Re: Hacking An Oracle Session : Is It Possible?

Frank van Bortel <fvanbortel_at_netscape.net> wrote in message news:<c8505i$u17$1_at_news2.tilbu1.nb.home.nl>...
> Aakash wrote:
>
> > Thanks for the response, i am asking this just to get an security
> > perspective, a group of colleagues were disscussing about this when we
> > came upto this point,
> > most of us were of the opinion that its not possible. hence i thot i
> > wud put it up here to get views from all over.
> >
> > the actual disscussion was like " if an sql*plus session is in
> > progress, can anyone get into the active sql*plus session and play
> > around with the transactions happening, without know the
> > username/passwd being used by the session"
> >
> > thanks again, any more view will be appreciated.
> >
> >
> > Hans Forbrich <forbrich_at_yahoo.net> wrote in message news:<6Dbpc.8769$j6.8739_at_edtnps84>...
> >
> >>Aakash wrote:
> >>
> >>
> >>>hello everyone,
> >>>
> >>>after a client machine,say SQL*Plus, establishes a session with the
> >>>oracle database , is it possible to intrude into the established
> >>>session? i.e is it possible to get into the session layer of the
> >>>oracle session? is oracle vulnerable to such an hacking?
> >>
> >>Not if your network is protected.
> >>
> >>Very very difficult if your network is open and sniffable.
> >>
> >>You might want to look at http://www.petefinnigan.com for a gernreal
> >>discussion of Oracle security.
> >>
> >>/Hans
>
> It is extremely easy to make sqlnet connections encrypted.
> Merely requires one or two entries in the network configuration
> files on client and server, and you're done.
> uid/password are then encrypted as well.

don't forget the check for the advanced security option on top of enterprise edition. $10K per CPU USD, last time I checked.

sounds worth hacking in ssh for those kinda dollars.

Pd Received on Sat May 15 2004 - 15:35:33 CDT