right solutions
We do need to start taking a proactive approach to securing databases.
There is, however, a growing interest in databases among black hats:
- In the past few years, the Black Hat/Defcon conferences have had talks on database security
- Exploits reported on SecurityFocus have increased dramatically over the last few months
Also, we will not be discussing operating system security, although this is a critical component of database security. You can’t have one without the other.

Securing the Listener service

Listener Vulnerabilities
• What is the listener?
– Proxy between the client and the database
• Why is it important?
– Separate authentication and auditing
– Runs as a separate process
– Accepts commands and performs tasks outside the database
• Vulnerabilities in Listener Service
Let’s start by talking about a single component in the Oracle subsystem: the Listener service.
The listener service is a proxy during the connection process which sets up the connection between the client and the database. The client directs a connection request to the listener, which in turn hands the connection off to the database.
The issue that exists is that the listener has separate authentication and is controlled and administered outside of the database. The listener runs in a separate process, and in the past that process was run as setUID. The listener accepts commands and performs other tasks besides handing connections to the database.
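Because the listener is authenticated and administered outside the database, a defender's first check is whether that separate control has actually been configured. The script below is an added example, not from the talk; it assumes the listener.ora parameters PASSWORDS_<listener> and ADMIN_RESTRICTIONS_<listener> (not mentioned on the slides) and audits a constructed sample file.

```python
import re

# Constructed sample listener.ora (not from the talk): LISTENER is hardened,
# LISTENER_DEV is left at the defaults. The password value is a placeholder.
SAMPLE_LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1521)))
PASSWORDS_LISTENER = (PLACEHOLDER_HASH)
ADMIN_RESTRICTIONS_LISTENER = ON
LISTENER_DEV =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost)(PORT = 1526)))
"""

def parse_top_level(text):
    """Map NAME -> value for top-level NAME = value entries; a value may
    continue over several lines until its parentheses balance."""
    entries, depth, name, buf = {}, 0, None, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r'^\s*([A-Za-z0-9_.]+)\s*=\s*(.*)$', line)
        if depth == 0 and m:                      # a new top-level entry
            if name is not None:
                entries[name] = ' '.join(buf).strip()
            name, buf = m.group(1).upper(), [m.group(2)]
            depth = m.group(2).count('(') - m.group(2).count(')')
        elif name is not None:                    # continuation of the value
            buf.append(line.strip())
            depth += line.count('(') - line.count(')')
    if name is not None:
        entries[name] = ' '.join(buf).strip()
    return entries

def audit_listener_ora(text):
    """Return {listener_name: [findings]}; an empty list means hardened."""
    entries = parse_top_level(text)
    report = {}
    for name, value in entries.items():
        # A listener definition is an entry whose value is an address block.
        if not value.upper().startswith(('(DESCRIPTION', '(ADDRESS')):
            continue
        findings = []
        if 'PASSWORDS_' + name not in entries:
            findings.append('no listener password (PASSWORDS_%s missing)' % name)
        if entries.get('ADMIN_RESTRICTIONS_' + name, '').upper() != 'ON':
            findings.append('runtime SET commands allowed (ADMIN_RESTRICTIONS_%s != ON)' % name)
        report[name] = findings
    return report
```

Run `audit_listener_ora` over the contents of the real listener.ora; only listeners that report an empty finding list have both controls in place.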