
Re: Anyone have a copy of DUL ??

From: Pete Finnigan <oracle_list_at_peterfinnigan.demon.co.uk>
Date: Thu, 18 Sep 2003 14:49:47 -0800
Message-ID: <F001.005D069C.20030918144947@fatcity.com>


Hi Peter

Glad to hear that there are controls in Oracle for use of DUL. I was thinking of a case where I heard that one guy rang up the backup storage company for a large company and requested that a set of backup tapes be left at reception at the company, and he just walked in off the street and took them. Mitnick tells similar stories in his book.

Thanks for the internal Oracle insight Peter,

kind regards

Pete

In article <F001.005D0650.20030918100953_at_fatcity.com>, Peter Gram <peter.gram_at_miracleas.dk> writes
>Hi Pete
>
>I have used Dul many times at customer sites when I was employed by
>Oracle Denmark.
>
>Every time the customer management had to verify by phone and fax that
>they understood the full impact of using Dul.
>
>Oracle have a disclaimer that explains the problems with missing
>transaction consistency of the data saved by Dul and the security issues.
>
>The customer has to sign and fax the disclaimer back to Oracle before we
>came on site .-)
>
>After I left Oracle several people asked me if I would write a Dul and I
>declined.
>
>I'm of the opinion that Dul should stay behind the Oracle firewall.
>
>/peter
>
>
>Pete Finnigan wrote:
>
>>Hi Mark
>>
>>I agree with you Mark, even if it's supplied by Oracle technicians - it
>>is as you say possible to by-pass security completely. Does anyone in
>>Oracle check that the field support personnel dispatched to a site ( in
>>urgency ) are dumping data for the owner of it? -
>>
>>I covered the issue of DUL with regards to security in the SANS Oracle
>>security step-by-step book - action 6.5.1
>>
>>kind regards
>>
>>Pete
>>
>>In article <F001.005D0632.20030918083501_at_fatcity.com>, Mark Leith
>><mark_at_cool-tools.co.uk> writes
>>
>>
>>>One problem I see with giving this away "free" is that you will be supplying
>>>a tool that allows you to extract data from the database, bypassing all
>>>inbuilt security. A BIG "no no". I suppose that also applies to this kind of
>>>tool even under a paid license structure.
>>>
>>>
>>>
>

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

Received on Thu Sep 18 2003 - 17:49:47 CDT
