Re: Exciting Oracle News :: Oracle DB Worm Code Published :: Oracle Passwords Crack in Mere Minutes

From: HansF <News.Hans_at_telus.net>
Date: Thu, 03 Nov 2005 18:28:30 GMT
Message-Id: <pan.2005.11.03.18.28.41.502179_at_telus.net>


On Thu, 03 Nov 2005 13:12:32 -0500, RollForward Wizard wrote:

> Exciting Oracle News

Sure is ...

>
> Oracle DB Worm Code Published
> http://www.eweek.com/article2/0,1895,1880682,00.asp?kc=ewnws110205dtx1k0000599
>

With very simple solutions: don't set up or unlock the default accounts with default passwords; don't make utilities public that shouldn't be public. Duh!

As written in the article "with hundreds of databases, there is a good chance the DBA will miss a few". Any DBA who doesn't know how to write scripts, that is.

<heavy sigh>

> Researcher: Oracle Passwords Crack in Mere Minutes
> http://www.eweek.com/article2/0,1895,1878883,00.asp

Shows to go ya - Oracle had the right idea when they introduced Enterprise Authentication and password expiry and lockout.

Too bad people dont want to use them. We find organizations and developers STILL insist on one userid for the entire app.

When Convenience overrides Security we will always find the same joy [of viruses and worms] we experience in the world of Windows. It's probably the biggest reason why Windows has a problem.

<heavier sigh>

Apologies for the cross-posted reply. Follow-up set to comp.database.oracle.server

Further apologies for feeding the troll.

-- 
Hans Forbrich                           
Canada-wide Oracle training and consulting
mailto: Fuzzy.GreyBeard_at_gmail.com   
*** Top posting guarantees I will not respond further ***
Received on Thu Nov 03 2005 - 19:28:30 CET

Original text of this message