2012-Conference - Presentation - UKOUG2012
Plan
1. Organisational security – business value
2. Max SCN DoS threat (known since 2009), a maintenance issue for high-transaction estates
Can forensically verify the above event, even if the database link has since been dropped, by reading the hex from SYSTEM01.DBF
See - http://www.oracleforensics.com/wordpress/wp-content/uploads/2012/11/database_link_security.pdf
Paul M. Wright OracleSecurity.Com
“Stealth password cracking” vulnerability - 2
• Can crack hash without needing to logon
• Stealth (before the audit trail starts): O5logon
– http://marcel.vandewaters.nl/oracle/security/cryptographic-flaws-in-oracle-database-authentication-protocol
– http://threatpost.com/en_us/blogs/flaw-oracle-logon-protocol-leads-easy-password-cracking-092012
– http://www.openwall.com/lists/john-users/2012/09/29/2
• Fixed in 11.2.0.3 by reverting back to O3logon
• And Fixed in 12c with new version of the protocol
• Can secure against this by having a complex password
• This is controlled by Oracle profiles and verification-function
– Most important tool to reduce the greatest amount of real risk
• Which account would be the likely target?
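The profile-and-verification-function control named above, as an added example (not from the slides). It assumes Oracle 11g and that the DBA has already run $ORACLE_HOME/rdbms/admin/utlpwdmg.sql as SYS, which creates the VERIFY_FUNCTION_11G complexity function; the profile name APP_SECURE and account APP_OWNER are hypothetical. The final query is the check a practitioner would run afterwards to see which profiles still let users pick a weak password.

```sql
-- Added example (not from the slides): enforce password complexity and
-- lockout through an Oracle profile. Assumes Oracle 11g and that
-- utlpwdmg.sql has been run, creating VERIFY_FUNCTION_11G.
-- APP_SECURE and APP_OWNER are hypothetical names.
CREATE PROFILE app_secure LIMIT
  PASSWORD_VERIFY_FUNCTION verify_function_11g  -- complexity rules
  FAILED_LOGIN_ATTEMPTS    5                    -- lock after 5 failures
  PASSWORD_LOCK_TIME       1/24                 -- stay locked for 1 hour
  PASSWORD_LIFE_TIME       90                   -- days before expiry
  PASSWORD_GRACE_TIME      7                    -- days of warnings
  PASSWORD_REUSE_MAX       10                   -- changes before reuse
  PASSWORD_REUSE_TIME      365;                 -- days before reuse

-- Password limits are enforced regardless of the RESOURCE_LIMIT parameter.
ALTER USER app_owner PROFILE app_secure;

-- Check: for every profile, which verification function (if any) applies
-- and how many open accounts it covers. LIMIT = 'NULL' means no function;
-- 'DEFAULT' means the setting is inherited from the DEFAULT profile.
SELECT p.profile,
       p.limit              AS verify_function,
       COUNT(u.username)    AS open_accounts
FROM   dba_profiles p
LEFT JOIN dba_users u
       ON  u.profile        = p.profile
       AND u.account_status = 'OPEN'
WHERE  p.resource_name = 'PASSWORD_VERIFY_FUNCTION'
GROUP  BY p.profile, p.limit
ORDER  BY p.profile;
```

As the next slide points out, none of these limits protect SYS, so the check above tells you about application and user accounts only.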
SYS security - “Sys is special” - 1
• SYS is Guaranteed target! Always present and un-lockable.
– Password hash can be cracked remotely without logon
– Can be brute forced directly “Orabrute”
• SYS is least defended account in Oracle!
– No profiles on SYS so can’t enforce strong pw
– No failed logon delay - can brute force remotely quickly
– SYS can turn off its own audit with oradebug – SYS is Wild!
• Only defence is relying on DBA setting a strong password
• But DBA may not even be using the password (OSDBA group through Unix)
• Remote SYS/SYSDBA passwords cannot be verified as secure!
• The most important controls on the most important account are unusable. This is bad and still in 12c!
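Given that profiles and lockout do not apply to SYS, the practical question is how exposed remote SYSDBA logon actually is on a given instance. The following is an added example (not from the slides) using only standard V$ views and initialisation parameters: it lists who can authenticate through the password file, shows whether remote privileged logon is possible at all, and applies the two parameter changes a DBA can make where remote SYSDBA access is not needed.

```sql
-- Added example (not from the slides): assess and reduce SYS/SYSDBA
-- exposure. Standard V$ views and parameters only; no hypothetical names.

-- 1. Who can connect AS SYSDBA / AS SYSOPER via the password file, i.e.
--    the accounts that are reachable by a remote password attempt.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
ORDER  BY username;

-- 2. Is remote privileged logon possible, and are SYS actions audited?
--    remote_login_passwordfile = NONE -> no remote SYSDBA logon at all;
--                                        only OS authentication (OSDBA group)
--    audit_sys_operations = TRUE      -> top-level SQL issued by SYS is
--                                        written to the OS audit trail
--                                        (audit_file_dest) or to syslog
SELECT name, value
FROM   v$parameter
WHERE  name IN ('remote_login_passwordfile',
                'audit_sys_operations',
                'audit_trail',
                'audit_file_dest',
                'audit_syslog_level')
ORDER  BY name;

-- 3. Hardening where remote SYSDBA access is not required. Both settings
--    take effect at the next restart; re-run the query above to confirm.
ALTER SYSTEM SET remote_login_passwordfile = NONE SCOPE=SPFILE;
ALTER SYSTEM SET audit_sys_operations     = TRUE SCOPE=SPFILE;
```

Setting remote_login_passwordfile to NONE removes the remote brute-force surface entirely rather than relying on password strength; DBAs then connect as SYSDBA only through OS authentication on the server. Writing the SYS audit trail to syslog rather than a local file keeps a copy off the database host.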
12c Cloud Consolidation – security risk
• 12c will have native encryption built in, so less external threat... but..
• Consolidation of resources
– Also many small databases plugged into a larger centralised server
• -> Greater internal threat.
– Sabotage
– Staff collecting together crown jewels before the move
– SYS can backdoor future access.
What’s the defence for the SYS account?
One answer is: stop using SYS.. because it is “magic”?