Re: Re: Funny sort of question re sys password

  • From: dbvision@xxxxxxxxxxxxxxx
  • To: "oracle-l @ freelists . org" <oracle-l@xxxxxxxxxxxxx>
  • Date: Thu, 11 Mar 2004 08:22:58 +1100

> Pete Finnigan <oracle_list@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

> password and then having access as SYS - those methods are not social
> engineering but hacking. I am trying to be vague as it's not a good idea
> to show people in a public forum how to hack.

Beg to disagree.  If hacking techniques (including social engineering)
are not made public, there is no way in the world we can expect people 
to learn how to "harden" their systems.  I've learned a lot about how to 
secure my systems by frequenting hacker exploit sites.  It's amazing what 
can be learned this way.  Where I got l0phtcrack among so many others.

The dblinks weakness has been around for a long time and is
fixed I believe since 8.0.  The command line uid/pwd weakness
is common to any other product where one types passwords
in the command line.  A proper password check must always involve
a challenge.  Volunteering a password is the quick way to a cracked system.
IMHO, it should be fixed by disallowing uid/pwd to be used in the command line.
I.e., make SQLPuss and other commands not accept pwd in command line.
The log files are a real problem.  Proper protection on them is mandatory,
but who bothers?   I can count on one hand the number of sites
I've been to in 15 years that had their log directories protected.
The SGA dumping was news to me.  A roundabout way, but effective.
The SQL injection has been doing the rounds for a while and is not
only Oracle's problem.  The comms eavesdropping can be countered 
by using an encoded comm protocol.  There are a few now that can be 
used with Oracle Net.  But once again, I can count on one hand the 
number of sites where I have seen a custom Net setup including 
encryption.  Too hard basket.  

April said it in one: increased security should be the default, not the option.

Coming back to the initial concern, I still can't see how someone
can claim to crack the Oracle security in 10 minutes.  Other than by
using external exploits.  As far as I know, DES is still 10-minute
safe?

> If
> he is the sysadmin and he has an exploit and it's not patched then
> someone should be considering his loyalty to your company.

Exactly.  That is why I reckon exploits should be discussed openly.
Otherwise the potential is there for someone to grab hold of one and do
untold damage before others become aware it is possible.

> SQL> alter user scott identified by tiger;
> 
> User altered.
> 
> and the SQL*Net trace shows:

Yup.  So if anyone has access to the trace, security is history.

BTW, thanks for the feedback everyone.  Much appreciated.
Cheers
Nuno
@work
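
Added example, not part of the original post: a small audit for the command-line uid/pwd weakness discussed above, which flags Oracle client processes whose arguments carry a password. The process listing is constructed sample data (the `/u01/app/oracle/bin` path, OS user names and `system/manager` are assumptions), and the tool list and regex are this example's own choices.

```python
import os
import re

# Oracle client tools that accept a connect string as an argument.
ORACLE_TOOLS = {"sqlplus", "exp", "imp", "sqlldr", "rman"}
# user/password[@alias], optionally prefixed with userid= (exp/imp/sqlldr).
CONNECT = re.compile(
    r'^(?:userid=)?"?(?P<user>[A-Za-z][\w$#]*)/[^@\s"]+(?:@\S+)?"?$', re.IGNORECASE)

# Constructed `ps -eo user,pid,args` output for the example.
SAMPLE_PS = """\
oracle   4121 sqlplus / as sysdba
batch    4188 /u01/app/oracle/bin/sqlplus -s scott/tiger@orcl @nightly.sql
batch    4190 exp userid=system/manager file=/tmp/full.dmp
nuno     4203 sqlplus /nolog
nuno     4210 sqlplus scott@orcl
nuno     4215 vim notes/todo.txt
"""

def find_exposed_logins(ps_text):
    """Return (os_user, pid, tool, db_user) for each process exposing a password."""
    findings = []
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not parts[1].isdigit():
            continue  # header or malformed line
        os_user, pid, args = parts
        argv = args.split()
        tool = os.path.basename(argv[0]).lower()
        if tool not in ORACLE_TOOLS:
            continue
        for tok in argv[1:]:
            m = CONNECT.match(tok)
            if m:  # OS auth ("/"), /nolog and user@alias do not match
                findings.append((os_user, int(pid), tool, m.group("user")))
                break
    return findings

def redact(args):
    """Mask passwords so the audit report does not repeat the leak."""
    return " ".join(
        re.sub(r'/[^@\s"]+', "/****", t, count=1) if CONNECT.match(t) else t
        for t in args.split())

if __name__ == "__main__":
    for finding in find_exposed_logins(SAMPLE_PS):
        print(finding)
```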