Re: password

  • From: Guillermo Alan Bort <cicciuxdba@xxxxxxxxx>
  • To: howard.latham@xxxxxxxxx
  • Date: Wed, 24 Mar 2010 12:32:22 -0300

I remember a tool in PL/SQL by a member of this list (I think it was Pete
Finnigan) that had to run with DBA privileges but checked DBA_USERS and
found 'weak' passwords, meaning it tested simple things like a dictionary
list and user=password. It was very well written, and while inherently slow
(PL/SQL), it was not as slow as most ERP/CRM/DWH applications out there ;-)

This tool, in theory, would be of no use to a hacker, since you already need
privileges to run it. However, someone exploiting a bug could gain the
privileges and find weak passwords...

Oh, and as to the original question: google this: oracle password brute
force.

That should yield something useful. Just make sure you change the profile of
the user so it doesn't lock up or expire (which should already be the case
for an app schema).

And I'm not worried about prosecution: in Argentina, criminal law has not yet
been updated to cover cybercrimes, so the worst they could do is give me a fine,
and they have a lot of easier targets ;-)
Alan.-
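The conditions the weak-password audit above tests for (dictionary words and user=password) are the same ones a DBA can reject up front with a profile PASSWORD_VERIFY_FUNCTION, and the same profile carries the lockout and expiry settings mentioned for app schemas. This is an added example, not code from the thread or from the tool Alan recalls; the function name, profile name, user name and the short word list are all made up for illustration, and the function must be created in the SYS schema as Oracle requires for verify functions.

```sql
-- Added example, not from the thread. Password verify functions must be owned
-- by SYS and use this fixed signature; all names here are placeholders.
CREATE OR REPLACE FUNCTION sys.reject_weak_password (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2)
RETURN BOOLEAN
IS
    -- Constructed placeholder list; a real deployment would load a far larger
    -- dictionary into a table and look the candidate up there.
    TYPE word_list IS TABLE OF VARCHAR2(30);
    common_words word_list := word_list('PASSWORD', 'ORACLE', 'WELCOME',
                                        'CHANGE_ON_INSTALL', 'MANAGER', 'TIGER');
BEGIN
    IF password IS NULL OR LENGTH(password) < 12 THEN
        raise_application_error(-20001, 'Password must be at least 12 characters');
    END IF;

    -- user=password: the first thing any weak-password audit tries
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20002, 'Password must not equal the username');
    END IF;

    -- Dictionary check; compared case-insensitively so capitalisation alone
    -- does not turn a dictionary word into an "acceptable" password
    FOR i IN 1 .. common_words.COUNT LOOP
        IF UPPER(password) = common_words(i) THEN
            raise_application_error(-20003, 'Password is a common dictionary word');
        END IF;
    END LOOP;

    -- Require at least one digit so a single plain word cannot pass
    IF NOT REGEXP_LIKE(password, '[0-9]') THEN
        raise_application_error(-20004, 'Password must contain a digit');
    END IF;

    RETURN TRUE;
END;
/

-- Profile for application schemas: enforce the function and keep a lockout
-- threshold, but do not expire the password, since an expired app schema
-- password takes the application down (the "lock up or expire" point above).
CREATE PROFILE app_schema_profile LIMIT
    PASSWORD_VERIFY_FUNCTION reject_weak_password
    FAILED_LOGIN_ATTEMPTS    10
    PASSWORD_LOCK_TIME       1/24
    PASSWORD_LIFE_TIME       UNLIMITED;

-- Assign it to the (placeholder) application owner
ALTER USER app_owner PROFILE app_schema_profile;
```

The verify function only runs when a password is set or changed, so it does not retroactively clean up accounts that already have weak passwords; that is exactly the gap a DBA-privileged audit over DBA_USERS, like the tool described, is meant to close.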


On Wed, Mar 24, 2010 at 11:08 AM, Howard Latham <howard.latham@xxxxxxxxx> wrote:

> I think you would have to take reasonable steps to verify the credentials
> of the requestor. That is what I am doing!
>
> On 24 March 2010 13:39, Joel Slowik <jslowik@xxxxxxxxx> wrote:
>
>>  “if they are attempting to illegally gain access then we can be
>> prosecuted for helping them.”
>>
>> That’s the case even though the request to the list appeared to be
>> genuine? Good Samaritan / good faith does not apply here?
>>
>> *From:* oracle-l-bounce@xxxxxxxxxxxxx [mailto:
>> oracle-l-bounce@xxxxxxxxxxxxx] *On Behalf Of *Howard Latham
>> *Sent:* Wednesday, March 24, 2010 9:07 AM
>> *To:* Goulet, Richard
>> *Cc:* david.robillard@xxxxxxxxx; robertgfreeman@xxxxxxxxx; oracle-l
>> *Subject:* Re: password
>>
>> Only if the person asking for help is genuine and that is the issue - if
>> they are attempting to illegally gain access then we can be prosecuted for
>> helping them.
>>
>> On 24 March 2010 13:03, Goulet, Richard <Richard.Goulet@xxxxxxxxxxx>
>> wrote:
>>
>> Howard,
>>
>> Now I don't know about British law and I'm no attorney, so take it with a
>> truckload of salt, but US law does make a distinction between malicious and
>> non-malicious hacking, meaning that it's illegal to hack a system to gain
>> improper access but OK if it has a proper business purpose. In the case
>> here I believe it would be looked upon as OK, since it's an internal person
>> trying to do their specified job that's doing the hacking because they have
>> no recourse.
>>
>> *Dick Goulet*
>> Senior Oracle DBA/NA Team Lead
>> PAREXEL International
>>
>>  ------------------------------
>>
>> *From:* oracle-l-bounce@xxxxxxxxxxxxx [mailto:
>> oracle-l-bounce@xxxxxxxxxxxxx] *On Behalf Of *Howard Latham
>> *Sent:* Wednesday, March 24, 2010 7:53 AM
>> *To:* david.robillard@xxxxxxxxx
>> *Cc:* robertgfreeman@xxxxxxxxx; oracle-l
>> *Subject:* Re: password
>>
>> Are the members here vetted in any way?
>> In the UK you can be prosecuted for aiding a hacker, and the email here is
>> good for evidence. So let's be careful out there, guys.
>> Hey, I've got this great way to crack an Oracle password .........
>>
>> On 24 March 2010 06:53, David Robillard <david.robillard@xxxxxxxxx>
>> wrote:
>>
>> > In fact, a well done presentation that demonstrates the vulnerability of
>> > an existing database using publicly available hacking tools is often
>> > very eye opening to management types if you are trying to secure a
>> > database and such management types are hesitant to spend the time/money.
>>
>> Hi Robert,
>>
>> Could you please share some URLs to such presentations?
>>
>> Many thanks,
>>
>> David
>> --
>> David Robillard
>> UNIX team leader & Oracle DBA
>> CISSP, RHCE, SCSA & SCSECA
>> Notarius
>> --
>> //www.freelists.org/webpage/oracle-l
>>
>> --
>> Howard A. Latham
>>
>> --
>> Howard A. Latham
>>
>
> --
> Howard A. Latham
>