Enterprises using Linux operating systems to run servers or desktops may want to consider hiring specialists to guard against malicious actions initiated through the "less" command.
In addition, Linux users should also be aware that they have been targeted by a dangerous cyberespionage operation that is believed to be headquartered in Russia. If these two threats go unacknowledged, enterprises that use Linux may sustain grievous data breaches.
A bug in the "less" command
The vulnerability concerning less was detailed by Lucian Constantin, a contributor to Computerworld. Constantin noted that less presents itself as a "harmless" instruction that enables users to view the contents of files downloaded from the Web. However, using the less directive could also allow perpetrators to execute code remotely.
Less is typically used to view information without having to load files into a computer's memory, a huge help for those simply browsing documents on the Internet. However, lesspipe is a script that automatically accesses third-party tools to process files with miscellaneous extensions such as .pdf, .gz, .xpi, and so on.
One such tool, the cpio file archiver, could enable a cybercriminal to initiate an arbitrary code execution exploit. Essentially, this would give the attacker control over the machine and the ability to manipulate it at will. This particular bug was discovered by Michal Zalewski, a Google security engineer.
"While it's a single bug in cpio, I have no doubt that many of the other lesspipe programs are equally problematic or worse," said Zalewski, as quoted by Constantin.
Taking aim and firing
The less command isn't the only thing Linux users should be concerned with. In a separate piece for PCWorld, Constantin noted that Russian cyberespionage group Epic Turla has directed its attention toward infiltrating machines running Linux.
Kaspersky Lab asserted that Epic Turla is taking advantage of cd00r, an open-source backdoor program created in 2000. This tool lets its operator run arbitrary commands and "listen" for instructions arriving over Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), which is exactly what makes it a dangerous espionage asset.
"It can't be discovered via netstat, a commonly used administrative tool," said Kaspersky researchers, as quoted by Constantin. "We suspect that this component was running for years at a victim site, but do not have concrete data to support that statement just yet."
If Linux users want to secure their systems, consulting with specialists certified in the OS may not be a bad idea.
The post Linux users may need experts to reinforce malware detection functions appeared first on Remote DBA Experts.
Volume and velocity are two words analysts are associating with health care data, motivating CIOs to assess the scalability and security of their current database infrastructures.
Protecting the sensitive information contained within electronic health records has always been a concern, but the greatest issue at hand is that some health care providers don't have the personnel, assets or time required to effectively manage and defend their databases. These concerns may incite mass adoption of outsourced database administration services.
Greater volume at a faster rate
CIO.com's Kenneth Corbin referenced a report conducted by EMC and research firm IDC, which discovered that the amount of health information is expected to increase 48 percent on an annual basis for the foreseeable future. In 2013, 153 exabytes of health care data existed. By 2020, that figure is anticipated to expand to 2,314 exabytes.
EMC and IDC analysts proposed a scenario in which all of that information was stored on a stack of tablets. Referencing the 2020 statistic, they asserted that the stack would be more than 82,000 miles high, reaching a third of the way to the moon. IDC Health Insights Research Vice President Lynne Dunbrack maintained that health care companies can prepare for this explosion of data by identifying who owns the information and classifying it.
"Understanding what the data means is key to making data governance and interoperability work, and is essential for analytics, big data initiatives and quality reporting initiatives, among other things," wrote Dunbrack in an email, as quoted by Corbin.
More data means greater security concerns
As hospitals, insurance providers, clinics and other such organizations implement EHR software and increase their data storage capacities, it can be imagined that hackers will place the health care industry at the top of their list of targets. Health care records contain a plethora of valuable data, from Social Security numbers to checking account information.
Health IT Security cited the problems Aventura Hospital and Medical Center in South Florida have encountered. Over the past two years, the institution has sustained three data breaches, one of which was caused by a vendor's employee who stole information on an estimated 82,000 patients. Worst of all, the worker was an employee of Valesco Ventures, Aventura's Health Insurance Portability and Accountability Act business associate.
With this particular instance in mind, finding a database administration service with trustworthy employees is essential. In addition, contracting a company that can provide remote database monitoring 24/7/365 is a must – there can be no compromises.
The post Data management challenges, concerns for health care companies appeared first on Remote DBA Experts.
A new feature introduced with SQL Server 2014 makes it possible to store the data files of a SQL Server database in Windows Azure Storage. In this posting, I will show how it works.
Accessing Azure Storage
The Azure Storage account is named “dbiservices”, and is composed of the “datafiles” container. This container does not contain blobs yet.
If you are not familiar with the Windows Azure Storage terms, you should read this Introduction to Microsoft Azure Storage.
In my example, I want to share access to my “datafiles” container without having to expose my account key. I therefore need to generate a Shared Access Signature.
Shared Access Signature Generation
For this part, I will use a Third Party tool called Azure Storage Explorer.
As soon as you have installed and launched this software, you must register your Storage Account:
You must enter your Storage account name and your Storage account key. The key has been deliberately blanked out in this example.
As a best practice, I advise entering your Secondary Access Key rather than your Primary Access Key: the Secondary Access Key is commonly used as a temporary key and can be regenerated if necessary.
To generate my Shared Access Signature, I have to edit the Security of my container:
I select the permissions and the duration linked to my Shared Access Signature:
I generate a Shared Access Signature valid for one week with all permissions. The Shared Access Signature generated is a URI related to the container. I have deliberately redacted part of the URI.
You need to copy the URI from “sv=” to the end.
I need to create a new Credential in SQL Server Management Studio:
The name of my Credential is the URI location of my container, and the Password is the Shared Access Signature previously created.
Creating a database with Data Files in Azure Storage
I will perform two examples: first I will create a new database directly in Azure Storage, then I will migrate an existing database to Azure Storage.
Hybrid database creation
I execute a script to create a database with its data files in Azure Storage:
If we refresh the “datafiles” container in Azure Storage Explorer, we can see the data files previously created:
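The credential and database creation shown in the screenshots above, written out as T-SQL. This is an added example, not the script from the original post: the storage account “dbiservices” and the container “datafiles” come from the post, while the database name, file names and the SAS token are placeholders.

```sql
-- Added example (not the original post's script). Storage account "dbiservices"
-- and container "datafiles" are from the post; everything else is a placeholder.

-- 1. The credential name must be the container URL exactly as it appears in the
--    FILENAME clauses below (no trailing slash). The secret is the SAS token copied
--    from "sv=" onward, so the storage account key itself never reaches SQL Server.
CREATE CREDENTIAL [https://dbiservices.blob.core.windows.net/datafiles]
    WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
         SECRET   = 'sv=<VERSION>&sr=c&sp=rwdl&se=<EXPIRY>&sig=<SIGNATURE>';  -- placeholder token
GO

-- 2. Create the database with its data and log files as blobs in the container.
--    SQL Server picks the credential whose name matches the container part of each URL.
CREATE DATABASE hybriddb
    ON PRIMARY
    (   NAME     = N'hybriddb_data',
        FILENAME = N'https://dbiservices.blob.core.windows.net/datafiles/hybriddb_data.mdf',
        SIZE     = 256MB, FILEGROWTH = 64MB )
    LOG ON
    (   NAME     = N'hybriddb_log',
        FILENAME = N'https://dbiservices.blob.core.windows.net/datafiles/hybriddb_log.ldf',
        SIZE     = 128MB, FILEGROWTH = 64MB );
GO

-- 3. Verify: the physical names are blob URLs rather than local paths.
SELECT name, physical_name, state_desc
FROM   hybriddb.sys.database_files;
GO

-- 4. The SAS in the post is valid for one week. Before it expires, rotate it by
--    replacing the secret on the credential; the database itself is untouched.
ALTER CREDENTIAL [https://dbiservices.blob.core.windows.net/datafiles]
    WITH IDENTITY = 'SHARED ACCESS SIGNATURE',
         SECRET   = 'sv=<VERSION>&sr=c&sp=rwdl&se=<NEW-EXPIRY>&sig=<NEW-SIGNATURE>';  -- placeholder token
GO
```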
On-premises database creation
Now, I execute a script to create an on-premises database:
Then, I take the database offline:
I upload the data files in Azure Storage using Azure Storage Explorer tool:
Then, we need to alter the onpremisedb database to reference the data files moved to Azure Storage:
And now, I bring the database online:
But the following error occurred:
To understand the origin of the problem, let’s see the datafiles in the Azure Storage Explorer:
This new feature offers some advantages such as high availability or easy migration.
But on the other hand, you cannot use it on an existing database, which is a serious drawback.
Furthermore, I do not believe that this feature would be used with on-premises SQL Server databases, due to the latency. But I think it can be used with a virtual machine running in Azure.
See Mark Hurd's Open Letter to Next-Gen Business Leaders
This is the index to a series of articles I’ve been writing for redgate, published on their AllThingsOracle site, about generating and reading execution plans. I’ve completed a few articles that haven’t yet been published, but I’ll add their URLs when they’re available.
I don’t really know how many parts it’s going to end up as – there’s an awful lot that you could say about reading execution plans, even when you’re trying to cover just the basics; every time I’ve started writing an episode in the series it’s turned into two episodes. I’ve delivered 10 parts to redgate so far; the active URLs below are the ones that are currently online.
- Part 1 – Finding plans
- Part 2 – Things to see
- Part 3 – “The Rule”
- Part 4 – Timing and Precision
- Part 5 – First Child variations
- Part 6 – Pushed Subqueries
- Part 7 – Query Blocks and View Operators
- Part 8 – Cost, time, etc. (the predictions)
- Part 9 – Multiplication
- Part 10 – Guesswork
- Part 11 – Actuals (Rowsource execution stats)
- Part 12 – Cardinality Feedback
- Part 13 – SQL Trace and tkprof
- Part 14 – SQL Monitor
Chapter 11 is about to be published, so I’ve popped this catalogue to the top of the stack. Episode 12 is written, but waiting for its final proof read.
This week we’re happy to have Oracle WebCenter expert Mitchell Palski join us for a Q&A in which he discusses strategies and best practices for delivering process automation solutions.
Q: So, what exactly are Process Automation Solutions and why are they important?
Today’s organizations face increasing business pressures due to:
- Constantly changing competitors
- Stricter regulations
- Faster pace of innovation
- Customer demand for better customer service
- Seamless collaboration among all stakeholders
- Deep insights for making better business decisions
- An unprecedented level of agility and operational excellence
Q: How does Process Automation enable the Digital Business?
A Digital Business extensively uses information technology and the vast amount of business data that it collects in an intelligent fashion. Data intelligence enables an organization to adopt new and innovative business models that:
- Reduce cost
- Increase efficiency
- Improve customer experience
Q: What types of technologies are available to help deliver Process Automation Solutions?
Oracle helps your enterprise excel in process management by delivering a comprehensive, industry-leading BPM suite.
The Oracle BPM Suite includes:
- Business user-friendly modeling and optimization tools
- Tools for system integration
- Business activity monitoring dashboards
- Rich task and case management capabilities for end users
The Oracle Business Process Management Suite (Oracle BPM Suite) enables intelligent and adaptive business processes for both structured, automated flows as well as dynamic, collaborative case management.
Q: If an organization chooses to implement this type of solution, what are some of the benefits they can expect to receive?
Look at the pain points of your business processes as they stand today. What complaints do you hear? Where do you lose money?
Do you suffer from a lack of process automation that leads to inevitable mistakes and delays to service delivery? Fat finger errors that cost your organization penalties and fees?
Do you struggle with undocumented processes that are difficult to define and refine? What about confusion between your business and IT teams? How does your organization go about modeling and implementing critical processes?
How do you even evaluate the effectiveness of your processes? If they are manual and/or paper-based you probably do it qualitatively. How does that qualitative feedback translate into justifiable business decisions?
Oracle BPM Suite provides your organization with the tools to:
- Realize faster time-to-value when implementing business processes
- Obtain real-time information through rich process analytics
- Define processes quickly with business architecture modeling tools
- Build superior case management solutions from industry-proven templates and tools
- Simplify work management through business-centric tools
When I started InteliVideo, it seemed SO clear to me that we had developed an amazing offering that everyone would tell all of their friends about us. It was also clear to me that all of my friends who were in the training business (doing training in person or virtually - via WebEx) would choose to start offering their training through our platform. After all, they have a brand, they have a customer base and they want to provide their training to their customers. They certainly don't want to put their training into YouTube and serve it up for free. They certainly don't want their customer to watch their training and then at the end of the video for them to see 10 of their competitors videos to choose from. This seemed so obvious to me. But...it clearly wasn't clear to them because they didn't flock to our platform - even though I offered it to them repeatedly.
After all, I knew just how easy it was for me to create my content (i.e. record a video lesson), bundle up a series of lessons into a product, set a price and away I went, selling my training online. I knew just how excited and energized many of my students were to be able to watch my training. They could watch it one time or 1000 times - at their own learning pace. I could see their progress! In fact, I knew that many of my students came to me and asked for additional custom lessons, which I charged them a consulting fee to produce for them (i.e. $200 for one lesson). I set up the lesson at $200 in the platform (without any videos in it), asked them to pay for the lesson, then I recorded it and attached it to the product...and reduced the price of the lesson for future purchasers to $15-25. In other words, I created new content for a fee AND I was able to sell it time and time again.
You see, I've written 6 technical books (on average about 1000 pages each) that took 6-12 months of my life to write. Sure, it generates credibility in a subject area, but it doesn't generate a lot of direct revenue. Whereas recording and then selling a video-based course requires less than one hundredth of the effort of writing a book for the same, or actually better, output.
Where am I going with all of this? Well...after trying to convince 1000s of small business owners that they should use our platform, offering them free trials to see just how easy it is, talking endlessly about what's in it for them, we concluded that this futile effort of virality is insanity. The common definition I hear for insanity is doing the same thing and expecting different results. We continued to try to convince people - sure with more convincing messages - but the "conversion rate" (the number of people who signed up and were successful) was not good.
When we stopped and looked at who our real customers are that generate real revenue, we quickly discovered that they are what we might refer to as elephants. Big companies who completely understand how to develop, curate, sell, and ultimately deliver valuable content to their customers...who buy from them time and time again.
So we changed our approach and our website to communicate to the elephants. This new approach will go live today. The "old approach" will show up as a "Small Business" link at the bottom of the page. The new approach explains the deeper details of integration, APIs and things that are important to the larger companies who know how to sell their valuable content.
We've had GREAT success with our elephants and we're VERY excited about where they are taking us! We have a TON of new functionality that we continue to roll out each week. We have integrated with a number of shopping carts. We've created a new template system that will allow us to create a completely different look and feel for each of our clients. We're launching a whole new series of brandable apps in the next few weeks. We completely understand just how important our apps are to our success and have spent a fortune recreating our apps from the ground up.
It's been an exceptionally gifted ride over the last year. We finalized our series A round this summer. Startups are an adrenaline junkie's dream job. One day you're riding high on your laurels of success and the next day you're wondering how you're going to get to a cash flow positive position. All the while, life, real life goes on. Your family continues to age, grow up, build their own businesses and maybe you're not out having as much "fun" as you might like to. For me that translates to not riding my dirt bike or snowmobile as much as I would like. But I'm having fun in the business - that's the tradeoff.
That's what I call opportunity cost. Each day you could be doing what you're doing or something else. Take a minute to think about the cost of what you're doing right now. Should you be hunting virality or elephants?
It happens that I was busy with the email-adapter myself, and it would be nice to have neatly formatted email. It took me some time, but I managed to do it.
It basically consists of:
- Define an outbound email adapter config with an Opaque element. This expects a Base64-encoded payload, which lets you put in anything you want (as long as it is valid for your receiver)
- Create an HTML payload as a string, simply by concatenating all the HTML code, your content and probably some variable content.
- Use an embedded Java activity to decode the XML entity encoding (so the markup is literal HTML again) and Base64-encode the result.
- Copy the Base64-encoded payload to the opaque message payload, and fill in the subject and the to-email address
- Invoke the email adapter, with the following properties on the invoke activity:
- jca.ums.to -> based on a variable
- jca.ums.subject -> based on a variable
- jca.ums.msg.content-type -> based on an expression: "text/html"
Read the complete how-to here.
When I have time, in a later stage I'll update this message to transfer the content to this page.
I’m very pleased to announce that the Call for Papers for the Rittman Mead BI Forum 2015 is now open, with abstract submissions open to January 18th 2015. As in previous years the BI Forum will run over consecutive weeks in Brighton, UK and Atlanta, GA, with the provisional dates and venues as below:
- Brighton, UK : Hotel Seattle, Brighton, UK : May 6th – 8th 2015
- Atlanta, GA : Renaissance Atlanta Midtown Hotel, Atlanta, USA : May 13th-15th 2015
Now in its seventh year, the Rittman Mead BI Forum is the only conference dedicated entirely to Oracle Business Intelligence, Oracle Business Analytics and the technologies and processes that support it – data warehousing, data analysis, data visualisation, big data and OLAP analysis. We’re looking for sessions around tips & techniques, project case-studies and success stories, and sessions where you’ve taken Oracle’s BI products and used them in new and innovative ways. Each year we select around eight-to-ten speakers for each event along with keynote speakers and a masterclass session, with speaker choices driven by attendee votes at the end of January, and editorial input from myself, Jon Mead, Charles Elliott and Jordan Meyer.
Last year we had a big focus on cloud, and a masterclass and several sessions on bringing Hadoop and big data to the world of OBIEE. This year we’re interested in project stories and experiences around cloud and Hadoop, and we’re keen to hear about any Oracle BI Apps 11g implementations or migrations from the earlier 7.9.x releases. Getting back to basics we’re always interested in sessions around OBIEE, Essbase and data warehouse data modelling, and we’d particularly like to encourage session abstracts on data visualization, BI project methodologies and the incorporation of unstructured, semi-structured and external (public) data sources into your BI dashboards. For an idea of the types of presentations that have been selected in the past, check out the BI Forum 2014, 2013 and 2012 homepages, or feel free to get in touch via email at firstname.lastname@example.org.
The Call for Papers entry form is here, and we’re looking for speakers for Brighton, Atlanta, or both venues if you can speak at both. All sessions this year will be 45 minutes long, and we’ll be publishing submissions and inviting potential attendees to vote on their favourite sessions towards the end of January. Other than that – have a think about abstract ideas now, and make sure you get them in by January 18th 2015.
When upgrading the Oracle E-Business Suite database to Oracle Database 12c (12.1), there are a number of security considerations and steps that should be included in the upgrade procedure. Oracle Support Note ID 1524398.1 Interoperability Notes EBS 12.0 or 12.1 with RDBMS 12cR1 details the upgrade steps. Here, we will document steps that should be included or modified to improve database security. All references to steps are to the steps in Note ID 1524398.1.
Step 8
"While not mandatory for the interoperability of Oracle E-Business Suite with the Oracle Database, customers may choose to apply Database Patch Set Updates (PSU) on their Oracle E-Business Suite Database ...".
After any database upgrade, the latest CPU patch (either PSU or SPU) should always be applied. The database upgrade only has the latest CPU patch available at the time of release of the database upgrade patch. In the case of the 12c (12.1) database upgrade, the database will be current as of July 2013 and be missing the latest five CPU patches. Database upgrade patches reset the CPU level - so even if you had applied the latest CPU patch prior to the upgrade, the upgrade will revert the CPU patch level to July 2013.
From a security perspective, the latest PSU patch should be considered mandatory.
Step 11
It is important to note from a security perspective that Database Vault must be disabled during the upgrade process. Any protections enabled in Database Vault intended for DBAs will be disabled during the upgrade.
Step 15
The DMSYS schema is no longer used with Oracle E-Business Suite and can be safely dropped. We recommended you drop the schema as part of this step to reduce the attack surface of the database and remove unused components. Use the following SQL to remove the DMSYS user --
DROP USER DMSYS CASCADE;
Step 16
As part of the upgrade, it is a good time to review that security-related initialization parameters are set correctly. Verify the following parameters are set -
o7_dictionary_accessibility = FALSE
audit_trail = <set to a value other than none>
sec_case_sensitive_logon = TRUE (patch 12964564 may have to be applied)
Step 20
For Oracle E-Business Suite 12.1, the sqlnet_ifile.ora should contain the following parameter to correspond with the initialization parameter sec_case_sensitive_logon = TRUE -
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 10
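A post-upgrade verification of the database-side items above (Steps 11, 15 and 16), as an added example that is not part of the support note or of Integrigy's material. It reports each setting's actual value against the expected one; the sqlnet_ifile.ora entry from Step 20 lives outside the database and is checked on the file itself. It assumes a DBA session in SQL*Plus.

```sql
-- Added example, not from the support note. Run as a DBA in SQL*Plus after the
-- upgrade to report the security settings the steps above ask for.
SET LINESIZE 120 PAGESIZE 100
COLUMN item     FORMAT A32
COLUMN expected FORMAT A24
COLUMN actual   FORMAT A24
COLUMN status   FORMAT A6

-- Step 16: the three initialization parameters, compared case-insensitively.
WITH expected (name, expected_value) AS (
    SELECT 'o7_dictionary_accessibility', 'FALSE'   FROM dual UNION ALL
    SELECT 'sec_case_sensitive_logon',    'TRUE'    FROM dual UNION ALL
    SELECT 'audit_trail',                 '<> NONE' FROM dual
)
SELECT  e.name                              AS item,
        e.expected_value                    AS expected,
        NVL(p.value, '(not set)')           AS actual,
        CASE
            WHEN e.name = 'audit_trail'
                 AND UPPER(NVL(p.value, 'NONE')) <> 'NONE'   THEN 'OK'
            WHEN e.name <> 'audit_trail'
                 AND UPPER(p.value) = e.expected_value        THEN 'OK'
            ELSE 'FAIL'
        END                                 AS status
FROM    expected e
        LEFT JOIN v$parameter p ON p.name = e.name
UNION ALL
-- Step 15: DMSYS should no longer exist once it has been dropped.
SELECT  'DMSYS schema present',
        'no',
        CASE WHEN COUNT(*) = 0 THEN 'no' ELSE 'yes'  END,
        CASE WHEN COUNT(*) = 0 THEN 'OK' ELSE 'FAIL' END
FROM    dba_users
WHERE   username = 'DMSYS'
UNION ALL
-- Step 11: Database Vault is disabled for the upgrade; if it was in use before,
-- confirm the option reports enabled again afterwards (CHECK = review manually).
SELECT  'Database Vault option enabled',
        'TRUE (if used before)',
        value,
        CASE WHEN value = 'TRUE' THEN 'OK' ELSE 'CHECK' END
FROM    v$option
WHERE   parameter = 'Oracle Database Vault';
```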
Tags: Oracle E-Business Suite, DBA
My favourite language is hard to pinpoint; is it C or is it PL/SQL? My first language was C and I love the elegance and expression of C. Our product PFCLScan has its main functionality written in C. The....[Read More]
Posted by Pete On 23/07/14 At 08:44 PM
We were asked by a customer whether PFCLScan can generate SQL reports instead of the normal HTML, PDF, MS Word reports so that they could potentially scan all of the databases in their estate and then insert either high level....[Read More]
Posted by Pete On 25/06/14 At 09:41 AM
Yesterday we released the new version 2.0 of our product PFCLObfuscate . This is a tool that allows you to automatically protect the intellectual property in your PL/SQL code (your design secrets) using obfuscation and now in version 2.0 we....[Read More]
Posted by Pete On 17/04/14 At 03:56 PM
I will be co-chairing/hosting a twitter chat on Thursday 6th March at 7pm UK time with Confio. The details are here . The chat is done over twitter so it is a little like the Oracle security round table sessions....[Read More]
Posted by Pete On 05/03/14 At 10:17 AM
We are going to start a reseller program for PFCLScan and we have started the planning and recruitment process for this program. I have just posted a short blog on the PFCLScan website titled " PFCLScan Reseller Program ". If....[Read More]
Posted by Pete On 29/10/13 At 01:05 PM
We released version 1.3 of PFCLScan our enterprise database security scanner for Oracle a week ago. I have just posted a blog entry on the PFCLScan product site blog that describes some of the highlights of the over 220 new....[Read More]
Posted by Pete On 18/10/13 At 02:36 PM
We have just updated PFCLScan, our company's database security scanner for Oracle databases, to version 1.2 and added some new features and some new contents and more. We are working to release another service update also in the next couple....[Read More]
Posted by Pete On 04/09/13 At 02:45 PM
It has been a few weeks since my last blog post but don't worry I am still interested to blog about Oracle 12c database security and indeed have nearly 700 pages of notes in MS Word related to 12c security....[Read More]
Posted by Pete On 28/08/13 At 05:04 PM