That's the solution - post from Argentina ! :-)

On 24 March 2010 15:32, Guillermo Alan Bort <cicciuxdba@xxxxxxxxx> wrote:

> I remember a tool in PL/SQL by a member of this list (I think it was Pete
> Finnigan), that had to run with DBA privileges, but checked DBA_USERS and
> found 'weak' passwords. Meaning it tested simple things like a dictionary
> list and user=password stuff. It was very well written and while being
> inherently slow (PL/SQL) it was not as slow as most ERP/CRM/DWH applications
> out there ;-)
>
> This tool, in theory, would be of no use to a hacker, since you already
> need privileges to run it. However, someone exploiting a bug could gain the
> privileges and find weak passwords...
>
> Oh, and as to the original question: google this: oracle password brute
> force.
>
> That should yield something useful. Just make sure you change the profile
> of the user so it doesn't lock up or expire (which should already be the
> case for an app schema).
>
> And I'm not worried about prosecution, in Argentina criminal law has not
> yet been updated to cybercrimes, so the worst they could do is give me a
> fine, and they have a lot of easier targets ;-)
> Alan.-
>
> On Wed, Mar 24, 2010 at 11:08 AM, Howard Latham <howard.latham@xxxxxxxxx> wrote:
>
>> I think you would have to take reasonable steps to verify the credentials
>> of the requestor. That is what I am doing!
>>
>> On 24 March 2010 13:39, Joel Slowik <jslowik@xxxxxxxxx> wrote:
>>
>>> "if they are attempting to illegally gain access then we can be
>>> prosecuted for helping them."
>>>
>>> That's the case even though the request to the list appeared to be
>>> genuine? Good Samaritan / good faith does not apply here?
>>>
>>> *From:* oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] *On Behalf Of *Howard Latham
>>> *Sent:* Wednesday, March 24, 2010 9:07 AM
>>> *To:* Goulet, Richard
>>> *Cc:* david.robillard@xxxxxxxxx; robertgfreeman@xxxxxxxxx; oracle-l
>>> *Subject:* Re: password
>>>
>>> Only if the person asking for help is genuine and that is the issue - if
>>> they are attempting to illegally gain access then we can be prosecuted for
>>> helping them.
>>>
>>> On 24 March 2010 13:03, Goulet, Richard <Richard.Goulet@xxxxxxxxxxx> wrote:
>>>
>>> Howard,
>>>
>>> Now I don't know about British law and I'm no attorney so take it
>>> with a truck load of salt, but US law does make a distinction between
>>> malicious and non-malicious hacking. Meaning that it's illegal to hack a
>>> system to gain improper access but OK if it has a proper business
>>> purpose. In the case here I believe it would be looked upon as OK since
>>> it's an internal person trying to do their specified job that's doing the
>>> hacking because they have no recourse.
>>>
>>> *Dick Goulet*
>>> Senior Oracle DBA/NA Team Lead
>>> PAREXEL International
>>>
>>> ------------------------------
>>>
>>> *From:* oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] *On Behalf Of *Howard Latham
>>> *Sent:* Wednesday, March 24, 2010 7:53 AM
>>> *To:* david.robillard@xxxxxxxxx
>>> *Cc:* robertgfreeman@xxxxxxxxx; oracle-l
>>> *Subject:* Re: password
>>>
>>> Are the members here vetted in any way?
>>> In the UK you can be prosecuted for Aiding a Hacker - And the email here
>>> is good for evidence. So let's be careful out there guys.
>>> Hey I've got this great way to crack an Oracle password .........
>>>
>>> On 24 March 2010 06:53, David Robillard <david.robillard@xxxxxxxxx> wrote:
>>>
>>> > In fact, a well done presentation that demonstrates the vulnerability of
>>> > an existing database using publicly available hacking tools is often
>>> > very eye opening to management types if you are trying to secure a
>>> > database and such management types are hesitant to spend the time/money.
>>>
>>> Hi Robert,
>>>
>>> Could you please share some URLs to such presentations?
>>>
>>> Many thanks,
>>>
>>> David
>>> --
>>> David Robillard
>>> UNIX team leader & Oracle DBA
>>> CISSP, RHCE, SCSA & SCSECA
>>> Notarius

--
Howard A. Latham
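The weak-password check Alan describes above (user=password, then a short dictionary, run from inside the database with DBA rights) can be reproduced as an offline hash comparison. The PL/SQL block below is an added example written for this page; it is not Pete Finnigan's tool and not code from the thread. It assumes the pre-11g (10g-style) DES-based password hash, which is publicly documented, is readable from SYS.USER$.PASSWORD (on 10g the same value is also shown in DBA_USERS.PASSWORD), that the session has EXECUTE on DBMS_CRYPTO and SELECT on SYS.USER$, and that passwords are plain ASCII. The candidate word list is constructed for the demo; the function name ora10g_hash and the list name l_words are the example's own.

```sql
-- Added example: audit accounts for user=password and dictionary passwords
-- by recomputing the 10g-style hash and comparing it with the stored value.
-- Assumes: DBA session with EXECUTE on DBMS_CRYPTO and SELECT on SYS.USER$.
SET SERVEROUTPUT ON
DECLARE
  TYPE t_words IS TABLE OF VARCHAR2(30);
  -- constructed candidate list; a real audit would load a dictionary table
  l_words t_words := t_words('MANAGER', 'TIGER', 'CHANGE_ON_INSTALL',
                             'ORACLE', 'PASSWORD', 'WELCOME1');
  l_found BOOLEAN;

  -- 10g hash algorithm (publicly documented): UPPER(user||pass) widened to
  -- two bytes per character (0x00 high byte), zero-padded to an 8-byte
  -- DES block, DES-CBC with zero IV under the fixed key 0123456789ABCDEF;
  -- the last ciphertext block keys a second pass over the same input, and
  -- the last block of that pass, in hex, is the stored hash.
  FUNCTION ora10g_hash(p_user IN VARCHAR2, p_pass IN VARCHAR2) RETURN VARCHAR2 IS
    l_str  VARCHAR2(60) := UPPER(p_user || p_pass);
    l_in   RAW(256)     := NULL;
    l_iv   RAW(8)       := HEXTORAW('0000000000000000');
    l_key  RAW(8)       := HEXTORAW('0123456789ABCDEF');
    l_mode PLS_INTEGER  := DBMS_CRYPTO.ENCRYPT_DES
                         + DBMS_CRYPTO.CHAIN_CBC
                         + DBMS_CRYPTO.PAD_NONE;
    l_enc  RAW(256);
  BEGIN
    -- widen each (ASCII) character to two bytes, high byte first
    FOR i IN 1 .. LENGTH(l_str) LOOP
      l_in := UTL_RAW.CONCAT(l_in, HEXTORAW('00'),
                             UTL_RAW.CAST_TO_RAW(SUBSTR(l_str, i, 1)));
    END LOOP;
    -- zero-pad to a multiple of the DES block size
    WHILE MOD(UTL_RAW.LENGTH(l_in), 8) <> 0 LOOP
      l_in := UTL_RAW.CONCAT(l_in, HEXTORAW('00'));
    END LOOP;
    l_enc := DBMS_CRYPTO.ENCRYPT(src => l_in, typ => l_mode, key => l_key, iv => l_iv);
    l_key := UTL_RAW.SUBSTR(l_enc, -8, 8);      -- last block becomes the key
    l_enc := DBMS_CRYPTO.ENCRYPT(src => l_in, typ => l_mode, key => l_key, iv => l_iv);
    RETURN RAWTOHEX(UTL_RAW.SUBSTR(l_enc, -8, 8));
  END ora10g_hash;
BEGIN
  -- type# = 1 selects users (not roles); a 16-hex-digit value is a 10g hash,
  -- which skips EXTERNAL/GLOBAL accounts and 11g-only (SPARE4) entries
  FOR u IN (SELECT name, password
              FROM sys.user$
             WHERE type# = 1
               AND password IS NOT NULL
               AND LENGTH(password) = 16) LOOP
    l_found := FALSE;
    -- user=password is the first thing the tool in the thread tested
    IF ora10g_hash(u.name, u.name) = u.password THEN
      DBMS_OUTPUT.PUT_LINE(u.name || ': password equals username');
      l_found := TRUE;
    END IF;
    -- then the dictionary; stop at the first hit for this account
    FOR i IN 1 .. l_words.COUNT LOOP
      EXIT WHEN l_found;
      IF ora10g_hash(u.name, l_words(i)) = u.password THEN
        DBMS_OUTPUT.PUT_LINE(u.name || ': dictionary word ' || l_words(i));
        l_found := TRUE;
      END IF;
    END LOOP;
  END LOOP;
END;
/
```

Because this compares hashes rather than attempting logons, it never touches the account's FAILED_LOGIN_ATTEMPTS counter, so the profile change Alan mentions (so the account doesn't lock up or expire) is only needed for tools that brute-force over a real connection. The same property is what makes the hash worth protecting: anyone who can read SYS.USER$ can run this offline, which is the point of his remark that a privilege-escalation bug turns a DBA-only audit tool into an attacker's tool. The 11g salted SHA-1 hash held in SPARE4 uses a different algorithm and is not covered by ora10g_hash.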