From: Tim Gorman
To: oracle-l@freelists.org
Date: Wed, 10 Mar 2004 07:04:47 -0700
Subject: Re: Funny sort of question re sys password

Good idea, but just be careful that some bonehead on your system isn't entering "sqlplus sys/<password>" on the OS command-line? Or that he's not found a "hidden file" with the password embedded and file-permissions not set properly? (Is that what you meant by "social engineering"?)

Otherwise, he'll have that $10 out of your hands, toot sweet!

Either way, it would still be $10 well spent... :-)

on 3/10/04 6:49 AM, Whittle Jerome Contr NCI at Jerome.Whittle@scott.af.mil wrote:

> Tell them that the proof is in the pudding. Challenge them to a $10 bet; get out a stopwatch; and sit them at a computer. If they succeed, it will be $10 well spent to expose a security weakness. Otherwise enjoy the $10 and watching them squirm.
>
> Jerry Whittle
> ASIFICS DBA
> NCI Information Systems Inc.
> jerome.whittle@scott.af.mil
> 618-622-4145
>
>> -----Original Message-----
>> From: Nuno Souto [SMTP:dbvision@optusnet.com.au]
>>
>> Someone at work maintains that it takes them 10 minutes to
>> break the Oracle SYS password security.
>>
>> And the Sun boof-head (a different person and I use the
>> term loosely...) assures me he's capable of doing so any time
>> he wants.
>>
>> Now, I've been away from this security stuff for a year or so and
>> I may well be wrong here, but breaking the password security
>> means cracking the Oracle encryption. While this may be possible,
>> I can't believe it only takes 10 minutes?
>>
>> Wouldn't it rather be a case of social engineering at work?
>> Or just a plain vanilla "change_on_install" case?
>>
>> <says he who used to change it to "changed",
>> with the obvious funny consequences>
>>
>> Cheers
>> Nuno Souto
>> nsouto@optusnet.com.au
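The two exposure paths Tim raises, a password typed as "sqlplus sys/<password>" on the command line and a "hidden file" with the password embedded and loose permissions, as an added defender-side check script that is not part of the thread; the function names, the connect-string pattern and the file names in the comments are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Two defender-side checks for the
# exposure paths Tim describes: a password typed as "sqlplus sys/<password>"
# is visible in the process list, and a "hidden file" with the password
# embedded and loose permissions gives it away just as cheaply.

# A sqlplus connect string carrying a password: [options] user/secret[@tns].
# Deliberately does not match "sqlplus /nolog", "sqlplus sys as sysdba"
# or a bare "sys/" with nothing after the slash.
CRED_RE='sqlplus[[:space:]]+(-[^[:space:]]+[[:space:]]+)*[^[:space:]/@]+/[^@[:space:]]+'

# mask_cli_creds LINE: print LINE with the password replaced by ****;
# printed unchanged when no password is embedded.
mask_cli_creds() {
    printf '%s\n' "$1" |
        sed -E 's#(sqlplus[[:space:]]+(-[^[:space:]]+[[:space:]]+)*[^[:space:]/@]+/)[^@[:space:]]+#\1****#'
}

# has_cli_creds LINE: exit 0 if LINE embeds a password.
has_cli_creds() {
    [ "$(mask_cli_creds "$1")" != "$1" ]
}

# scan_process_list: check the live process table (Linux/BSD ps) and
# report offending command lines with the password already masked.
scan_process_list() {
    ps -eo args= | while IFS= read -r cmd; do
        has_cli_creds "$cmd" &&
            printf 'EXPOSED ON CMDLINE: %s\n' "$(mask_cli_creds "$cmd")"
    done
}

# readable_by_others FILE: exit 0 if group or other holds the read bit
# (columns 5-10 of ls -l are the group and other permission triplets).
readable_by_others() {
    case "$(ls -ld "$1" | cut -c5-10)" in *r*) return 0 ;; *) return 1 ;; esac
}

# find_exposed_files DIR: list files under DIR, dotfiles included, that
# are readable by group/other AND contain a connect string with a
# password; a file meeting only one of the two conditions is not printed.
find_exposed_files() {
    find "$1" -type f | while IFS= read -r f; do
        if readable_by_others "$f" && grep -Eq "$CRED_RE" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}
```

Run `scan_process_list` from cron and `find_exposed_files "$HOME"` for each DBA account to catch both cases before the bet is taken.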