Pete Finnigan's Oracle Security Weblog

MAry Ann Davidson, who is the Chief Security Officer at Oracle has started a weblog recently. It is titled "Mary Ann Davidson Blog" and her first post was made on March 13th. Her first post is titled "IT Lessons from Military History" and is about her reading habits centered around military history and how that helps her day job in IT Security.

I doubt we will see Mary Ann writing about Oracle exploits and vulnerabilities or particularly revealing exploit code but I guess you never know..:-)

Welcome to the world of Oracle blogging!!

Oracle has sent out an email this evening to ask any customers who have previously downloaded the Jan CPU 2006 to check if they are vulnerable to a bug in the patch and if so to download a new one-off interim patch. The full email is included here:

"Critical Patch Update January 2006 for Oracle Database 9.2.0.7



Dear Oracle Customer,

You are receiving this email because our records indicated you downloaded Critical Patch Update January 2006 (CPUJan2006) patches for Oracle Database version 9.2.0.7 on all Unix and Linux platforms (Patch 4751923) or Windows platforms (Patch 4751528 or 4741074).

Due to problems in the patch building process, you may experience ORA-00933 when running Change Data Capture related packages after applying the above patches. To check whether the issue is applicable to your Oracle Database, connect to the database as SYS and run the following command:

SQL> SELECT dbms_registry.script('CATJAVA','@javacpu.sql') AS sqlfile FROM DUAL;

If the above command returns "?/rdbms/admin/nothing.sql", no action is required. If it returns "@javacpu.sql", please download and apply interim (one-off) Patch 5090555 to the Oracle Database 9.2.0.7 home to correct the problem.

Please accept our apologies for any inconvenience you may have experienced, and we thank you for your patience and cooperation in securing your Oracle server products.

Regards,
Oracle Global Product Support

P.S. Please do not reply to this email as this email account is not monitored. If you require further assistance, please use MetaLink, https://metalink.oracle.com, to submit a Service Request. "

http://www.redherring.com/Article.aspx?a=16112&hed=Oracle%E2%80%99s+New+Search+Efforts&sector=Industries&subsector=InternetAndServices - (broken link) Oracle’s New Search Efforts -

"The software giant sets a new pace in the enterprise search race.
March 20, 2006 Print Issue

Trolling the Net looking for Jessica Alba fan sites or back hair removal options, chances are you’ll start with Google. But what about the drones who need to find an old invoice in the company network? If Oracle has its way, they’ll use Secure Enterprise Search 10g.



It’s a clunky name all right, but if it simplifies finding stuff as well as Oracle says, most people should get over it."

What has it to do with security? - Well Oracle are promoting this as secure search, one feature is that management can regulate what their employees search for, interesting!

I saw on Laurents blog in a post titled "isqlplus and sqlplusw desupport" today that iSQL*Plus will be desupported in 2010. This is a long time into the future but could be for the best as allowing web based access for free form SQL and DDL is a security risk for anyone who is using it.

I saw a nice post on Frits Hooglands blog tonight titled "Changing Oracle Internet Directory for Fedora Directory Server for oracle net names resolution, part 1: preparing the ldap server" that describes why you might want to change from Oracle OID and he goes on to show how to create the files necessary from OID and how to transfer and use the contents of the directory in Fedora Directory Server.

Nice post, I have also added Frits's blog to my Oracle blogs aggregator.

Experts unconcerned by RFID virus - by Iain Thomson

"A team of Dutch researchers has shown that it is possible to install a virus onto an RFID chip, but security experts told vnunet.com today that such activities do not pose a serious threat."

Read on, it uses and Oracle database as an example in the hack.

Chaos among PC Users over McAfee Update - This is the same virus issue I showed the other day in a German language article where the virus update hosed Oracle systems on the same machines:

"McAfee Inc., a major maker of anti-virus software has admitted that its update for a number of virus-scanning products caused havoc Friday in corporate and consumer systems using the virus protection products when a virus definition file triggered the quarantine or deletion function for several executable files, including Microsoft's Excel."

Microsoft goes public with Blue Hat hacker conference - By Robert McMillan

"Microsoft is going public with some of the hacking information discussed at its Blue Hat Security Briefings event. On Thursday, just days after the end of its third Blue Hat conference, the software vendor posted the first blog entries at a new Web site. Microsoft (Profile, Products, Articles) is also promising to publish more details on the secretive invitation-only event."

Fataler Fehlalarm bei McAfee VirusScan - An interesting news item that describes the fact that McAfee has released an incorrect signature as part of an update. This incorrect signature leaves Oracle and ERP installations unstable. An english translation is http://www.google.com/translate?u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2F70771&langpair=de%7Cen&hl=en&ie=UTF8 - (broken link) Fatal false alarm with McAfee virus CAN - Thanks to Alex for the link.

I have been thinking about changing some of the features of my site for quite sometime now and even mentioned some of them here in this blog before, particularly to do with CMS's and spam prevention. Now I have finally gone ahead with looking into some of the issues and improvements and starting on the implementations. I want to talk breifly about some of the changes I have planned and also request for some help.

Update Frequency

Due to various committments and being very busy of late I have not had much time to write detailed blog entries for some weeks now but I managed to keep my blog going by highlighting some of the key news events that have been going on in the Oracle security world. More on improving this later in this entry. This will hopefully change over the coming weeks as I want to try and get back to some examples, some good content, some tools and some examples.

Hosting

I have been using shared hosting for quite a few years now for PeteFinnigan.com and have been frustrated recently by some of the hindrances. These are mainly around fighting spam and particularly referral spam. I was not able to use mod_rewrite for instance or have access to firewall facilities, either harware or software (ipchains) and my site has been down a few times recently due to issues mostly with other peoples sites on the same server. I have been thinking about the size of my site andhow that fitted with the space allocations available at my ISP. I have some plans to increase the usefulness of my site and that it turn means needing more space.

Therefore I spent some time a few weeks ago listing out over 30 companies / ISP's here in the UK that provide dedicated servers. i found out costs per month, disk space, RAM, speed, other featutres etc and listed them all on a peice of A4 in a table to see if I could spot who hd the best deals. I did not include my current ISP http://www.uklinux.net - (broken link) UK Linux as they did not actively promote dedicated servers but i asked them if they could do it and costs etc and was pleasantly surporised at how competitive they are. There are a small number of very cheap servers available by the way but I was not convinced by these for other reasons, my ISP is very competitive so I have decided to stay with them. I have been happy with their good service for a few years now.

Features

I am planning to have some new features on my site and also some features that are less obvious (i.e. they help me!). I have talked before about the limitations of Greymatter and in a couple of weeks once the dedicated server is up and running I will most likely move to Wordpress. This is for a number of reasons. The most important being its more modern and has features like draft posts, categories and comment management. I really want to open up comments again on this blog.

I am not sure about how to migrate to the new blog software. There are facilities to import greymatter entries but i am not convinced about how that would work with SEO issues. I may take the "Mark Rittman" route and simply leave the old posts in place and start afresh. The main page would occupy the same URL (although I need to look at how that works with a .php main page instaed of my static .html page now) and the feed would need to stay the same. The rest would be new URL's and the old greymatter posts would stay where they are.

I have been thinking about admin and CMS's. I have spent a lot of time readning about CMS systems and I am not convinced. I think I will most likely stay with my ramshackle home grown admin page and functions for now. I would like to make the rest of the site (non blog, news, forum) template based and i have been reading around the Perl template library for this. The main driver for this would be to add to other pages more easily without editing raw HTML in UltraEdit. Things like my papers page, alerts, whatsnew etc. I may start simple and build an admin page for each main section and then try and template it.

I have also had a wiki installed on this site for almost one year but I have never made it available to the public yet. I have planned out exactly what is going to be in this and done some basic work on setting it up bit not enough to make it public yet. More on this soon.

Statistics

I had a public stats page for over one year using webalizer to generate them but took it down a couple of months ago because of spam. Statistics and web measurement are an area I have been quite interested in. I added a web based one recently for a few weeks on a section of my sites pages (you may have noticed it) just to see how it works and what it can do. I think a combination of the page based stats and access_log's are needed to understand websites more. I probably wont make my stats public again because of the referral spam problems but it is an area I am very interested in. I have been playing with writing my own page based stats collection using Javascript and I plan to develop this further over the coming months - really just for interest and learning more about how websites work and are used.

Other sites

I have some other sites attached to this one, that unfortunately have not had much attention from me over the last 6 months or so. I plan to change this. Having an integrated blog package such as Wordpress that allows categories and other features will help me to update these sites more easily. Also when I get some sort of simple CMS up and running it will be easier to add content without tedious coding. The SQL Server security and mySQL security sites will hopefully get some of my attention as I am keen to learn something more about the security of these databases as well as Oracle and to apply some of the lessons I have learned with Oracle to those databases. Hopefully I will get time to add to my other sites as well from time to time.

style

I am also planning to spend some time to make my site a bit more compliant by changing the layout to CSS based rather than tables and also by cleaning up the HTML/CSS code. i have been looking at quite a few editors recently, more of that later. The basic styling will remain the same, simple design but my main trust i suppose is to make updating the site quicker and easier.

Translations

One of my other main reasons to got to Wordpress is the fact that it has a translation plug in available. I am pretty excited by this feature and thought it is one major reason to use the software. I know quite a lot of non-English speakers read my blog and it would be great to offer it in other languages as well. I also purchased some software to run on my PC to translate other blocks of text and I plan to translate as much of the static pages with that software as well. I cannot guarantee how good the translations are but its probably better than not having native languages for some people.

Newsletter

Some of you may have noticed that I advertise a newsletter and have written one entry almost three years ago. I have a lot of subscribers and basically have not had time to write a newsletter. This will also change. I plan to at least generate a simple regular newsletter that will include key forum posts, wiki posts, blogs and other major site changes. I have been playing with some software for this. In time I hope to actually write for the newsletter as well.

Help needed, call for papers, blog authors, blog hosting

Here is the help section. I read huge amounts on the net almost every day and search out new papers and news on Oracle security. I write a lot myself, either as part of this site or that doesnt get published. I thought it would be nice if people wrote anything about Oracle security that they might like to publish it here. I cannot pay anyone, I run this site in my own time but its non commercial and in fact it costs me money to host and run the site but if anyone would like to be published here I would be happy to post papers here. email me on pete_at_petefinnigan_dot_com if you have any papers you would like posting.

I was also thinking about Oracle security and blogging and was inspired by sites like Amis and Oracle WTF where there are a number of authors and wondered if anyone was interested to write guest blog entries, regular or sproadic or even one off here about Oracle security. Again if you are interested drop me an email at pete_at_petefinnigan_dot_com.

On the same lines if anyone would like to write any entries in other langauges - Russian, German or any other langauge then again please let me know, this would be useful.

Again on the same lines if anyone would like their own blog hosted here to talk about Oracle security, Oracle, SQL Server security, mySQL security. Oracle E-Business Suite or security, SAP.... then please drop me an email as well, i would be happy to host a blog for anyone.

Finally if anyone would like to moderate a foreign language forum on my forum particularly about Oracle security in any language then please also drop me a line and I can set it up.

I have ran this site alone for a long time and never really thought about it as a community project until recently. I know this site is useful to a lot of people. I can see this from the stacks of email i receive so I wondered if asking for help, contributions or whatever would also be great for the community at large.

OK, that's it for my summary of news and happenings on this site for today.

Security is the password - by V. Rishi Kumar

"Security breaches cost companies and individuals billions of dollars each year.IT'S no use crying over spilt milk - or a system whose security has been breached. The smarter thing would be to make sure that security is not compromised."

quite a nice interview and quite current with I&AM

Oracle Security Under Scrutiny - By Larry Greenemeier

"When someone attacks your company's I.T. systems, they're usually after one thing: your data. Pilfering information about employees, clients, intellectual property, or business strategy from well-guarded databases has typically been an inside job perpetrated by employees with a certain level of access to the database system. This is still the case, but databases are becoming more vulnerable to the outside world as Web-facing apps demand faster access to information and databases move closer to the network perimeter, opening them to network-based attacks."

This is a very good 4 page article discussing the current state of Oracles security. I particularly like the quote "Generally speaking, databases are very difficult to attack," MacPherson says. "They're the most secure aspects in a network." on page 4

Oracle on track of secure search

"ORACLE, the world's third- biggest software maker, has begun selling software that allows users to search only personal data on their work computers such as email, word documents and calendar appointments."

I saw the Oracle WTF post tonight titled "Umm, I forgot my password" and had to laugh at the stupidity of some users of the Oracle database. What seems like a useful function for some is an ideal way to hack for others. Have a look, some of the comments are great as well.

Oracle releases critical, out-of-cycle patch - By Bill Brenner

"Oracle Corp. has issued a critical, out-of-cycle patch for its E-Business Suite applications, two months ahead of its next scheduled security update.

Customers can access the Redwood Shores, Calif.-based database giant's MetaLink site for more details on the patch. Meanwhile, Oracle experts are analyzing the security update in their blogs and on their Web sites."