
Saturday, 2 June 2012

How difficult is it to hack an Oracle database?

I do not have much knowledge of database security. I have just started reading on this topic, and my interest in Oracle database security grows day by day. I found some basic and useful material about Oracle database security.
There are many areas that could not be covered, as I try to restrict this article to a study of the Oracle database only. My aim throughout this article is to focus on security threats to web clients and database servers, and on attacks on databases. I do not claim that the solutions described in this article will work for every organization. I describe a number of available security features so that any security team can make the right decisions for their own organization.
------------------------------------------------------------------------------------------------------------------
Attacks on Database
Threats on database security can be grouped into two different categories:
  1. Physical
  2. Logical.
Physical threats consist of (but are not limited to) forced disclosure of passwords, destruction of storage devices, power failures, and theft. The most common way to prevent this type of threat is to limit access to the storage devices and to put backup and recovery procedures in place. Logical threats are unauthorized logical access to information, usually through software. Logical threats can result in denial of service, disclosure of information, and modification of data.
Here is a brief overview of database security threats:
Insider threat: A corrupt authorized user can access important information, and this information can be leaked electronically or by other means. This type of threat is usually handled by limiting the number of users with that level of access, together with other procedural controls.
Login attacks: Another attack could involve accessing password lists stored in an operating system, and of course login information. To minimize this type of attack on a web server, the web server can be set up either to pass the user's authentication information directly to the database, or to authenticate the user itself and then use the web server's own credentials to log in to the database.
Network attacks: A database is more exposed to attack if it is accessible over a network (the Internet). A number of precautions can reduce the risk, such as setting up a firewall, using Secure Sockets Layer (SSL), and using certificates to ensure authentication.
Many more can be found on the net. I am limiting this discussion here and coming to the main topic.
How difficult is it to hack an Oracle database?
Easy When:
– Old or unpatched versions
– Database not hardened (weak passwords, insecure code, …)
– Many exploits
Relatively Difficult When:
– Latest, fully patched version
– Hardened database
– Database Activity Monitoring running
– Custom exploit needed
Attackers:
As in real life, the attacker may well be someone already known to the database, such as:
– Curious DBA or Employee
– Criminal employee
– Ex-employee
– External hacker
Countermeasures
– Use McAfee Database Activity Monitoring to audit sensitive data
– Use McAfee Security Scanner for Databases to search for sensitive data (Data Discovery)
– Use McAfee Database Activity Monitoring to audit sensitive data or export utilities
– Use and audit fake data (honey table) to catch curious people
– Monitor direct updates made without using the application
– Monitor the integrity of sensitive data
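The last three countermeasures can be implemented with Oracle's own auditing features rather than a third-party product. The following is an added example, not code from the original post: it creates a honey table and audits every read of it, adds a fine-grained audit policy that records salary updates that do not arrive through the application, and takes an integrity baseline of the sensitive column. The schema HR, the tables SALARY_ARCHIVE_HONEY and EMPLOYEES, and the application module name PAYROLL_APP are assumptions made for the example.

```sql
-- Added example (not from the original post). Assumed names: schema HR,
-- tables HR.SALARY_ARCHIVE_HONEY and HR.EMPLOYEES, application module
-- 'PAYROLL_APP'. Standard auditing needs AUDIT_TRAIL set (e.g. DB or
-- DB,EXTENDED); the policy step needs EXECUTE on DBMS_FGA.

-- 1. Honey table: looks valuable, but no application ever touches it,
--    so any access to it is suspicious by definition.
CREATE TABLE hr.salary_archive_honey (
  emp_id     NUMBER,
  full_name  VARCHAR2(100),
  salary     NUMBER,
  bank_iban  VARCHAR2(34)
);

-- Constructed fake rows; nothing here corresponds to a real person.
INSERT INTO hr.salary_archive_honey VALUES (1, 'Fake Person One',  95000, 'XX00FAKE0000000001');
INSERT INTO hr.salary_archive_honey VALUES (2, 'Fake Person Two', 120000, 'XX00FAKE0000000002');
COMMIT;

-- 2. Standard auditing: record every SELECT on the honey table, one
--    audit record per access rather than per session.
AUDIT SELECT ON hr.salary_archive_honey BY ACCESS;

-- 3. Fine-grained auditing: record UPDATEs of the real SALARY column that
--    are not tagged with the application's module name. MODULE is set by
--    the client (DBMS_APPLICATION_INFO), so this catches direct tools such
--    as SQL*Plus used by a curious DBA or employee; it is not proof against
--    someone who deliberately spoofs the module name.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_DIRECT_UPDATE',
    audit_condition => 'NVL(SYS_CONTEXT(''USERENV'',''MODULE''),''NONE'') <> ''PAYROLL_APP''',
    audit_column    => 'SALARY',
    statement_types => 'UPDATE',
    enable          => TRUE
  );
END;
/

-- 4. Review what was caught. Standard audit trail for the honey table...
SELECT username, os_username, userhost, timestamp, action_name
  FROM dba_audit_trail
 WHERE obj_name = 'SALARY_ARCHIVE_HONEY'
 ORDER BY timestamp DESC;

-- ...and the fine-grained trail for salary updates made outside the app,
-- including the SQL text that was run.
SELECT db_user, os_user, userhost, timestamp, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'EMP_DIRECT_UPDATE'
 ORDER BY timestamp DESC;

-- 5. Integrity baseline for the sensitive column: store this value after
--    each legitimate payroll run and compare it before the next one. A
--    different result means something changed salaries in between.
--    ORA_HASH is a coarse 32-bit hash, adequate for change detection but
--    not tamper-proof; use DBMS_CRYPTO.HASH if a cryptographic digest is needed.
SELECT SUM(ORA_HASH(emp_id || '|' || salary)) AS salary_baseline
  FROM hr.employees;
```

The honey table and the fine-grained policy answer two different questions: the first tells you who is browsing where they have no business, the second tells you who is changing sensitive data through a side door. Both produce records a DBA cannot easily avoid leaving behind, which is the point of auditing against the insider threat.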
Reference:

SQL Injection:
A technique (typically used by an external hacker) that exploits a security vulnerability in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string-literal escape characters embedded in SQL statements, or is not strongly typed and is thereby unexpectedly executed as SQL.
SQL injection can be in-band or out-of-band.
Example (data returned through the text of an error message):
SQL> select utl_inaddr.get_host_name('127.0.0.1') from dual;
localhost

SQL> select utl_inaddr.get_host_name((select
username||'='||password
from dba_users where rownum=1)) from dual;
select utl_inaddr.get_host_name((select
username||'='||password from dba_users where rownum=1))
from dual
*
ERROR at line 1:
ORA-29257: host SYS=8A8F025737A9097A unknown
ORA-06512: at "SYS.UTL_INADDR", line 4
ORA-06512: at "SYS.UTL_INADDR", line 35
ORA-06512: at line 1

Other out-of-band channels:
– Send information via HTTP to an external site via HTTPURI
– Send information via HTTP to an external site via utl_http
– Send information via DNS (max. 64 bytes) to an external site
– Blind SQL injection

How to protect your code
– SQL injection fixing
– Use static SQL where possible
– Use invoker rights
– Use bind variables where possible
– Check that the schema exists (to avoid blind SQL injection)
– Check that the object exists
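The following is an added example, not code from the original post, showing the protections in the list above applied to one PL/SQL lookup: an injectable version built by string concatenation, then the same lookup as static SQL with invoker rights, and finally a dynamic version that binds the value and validates the schema and object names with DBMS_ASSERT. The schema APP, the table APP.CUSTOMERS (columns CUST_NAME and EMAIL) and the procedure names are assumptions made for the example.

```sql
-- Added example (not from the original post). Assumed names: schema APP,
-- table APP.CUSTOMERS(cust_name, email), and the three procedures below.

-- BEFORE: the input is concatenated into the statement text. A value that
-- contains a single quote can close the literal and append its own SQL, which
-- is exactly how the utl_inaddr subquery above gets into a query. Definer
-- rights (the default) also make the statement run with the owner's
-- privileges rather than the caller's.
CREATE OR REPLACE PROCEDURE app.find_customer_unsafe (p_name IN VARCHAR2) IS
  v_email app.customers.email%TYPE;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT email FROM app.customers WHERE cust_name = ''' || p_name || ''''
    INTO v_email;
  DBMS_OUTPUT.PUT_LINE(v_email);
END;
/

-- AFTER, step 1: static SQL. The statement is fixed at compile time, so the
-- input can only ever be a value, never part of the SQL text. AUTHID
-- CURRENT_USER (invoker rights) makes it run with the caller's privileges.
CREATE OR REPLACE PROCEDURE app.find_customer (p_name IN VARCHAR2)
  AUTHID CURRENT_USER
IS
  v_email app.customers.email%TYPE;
BEGIN
  SELECT email INTO v_email FROM app.customers WHERE cust_name = p_name;
  DBMS_OUTPUT.PUT_LINE(v_email);
END;
/

-- AFTER, step 2: when the statement genuinely must be dynamic (here the
-- table to search varies), bind the data value with USING and validate the
-- identifiers with DBMS_ASSERT. SCHEMA_NAME raises ORA-44001 for a schema
-- that does not exist and SQL_OBJECT_NAME raises ORA-44002 for an object that
-- does not exist, so a crafted name fails before any SQL is built from it.
CREATE OR REPLACE PROCEDURE app.find_in_table (
  p_schema IN VARCHAR2,
  p_table  IN VARCHAR2,
  p_name   IN VARCHAR2)
  AUTHID CURRENT_USER
IS
  v_fqn   VARCHAR2(200);
  v_email VARCHAR2(255);
BEGIN
  -- Check that the schema exists, then that the object exists in it.
  v_fqn := DBMS_ASSERT.SQL_OBJECT_NAME(
             DBMS_ASSERT.SCHEMA_NAME(UPPER(p_schema)) || '.' || UPPER(p_table));

  -- The identifier has been validated; the data value travels as a bind
  -- variable (:name), so it can never be interpreted as SQL.
  EXECUTE IMMEDIATE
    'SELECT email FROM ' || v_fqn || ' WHERE cust_name = :name'
    INTO v_email USING p_name;
  DBMS_OUTPUT.PUT_LINE(v_email);
END;
/
```

Prefer the first hardened form wherever the statement can be known in advance; the DBMS_ASSERT form exists for the minority of cases where an identifier has to come from outside, and even then only the identifier is assembled as text, while every data value is bound.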
Reference:

What is Oracle Database Vault?
Oracle Database Vault, part of Oracle's comprehensive portfolio of database security solutions, helps organizations address regulatory mandates and increase the security of existing applications. With Oracle Database Vault, organizations can pro-actively safeguard application data stored in the Oracle database from being accessed by privileged database users.
Oracle Database Vault is an add-on option that is installed on top of an existing Oracle Database. The main goal of Database Vault is to provide separation-of-duty to protect against the insider threat.
Oracle Database Vault was launched in 2006 to put a limit on Database Administrators (DBAs) unlimited power especially over highly confidential data and where it is required by regulations.
Reference:

1 comment:

  1. Been using Kaspersky security for many years now, and I recommend this product to everyone.
