RE: Funny sort of question re sys password
- From: April Wells <AWells@xxxxxxxxxx>
- To: "'oracle-l@xxxxxxxxxxxxx'" <oracle-l@xxxxxxxxxxxxx>
- Date: Wed, 10 Mar 2004 09:36:59 -0600
and actually, the fundamentals of security say that you should follow the
principal of least privilege. Only allow any person to have exactly the
amount of authority that is necessary to do his or her job.
That also has little or nothing to do with the Oracle situation at hand, but
it does speak to having (or allowing) physical access to boxes.
My dad told me that it doesn't matter how big or how good you lock is, it is
only designed to be sure to keep out an honest person. Anyone determined to
not be honest will get in.
April Wells
Oracle DBA/Oracle Apps DBA
Corporate Systems
Amarillo Texas
@>-->-->--
"Few people really enjoy the simple pleasure of flying a kite"
Adam Wells age 11
"Imagination is the highest kite one can fly."
Lauren Bacall
-----Original Message-----
From: Igor Neyman [mailto:ineyman@xxxxxxxxxxxxxx]
Sent: Wednesday, March 10, 2004 8:51 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: RE: Funny sort of question re sys password
All this has nothing to do with Oracle security - it's OS security.
Igor Neyman, OCP DBA
ineyman@xxxxxxxxxxxxxx
-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Juan Cachito Reyes
Pacheco
Sent: Wednesday, March 10, 2004 9:32 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Re: Funny sort of question re sys password
The principle of security says
if you have access to the server (the physical computer) you have
access to its data.
For example in
Oracle in NT, you drop the service and recreate it, this is the time it
takes to recreate the service
and restart the server.
In NT, to bypass NTFS there is a floppy disk (cia software) used to
restart
with it you can change server password, fix regedit, copy files, etc.
Other chance is install another nt installation that gives you acces to
everything.
----- Original Message -----
From: "Nuno Souto" <dbvision@xxxxxxxxxxxxxxx>
To: "Oracle L" <oracle-l@xxxxxxxxxxxxx>
Sent: Wednesday, March 10, 2004 6:07 AM
Subject: Funny sort of question re sys password
> Someone at work maintains that it takes them 10 minutes to
> break the Oracle SYS password security.
>
> And the Sun boof-head (a different person and I use the
> term loosely...) assures me he's capable of doing so any time
> he wants.
>
> Now, I've been away from this security stuff for a year or so and
> I may well be wrong here, but breaking the password security
> means cracking the Oracle encryption. While this may be possible,
> I can't believe it only takes 10 minutes?
>
> Wouldn't it rather be a case of social engineering at work?
> Or just a plain vanilla "change_on_install" case?
>
> <says he who used to change it to "changed",
> with the obvious funny consequences>
> Cheers
> Nuno Souto
> nsouto@xxxxxxxxxxxxxxx
> ----------------------------------------------------------------
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> ----------------------------------------------------------------
> To unsubscribe send email to: oracle-l-request@xxxxxxxxxxxxx
> put 'unsubscribe' in the subject line.
> --
> Archives are at //www.freelists.org/archives/oracle-l/
> FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
> -----------------------------------------------------------------
>
----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to: oracle-l-request@xxxxxxxxxxxxx
put 'unsubscribe' in the subject line.
--
Archives are at //www.freelists.org/archives/oracle-l/
FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------
----------------------------------------------------------------
Please see the official ORACLE-L FAQ: http://www.orafaq.com
----------------------------------------------------------------
To unsubscribe send email to: oracle-l-request@xxxxxxxxxxxxx
put 'unsubscribe' in the subject line.
--
Archives are at //www.freelists.org/archives/oracle-l/
FAQ is at //www.freelists.org/help/fom-serve/cache/1.html
-----------------------------------------------------------------
The information contained in this communication, including attachments, is
strictly confidential and for the intended use of the addressee only; it may
also contain proprietary, price sensitive, or legally privileged information.
Notice is hereby given that any disclosure, distribution, dissemination, use,
or copying of the information by anyone other than the intended recipient is
strictly prohibited and may be illegal. If you have received this communication
in error, please notify the sender immediately by reply e-mail, delete this
communication, and destroy all copies.
Corporate Systems, Inc. has taken reasonable precautions to ensure that any
attachment to this e-mail has been swept for viruses. We specifically disclaim
all liability and will accept no responsibility for damage sustained as a
result of software viruses and advise you to carry out your own virus checks
before opening any attachment.
Other related posts:
