Musings on Database Security

Mixed case passwords for Oracle

Slavik — Thu, 02 Sep 2010 00:03:08 +0000

So, we all know that Oracle used to be non-case sensitive when it came to user names and passwords. We also know that since 11g this is not the case and Oracle, by default, is case sensitive. The one thing I wanted to point out is that even if you are using sec_case_sensitive_logon=false and ignore [...]

Changing MS SQL Server system stored procedures

Slavik — Fri, 20 Aug 2010 03:30:43 +0000

Sometimes, you want to enhance or change system stored procedures to add functionality like security related code. This is not supported and might blow up in your face so all the standard caveats apply. If it blows in your face, tough luck! SQL2000 is pretty straight forward and you can find plenty of places on [...]

Upcoming presentation with McAfee for their ‘Hacking Exposed’ Webcast series

Slavik — Fri, 16 Jul 2010 01:29:36 +0000

Next week I’ll be doing a really fun webcast, as a guest speaker for McAfee’s ‘Hacking Exposed Live’ series. The series takes a look at current and evolving hacks and what you can do to protect your environment. The topic is officially: ‘Understanding Threat Vectors for Database Breaches’, and I’ll be showing some sample attacks [...]

dbms_jvm_exp_perms 0day fixed on Windows 11gR2

Slavik — Thu, 08 Apr 2010 17:48:22 +0000

Alex wrote a nice blog post showing that the 0day found by David Litchfield [pdf] is now fixed in the newest Oracle 11.2.0.1 release for Windows. He has some analysis of the fix as well as some good examples of using Repscan to view permissions and audit records using the online browser. Whenever I need [...]

pysql

Slavik — Wed, 07 Apr 2010 00:36:15 +0000

During the weekend, I stumbled across an interesting project named pysql. The project aims to replace SQL*Plus with a sane shell written in Python with history, tab completion and many extensions. Being a veteran of using SQL*Plus, I know that some of the above can be actually achieved on Linux/Unix environments with SQL*Plus using a [...]

Java Forensics in Oracle

Slavik — Wed, 31 Mar 2010 22:44:00 +0000

Paul Wright published an interesting post about how you can find traces of Java privilege escalation attacks in the database. Great stuff! Of course, Hedgehog already protects against these published attacks as Paul showed earlier here. Hedgehog comes with build-in vPatch protections that cover the DBMS_JVM_EXP_PERMS and DBMS_JAVA attacks.