Message-Id: <10585.114301@fatcity.com> From: "Bowes, Chris" Date: Thu, 10 Aug 2000 16:35:26 -0400 Subject: RE: eweek Oracle base breached using mdsys This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C0030A.83D28B86 Content-Type: text/plain; charset="iso-8859-1" I agree Dr. Kumanov, homework must be done. I was just pointing out that they had worked weeks on the setup (covered in other columns on the website) to make sure there were no holes and they let a default password stay. A check of the manual or a simple select on dba_users after the installations had completed would have shown them what they needed to change. Just goes to show when you let the sysadmins and developers and/or non-dba types do the database administrator work, you get databases that really need administration and lots of it... Anyway, this day is over. Have a happy Friday everyone. --Chris Chris.Bowes@Kosa.com -----Original Message----- From: Nikolay Kumanov [mailto:nkumanov@zgb.bg] Sent: Thursday, August 10, 2000 2:26 PM To: Multiple recipients of list ORACLE-L Subject: RE: eweek Oracle base breached using mdsys I have only WinNT installation guide handy, but in chapter 6, "Reviewing Your Installed Starter Database Contents" it is said "This section describes the user names and passwords included in the starter database. Change the password for user names immediately after installation". And MDSYS user is there. OK, this user isn't granted any roles, but it has all the privileges granted directly. The manual doesn't mention this, so there is a mistake, but still, homework must be done sometimes. /flameproof_suit_on Probably that shows that we must go for databases that have only a single 'SA' account, so that securing them will be easier :}}}}} /flameproof_suit_off Dr. Nikolay Kumanov MIS Manager, Zeitungsgruppe Bulgarien GmbH 47, Tsarigradsko chaussee, Sofia 1504, Bulgaria phone: +(359-2)4339-643, fax: +(359-2)946-1286 mailto:nkumanov@zgb.bg "Show me a completely smooth operation and I'll show you someone who's covering mistakes. Real boats rock." - Frank Herbert, "Chapterhouse: Dune" -----Original Message----- From: Bowes, Chris [mailto:Chris.Bowes@kosa.com] Sent: Thursday, August 10, 2000 7:19 PM To: Multiple recipients of list ORACLE-L Subject: eweek Oracle base breached using mdsys Don't know if this was posted here or not. It was a hacker test setup. They "worked so hard" to secure the site and left a default password unchanged... http://www.zdnet.com/eweek/stories/general/0,11011,2604981,00.html and a follow up http://www.zdnet.com/eweek/stories/general/0,11011,2606344,00.html --Chris Chris.Bowes@Kosa.com ------_=_NextPart_001_01C0030A.83D28B86 Content-Type: text/html; charset="iso-8859-1" eweek Oracle base breached using mdsys
I agree Dr. Kumanov,  homework must be done.  I was just pointing out that they had worked weeks on the setup (covered in other columns on the website) to make sure there were no holes and they let a default password stay.   A check of the manual or a simple select on dba_users after the installations had completed would have shown them what they needed to change.  Just goes to show when you let the sysadmins and developers and/or non-dba types do the database administrator work, you get databases that really need administration and lots of it...   Anyway, this day is over.  Have a happy Friday everyone.
 
 
--Chris
Chris.Bowes@Kosa.com
 
-----Original Message-----
From: Nikolay Kumanov [mailto:nkumanov@zgb.bg]
Sent: Thursday, August 10, 2000 2:26 PM
To: Multiple recipients of list ORACLE-L
Subject: RE: eweek Oracle base breached using mdsys

I have only WinNT installation guide handy, but in chapter 6, "Reviewing Your Installed Starter Database Contents" it is said "This section describes the user names and passwords included in the starter database. Change the password for user names immediately after installation". And MDSYS user is there. OK, this user isn't granted any roles, but it has all the privileges granted directly. The manual doesn't mention this, so there is a mistake, but still, homework must be done sometimes.
 
/flameproof_suit_on
Probably that shows that we must go for databases that have only a single 'SA' account, so that securing them will be easier :}}}}}
/flameproof_suit_off

Dr. Nikolay Kumanov

MIS Manager, Zeitungsgruppe Bulgarien GmbH
47, Tsarigradsko chaussee, Sofia 1504, Bulgaria
phone: +(359-2)4339-643, fax: +(359-2)946-1286
mailto:nkumanov@zgb.bg

"Show me a completely smooth operation and I'll show you someone who's
covering mistakes. Real boats rock." - Frank Herbert, "Chapterhouse: Dune"

-----Original Message-----
From: Bowes, Chris [mailto:Chris.Bowes@kosa.com]
Sent: Thursday, August 10, 2000 7:19 PM
To: Multiple recipients of list ORACLE-L
Subject: eweek Oracle base breached using mdsys

Don't know if this was posted here or not.  It was a hacker test setup.  They "worked so hard" to secure the site and left a default password unchanged...

http://www.zdnet.com/eweek/stories/general/0,11011,2604981,00.html

and a follow up

http://www.zdnet.com/eweek/stories/general/0,11011,2606344,00.html


--Chris