OraNA :: Security

Another Java Security Alert

Paul Wright — Tue, 05 Mar 2013 15:42:22 PST

Hi Oracle Security Folks, Following the tradition for one off Java Security Alerts Oracle Critical Patch Updates and Security Alerts: http://www.oracle.com/technetwork/topics/security/alerts-086861.html Oracle Security Alert for CVE-2013-1493: http://www.oracle.com/technetwork/topics/security/alert-cve-2013-1493-1915081.html The reporters http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html say it is an unreliable exploit. Of course it depends on Java being used in the browser so one fix is to unplug the JVM [...]

McAfee wins best database security solution award

Slavik — Thu, 28 Feb 2013 14:26:18 PST

It’s hard to believe that another year has passed from last RSA. But, indeed, time flies when you’re busy, I guess. So, for the second year in a row, McAfee wins the SC magazine award for best database security solution. I’m so proud!

Nice way to bring some coolness to Oracle statistics

Slavik — Fri, 15 Feb 2013 18:12:45 PST

Turns out that Tanel has an artist hidden deep down inside!

Wow

Slavik — Fri, 15 Feb 2013 17:51:40 PST

These are some amazing statistics…

Oracle Dictionary Integrity Health Check

Paul Wright — Mon, 11 Feb 2013 11:14:59 PST

Hi, It is good to check the integrity or health of a system to avoid future problems. DBMS_HM.RUN_CHECK(‘Dictionary Integrity Check’, ‘my_run’); SET LONG 100000 SET LONGCHUNKSIZE 1000 SET PAGESIZE 1000 SET LINESIZE 512 SELECT DBMS_HM.GET_RUN_REPORT(‘MY_RUN’) from dual; SQL> SELECT DBMS_HM.GET_RUN_REPORT(‘MY_RUN’) from dual; DBMS_HM.GET_RUN_REPORT(‘MY_RUN’) ——————————————————————————- ——————————————————————————- ——————————————————————————- ——————————————————————————- Basic Run Information Run Name : my_run Run [...]

Secure Coding PL/SQL

(author unknown) — Mon, 14 Jan 2013 11:45:51 PST

I wrote a new presentation last year on secure coding with PL/SQL and presented it twice; once at a SIG in London and once in Oracles office in Edinburgh. This is a really interesting subject for me as i have....[Read More]

Posted by Pete On 14/01/13 At 07:43 PM

Java Security Alert

Paul Wright — Sun, 13 Jan 2013 16:20:13 PST

New Year – New vulnerabilities…yes it’s alert season again, with the main patch out on the 15th, but an out of band alert today for the Java 0 day. It is good to see Oracle taking this well publicised issue so seriously. Here is the alert – http://www.oracle.com/technetwork/topics/security/alerts-086861.html For an excellent advanced analysis please see [...]

Dark Reading – Database Security

Slavik — Thu, 20 Dec 2012 10:16:56 PST

I was interviewed for a nice article about database security on Dark Reading. The interesting question, I think, is not wether to invest in DB security. To me, it’s a given that you have to do it (even though some customers still don’t agree). The question is – how will the threat landscape change if [...]

UKOUG 2012 in a nutshell

Paul Wright — Wed, 12 Dec 2012 16:21:27 PST

Hi Oracle Security Folks, UKOUG 2012 in a nutshell: OAK Table day highlight was Julian’s analysis of RAT capture formats, which made reverse engineering proprietory formats look a lot easier than it should do. Christian’s super secret talk was so secret that it was not given, but managed to catch up on that later. Monday [...]

Poor man’s data discovery for Oracle

Slavik — Wed, 05 Dec 2012 22:58:44 PST

I’m sure we all did something similar once or twice in our DBA lives. I had to create a simple script to perform regular expression based data discovery for Oracle. This script will be used as a check in our McAfee Database Vulnerability Manager. We do support data discovery directly in the tool but the [...]

SYS Security

Paul Wright — Wed, 28 Nov 2012 22:52:20 PST

Hello Folks, A few people have told me that they thought only SYS could select db link passwords. Truth is any user with SELECT_CATALOG_ROLE can select the passwords from ku$_dblink_view as well. SQL> select name, userid, utl_raw.cast_to_varchar2(dbms_crypto.decrypt((substr(passwordx,19)), 4353, (substr(passwordx,3,16)))) password from ku$_dblink_view; NAME -------------------------------------------------------------------------------- USERID ------------------------------ PASSWORD -------------------------------------------------------------------------------- TEST_LINK.ENTERPRISE.INTERNAL.UK DBLINK_ACCOUNT mongo If missing execute on [...]

Database Link Security

Paul Wright — Thu, 22 Nov 2012 15:37:34 PST

Hello Oracle Security folks, Good news and bad news – which would you like first? Ok.. so the bad news is that these user/role/privileges can select and decrypt DBLink passwords on 11.2, as the key to decrypt the ciphertext is included in the password itself. •SYS •SYSDBA •DBA •SYS WITHOUT SYSDBA •SYSASM •EXP_FULL_DATABASE •DATAPUMP_EXP_FULL_DATABASE •DATAPUMP_IMP_FULL_DATABASE [...]

DOAG 2012: Best of Oracle Security 2012

Alexander Kornbrust — Thu, 22 Nov 2012 01:35:55 PST

Yesterday I gave a presentation ”Best of Oracle Security 2012” at the DOAG 2012 conference in Nürnberg.

Securing Data from the Threat of SQL Injection

Slavik — Thu, 15 Nov 2012 10:42:26 PST

An article Raj Samani and I wrote was published in infosecurity magazine.

McAfee Threat Report 2012

Slavik — Thu, 15 Nov 2012 10:27:37 PST

Just published a blog entry on my McAfee official blog. It talks about some of the trends of database security as we see them from the global McAfee Threat Report. Just today I reviewed Verizon’s Intellectual Property Theft and it has a large section about databases, privileged users and compromised assets. The one figure that [...]

Self-Defending Databases

Alexander Kornbrust — Fri, 02 Nov 2012 10:15:38 PDT

I just uploaded my talk Hashdays 2012 ”Self-Defending Databases” to the Red-Database-Security website. The talk explains how to detect SQL Injection attacks in databases (Oracle/MSSQL/MySQL) and how to react in case of a SQL Injection (e.g. done with Pangolin, Havij or Netsparker).

Initially the idea covered only Oracle and MSSQL but Xavier Mertens extend the concept to MySQL (MySQL Attacks Self-Detection) after he saw my presentation at the Hashdays Management Session.

CPU, PSU, SPU - Oracle Critical Patch Update Terminology Update

skost — Tue, 30 Oct 2012 17:50:28 PDT

It all started in January 2005 with Critical Patch Updates (CPU). Then Patch Set Updates (PSU) were added as cumulative patches that included priority fixes as well as security fixes. As of the October 2012 Critical Patch Update, Oracle has changed the terminology to better differentiate between patch types. This terminology will be used for the Oracle Database, Enterprise Manager, Fusion Middleware, and WebLogic.

Critical Patch Update (CPU) now refers to the overall release of security fixes each quarter rather than the cumulative database security patch for the quarter. Think of the CPU as the overarching quarterly release and not as a single patch.

Patch Set Updates (PSU) are the same cumulative patches that include both the security fixes and priority fixes. The key with PSUs is they are minor version upgrades (e.g., 11.2.0.1.1 to 11.2.0.1.2). Once a PSU is applied, only PSUs can be applied in future quarters until the database is upgraded to a new base version.

Security Patch Update (SPU) terminology is introduced in the October 2012 Critical Patch Update as the term for the quarterly security patch. SPU patches are the same as previous CPU patches, just a new name. For the database, SPUs can not be applied once PSUs have been applied until the database is upgraded to a new base version.

Bundle Patches are the quarterly patches for Windows and Exadata which include both the quarterly security patches as well as recommended fixes.

References: New Patch Nomenclature for Oracle Products [ID 1430923.1]

Tags:

Oracle Database Oracle Critical Patch Updates

Upcoming Webinar: Credit Cards and Oracle E-Business Suite - Security and PCI Compliance Issues

skost — Wed, 15 Aug 2012 11:22:07 PDT

Upcoming Webinar: Credit Cards and Oracle E-Business Suite - Security and PCI Compliance Issues

Credit Cards and Oracle E-Business Suite - Security and PCI Compliance Issues
Thursday, August 16, 2:00pm - 3:00pm EDT

Credit card data breaches are headline news, thus organizations must properly protect credit card data or risk being tomorrow's headline. Oracle E-Business Suite implementations that "store, process, or transmit cardholder data" must comply with Payment Card Industry (PCI) security standards regardless of size or transaction volume. PCI is focused on securely handling cardholder data, but also has a significant emphasis on general IT security. The difficultly with the Oracle E-Business Suite and achieving PCI compliance is that even though credit card processing may be only a one minor feature, the entire application installation must be fully PCI compliant due to the tight-integration and data model of the Oracle E-Business Suite. This presentation will review the credit card processing within the Oracle E-Business Suite and will provide general guidance for the Oracle E-Business Suite implementations on securing cardholder data and complying with relevant PCI requirements.

Click here to register for this Oracle E-Business Suite educational webinar.

Tags:

Webinar Oracle E-Business Suite

Upcoming Webinar: Securing 1,000 Oracle Databases

skost — Tue, 24 Jul 2012 07:29:41 PDT

Upcoming Webinar: Securing 1,000 Oracle Databases - Challenges and Solutions

Thursday, July 26, 2:00pm - 3:00pm EDT

For those of you that missed this session at the recent Collaborate12 conference, please read on.

Oracle Database security checklists and standards are focused on one database, not 1,000 databases. The significant challenge is when you have 100, 500, 1,000, or even 10,000 Oracle Databases in your organization to protect. In order to protect and securely maintain a thousand Oracle Databases requires an enterprise database security framework and database security program. This session will describe how to implement a database security program with all the necessary components to protect the databases in a large enterprise. The database security program will include configuration management, enterprise database user security, periodic access reviews and controls, routine security patching, and an enterprise database auditing strategy.

Click here to register for this Oracle Database Security webinar.

Tags:

Webinar Oracle Database

The Manager's Guide to Securing the Oracle E-Business Suite

skost — Tue, 19 Jun 2012 11:31:23 PDT

Upcoming Webinar: The Manager's Guide to Securing the Oracle E-Business Suite

The Manager's Guide to Securing the Oracle E-Business Suite
Wednesday, June 20, 2:00pm - 3:00pm EDT

For those of you that missed this session at the recent Collaborate12 conference, please read on.

The Oracle E-Business Suite is usually an organization’s most important application and the consequences of having it compromised could be catastrophic. However, often CIOs, project managers, and technical managers have little understanding of Oracle E-Business Suite security and compliance risks and issues. This session will provide a managerial level overview of how to properly secure the application and comply with requirements such as SOX, PCI, and HIPAA, including key questions to ask DBAs and IT Security.

Click here to register for this Oracle Database Security webinar.

Tags:

Webinar Oracle E-Business Suite