
Home -> Community -> Usenet -> c.d.o.server -> Re: Oracle Database Security

Re: Oracle Database Security

From: Pete Finnigan <pete_at_peterfinnigan.demon.co.uk>
Date: Tue, 27 Nov 2001 15:44:13 +0000
Message-ID: <ccm2R5BNT7A8EwbH@peterfinnigan.demon.co.uk>


Hi

Have a look at a white paper I wrote about Oracle security at http://www.pentest-limited.com/oracle-security.htm. It's written from an attacker's frame of mind, but highlights the areas that you should consider looking at.

Also, you could look at the list of all the default users and passwords that I know of and a script to check them at http://www.pentest-limited.com/default-user.htm. There are a couple of other Oracle security papers on our site as well in the white papers section; please have a look.

There are a lot of known exploits for Oracle databases and application servers. Different versions have different exploits and you should make sure you have the latest patches applied. There is a list of exploits on Oracle's OTN web site, or you could search the bugtraq list on http://www.securityfocus.com. Also, Aaron Newman has a very good list of known Oracle holes / exploits on his company site at http://www.appsecinc.com.

You could consider encrypting critical data so that even DBA access cannot read it. There is the built-in dbms_obfuscation_toolkit package, but you have the problem that it's a symmetrical algorithm and it's up to you to hide the key. You could consider third-party solutions that use public key encryption methods.

As for "can someone break in?", well, it depends how determined they were. There are so many issues with a standard Oracle install that would allow a determined hacker to break in that you could spend a lot of time and money making it secure.

HTH
Pete Finnigan
www.pentest-limited.com

In article <1006870068.128927_at_proxy.storm.co.za>, dps <dps008c_at_yahoo.com> writes
>I have configured Personal Oracle 8.1.7 (including Oracle DBA Studio,
>Oracle Enterprise Manager) on my Win 2000 Pentium 4.
>
>I am wanting information on security aspects of my database I have
>created. I have already taken steps to change the passwords for all the
>users listed for each of the databases including sys and system and scott.
>
> 1) Can someone still break into my databases and corrupt them?
> 2) What else can I do to prevent unauthorised access?
>My workstation is sometimes left on with my username.
> 3) Rather than the operating system level - what can I do at the database
>level in terms of maximum security???
>
>Posted via www.orafocus.com - Focusing on the World of Oracle
>

Received on Tue Nov 27 2001 - 09:44:13 CST
