| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Mailing Lists -> Oracle-L -> RE: Funny sort of question re sys password
and actually, the fundamentals of security say that you should follow the principal of least privilege. Only allow any person to have exactly the amount of authority that is necessary to do his or her job.
That also has little or nothing to do with the Oracle situation at hand, but it does speak to having (or allowing) physical access to boxes.
My dad told me that it doesn't matter how big or how good you lock is, it is only designed to be sure to keep out an honest person. Anyone determined to not be honest will get in.
April Wells
Oracle DBA/Oracle Apps DBA
Corporate Systems
Amarillo Texas
@>-->-->--
"Few people really enjoy the simple pleasure of flying a kite"
Adam Wells age 11
"Imagination is the highest kite one can fly."
Lauren Bacall
-----Original Message-----
From: Igor Neyman [mailto:ineyman_at_perceptron.com]
Sent: Wednesday, March 10, 2004 8:51 AM
To: oracle-l_at_freelists.org
Subject: RE: Funny sort of question re sys password
All this has nothing to do with Oracle security - it's OS security.
Igor Neyman, OCP DBA
ineyman_at_perceptron.com
-----Original Message-----
From: oracle-l-bounce_at_freelists.org
[mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Juan Cachito Reyes
Pacheco
Sent: Wednesday, March 10, 2004 9:32 AM
To: oracle-l_at_freelists.org
Subject: Re: Funny sort of question re sys password
The principle of security says
if you have access to the server (the physical computer) you have
access to its data.
For example in
Oracle in NT, you drop the service and recreate it, this is the time it
takes to recreate the service
and restart the server.
In NT, to bypass NTFS there is a floppy disk (cia software) used to
restart
with it you can change server password, fix regedit, copy files, etc.
Other chance is install another nt installation that gives you acces to
everything.
> Someone at work maintains that it takes them 10 minutes to
> break the Oracle SYS password security.
>
> And the Sun boof-head (a different person and I use the
> term loosely...) assures me he's capable of doing so any time
> he wants.
>
> Now, I've been away from this security stuff for a year or so and
> I may well be wrong here, but breaking the password security
> means cracking the Oracle encryption. While this may be possible,
> I can't believe it only takes 10 minutes?
>
> Wouldn't it rather be a case of social engineering at work?
> Or just a plain vanilla "change_on_install" case?
>
> <says he who used to change it to "changed",
> with the obvious funny consequences>
> Cheers
> Nuno Souto
> nsouto_at_optusnet.com.au
> ----------------------------------------------------------------
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> ----------------------------------------------------------------
> To unsubscribe send email to: oracle-l-request_at_freelists.org
> put 'unsubscribe' in the subject line.
> --
> Archives are at http://www.freelists.org/archives/oracle-l/
> FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
> -----------------------------------------------------------------
>
-- Archives are at http://www.freelists.org/archives/oracle-l/ FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html ----------------------------------------------------------------- ---------------------------------------------------------------- Please see the official ORACLE-L FAQ: http://www.orafaq.com ---------------------------------------------------------------- To unsubscribe send email to: oracle-l-request_at_freelists.org put 'unsubscribe' in the subject line. -- Archives are at http://www.freelists.org/archives/oracle-l/ FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html ----------------------------------------------------------------- The information contained in this communication, including attachments, is strictly confidential and for the intended use of the addressee only; it may also contain proprietary, price sensitive, or legally privileged information. Notice is hereby given that any disclosure, distribution, dissemination, use, or copying of the information by anyone other than the intended recipient is strictly prohibited and may be illegal. If you have received this communication in error, please notify the sender immediately by reply e-mail, delete this communication, and destroy all copies. Corporate Systems, Inc. has taken reasonable precautions to ensure that any attachment to this e-mail has been swept for viruses. We specifically disclaim all liability and will accept no responsibility for damage sustained as a result of software viruses and advise you to carry out your own virus checks before opening any attachment. ---------------------------------------------------------------- Please see the official ORACLE-L FAQ: http://www.orafaq.com ---------------------------------------------------------------- To unsubscribe send email to: oracle-l-request_at_freelists.org put 'unsubscribe' in the subject line. -- Archives are at http://www.freelists.org/archives/oracle-l/ FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html -----------------------------------------------------------------Received on Wed Mar 10 2004 - 09:34:28 CST
 |
 |