Re: password

  • From: Howard Latham <howard.latham@xxxxxxxxx>
  • To: Guillermo Alan Bort <cicciuxdba@xxxxxxxxx>
  • Date: Wed, 24 Mar 2010 15:54:02 +0000

That's the solution - post from Argentina! :-)

On 24 March 2010 15:32, Guillermo Alan Bort <cicciuxdba@xxxxxxxxx> wrote:

> I remember a tool in PL/SQL by a member of this list (I think it was Pete
> Finnigan), that had to run with DBA privileges, but checked DBA_USERS and
> found 'weak' passwords. Meaning it tested simple things like a dictionary
> list and user=password stuff. It was very well written and while being
> inherently slow (PL/SQL) it was not as slow as most ERP/CRM/DWH applications
> out there ;-)
>
> This tool, in theory, would be of no use to a hacker, since you already
> need privileges to run it. However, someone exploiting a bug could gain the
> privileges and find weak passwords...
>
> Oh, and as to the original question: google this: oracle password brute
> force.
>
> that should yield something useful. Just make sure you change the profile
> of the user so it doesn't lock up or expire (which should already be the
> case for an app schema).
>
> And I'm not worried about prosecution, in Argentina criminal law has not
> yet been updated to cybercrimes, so the worst they could do is give me a
> fine, and they have a lot of easier targets ;-)
> Alan.-
>
>
>
> On Wed, Mar 24, 2010 at 11:08 AM, Howard Latham <howard.latham@xxxxxxxxx> wrote:
>
>> I think you would have to take reasonable steps to verify the credentials
>> of the requestor. That is what I am doing!
>>
>> On 24 March 2010 13:39, Joel Slowik <jslowik@xxxxxxxxx> wrote:
>>
>>> “if they are attempting to illegally gain access then we can be
>>> prosecuted for helping them.”
>>>
>>> That’s the case even though the request to the list appeared to be
>>> genuine? Good Samaritan / good faith does not apply here?
>>>
>>>
>>>
>>> *From:* oracle-l-bounce@xxxxxxxxxxxxx [mailto:
>>> oracle-l-bounce@xxxxxxxxxxxxx] *On Behalf Of *Howard Latham
>>> *Sent:* Wednesday, March 24, 2010 9:07 AM
>>> *To:* Goulet, Richard
>>> *Cc:* david.robillard@xxxxxxxxx; robertgfreeman@xxxxxxxxx; oracle-l
>>> *Subject:* Re: password
>>>
>>>
>>>
>>> Only if the person asking for help is genuine and that is the issue - if
>>> they are attempting to illegally gain access then we can be prosecuted for
>>> helping them.
>>>
>>> On 24 March 2010 13:03, Goulet, Richard <Richard.Goulet@xxxxxxxxxxx>
>>> wrote:
>>>
>>> Howard,
>>>
>>>
>>>
>>> Now I don't know about British law and I'm no attorney so take it
>>> with a truck load of salt, but US law does make a distinction between
>>> malicious and non-malicious hacking.  Meaning that it's illegal to hack a
>>> system to gain improper access but OK if it has a proper business
>>> purpose.  In the case here I believe it would be looked upon as OK since
>>> it's an internal person trying to do their specified job that's doing the
>>> hacking because they have no recourse.
>>>
>>>
>>>
>>> *Dick Goulet*
>>> Senior Oracle DBA/NA Team Lead
>>> PAREXEL International
>>>
>>>
>>>
>>>
>>>  ------------------------------
>>>
>>> *From:* oracle-l-bounce@xxxxxxxxxxxxx [mailto:
>>> oracle-l-bounce@xxxxxxxxxxxxx] *On Behalf Of *Howard Latham
>>> *Sent:* Wednesday, March 24, 2010 7:53 AM
>>> *To:* david.robillard@xxxxxxxxx
>>> *Cc:* robertgfreeman@xxxxxxxxx; oracle-l
>>> *Subject:* Re: password
>>>
>>> Are the members here vetted in any way?
>>> In the UK you can be prosecuted for aiding a hacker, and the email here
>>> is good for evidence. So let's be careful out there, guys.
>>> Hey, I've got this great way to crack an Oracle password .........
>>>
>>> On 24 March 2010 06:53, David Robillard <david.robillard@xxxxxxxxx>
>>> wrote:
>>>
>>> > In fact, a well done presentation that demonstrates the vulnerability
>>> of
>>> > an existing database using publicly available hacking tools is often
>>> > very eye opening to management types if you are trying to secure a
>>> > database and such management types are hesitant to spend the
>>> time/money.
>>>
>>> Hi Robert,
>>>
>>> Could you please share some URLs to such presentations?
>>>
>>> Many thanks,
>>>
>>> David
>>> --
>>> David Robillard
>>> UNIX team leader & Oracle DBA
>>> CISSP, RHCE, SCSA & SCSECA
>>> Notarius
>>> --
>>> //www.freelists.org/webpage/oracle-l
>>>
>>>
>>>
>>>
>>> --
>>> Howard A. Latham
>>>
>>>
>>>
>>>
>>> --
>>> Howard A. Latham
>>>
>>>
>>
>>
>>
>> --
>> Howard A. Latham
>>
>>
>>
>


-- 
Howard A. Latham
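
Added example, not from this thread and not Pete Finnigan's tool: the defensive counterpart of the DBA_USERS weak-password audit Alan describes. It is an Oracle password verify function that rejects the same trivial passwords such a tool would flag (user=password, passwords containing the username, a short dictionary list), a profile that applies it together with the lockout and expiry limits the thread talks about changing, and a DBA_USERS/DBA_PROFILES query that reports accounts whose profile leaves guessing unbounded. The names app_pwd_verify, app_secure and app_owner, and the six-word dictionary, are assumptions constructed for this example.

```sql
-- Added example (not the thread's or Pete Finnigan's code). Names
-- app_pwd_verify, app_secure and app_owner are assumptions for illustration.

-- 1. Password verify function; Oracle requires it to live in the SYS schema.
CREATE OR REPLACE FUNCTION app_pwd_verify (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2
) RETURN BOOLEAN
IS
    -- Small constructed word list for the example; a real deployment
    -- would load a much larger dictionary.
    TYPE word_list IS TABLE OF VARCHAR2(30);
    weak_words word_list := word_list('password', 'oracle', 'welcome',
                                      'manager', 'change_on_install', 'tiger');
    pw  VARCHAR2(128) := LOWER(password);
    usr VARCHAR2(128) := LOWER(username);
BEGIN
    -- user = password, or the username embedded anywhere in the password
    IF pw = usr OR INSTR(pw, usr) > 0 THEN
        raise_application_error(-20001, 'Password must not contain the username');
    END IF;

    IF LENGTH(password) < 12 THEN
        raise_application_error(-20002, 'Password must be at least 12 characters');
    END IF;

    -- dictionary word, alone or used as a prefix (e.g. "welcome1")
    FOR i IN 1 .. weak_words.COUNT LOOP
        IF pw = weak_words(i) OR pw LIKE weak_words(i) || '%' THEN
            raise_application_error(-20003, 'Password is a common dictionary word');
        END IF;
    END LOOP;

    -- old_password is NULL when a DBA sets the password; only compare when present
    IF old_password IS NOT NULL AND LOWER(old_password) = pw THEN
        raise_application_error(-20004, 'New password must differ from the old one');
    END IF;

    RETURN TRUE;
END;
/

-- 2. Profile that enforces the function and bounds guessing.
--    PASSWORD_LOCK_TIME is in days: 1/24 is one hour.
CREATE PROFILE app_secure LIMIT
    PASSWORD_VERIFY_FUNCTION app_pwd_verify
    FAILED_LOGIN_ATTEMPTS    10
    PASSWORD_LOCK_TIME       1/24
    PASSWORD_LIFE_TIME       90
    PASSWORD_GRACE_TIME      7;

-- Assign it to an application schema (app_owner is an assumed name) and
-- expire the current password so the verify function is applied at the
-- next change; the function itself never inspects passwords already set.
ALTER USER app_owner PROFILE app_secure;
ALTER USER app_owner PASSWORD EXPIRE;

-- 3. Audit: accounts whose profile allows unlimited failed logins or a
--    password that never expires. Run as a DBA, like the tool in the thread.
SELECT u.username, u.profile, u.account_status,
       MAX(CASE WHEN p.resource_name = 'FAILED_LOGIN_ATTEMPTS' THEN p.limit END) AS failed_logins,
       MAX(CASE WHEN p.resource_name = 'PASSWORD_LIFE_TIME'    THEN p.limit END) AS life_time
  FROM dba_users    u
  JOIN dba_profiles p ON p.profile = u.profile
 WHERE p.resource_type = 'PASSWORD'
 GROUP BY u.username, u.profile, u.account_status
HAVING MAX(CASE WHEN p.resource_name = 'FAILED_LOGIN_ATTEMPTS' THEN p.limit END) = 'UNLIMITED'
    OR MAX(CASE WHEN p.resource_name = 'PASSWORD_LIFE_TIME'    THEN p.limit END) = 'UNLIMITED'
 ORDER BY u.username;
```

Two caveats a DBA running this should keep in mind. A DBA_PROFILES limit of 'DEFAULT' means the value is inherited from the DEFAULT profile, so the audit query only reports explicit UNLIMITED settings and should be run a second time against the DEFAULT profile's own rows. And the verify function runs only when a password is set, which is why the example expires the existing password: until the next change, a weak password already in DBA_USERS is exactly what the PL/SQL audit tool Alan mentions exists to find.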
