Authentication is an integral part of security. If authentication or passwords are insufficient, all further security measures are obsolete. But how do you ensure that passwords are complex? We will explain the different password hashes and show how to make sure authentication is secure.
How to Install Windows 8 Consumer Preview in VirtualBoxKuwait10
To install Windows 8 Consumer Preview in VirtualBox, download VirtualBox and the Windows 8 ISO image, create a new virtual machine in VirtualBox, configure the machine settings and storage, browse to select the ISO image file, then proceed with Windows 8 setup by entering the product key.
A network connects two or more computers together to transmit and receive data. There are two main types of networks: local area networks (LANs) which are confined to a single geographical area, and wide area networks (WANs) which connect distant computers over a larger area and can include multiple LANs. Network topology describes the layout of a network and includes physical and logical descriptions. Common network topologies include bus, ring, and star configurations. Devices like routers, hubs, switches, and cables are needed to connect computers in a network. Routers determine the path for data packets between networks, while hubs simply connect multiple devices but don't direct traffic. Files and folders can be shared between computers on a network
This is a slide show to help you troubleshoot some computer problems that you may run into. Follow the slides and steps and you could resolve any of these problems without having to sit on hold for hours.
I made this with my 3 partners for my CEC marks in 3rd sem of MCA. It includes information about HCI, definition, types, how it works, queries of it etc.
One can get idea easily about HCI after refering this presentation.
This PPT will show complete steps on how to install Windows 10 into a virtual machine such as VirtualBox. It covers everything from the initial creation of the VM to the final Windows setup screens after installation.
This document provides tips for troubleshooting common computer issues. It covers general troubleshooting steps like checking connections and rebooting. It then addresses specific issues like power problems, display issues, mouse/keyboard problems, freezing/crashing, printer problems, sound issues, network connectivity errors, login errors, and the blue screen of death. It concludes with tips for prevention and maintenance like periodic rebooting, cleaning files and folders, and using the proper channels for tech support requests.
Computer System Servicing Prelim Examination 2018Adrian Buban
This document contains a 50-item multiple choice test on entrepreneurship, computers, and workplace health and safety. The test was administered to students at Horacio dela Costa High School in Caloocan City, Philippines as part of a class on globalizing Filipino skills and competencies. It covers topics like characteristics of entrepreneurs, basic needs, choosing a business location, types of computers, and identifying proper health and safety procedures. The answer key at the end provides the correct response for each multiple choice question.
This lecture covers various methods for prototyping and testing user interfaces, including paper prototyping, wireframing, and usability testing techniques like heuristic evaluation and cognitive walkthrough. Low-fidelity prototyping allows for early user feedback, while high-fidelity prototyping tests detailed tasks and processes. The lecture also discusses iterative design, with prototypes refined based on user testing to develop the final design.
How to Install Windows 8 Consumer Preview in VirtualBoxKuwait10
To install Windows 8 Consumer Preview in VirtualBox, download VirtualBox and the Windows 8 ISO image, create a new virtual machine in VirtualBox, configure the machine settings and storage, browse to select the ISO image file, then proceed with Windows 8 setup by entering the product key.
A network connects two or more computers together to transmit and receive data. There are two main types of networks: local area networks (LANs) which are confined to a single geographical area, and wide area networks (WANs) which connect distant computers over a larger area and can include multiple LANs. Network topology describes the layout of a network and includes physical and logical descriptions. Common network topologies include bus, ring, and star configurations. Devices like routers, hubs, switches, and cables are needed to connect computers in a network. Routers determine the path for data packets between networks, while hubs simply connect multiple devices but don't direct traffic. Files and folders can be shared between computers on a network
This is a slide show to help you troubleshoot some computer problems that you may run into. Follow the slides and steps and you could resolve any of these problems without having to sit on hold for hours.
I made this with my 3 partners for my CEC marks in 3rd sem of MCA. It includes information about HCI, definition, types, how it works, queries of it etc.
One can get idea easily about HCI after refering this presentation.
This PPT will show complete steps on how to install Windows 10 into a virtual machine such as VirtualBox. It covers everything from the initial creation of the VM to the final Windows setup screens after installation.
This document provides tips for troubleshooting common computer issues. It covers general troubleshooting steps like checking connections and rebooting. It then addresses specific issues like power problems, display issues, mouse/keyboard problems, freezing/crashing, printer problems, sound issues, network connectivity errors, login errors, and the blue screen of death. It concludes with tips for prevention and maintenance like periodic rebooting, cleaning files and folders, and using the proper channels for tech support requests.
Computer System Servicing Prelim Examination 2018Adrian Buban
This document contains a 50-item multiple choice test on entrepreneurship, computers, and workplace health and safety. The test was administered to students at Horacio dela Costa High School in Caloocan City, Philippines as part of a class on globalizing Filipino skills and competencies. It covers topics like characteristics of entrepreneurs, basic needs, choosing a business location, types of computers, and identifying proper health and safety procedures. The answer key at the end provides the correct response for each multiple choice question.
This lecture covers various methods for prototyping and testing user interfaces, including paper prototyping, wireframing, and usability testing techniques like heuristic evaluation and cognitive walkthrough. Low-fidelity prototyping allows for early user feedback, while high-fidelity prototyping tests detailed tasks and processes. The lecture also discusses iterative design, with prototypes refined based on user testing to develop the final design.
Security Best Practice: Oracle passwords, but secure!Stefan Oehrli
Authentication is an integral part of database security. If authentication or passwords are insufficient or inadequate, all further security measures are generally useless. But how do you ensure that passwords are complex and authentication is secure? In this presentation, the password hashes will be explained and it will be shown how to make sure passwords and authentication are state of the art. Focusing on the current versions of the Oracle database, the following topics will be discussed:
- Oracle database authentication
- Password verification and hashes
- Where can I find password hashes?
- Check and password hashes.
- Discussion of various risks related to authentication.
- Discussion of password policies and strong passwords.
- Customer Use Case in the DB Vault environment "ups we have forgotten the passwords".
The presentation will be supplemented by corresponding examples and live demos.
Security Best Practice: Oracle passwords, but secure!Stefan Oehrli
This document summarizes a presentation on securing Oracle passwords. It discusses Oracle's password hashing algorithms over different versions from 10g to 12c. It describes Oracle's logon process and how passwords are encrypted and verified. It highlights some challenges with Oracle passwords like weaknesses in hash functions, compatibility issues, and risks in the login process. It emphasizes the importance of properly configuring password versions and hashes when upgrading or migrating databases.
This document provides instructions for installing Oracle XE with ORDS and configuring it to run on Apache Tomcat or Oracle Glassfish Server. It discusses the benefits of using ORDS over mod_plsql, including increased functionality and flexibility. It then provides step-by-step guides for installing Glassfish Server, Apache Tomcat Server, setting up ORDS, and configuring each web server with ORDS. Key steps include deploying the ords.war and i.war files, and accessing APEX over ORDS at specific URLs for each server.
The document summarizes new features in Oracle Database 12c from Oracle 11g that would help a DBA currently using 11g. It lists and briefly describes features such as the READ privilege, temporary undo, online data file move, DDL logging, and many others. The objectives are to make the DBA aware of useful 12c features when working with a 12c database and to discuss each feature at a high level within 90 seconds.
This document summarizes a presentation on database authentication methods and security. It discusses different hashing algorithms used by Oracle over time, password cracking calculations, and various authentication methods including native Oracle authentication, secure wallet stores, LDAP/OID, Kerberos integration with Active Directory, and Kerberos configuration in Oracle 12c. Key topics covered include hashing algorithms, password strength, external user security, and single sign-on authentication protocols.
This document provides an overview of Always Encrypted in Microsoft SQL Server 2016, which allows customers to securely store sensitive data outside of their trust boundary while protecting data from highly privileged users. Key capabilities of Always Encrypted include client-side encryption of sensitive data using keys never provided to the database system and support for queries on encrypted data, with minimal application changes required.
Oracle Database 12c - The Best Oracle Database 12c Tuning Features for Develo...Alex Zaballa
Oracle Database 12c includes many new tuning features for developers and DBAs. Some key features include:
- Multitenant architecture allows multiple pluggable databases to consolidate workloads on a single database instance for improved utilization and administration.
- In-memory column store enables real-time analytics on frequently accessed data held entirely in memory for faster performance.
- New SQL syntax like FETCH FIRST for row limiting and offsetting provides more readable and intuitive replacements for previous techniques.
- Adaptive query optimization allows queries to utilize different execution plans like switching between nested loops and hash joins based on runtime statistics for improved performance.
Securing oracle e-business suite 12.1 and 12.2 technology infrastructurevasuballa
The document discusses options for securing Oracle E-Business Suite 12.1 and 12.2, including: defining whitelists of allowed JSPs and redirects; cookie domain scoping; password hashing upgrades; TLS encryption; DMZ configuration; and encrypting SQL traffic. It provides details on configuration files and profiles for hardening various aspects of the applications. The presenter is a principal consultant with experience securing Oracle E-Business Suite.
12cR1 new features. I have tried to cover all new features of 12cR1 and many more may be missing. These are all my own views and do not necessarily reflect the views of Oracle. Requesting all visitors to comment on it to improve further.
This document provides a summary of updates to MySQL between October 2021 and May 2021. It discusses three releases of MySQL 8.0 (versions 8.0.23, 8.0.24, and 8.0.25) and new features including invisible columns, asynchronous replication connection failover, improved load/dump functionality in MySQL Shell, and the new MySQL Database Service on Oracle Cloud Infrastructure with HeatWave for accelerated analytics.
DOAG Security Day 2016 Enterprise Security ReloadedLoopback.ORG
The document discusses security at the DOAG Security Day conference on March 17, 2016. It includes an agenda for the conference with topics on database security, password hashes, LDAP directory integration, PKI authentication, enterprise user security (EUS), Oracle Unified Directory (OUD) and Kerberos authentication. Tables show default Oracle database accounts and passwords. Diagrams illustrate Kerberos and PKI authentication workflows between clients, databases and directories.
The document is a presentation in French on the new features of MySQL 8.0. It discusses improvements to SQL functionality with Common Table Expressions, Window Functions, and LATERAL queries. It also covers new JSON functions and indexing, improved performance, and new management features in areas like replication, security, and error logging. The presentation provides examples and emphasizes that MySQL now supports both transactional SQL and NoSQL operations on JSON data, combining the benefits of both approaches.
Securing your MySQL / MariaDB Server dataColin Charles
Co-presented alongside Ronald Bradford, this covers MySQL, Percona Server, and MariaDB Server (since the latter occasionally can be different enough). Go thru insecure practices, focus on communication security, connection security, data security, user accounts and server access security.
This document discusses improving Oracle 12c database security. It begins with introducing the speaker and their background. The document then covers maintaining updated Oracle software and components, building appropriate security policies, authentication, authorization, encryption, auditing, and dividing security responsibilities. Specific techniques covered include using password verification functions, profile management, privilege analysis features in Oracle 12c, and properly configuring authentication and authorization settings. The overall message is that database security requires maintaining software updates, implementing strong authentication and authorization policies, and regularly analyzing and optimizing access privileges.
DB2 Express-C is a free version of the DB2 database server from IBM. It has no usage or deployment limits and can run on Windows, Linux, Mac OS X, and Solaris operating systems. Minimum requirements are 256MB of RAM but it is recommended to have at least 1GB. DB2 Express-C provides basic database functionality and sits below the paid DB2 Workgroup and Enterprise editions in terms of features. It uses concurrency controls like locking and transactions to allow for multi-user access to the database.
Oracle database and hardware were reaching end of support and needed to be migrated from an on-premise HP-UX server to AWS RDS. Key considerations for the migration included verifying Oracle license types supported on AWS RDS, supported database versions, available migration methods like Data Pump and Export/Import, storage space needed for data dumps, and potential downtime. The document outlined the steps to configure GoldenGate for a zero downtime migration of the 300GB Oracle database to AWS RDS, including installing and configuring GoldenGate on the on-premise and EC2 systems, setting up the extract and manager processes, and replicating the initial data.
Oracle 12c comes with a new Security offer, and a set of new features related to. By default, Oracle is not very well secured but it comes with a lot of tools and options to improve the security inside the database. The presentation will show to attendees that building a strong security policy based on 4 security topics can improve the data security. These ones are Authentication, Authorization, Encryption and Audit. Each of these four topics will be detailed by presenting Oracle 12c new security features, for example: privilege analysis, transparent network encryption and checksumming, unified auditing etc. Finally, a presentation on Database Vault will be made to show how a "divide and conquer" policy can improve the global security of Oracle databases.
Oracle Database Vault has been on the market for a few years now. The product has been constantly improved over the years. But where is it worthwhile to use it? Which security measures can be implemented with it? And from whom does DB Vault protect me at all? In this presentation, the technical possibilities of Database Vault 19c / 21c will be explained in addition to the experiences from two customer projects. We will try to show where the use of Database Vault is worthwhile under certain circumstances and under which conditions it is not. This also includes whether protection against snakes and thieves is ensured. PS: I asked my children what kind of presentation I should submit.The answers were snakes, thieves and cheetahs…
MariaDB MaxScale is a database proxy that provides scalability, high availability, and data streaming capabilities for MariaDB and MySQL databases. It acts as a load balancer and router to distribute queries across database servers. MaxScale supports services like read/write splitting, query caching, and security features like selective data masking. It can monitor replication lag and route queries accordingly. MaxScale uses a plugin architecture and its core remains stateless to provide flexibility and high performance.
Webinar: MariaDB Provides the Solution to Ease Multi-Source ReplicationWagner Bianchi
MariaDB provides the solution to ease Multi-Source Replication aimed to show up the main characteristics of the
feature that was lunched together with MariaDB 10.0.1.
Click, click, click and I have already built my infrastructure in the cloud. But do you still know what you have built afterwards? With Infrastructure as Code or Terraform, cloud resources can be built, changed and deleted again relatively easily. This is ideal for dynamically building test and lab environments. But how do you make sure that a wrong command in the Terraform configuration does not dismantle the whole infrastructure again or shoot the costs up to astronomical heights? Where is the boundary between IaC testing and the actual release tests on the generated systems? Using Accenture Lab and training environments as an example, I will show various aspects around deploying cloud based infrastructures with Terraform. This course presentation will be complemented with demos and examples.
IaC MeetUp Active Directory Setup for Oracle Security LABStefan Oehrli
There is always that one problem that you want to analyze or that new feature that you briefly want to test. But often you lack a corresponding LAB environment. Especially if several systems and services like MS Active Directory have to be tested in combination. In this presentation we will show how IaC, scripts etc. can be used to create LAB environments quickly and easily. We will show how to configure VMs with Vagrant to test specific topics like Oracle Database Integration with Active Directory. In addition to Vagrant, we will also take a brief look at Docker Containers and Terraform Deployment on OCI, and see how you can create a corresponding LAB environment with moderate effort. The presentation will be complemented by corresponding demos and examples.
Security Best Practice: Oracle passwords, but secure!Stefan Oehrli
Authentication is an integral part of database security. If authentication or passwords are insufficient or inadequate, all further security measures are generally useless. But how do you ensure that passwords are complex and authentication is secure? In this presentation, the password hashes will be explained and it will be shown how to make sure passwords and authentication are state of the art. Focusing on the current versions of the Oracle database, the following topics will be discussed:
- Oracle database authentication
- Password verification and hashes
- Where can I find password hashes?
- Check and password hashes.
- Discussion of various risks related to authentication.
- Discussion of password policies and strong passwords.
- Customer Use Case in the DB Vault environment "ups we have forgotten the passwords".
The presentation will be supplemented by corresponding examples and live demos.
Security Best Practice: Oracle passwords, but secure!Stefan Oehrli
This document summarizes a presentation on securing Oracle passwords. It discusses Oracle's password hashing algorithms over different versions from 10g to 12c. It describes Oracle's logon process and how passwords are encrypted and verified. It highlights some challenges with Oracle passwords like weaknesses in hash functions, compatibility issues, and risks in the login process. It emphasizes the importance of properly configuring password versions and hashes when upgrading or migrating databases.
This document provides instructions for installing Oracle XE with ORDS and configuring it to run on Apache Tomcat or Oracle Glassfish Server. It discusses the benefits of using ORDS over mod_plsql, including increased functionality and flexibility. It then provides step-by-step guides for installing Glassfish Server, Apache Tomcat Server, setting up ORDS, and configuring each web server with ORDS. Key steps include deploying the ords.war and i.war files, and accessing APEX over ORDS at specific URLs for each server.
The document summarizes new features in Oracle Database 12c from Oracle 11g that would help a DBA currently using 11g. It lists and briefly describes features such as the READ privilege, temporary undo, online data file move, DDL logging, and many others. The objectives are to make the DBA aware of useful 12c features when working with a 12c database and to discuss each feature at a high level within 90 seconds.
This document summarizes a presentation on database authentication methods and security. It discusses different hashing algorithms used by Oracle over time, password cracking calculations, and various authentication methods including native Oracle authentication, secure wallet stores, LDAP/OID, Kerberos integration with Active Directory, and Kerberos configuration in Oracle 12c. Key topics covered include hashing algorithms, password strength, external user security, and single sign-on authentication protocols.
This document provides an overview of Always Encrypted in Microsoft SQL Server 2016, which allows customers to securely store sensitive data outside of their trust boundary while protecting data from highly privileged users. Key capabilities of Always Encrypted include client-side encryption of sensitive data using keys never provided to the database system and support for queries on encrypted data, with minimal application changes required.
Oracle Database 12c - The Best Oracle Database 12c Tuning Features for Develo...Alex Zaballa
Oracle Database 12c includes many new tuning features for developers and DBAs. Some key features include:
- Multitenant architecture allows multiple pluggable databases to consolidate workloads on a single database instance for improved utilization and administration.
- In-memory column store enables real-time analytics on frequently accessed data held entirely in memory for faster performance.
- New SQL syntax like FETCH FIRST for row limiting and offsetting provides more readable and intuitive replacements for previous techniques.
- Adaptive query optimization allows queries to utilize different execution plans like switching between nested loops and hash joins based on runtime statistics for improved performance.
Securing oracle e-business suite 12.1 and 12.2 technology infrastructurevasuballa
The document discusses options for securing Oracle E-Business Suite 12.1 and 12.2, including: defining whitelists of allowed JSPs and redirects; cookie domain scoping; password hashing upgrades; TLS encryption; DMZ configuration; and encrypting SQL traffic. It provides details on configuration files and profiles for hardening various aspects of the applications. The presenter is a principal consultant with experience securing Oracle E-Business Suite.
12cR1 new features. I have tried to cover all new features of 12cR1 and many more may be missing. These are all my own views and do not necessarily reflect the views of Oracle. Requesting all visitors to comment on it to improve further.
This document provides a summary of updates to MySQL between October 2021 and May 2021. It discusses three releases of MySQL 8.0 (versions 8.0.23, 8.0.24, and 8.0.25) and new features including invisible columns, asynchronous replication connection failover, improved load/dump functionality in MySQL Shell, and the new MySQL Database Service on Oracle Cloud Infrastructure with HeatWave for accelerated analytics.
DOAG Security Day 2016 Enterprise Security ReloadedLoopback.ORG
The document discusses security at the DOAG Security Day conference on March 17, 2016. It includes an agenda for the conference with topics on database security, password hashes, LDAP directory integration, PKI authentication, enterprise user security (EUS), Oracle Unified Directory (OUD) and Kerberos authentication. Tables show default Oracle database accounts and passwords. Diagrams illustrate Kerberos and PKI authentication workflows between clients, databases and directories.
The document is a presentation in French on the new features of MySQL 8.0. It discusses improvements to SQL functionality with Common Table Expressions, Window Functions, and LATERAL queries. It also covers new JSON functions and indexing, improved performance, and new management features in areas like replication, security, and error logging. The presentation provides examples and emphasizes that MySQL now supports both transactional SQL and NoSQL operations on JSON data, combining the benefits of both approaches.
Securing your MySQL / MariaDB Server dataColin Charles
Co-presented alongside Ronald Bradford, this covers MySQL, Percona Server, and MariaDB Server (since the latter occasionally can be different enough). Go thru insecure practices, focus on communication security, connection security, data security, user accounts and server access security.
This document discusses improving Oracle 12c database security. It begins with introducing the speaker and their background. The document then covers maintaining updated Oracle software and components, building appropriate security policies, authentication, authorization, encryption, auditing, and dividing security responsibilities. Specific techniques covered include using password verification functions, profile management, privilege analysis features in Oracle 12c, and properly configuring authentication and authorization settings. The overall message is that database security requires maintaining software updates, implementing strong authentication and authorization policies, and regularly analyzing and optimizing access privileges.
DB2 Express-C is a free version of the DB2 database server from IBM. It has no usage or deployment limits and can run on Windows, Linux, Mac OS X, and Solaris operating systems. Minimum requirements are 256MB of RAM but it is recommended to have at least 1GB. DB2 Express-C provides basic database functionality and sits below the paid DB2 Workgroup and Enterprise editions in terms of features. It uses concurrency controls like locking and transactions to allow for multi-user access to the database.
Oracle database and hardware were reaching end of support and needed to be migrated from an on-premise HP-UX server to AWS RDS. Key considerations for the migration included verifying Oracle license types supported on AWS RDS, supported database versions, available migration methods like Data Pump and Export/Import, storage space needed for data dumps, and potential downtime. The document outlined the steps to configure GoldenGate for a zero downtime migration of the 300GB Oracle database to AWS RDS, including installing and configuring GoldenGate on the on-premise and EC2 systems, setting up the extract and manager processes, and replicating the initial data.
Oracle 12c comes with a new Security offer, and a set of new features related to. By default, Oracle is not very well secured but it comes with a lot of tools and options to improve the security inside the database. The presentation will show to attendees that building a strong security policy based on 4 security topics can improve the data security. These ones are Authentication, Authorization, Encryption and Audit. Each of these four topics will be detailed by presenting Oracle 12c new security features, for example: privilege analysis, transparent network encryption and checksumming, unified auditing etc. Finally, a presentation on Database Vault will be made to show how a "divide and conquer" policy can improve the global security of Oracle databases.
Oracle Database Vault has been on the market for a few years now. The product has been constantly improved over the years. But where is it worthwhile to use it? Which security measures can be implemented with it? And from whom does DB Vault protect me at all? In this presentation, the technical possibilities of Database Vault 19c / 21c will be explained in addition to the experiences from two customer projects. We will try to show where the use of Database Vault is worthwhile under certain circumstances and under which conditions it is not. This also includes whether protection against snakes and thieves is ensured. PS: I asked my children what kind of presentation I should submit.The answers were snakes, thieves and cheetahs…
MariaDB MaxScale is a database proxy that provides scalability, high availability, and data streaming capabilities for MariaDB and MySQL databases. It acts as a load balancer and router to distribute queries across database servers. MaxScale supports services like read/write splitting, query caching, and security features like selective data masking. It can monitor replication lag and route queries accordingly. MaxScale uses a plugin architecture and its core remains stateless to provide flexibility and high performance.
Webinar: MariaDB Provides the Solution to Ease Multi-Source ReplicationWagner Bianchi
MariaDB provides the solution to ease Multi-Source Replication aimed to show up the main characteristics of the
feature that was lunched together with MariaDB 10.0.1.
Click, click, click and I have already built my infrastructure in the cloud. But do you still know what you have built afterwards? With Infrastructure as Code or Terraform, cloud resources can be built, changed and deleted again relatively easily. This is ideal for dynamically building test and lab environments. But how do you make sure that a wrong command in the Terraform configuration does not dismantle the whole infrastructure again or shoot the costs up to astronomical heights? Where is the boundary between IaC testing and the actual release tests on the generated systems? Using Accenture Lab and training environments as an example, I will show various aspects around deploying cloud based infrastructures with Terraform. This course presentation will be complemented with demos and examples.
IaC MeetUp Active Directory Setup for Oracle Security LABStefan Oehrli
There is always that one problem that you want to analyze or that new feature that you briefly want to test. But often you lack a corresponding LAB environment. Especially if several systems and services like MS Active Directory have to be tested in combination. In this presentation we will show how IaC, scripts etc. can be used to create LAB environments quickly and easily. We will show how to configure VMs with Vagrant to test specific topics like Oracle Database Integration with Active Directory. In addition to Vagrant, we will also take a brief look at Docker Containers and Terraform Deployment on OCI, and see how you can create a corresponding LAB environment with moderate effort. The presentation will be complemented by corresponding demos and examples.
SOUG Day Oracle 21c New Security FeaturesStefan Oehrli
With the Innovation Release 21c Oracle has introduced one or the other security feature. These include small improvements that make DB operation more secure and easier. But also completely new concepts like DB Nest, which introduce a new approach for databases, how DB security can be implemented in multitenant.
SOUG PDB Security, Isolation and DB Nest 20cStefan Oehrli
Lockdown Profile, PDB_OS_CREDENTIALS and other measures to enhance security and isolation of multitenant databases are available since Oracle 12c. Unfortunately only a part of the desired measures can be technically implemented. With the latest release of Oracle 20c a new features called DB Nest has been introduced. DB Nest introduced an other approach to security in PDBs. In this presentation we will discuss the new approach and its possibilities to increase database security of PDBs. The presentation will be completed by corresponding examples and live demos.
The document discusses using Terraform to automate deployment of resources in Oracle Cloud Infrastructure (OCI). It begins with an introduction to Terraform and its components like providers, modules, and backends. It then covers initial steps for setting up Terraform for OCI including installing Terraform, configuring the OCI provider, and running basic commands. The document outlines next steps like using Terraform to build small OCI infrastructures and combining configurations. It introduces using modules to define reusable infrastructure components. Finally, it provides an example of a Trivadis module for deploying a training lab environment on OCI.
DOAG Oracle Unified Audit in Multitenant EnvironmentsStefan Oehrli
Oracle Audit is a well-known and proven database functionality. Or maybe not? What does auditing look like in combination with Oracle Multitenant Databases? Does database and Unified Audit work analogous to existing configurations? In the context of this presentation the auditing in the environment of container databases will be examined more closely. It will be shown what has to be considered and how an auditing concept has to be adapted to the new architecture. With focus on the current versions of the Oracle database, specific problems and workarounds in the area of Unified Audit will be shown. The presentation will be complemented by corresponding examples and live demos.
SOUG Oracle Unified Audit for Multitenant DatabasesStefan Oehrli
Oracle Audit is a proven database functionality. Or maybe not? How does auditing look like in combination with Oracle Multitenant DBs? Does DB and Unified Audit work analogous to existing configurations? In the context of this lecture audit in Container DBs (19c/20c) will be discussed more closely. We will shown where to pay attention and how to adapt an audit concept to the new architecture. Specific problems and workarounds will be shown. The presentation will be complemented by demos.
UKOUG Techfest 2019 Central user Administration of Oracle DatabasesStefan Oehrli
Security is one of the key challenges for on-premises and cloud based databases nowadays. However, the appropriate security and hardening measures generally only make sense if authentication and authorization have already been implemented with appropriate care. Instead of the decentralized administration of users, privileges and roles in each database, it is easier and more secure to manage them centrally. The latest version of Oracle offers different possibilities to implement this requirement. With focus on the current versions of Oracle Database the following topics are discussed among others:
• Password verifier and strong authentication like Kerberos and SSL.
• Options for central user administration of Oracle databases.
• Oracle EUS versus CMU
• Integration of Oracle Database 19c with Active Directory Services
• Sample setup of an Oracle database with Active Directory Integration via Centrally Managed User (CMU)
The presentation is complemented by appropriate examples and live demos.
UKOUG TechFest PDB Isolation and SecurityStefan Oehrli
The same principles and measures of database security can be implemented in container databases as in normal single-tenant environments. However, if the container databases are to be used securely by various tenants with more or less high system privileges, additional security measures are required. Especially if access to the operating system is granted directly or indirectly with JVM, external tables, scheduler jobs or directories. The aim of this presentation is to evaluate database security in the focus of container databases and to discuss appropriate measures. This includes the use of lockdown profiles, PDB_OS_CREDENTIALS and various other measures and features. Where useful, the presentation is complemented by appropriate examples and demos. As far as possible, it is also shown how Oracle handles these problems in its cloud solutions (e.g. Autonomous Database).
Security is one of the key challenges for on-premises and cloud based databases today. But the appropriate security and hardening measures usually only make sense if authentication and authorisation have already been implemented with appropriate care. Instead of decentralised administration, where users, rights and roles are managed in each database, it is clearer and more secure to manage them centrally. The latest version of Oracle offers different possibilities to implement this requirement.
Oracle unterstützt seit längerem die Nutzung von Docker für die Oracle Datenbanken. In der Theorie wird mit einem einfacher docker run aus einem Docker Image ein Container instanziiert. Doch wieso ist der DB Container nicht in wenigen Sekunden bereit? Wo kommt mein Oracle DB Image überhaupt her und was geschieht, wenn der Container wieder gestoppt wird? Dieser Vortrag erläutert, wie Oracle DBs in einem Docker Image installiert, konfiguriert und anschliessend als Container betrieben werden.
Oracle has long supported the use of Docker for Oracle databases. In theory, a simple docker run instantiates a container from a docker image. But why isn't the DB container ready in a few seconds? Where does my Oracle DB image come from and what happens if the container is stopped again? This talk explains how Oracle DBs are installed, configured and then operated as containers in a Docker Image.
Sicherheit ist heutzutage eine der zentralen Herausforderungen für On-Premises und Cloud basierte Datenbanken. Doch die entsprechenden Sicherheits- und Härtungsmassnahmen sind in der Regel nur sinnvoll, wenn bereits die Authentifizierung und Autorisierung mit entsprechender Sorgfalt umgesetzt wurde. Anstelle der dezentralen Verwaltung der Benutzer, Rechte und Rollen in jeder Datenbank ist es dabei übersichtlicher und vor allem sicherer, diese zentral zu verwalten. Die aktuellste Version von Oracle bietet hierbei verschiedene Möglichkeiten diese Anforderung umzusetzen. Mit Fokus auf die aktuellen Versionen von Oracle Database 18c / 19c wird die Integration mit Centrally Managed User und Active Directory Services erarbeitet.
Oracle does support Docker for a couple of products since a while. In theory, a simple "docker run" instantiates a container from a docker image. But why isn't the DB container ready in a few seconds? Where does my Oracle DB image come from and what happens if the container is stopped again? The functional scope as well as the size of Oracle database container presuppose that one or the other thoughts about the use and the operation are made in advance. This includes topics such as data persistence, licensing and other operational aspects. This presentation explains how Oracle databases can be installed, configured and operated as containers in a Docker Image.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Building Production Ready Search Pipelines with Spark and MilvusZilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
AUSOUG Oracle Password Security
1. 1 11th November 2021
4.30 PM AEDT
Security Best Practice: Oracle passwords, but
secure!
Stefan Oehrli
Big Data/Analytics/Security/EPM & BI Summit
Event
Partners
3. 3 HALLO, GRÜESSECH, HI!
§ Since 1997 active in various IT areas
§ More than 24 years of experience in Oracle databases
§ Focus: Protecting data and operating databases securely
o Security assessments and reviews
o Database security concepts and their implementation
o Oracle Backup & Recovery concepts and troubleshooting
o Oracle Enterprise User and Advanced Security, DB Vault, …
o Oracle Directory Services
§ Co-author of the book The Oracle DBA (Hanser, 2016/07)
STEFAN OEHRLI
PLATFORM ARCHITECT
9. 11 BUT HONESTLY, ARE PASSWORDS STILL AN ISSUE?
§ Password based authentication is still one of the
most used methods → Flexibility
§ A large number of DB, Clients or Apps require
legacy hashes / protocols → Compatibility
§ Password Verification Functions do not keep
pace with CPU evolvements → Standards
§ The standards of the vendors are usually not the
securest → Security Hardening
§ Software, hashes and protocols reveal security
flaws over time
Secure authentication is crucial, otherwise
further security measures are questionable
11. 13 WHAT IS A HASH FUNCTION?
§ Mathematical algorithm to map data of any size to a
bit array of a fixed length
§ It is deterministic
§ Quick to compute hash for any given message
§ One-way function
§ Infeasible to generate a message that yields a given
hash value
§ Infeasible to find two different messages with the
same hash value → Collision
§ Known Cryptographic Hash Algorithms
o MD5
o SHA-1
o SHA-2 i.e., SHA-256 and SHA-512
12. 14 ORACLE PASSWORD HASH FUNCTIONS
§ Oracle 10g Hash Function
o Based on DES and an Oracle specific algorithm
o Case insensitive and weak password Salt => Username
§ MD5 based Hash Function
o used for digest authentication in XDB
§ Oracle 11g Hash Function
o Based on the SHA1 hash algorithm
o SHA1 is no longer considered safe (since 2005 see Wikipedia SHA-1)
o Supports case sensitive and multibyte character passwords
§ Oracle 12c Hash Function
o based on a de-optimized algorithm involving PBKDF2 and SHA-512
o Supports case sensitive and multibyte character passwords
§ Recommendation: Only use Oracle 12c Hash Function
13. 15 ORACLE 10G PASSWORD VERIFIER
CREATE USER syste IDENTIFIED BY mmanager;
User created.
ALTER USER system IDENTIFIED BY manager;
User altered.
SELECT name, password FROM sys.user$ WHERE name LIKE 'SYSTE%';
USERNAME PASSWORD
------------------------------ ------------------------------
SYSTEM D4DF7931AB130E37
SYSTE D4DF7931AB130E37
§ Passwords of local users are stored as 8-byte password hashes in base table SYS.USER$
§ This algorithm has several weaknesses
1. Weak password salt => user namey
14. 16 ORACLE 10G PASSWORD VERIFIER
ALTER USER system IDENTIFIED BY ManAger;
User altered.
SELECT name, password FROM sys.user$ WHERE name LIKE 'SYSTEM';
USERNAME PASSWORD
------------------------------ ------------------------------
SYSTEM D4DF7931AB130E37
§ This algorithm has several weaknesses
2. Not case sensitive
3. Based on a legacy and proprietary hash function
15. 17 ORACLE 10G PASSWORD ALGORITHM
Weak Hash Algorithm
1. Associate the user with the password to a clear
text string
2. Convert clear text to upper case letters
3. Convert clear text to a Unicode string
4. Encryption of the clear text with DES CBC and a
fixed key 0x0123456789ABCDEF If necessary
the clear text 0 is padded to the next even
block
5. Additional encryption of the clear text with DES
CBC Here the last block of step 4 is used as the
key. The last block is then used as the hash
value
17. 19 ORACLE 11G PASSWORD VERIFIER
SELECT name, regexp_substr(spare4,'((S:.+);|(S:.+))',1,1,'i’,1) HASH
FROM user$ WHERE name='TEST’;
NAME HASH
---------- --------------------------------------------------------------
TEST S:885B3ACB933CCBEF42DA4455BC4F1597E823F144A37F22B76F48F0CFFC52
§ Based on SHA-1 and supports Case Sensitive and Multibyte Character Passwords
Actually everything that your character set offers
But special characters requires quotes e.g. " "
§ Password hash is stored in column SPARE4 in base table SYS.USER$
Hash value does have the prefix S:
sys.user$spare4 = SHA1(pwd concat with salt) concat with salt
§ The hash function is a simple SHA-1 function
18. 20 EXAMPLE ORACLE 11G PASSWORD ALGORITHM
ALTER USER test IDENTIFIED BY Welcome1;
SELECT name,
substr(regexp_substr(spare4,'((S:.+);|(S:.+));',1,1,'i',1), 1,40 ) HASH,
substr(regexp_substr(spare4,'((S:.+);|(S:.+));',1,1,'i',1), 41) SALT
FROM user$ WHERE name='TEST’;
NAME HASH SALT
---------- ---------------------------------------- --------------------
TEST 885B3ACB933CCBEF42DA4455BC4F1597E823F144 A37F22B76F48F0CFFC52
SELECT sys.dbms_crypto.hash(utl_raw.cast_to_raw('Welcome1')||
hextoraw('A37F22B76F48F0CFFC52'),3) HASH FROM dual;
HASH
----------------------------------------
885B3ACB933CCBEF42DA4455BC4F1597E823F144
19. 21 ORACLE 12C PASSWORD VERIFIER
SELECT name, regexp_substr(spare4,'((T:.+);|(T:.+))',1,1,'i',1) HASH
FROM user$ WHERE name='TEST';
NAME HASH
----- --------------------------------------------------------------------
TEST T:1902FCD14B0096A5F6E44E2C0B87747911879173740A0FC8D8D346532731FE46A2
72123A0C53D79BDF26AB4FABAEEEF2964DEAE00B4626696C6CBE2ABEF753006B8D0E
3DFA2CB0480115E8457AE954E6
§ Based on a de-optimized algorithm involving PBKDF2 and SHA-512
o See Oracle® Database Security Guide 19c About the 12C Version of the Password Hash
§ Supports Case Sensitive and Multibyte Character Passwords
§ Password hash is stored in column SPARE4 in base table SYS.USER$
o Hash value does have the prefix T:
§ Oracle 12c Password Hash is supported by Client / Server Oracle Release 11.2.0.3
20. 22 WHICH PASSWORD VERIFIER IS AVAILABLE
SELECT username,password_versions FROM dba_users
WHERE username LIKE 'USER_%' ORDER BY 1;
USERNAME PASSWORD_VERSIONS
------------------------- -----------------
USER_10G 10G
USER_11G 11G
USER_12C 12C
USER_ALL 10G 11G 12C
§ Query PASSWORD_VERSIONS from DBA_USERS
§ Effective hash values stored in USER$
o Oracle 10g Hash column PASSWORD
o Oracle 11g Hash column SPARE4 Prefix S:
o Oracle 12c Hash column SPARE4 Prefix T:
22. 24 ORACLE LOGON PROCESS
§ Establish initial connection i.e. TNS name
resolution, connection request to listener, etc.
§ Negotiate session- and optional encryption keys
§ Initiate authentication either ...
o Password base for DB, CMU, EUS, Proxy or
orapwd file authentication
o External / OS based for OS, Kerberos,
Radius, SSL or admin privileges e.g. SYSDBA
§ Password based authentication is always done
on
the DB i.e. password hashes have to be available
to the database
o SYS.USER$ or orapwd file
o EUS/CMU relevant LDAP attributes e.g.
userPassword, orclCommonAttribute
23. 25 ORACLE LOGIN PROCESS O3LOGON/O5LOGON
Client sends user name
• Database fetches password hash
from SYS.USER$
• Generates session key (random)
• Encrypts key with hash
• Generates hash from password
• Decrypts session key
• Encrypts password with session key
• Decrypts password with session
key
• Generates password hash with this
• Compares hash with SYS.USER$
• Sends result
Login successful?
User name
Status
Password (encrypt.)
Session Key / Salt
24. 26 AUTHENTICATION PROTOCOL
§ Login protocol is defined by the sqlnet.ora configuration
o SQLNET.ALLOWED_LOGON_VERSION_SERVER (default 12)
o SQLNET.ALLOWED_LOGON_VERSION_CLIENT (default 11)
§ Here "version" refers to the version of the login protocol, not the database version
§ Appropriate password versions / hashes must be available
o See DBA_USERS.PASSWORD_VERSIONS
§ Default value of ALLOWED_LOGON_VERSION_SERVER
o Up to Oracle 12.1.0.2 => 8 all hashes are created
o From Oracle 12.2.0.1 => 12 only 11c and 12c hashes are created
§ Recommended setting for ALLOWED_LOGON_VERSION_SERVER is 12a
o Only the 12c Password Verifier is used
25. 27 OVERVIEW AUTHENTICATION PROTOCOL
§ Authentication Registration protocols version and the limitations / capabilities
o ALV = SQLNET.ALLOWED_LOGON_VERSION_SERVER/CLIENT
ALV Password
Version
Client
ability
Meaning
12a 12c O7L_MR Only Oracle 12.1.0x clients
12 11g, 12c O7L_NP Only clients with CPUOct 2012
11 10g, 11g, 12c O5L Oracle 10g and later, DBs older than 11.2.0.3
or without CPUOct 2012 must use 10g
passwords
10 10g, 11g, 12c O5L
9 10g, 11g, 12c O4L Oracle 9i and newer
8 10g, 11g, 12c O3L Oracle 8i and older
27. 29 PROTOCOL AND PASSWORD HASHES
SQL> ALTER USER scott IDENTIFIED BY values
'S:22D8239017006EBDE054108BF367F225B5E731D12C91A3BEB31FA28D4A38';
§ Corresponding password versions / hashes must be available
o See DBA_USERS.PASSWORD_VERSIONS
§ If the version is not greater/equal, the connection is terminated
o ORA-28040: No matching authentication protocol
§ If the corresponding hash is missing, the connection is terminated
o ORA-01017: invalid username/password; logon denied
§ By setting/deleting the corresponding hashes, you can indirectly control which logon protocol is used
28. 30 WEAKNESSES IN THE PASSWORD SYSTEM
§ Password hashes are all over the place
o Not everywhere, but in enough places
o Miscellaneous base tables in the data dictionary
o orapwd file used for remote login as administrative user
§ If the hashes are known, dictionary, rule or brute force based attacks are possible
§ Limitation and vulnerabilities of password hash functions
o E.g. known hash collisions
§ Character restriction (no upper/lower case up to and including Oracle 10g, in principle no special
characters allowed)
o Partial compatibility problems with different tools
29. 31 RISKS OF THE ORACLE LOGIN PROCESS
§ Is the login process secure?
§ User name passes through the network unencrypted
§ But no password, no password hash
§ Password is automatically encrypted between client and server via AES
§ If password hash known, session key could be decrypted
§ Vulnerability found for password verifier using SHA-1 in October 2012
o Security vulnerability in login process CVE-2012-3137
o Clients and servers need to be patched and password reset
o Information in MOS Note 1492721.1 and 1493990.1
o Hint: Every Client which is not patched or using legacy logon process is still affected from this
vulnerability
30. 32 CONFIGURATION – ORA-01017 OR ORA-28040
§ False Configurations can lead to issues, mostly to ORA-01017 or ORA-28040
o E.g. set SEC_CASE_SENSITIVE_LOGON=FALSE and ALLOWED_LOGON_VERSION_SERVER>=12
§ Database Migrations using expdp/impdp import users as they are
o Can lead to wrong / missing password verifiers
o Source DB has only 10g hashes but target requires 11g or 12c password verifiers
o MOS Note 2289453.1 ORA-39384 Warning: User <USERNAME> Has been locked …
o Post by Mike Dietrich What happens to PASSWORD_VERSIONS during an upgrade to Oracle 12.2?
§ Applications limiting password character pool
o Some applications cannot handle certain special characters, umlauts etc.
o $ " @ # can be challenging to escape properly
§ Client Libraries (OCI, JDBC,…) not coping with new hash algorithms
o Legacy issue from Oracle 10g to 11g transition
o Client occasionally simply converted the password to uppercase
32. 34 PASSWORD PROFILES
§ Since Oracle8 it is possible to create password profiles and assign them to users
§ Password profiles define the criteria for passwords
o complexity with a password check function
o Number of incorrect logins, number, lock and grace time
o Validity period of passwords
o Password history
§ Oracle provides a script utlpwdmg.sql to configure password profiles and functions
o The script is updated with every Oracle release
o The script is not executed depending on the Release / Create method
o It includes profiles based on CIS and Database STIG recommendations
§ Password verification function can be created using Oracle functions:
o ora_string_distance Calculation of the difference between two strings according to the
Levenshtein distance
o ora_complexity_check Checking the password complexity of a string
33. 35 GOOD IDEA TO SPECIFY COMPLEXITY RULES?
Example Password Rule
§ Password with digits, upper and lower case letters
§ 8-character password length
§ At least 1 capital letter
§ At least 1 lower case letter
§ At least 1 digit
The Problem
§ Number of characters 26+26+10=62
§ Combinations for 8-character password 628
§ Minus the special cases:
o Digits only 108
o Letters only 528
o Upper and lower case only 268 + 268
About a quarter less combinations!
Effective Combinations
75.32%
Digits only 0%
Upper case only 0.10%
Lower case only 0.10%
Characters only 24.48%
PASSWORDS
34. 36 BUT WHAT ARE GOOD PASSWORDS?
Not easy to answer anyway, if there is an answer at
least. A few principles and good practices:
§ Passwords must be easy to “remember” either
by you or your password manager
§ Pool of unique characters should be as large as
possible ... and feasible J
§ Maximum manageable length should be
selected
o The longer, the better J
§ Password should not be based on common
words, names or know passwords i.e. password
dictionary
§ Do not follow any obvious rules
§ Password should have high entropy
35. 37 PASSWORD ENTROPY
§ Entropy is a measurement of how unpredictable a password 𝐸 = 𝐿𝑜𝑔! 𝑅"
o 𝑅"
= number of possible passwords
o E = password entropy in bits
o R = pool of unique character
o L = number of character i.e. password length
§ Entropy for the example before 𝐸 = 𝐿𝑜𝑔! 62#
= 47.6 bits
§ Today's GPU can calculate several million hashes per second
o MacBook Pro 2020 400MH/s for Oracle 10g
o 36 - 59 bits used to be reasonable secure
§ Safe Password? It depends…
o … on how the password is generated (random is not always that random)
o … on a possible attack method e.g. Welcome1 meets the password rule
37. 39 CHECK THE PASSWORDS!
SELECT username FROM dba_users_with_defpwd;
USERNAME
----------
CTXSYS
SCOTT
§ The view DBA_USERS_WITH_DEFPWD can be used to easily check whether the default passwords of users
created by Oracle have been changed
§ Alternative checking of the known hash with appropriate tools
o DBMS_CRYPTO to calculate the hash manually
o Password Crack Tools like Hashcat, John the Ripper and others
38. 40 PASSWORD VERIFICATION USING TOOLS
§ Tools Hashcat and John the Ripper do support a wide range of known password hashes
o Including all hash functions used by Oracle e.g. 10g, 11g, 12c
§ GPU power is a crucial factor when calculating hash values
o Tools do use CPU and GPU to calculate hashes where GPU
o Whereby GPU are faster by factors
§ Different attack methods are possible:
o Dictionary based – testing passwords from wordlist e.g. 5-10 Mio
o Rule based – Extend wordlist by rules e.g. flip chars, add numbers etc.
o Brute force – Calculate every combination out of a character pool
§ The tools are basically free and publicly available
o Relatively well documented and No darknet experience required J
§ The use might be illegal depending on country and region
o Depends on the purpose of use
41. 43 WHAT IS GENERALLY POSSIBLE?
Performance for other hash values differs
Power of my MacBook pro not enough?
§ No need to rent a Cray-2
§ Just buy a decent graphic card or two
i.e., for game not office usage J
§ Set up a compute instance in a cloud
o All cloud vendors have options for GPU support
Hash Type MB Pro 2018 MB Pro 2020 Nvidia GTX 1080 TI
MD5 4’921.4 MH/s 11’240.0 MH/s 31’103.4 MH/s
SHA-1 1’783.2 MH/s 4’296.9 MH/s 11’374.1 MH/s
Oracle 7+ 133.9 MH/s 414.0 MH/s 1’320.0 MH/s
Oracle 11+ 1’766.6 MH/s 4’283.2 MH/s 11’222.5 MH/s
Oracle 12+ 4390 H/s 3698 H/s 150.2 kH/s
43. 45 GOOD PRACTICE
Keep your Oracle Clients and Server up to date
§ Stay updated by following Critical Patch Updates, Security Alerts and Bulletins
§ Install security fixes in a reasonable time frame
Consider using strong Authentication
§ Kerberos and SSL based Authentication
Don’t use legacy password verifier
§ Use Oracle password file version 12.2
§ Explicitly configure ALLOWED_LOGON_VERSION_SERVER to 12a and exclusively use 12c hash values
§ Start using PBKDF2 SHA-512 for directory-based password authentication with EUS and CMU
§ Art. 32 GDPR Security of processing
MD5, SHA-1 and Oracle 10g password verifiers are definitely not state of the art any more
44. 46 GOOD PRACTICE
Revise your password policies
§ NIST, CIS, STIG and other standards are
continuously adjusted
§ Does the complexity rule still make sense or
does it just reduce the amount of possibilities
User awareness training
§ Make sure your user know the principle of
good and bad
§ Use of phase phrase rather than password
45. 47 GOOD PRACTICE
Reduce the attack vector
§ Limit access to password hash values
o e.g., password files, SYS.USER$ and other base tables
§ Know where you have password hash values
o e.g., in application tables
§ Implement general database hardening
o Oracle Database Lockdown
o Oracle® Database Security Guide 19c
o CIS Oracle Database Benchmark 19c
o DoD Oracle Database 12c STIG - Ver 1, Rel 18
§ Once again training of security awareness…
47. 49 CONCLUSION
§ There is no absolute security nor secure
passwords
o Computing power evolves
§ Revise your password rule
§ Keep software up to date
o That means server and clients
§ Don’t use legacy configuration
o 10g/11g hashes
o SEC_CASE_SENSITIVE_LOGON
§ Consider using strong authentication
o Kerberos or SSL Source: xkcd https://xkcd.com/538
48. TOGETHER WE ARE
#1 PARTNER FOR BUSINESSES TO
HARNESS THE POWER OF DATA
FOR A SMARTER LIFE
49. 51 GOODBYE…
§ E-Mail stefan.oehrli@trivadis.com
§ LinkedIn https://www.linkedin.com/in/stefanoehrli/
§ Blog www.oradba.ch
§ Twitter @stefanoehrli
STEFAN OEHRLI
PLATFORM ARCHITECT