Epic Hacking

August 10th, 2012

Why can’t I get rid of the nagging feeling that this guy asked the hacker himself to do it, to get a great story into Wired and everywhere? Staged like this, the story is much better than if he had simply reported that it was theoretically possible to remotely wipe somebody’s iDevices just by abusing Amazon’s and Apple’s flawed password reset routines.

In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.

via How Apple and Amazon Security Flaws Led to My Epic Hacking.

Maybe it’s because of a flood of recent stories where journalists’ ethics were less than questionable?

Already 3 months gone by? April 2011 Critical Patch Update Released (direct link to Database vulnerabilities). Mostly obscure components that aren’t in widespread use in the DB world, but who knows…

Intel’s McAfee Acquires Sentrigo To Boost Database Security Offerings. That’s not surprising, given that Sentrigo has the best product in that space. Oracle already acquired Secerno last year, so other vendors now have to build their portfolio.

Dave DeWalt, president of McAfee, said of the acquisition: McAfee is continuing to broaden its security portfolio to now secure databases, as well as endpoints, networks, email and web. He added that the company is also announcing a “complete database security platform” which includes products across the McAfee portfolio.

McAfee’s Vulnerability Manager for Databases will automatically discover all databases on the network, collect a full inventory of configuration details, determine if the latest patches have been applied, and scan for vulnerabilities. McAfee’s Database Activity Monitoring (DAM) not only tracks database changes, but also protects data from external threats and malicious insiders with real-time alerts and session termination.

Let’s see what the combined companies are going to bring.

Oracle Database Firewall

March 18th, 2011

Oracle recently released its Oracle Database Firewall.

[The] release of Oracle Database Firewall is the culmination of the company’s acquisition of database security vendor Secerno last year. The product creates a defensive perimeter around databases by looking at SQL statements sent to the database through the wire to determine whether to pass, log, alert, block, or substitute SQL statements based on an organization’s policies. Users can set whitelist or blacklist policies to control the product, which is designed to work not only with Oracle databases, but also other major platforms, such as DB2, SQL Server and Sybase platforms.

As usual, they claim it’s going to replace all competitors’ remotely similar products, which is now causing quite a controversy among them, nicely summarized by Pete Finnigan in Oracle Database Firewall Controversy.
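To make the pass/log/alert/block model from the product description above concrete, here is an added toy example in Python. It is not Oracle’s or Secerno’s code and says nothing about how Oracle Database Firewall is actually implemented; it only shows the general shape of such a policy engine: statements are reduced to a structural fingerprint (literals replaced by placeholders), a whitelist of fingerprints is learned from a trusted baseline workload, a blacklist of patterns is always blocked, and a mode decides what happens to statements that match neither. The baseline statements, table names, blacklist patterns and the `monitor`/`enforce` mode names are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    PASS = "pass"
    LOG = "log"
    ALERT = "alert"
    BLOCK = "block"


def fingerprint(sql: str) -> str:
    """Reduce a statement to its structure: comments removed, whitespace
    collapsed, case folded, and every string/numeric literal replaced by '?'.
    Two statements that differ only in their literal values share a fingerprint,
    so the whitelist does not explode with one entry per parameter value."""
    s = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)      # block comments
    s = re.sub(r"--[^\n]*", " ", s)                       # line comments
    s = re.sub(r"'(?:[^']|'')*'", "?", s)                 # string literals (with '' escapes)
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)              # numeric literals
    s = re.sub(r"\s+", " ", s).strip().lower()
    return s.rstrip(" ;")


@dataclass
class Policy:
    """Learned whitelist of fingerprints plus blacklist regexes; 'unknown'
    is the action for a statement that matches neither list."""
    whitelist: set = field(default_factory=set)
    blacklist: list = field(default_factory=list)
    unknown: Action = Action.ALERT

    def learn(self, statements):
        """Learning phase: record fingerprints of a trusted baseline workload."""
        for stmt in statements:
            self.whitelist.add(fingerprint(stmt))

    def evaluate(self, sql: str):
        """Return (action, fingerprint). Blacklist wins over whitelist."""
        fp = fingerprint(sql)
        for pattern in self.blacklist:
            if re.search(pattern, fp):
                return Action.BLOCK, fp
        if fp in self.whitelist:
            return Action.PASS, fp
        return self.unknown, fp


# Constructed sample of an application's normal workload (not real data).
BASELINE = [
    "SELECT name, salary FROM employees WHERE emp_id = 7369",
    "UPDATE employees SET salary = 1250.00 WHERE emp_id = 7369",
    "INSERT INTO audit_log (who, what) VALUES ('scott', 'login')",
]

# Constructed blacklist: statement shapes this application never issues.
BLACKLIST = [
    r"\bdrop\s+(table|user)\b",
    r"\btruncate\s+table\b",
    r"\bunion\b[^;]*\bselect\b",
]


def build_policy(mode: str) -> Policy:
    """'monitor' only alerts on unknown statements; 'enforce' blocks them."""
    unknown = Action.ALERT if mode == "monitor" else Action.BLOCK
    policy = Policy(blacklist=list(BLACKLIST), unknown=unknown)
    policy.learn(BASELINE)
    return policy


def decide(mode: str, sql: str) -> str:
    """Convenience wrapper: the action name a statement receives under a mode."""
    return build_policy(mode).evaluate(sql)[0].value


if __name__ == "__main__":
    samples = [
        "select name, salary from employees where emp_id = 7902 -- ticket 123",
        "SELECT name, salary FROM employees WHERE emp_id = 7369 OR 1=1",
        "DROP TABLE employees",
    ]
    for mode in ("monitor", "enforce"):
        for stmt in samples:
            action, fp = build_policy(mode).evaluate(stmt)
            print(f"[{mode}] {action.value:5s}  {fp}")
```

The point of the fingerprinting step is the same one a real whitelist product has to solve: a statement with a different bound value must still match the learned shape, while a statement whose structure has changed (an extra `OR ?=?` clause, for instance) must not. Running the policy in a monitoring mode first, and only switching to blocking once the whitelist covers the real workload, is what keeps such a perimeter from breaking the application it protects.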

It’s that time of the year again: January 2011 Oracle Critical Patch Update Released. People using OEM Grid Control on 11g versions and people using RAC on 10g and newer are vulnerable to remote vulnerabilities not requiring authentication, so again quite a serious CPU. Go and patch!

Oracle answers one of the most asked questions around CPUs: What are the criteria used by Oracle to decide whether a vulnerability warrants a fix in the CPU?

NoSQL and Cloud Security

November 15th, 2010

NoSQL and Cloud Security: it’s in a bad shape, says Jeff Darcy, so pretty much single-user only on firewalled machines. Make sure you know what you’re doing!

The Oracle Critical Patch Update October 2010 is out, see the Oracle Security Blog for commentary. Of the 9 Database related vulnerabilities, 7 do not apply if you are on the latest patchset on 10gR2 or 11gR2, a much higher than usual number, and hopefully a good sign for what’s to come. On the other hand, that means you should really be on the latest patchset for these, and get off of 10gR1 and 11gR1 urgently, unless you want to keep up the patching cycles.

Project Lockdown updated for 11gR2

September 14th, 2010

Arup Nanda finally updated his Project Lockdown series of Oracle Security articles for 11gR2. Definitely worth a read (and I’m surprised I can’t find an article on my blog about the first version of Project Lockdown – must’ve happened during a low-impact-blogging phase).

Via Alexander Kornbrust.

Oracle CPU July 2010

July 13th, 2010

Oracle’s Critical Patch Update July 2010 is out, with two easy-to-exploit DoS vulnerabilities in the Database network stack (although one on Windows only), and one critical vulnerability in the OLAP component – let’s just hope that this one only opens the DB to attack if OLAP is actually linked in… because I guess most people’s Oracle will not have OLAP built in.

There are three more DB vulnerabilities – check the DB matrix in the appendix for details.

As usual, our lucky French Eric Maurice gives the full rundown at the Oracle Security Blog.