Re: Security issue with Oracle 8i
Philip Chee wrote:
> In article <slrnacuebi.mmv.mdelan_at_wallace.lusars.net> mdelan_at_computer.org writes:
> >On Tue, 30 Apr 2002 15:50:31 GMT in <3CCEBD46.6D215379_at_exesolutions.com>,
> >dmorgan_at_exesolutions.com said something similar to:
> >: Philip Chee wrote:
>
> >: > Um, I'm a unix sysadmin and this wouldn't be enough to stop me.
> >: > Assuming I have the time and energy - I do wish someone would invent
> >: > the 28 hour day especially when deadlines loom.
>
> >: I would really appreciate knowing how you would approach this (in
> >: general).
>
> I'm persistent. I read the docs, I read the READMEs, I have been
> known to run strings (unix utility) on Oracle (Financial) binaries
> to see what actual SQL they are actually running [1]. And these
> days there's the Great Ghod Ghoogle to invoke.
>
> [1] Our old Oracle Financials box was decommissioned for Y2K
> reasons but recently someone wanted to run an old report on the old
> system to get some historical data. It didn't return any data
> naturally since the report was trying to find data for 2095 AD. Ran
> strings on the binary. Used a hex editor to change "YY" to "RR".
> By Gosh it worked. Note: I wouldn't recommend this procedure on a
> production system!
>
> >: And why, having been confronted with a request for a password, you
> >: would have any reason to believe a workaround was possible.
>
> Because I'm also an Oracle person? and I read this newsgroup?
>
> >One that immediately comes to mind:
>
> >Wait for someone who knows the password to connect, and attach a
> >debugging tool like truss to their SQL*Plus process before they
> >finish typing the password.
>
> That's hard work. I prefer social engineering.
>
> "Hi I'm the VP (IS). I need all your Oracle passwords to carry out
> this security audit I'm doing on your department"
>
> Philip
>
> ---=====================================================================---
> Philip Chee: Tasek Corporation Berhad, P.O.Box 254, 30908 Ipoh, MALAYSIA
> e-mail: philip_at_aleytys.pc.my Voice:+60.5.291.1011 Fax:+60.5.291.9932
> Guard us from the she-wolf and the wolf, and guard us from the thief,
> oh Night, and so be good for us to pass.
> --
> þ 20516.39 þ File Not Found. Loading something that looks similar.
Thanks.
Daniel Morgan
Received on Wed May 01 2002 - 11:47:34 CDT