
RE: Security Issue

From: Richard J. Goulet <richard.goulet_at_capgemini.com>
Date: Mon, 11 Jun 2007 11:09:56 -0400
Message-ID: <C3EE2ADD31ACF64DAB1B236044A1968D90B060@miaexc01.kanbay.com>

OK, so does Veritas support encryption of the data as it passes through its layers? We're using Legato here which does.

Please note that on May 25, 2007 my email address changed to richard.goulet_at_capgemini.com



Dick Goulet / Capgemini
North America P&C / East Business Unit
Senior Oracle DBA / Hosting
Office: 508.573.1978 / Mobile: 508.742.5795 / www.capgemini.com
Fax: 508.229.2019 / Email: richard.goulet_at_capgemini.com
45 Bartlett St. / Marlborough, MA 01752

Together: the Collaborative Business Experience


-----Original Message-----
From: Freeman, Donald [mailto:dofreeman_at_state.pa.us]
Sent: Monday, June 11, 2007 10:44 AM
To: Richard J. Goulet; Freeman, Donald; oracle-l_at_freelists.org
Subject: RE: Security Issue

We are not using RMAN encryption. We have multiple backups and want to use the same encryption for all of them for simplicity's sake. I am trying to answer a "what-if?" question. These backups, like probably everyone else's, are going to go off-site to a secure, hardened facility. I'm pretty sure there is limited interest in our data but management wants to know how hard it would be to recover data from a datafile. If they had the whole backup they could just restore it to a server somewhere.

This interest extends to our scratch tapes. Once they expire the old tapes are returned here and thrown into a bin for reuse. If I understand correctly the Veritas software marks them as expired and can't be used to pull them off the tapes, but I'm sure some smart person somewhere could.

-----Original Message-----
From: Richard J. Goulet [mailto:richard.goulet_at_capgemini.com]
Sent: Monday, June 11, 2007 10:37 AM
To: dofreeman_at_state.pa.us; oracle-l_at_freelists.org
Subject: RE: Security Issue

Don,

Have you tried setting encryption on for an RMAN backup? According to the FM it's supposed to encrypt the output for removable media.


-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of David Litchfield
Sent: Friday, June 08, 2007 3:48 PM
To: dofreeman_at_state.pa.us; oracle-l_at_freelists.org
Subject: Re: Security Issue

Hi Don,

I'm in the process of researching and developing what will be an open source, post-database intrusion forensics tool called F.E.D.S. (the Forensic
Examiner's Database Scalpel) that is capable of extracting information and
row data, deleted or otherwise, from datafiles and the redo logs. Some of
this research I've written up in the following papers:

http://www.databasesecurity.com/dbsec/Locating-Dropped-Objects.pdf
http://www.databasesecurity.com/dbsec/dissecting-the-redo-logs.pdf

If you're concerned about people gaining unauthorized access to data on backup files you should look to encrypt them (there are a number of commercial and open source solutions available) and store them in a physically secure location.

HTH,
David Litchfield

Is it possible to recover information from an undo datafile? I have been searching for information on securing Oracle datafiles and see that there are .dbf file viewers that claim to be able to view/edit/export the contents as text. I am thinking that it's not likely to be possible to reconstruct anything usable from an undo datafile.

I know that Oracle 10G has the ability to encrypt the contents of datafiles and store the key in a wallet. We are planning an upgrade in a year but right now I'm having to answer questions about vulnerability of backups stored on removable media.

Don Freeman
Database Administrator 1
Bureau of Information Technology
Pennsylvania Department of Health
(717) 703-5782


--
http://www.freelists.org/webpage/oracle-l
Received on Mon Jun 11 2007 - 10:09:56 CDT
