Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Mailing Lists -> Oracle-L -> Re: Re: Funny sort of question re sys password
> Pete Finnigan <oracle_list_at_peterfinnigan.demon.co.uk> wrote:
> password and then having access as SYS - those methods are not social
> engineering but hacking. I am trying to be vague as its not a good
> idea
> to show people in a public forum how to hack.
Beg to disagree. If hacking techniques (including social engineering) are not made public, there is no way in the world we can expect people to learn how to "harden" their systems. I've learned a lot about how to secure my systems by frequenting hacker exploit sites. It's amazing what can be learned this way. Where I got l0phtcrack among so many others.
The dblinks weakness has been around for a long time and is fixed I believe since 8.0. The command line uid/pwd weakness is common to any other product where one types passwords in the command line. A proper password check must always involve a challenge. Volunteering a password is the quick way to a cracked system. IMHO, it should be fixed by disallowing uid/pwd to be used in the command line. Ie, make SQLPuss and other commands not accept pwd in command line. The log files are a real problem. Proper protection on them is mandatory, but who bothers? I can count on one hand the number of sites I've been to in 15 years that had their log directories protected. The SGA dumping was news to me. A roundabout way, but effective. The SQL injection has been doing the rounds for a while and is not only Oracle's problem. The comms eavesdropping can be countered by using an encoded comm protocol. There are a few now that can be used with Oracle Net. But once again, I can count on one hand the number of sites where I have seen a custom Net setup including encryption. Too hard basket.
April said it in one: increased security should be the default, not the option.
Coming back to the initial concern, I still can't see how someone can claim to crack the Oracle security in 10 minutes. Other than by using external exploits. As far as I know, DES is still 10-minute safe?
> If
> he is the sysadmin and he has an exploit and its not patched then
> someone should be considering his loyalty to your company.
Exactly. That is why I reckon exploits should be discussed openly. Otherwise the potential is there for someone to grab hold of one and do untold damage before others become aware it is possible.
> SQL> alter user scott identified by tiger;
>
> User altered.
>
> and the SQL*Net trace shows:
Yup. So if anyone has access to the trace, security is history.
BTW, thanks for the feedback everyone. Much appreciated.
Cheers
Nuno
@work
-- Archives are at http://www.freelists.org/archives/oracle-l/ FAQ is at http://www.freelists.org/help/fom-serve/cache/1.html -----------------------------------------------------------------Received on Wed Mar 10 2004 - 15:20:37 CST