Re: Funny sort of question re sys password

  • From: "Nuno Souto" <dbvision@xxxxxxxxxxxxxxx>
  • To: <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 10 Mar 2004 23:28:09 +1100

----- Original Message ----- 
From: "Pete Finnigan" <oracle_list@xxxxxxxxxxxxxxxxxxxxxxxxx>

> - these are toys really compared to a real cracker like John the ripper
> or lopht. 

Ah yes: I'm quite familiar with the second one.  Used it to 
"harden" my bank account passwords.  It can't crack them now
and I can still (barely!) remember them.

> I guess he is not talking about breaking the encryption or using a brute
> force or dictionary attack. He most probably is talking about being able
> to simply change the password of SYS. There are many many ways that
> would allow this that I can think of. Most depend on what your current
> set up is and whether you have blocked these avenues off. There are also
> issues of password leakage, vulnerabilities...

I'd class most of those under the umbrella of "social engineering": 
indirect acquisition of knowledge through exploitation of other weaknesses
in security.  But yes, it is possible that way.  

> If you look at my site http://www.petefinnigan.com/orasec.htm there are

Ta, I'll definitely look this up.


> Your Sun guy is easy though, he is just connecting as root and logging
> on as "/ as sysdba" - I guess.

This doesn't count: it assumes root password knowledge which would break 
ALL security in the system, not just Oracle's.   Also, logging in as the 
install user would achieve the same.  Or any user authorised to dba group, 
I suppose.  But all that assumes a breakdown in other than Oracle's 
security to start with.  That is not an Oracle inherent security problem.

I was more concerned with obvious security breaches such as unencrypted 
passwords ending up in log files or file headers, or unencrypted comms 
eavesdropping.  Guess those are not that easy with 9i, they used to be 
the order of the day with earlier versions.

Anyone know of any other ways?  
Cheers
Nuno Souto
in sunny Sydney, Australia
dbvision@xxxxxxxxxxxxxxx
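Added example, not part of the original thread: the OS-authentication path discussed above ("/ as sysdba") is open to every host account in the OSDBA group, so listing that group's primary and secondary members shows who holds passwordless SYSDBA without touching Oracle's own password at all. Assumptions: the OSDBA group is named dba (the usual Unix install default, but it is set at install time), and the group/passwd entries below are constructed sample data.

```shell
#!/bin/sh
# List OS accounts that can "connect / as sysdba" via OSDBA group membership.
# Covers both secondary membership (group file member list) and primary
# membership (passwd gid), which a plain "grep dba /etc/group" misses.
# root is not listed: it can become any of these accounts anyway.

osdba_members() {
    # $1 = group file, $2 = passwd file, $3 = OSDBA group name (assumed "dba")
    grpfile=$1; pwfile=$2; grp=$3
    gid=$(awk -F: -v g="$grp" '$1==g {print $3}' "$grpfile")
    [ -n "$gid" ] || return 1            # group does not exist on this host
    {
        # secondary members: 4th field of the group entry, comma separated
        awk -F: -v g="$grp" '$1==g && $4!="" {
            n=split($4,m,","); for(i=1;i<=n;i++) print m[i] }' "$grpfile"
        # primary members: accounts whose login gid is the OSDBA gid
        awk -F: -v gid="$gid" '$4==gid {print $1}' "$pwfile"
    } | sort -u
}

make_sample_files() {
    # Constructed sample data standing in for /etc/group and /etc/passwd.
    dir=$(mktemp -d)
    cat > "$dir/group" <<'EOF'
root:x:0:
dba:x:200:oracle,sunadmin
users:x:100:
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
oracle:x:1001:200:Oracle owner:/export/home/oracle:/bin/sh
sunadmin:x:1002:100:Sun admin:/export/home/sunadmin:/bin/sh
appuser:x:1003:200:App account:/export/home/appuser:/bin/sh
EOF
    echo "$dir"
}

# Stand-alone run on the sample data; on a real host pass
# /etc/group /etc/passwd and the OSDBA group from your install.
sample=$(make_sample_files)
osdba_members "$sample/group" "$sample/passwd" dba
rm -rf "$sample"
```

Note that appuser shows up only through its primary gid; it never appears in the group file's member list, which is exactly the entry a quick grep of the dba line would miss.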