Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Re: Funny sort of question re sys password

Re: Funny sort of question re sys password

From: Nuno Souto <dbvision_at_optusnet.com.au>
Date: Wed, 10 Mar 2004 23:28:09 +1100
Message-ID: <015901c4069c$31e088c0$9b00a8c0@dcs001> 








> - these are toys really compared to a real cracker like John the ripper

> or lopht. 




Ah yes: I'm quite familiar with the second one.  Used it to 
"harden" my bank account passwords.  It can't crack them now
and I can still (barely!) remember them.



> I guess he is not talking about breaking the encryption or using a brute

> force or dictionary attack. he most probably is talking about being able

> to simply change the password of SYS. There are many many ways that

> would allow this that i can think of. Most depend on what your current

> set up is and whether you have blocked these avenues off. There are also

> issues of password leakage, vulnerabilities...




I'd class most of those under the umbrella of "social engineering": 
indirect aquisition of knowledge through exploitation of other weaknesses
in security.  But yes, it is possible that way.  



> If you look at my site http://www.petefinnigan.com/orasec.htm there are




Ta, I'll definitely look this up.




> Your Sun guy is easy though, he is just connecting as root and logging

> on as "/ as sysdba" - i guess.




This doesn't count: it assumes root password knowledge which would break 
ALL security in the system, not just Oracle's.   Also, logging in as the 
install user would achieve the same.  Or any user authorised to dba group, 
I suppose.  But all that assumes a breakdown in other than Oracle's 
security to start with.  That is not an Oracle inherent security problem.



I was more concerned with obvious security breaches such as unencrypted 
passwords ending up in log files or file headers, or unencrypted comms 
eaves-dropping.  Guess those are not that easy with 9i, they used to be 
the order of the day with earlier versions.



Anyone knows of any other ways?  


Cheers


Nuno Souto


in sunny Sydney, Australia


dbvision_at_optusnet.com.au




Please see the official ORACLE-L FAQ: http://www.orafaq.com




To unsubscribe send email to:  oracle-l-request_at_freelists.org
put 'unsubscribe' in the subject line.

--
Archives are at http://www.freelists.org/archives/oracle-l/
FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------


Received on Wed Mar 10 2004 - 06:32:16 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US