
Re: Exciting Oracle News :: Oracle DB Worm Code Published :: Oracle Passwords Crack in Mere Minutes

From: HansF <News.Hans_at_telus.net>
Date: Thu, 03 Nov 2005 20:27:28 GMT
Message-ID: <pan.2005.11.03.20.27.39.532951@telus.net>


On Thu, 03 Nov 2005 11:59:43 -0800, hpuxrac wrote:

>
> Sorry Hans, I don't understand your last remark. Both of the URLs cited
> pose dangers for the Oracle database community.

Note the cross-posts on the original. Cross-posting to DB2, Informix and MS SQL Server groups indicates this was not intended to inform as much as to incite a flame fest.

And yes, there are dangers. As I've indicated, they are totally controllable dangers if one is interested in maintaining security.

1. The potential worm can be stopped cold by locking the default userids or making sure they have non-default passwords. And by not giving execute privilege to PUBLIC. Both of which can be handled through a simple script, meaning there is no excuse no matter how many DBs are being managed.

Traditional counter-whine: "but that's inconvenient".

2. Cracking the password can be reduced or eliminated by enforcing change of password periodically and placing a lockout on failed attempts. Or by going to enterprise security. All of which are available and are not being used much.

Traditional counter-whine: "but that's inconvenient".

If you leave the keys to your car in the car's door, can you blame the manufacturer if your car is stolen?

Perhaps Oracle should put a warning on the install: "Using default passwords or publishing passwords may lead to unauthorized use." Just like on Marks & Spencer Bread Pudding "Product will be hot after heating." or on packaging for a Rowenta Iron "Do not iron clothes on body."

--
Hans Forbrich
Canada-wide Oracle training and consulting
mailto: Fuzzy.GreyBeard_at_gmail.com
*** Top posting guarantees I will not respond further ***
Received on Thu Nov 03 2005 - 14:27:28 CST
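What the "simple script" Hans refers to in points 1 and 2 could look like, as an added example that is not part of the original post: a SQL*Plus script run as SYSDBA that locks default accounts, pulls execute from PUBLIC, and attaches a profile with failed-login lockout and password expiry. The account names, the package names and the numeric limits are assumptions, not something the post specifies.

```sql
-- Added example (not from the post). Run as SYSDBA on a test instance first.

-- 1a. Lock the well-known sample/default accounts and expire their
--     passwords, so a default credential stops working even if unchanged.
--     (Account list is an assumption; locking DBSNMP also disables an
--     Enterprise Manager agent that relies on it.)
ALTER USER scott  ACCOUNT LOCK PASSWORD EXPIRE;
ALTER USER outln  ACCOUNT LOCK PASSWORD EXPIRE;
ALTER USER dbsnmp ACCOUNT LOCK PASSWORD EXPIRE;

-- Check: anything that is still open should be a deliberate decision.
SELECT username, account_status, profile
  FROM dba_users
 WHERE account_status NOT LIKE 'LOCKED%'
 ORDER BY username;

-- 1b. Stop PUBLIC from executing network-capable packages. Which packages
--     matter is an assumption here; revoke only after confirming no
--     application code relies on PUBLIC having the grant, and re-grant to
--     the specific schemas that need it.
REVOKE EXECUTE ON sys.utl_tcp    FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_http   FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_smtp   FROM PUBLIC;
REVOKE EXECUTE ON sys.utl_inaddr FROM PUBLIC;

-- Check: what PUBLIC can still execute from SYS.
SELECT table_name
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND owner = 'SYS' AND privilege = 'EXECUTE'
   AND table_name LIKE 'UTL%';

-- 2. Profile enforcing lockout on failed attempts and periodic change.
--    Limits are assumptions; PASSWORD_REUSE_MAX and PASSWORD_REUSE_TIME
--    only take effect when both are set.
CREATE PROFILE hardened_users LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1      -- days the account stays locked
  PASSWORD_LIFE_TIME    90     -- days before a change is required
  PASSWORD_GRACE_TIME   7      -- warning period after expiry
  PASSWORD_REUSE_MAX    5
  PASSWORD_REUSE_TIME   365;

ALTER USER app_user PROFILE hardened_users;   -- app_user is a placeholder

-- Check: accounts still on DEFAULT inherit whatever DEFAULT allows, which
-- on many installs is UNLIMITED for the password limits above.
SELECT username FROM dba_users WHERE profile = 'DEFAULT';
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'DEFAULT' AND resource_type = 'PASSWORD';
```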