Re: Question re security
Date: Mon, 20 Jan 2014 19:55:28 +1100
Message-ID: <52DCE480.2080907_at_iinet.net.au>
On 20/01/2014 12:11 PM, david_at_databasesecurity.com wrote:
> The hash has never been passed over the wire - I describe in detail
> how authentication works in the Oracle Hacker's Handbook in Chapter 4.
> Here's an online copy:
> http://books.google.com.au/books?id=cDy2_QoQplEC&lpg=PA43&ots=5tygnUMzKQ&dq=oracle%20authentication%20process%20litchfield&pg=PA43#v=onepage&q=oracle%20authentication%20process%20litchfield&f=false
>
Thanks. Unfortunately, that online reference ends before the really
relevant bit is shown.
But the gist is: the hash is not sent online on 1521, nor the pwd.
Something else is.
It can be intercepted and decoded *IF* one knows which port to listen
for, waiting for a "change port" and then follow on.
As such, changing the initial port is a good annoyance value: it makes
finding which port the real "meat" is in slightly harder.
In these days of supercomputer-class desktops, it shouldn't be too hard,
though.
I know about all the other secure authentication methods.
Good luck making them work with minimal maintenance in a constantly
changing user universe...
Ah well, what can I say other than: it's Oracle "security": simple for
hackers, a nightmare for those who have to maintain it....
--
Cheers
Nuno Souto
dbvision_at_iinet.net.au
--
http://www.freelists.org/webpage/oracle-l
Received on Mon Jan 20 2014 - 09:55:28 CET