Oracle database threats - LAOUC Webinar

Osama Mustafa
Senior Oracle DBA
Gurus Solutions

Overview
• Introduction
• Why Database security is important ?
• How Database Are hacked ?
• How to Protect against Database Attack ?
• Conclusion
• Reference
• Q&A

Who Am I ?
•
•
•
•
•
•

Certified OCP,OCE,OCS 10g,11g
Oracle ACE
Certified Ethical hacker / LPT
Sun / Linux Certified
Author Of Oracle Penetration testing book
Presenter & Contributor in Oracle Community .
osama.mustafa@gurussolutions.com
@OsamaOracle
http://osamamustafa.blogspot.com
Osama Mustafa

GoogIe Search
Without Oracle

With Oracle

Introduction
• 10 January 2014 Target data theft affected 70 million
customers.
• Data Theft is Becoming Major Threat.
• Data Theft is Bank of gold.
• 90% of companies say they've been hacked.
• Most of the Target Data are Personal Stuff Such as
Credit Card, Account Number, and Passwords.

Introduction
Revising the Top 10 Data Loss Incidents list

Introduction
“Your Personal Data is Worth Pretty Penny, But it All Depends On Who
Wants it” TrendMicro
Average for personal Data Between 0$-1200$
If you want to know how much your Personal Data Worth Check this
Website :
http://www.ft.com/cms/s/2/927ca86e-d29b-11e2-88ed00144feab7de.html#axzz2ukFAZIUF

Introduction
• In 2012 Report from Verizon Data Indicate that 96% of Records breached are
from database.
• Less Than 5% of Security Spend on Data Center (WW Security Products ) .
Data Center
5%

95%

Why Database Security Is Important
• Database is the most important Data Banking :
• Financial Data
• Client/Customer Data
• Corporate/organization Data.

• If the database stop working the company will lose money.
• If the database is getting hacked, imagine what happened to the
company.

Why Database Security Is Important
• Ensure the data is confidential, and prevent any outsourcing
modification.
• Secure database provide an additional benefit which is data
management become more efficient and effective.
• Access to database should be only restricted to authorized people
only unless one thing it’s Public Database.
• Secure Database leads to monitor activity and knows
authorized people.

Laws about Security
• SOX  Sarbanes Oxley
• “protect investors by improving reliability of corporate”

• PCI  Payment Card industry
• Related to Credit card companies such as Visa, Master card.

• GLBA  Gramm Leach Bliley Act
• companies that offer consumers financial products or services like loans.

• DATA  Data Accountability and Trust Act
• security policies and procedures to protect data containing personal
information

How Database are Hacked ?
• As Database Administrator you need to know Threats that can effect
on your database.
• Definition of threats : context of computer security, refers to anything
that has the potential to cause serious harm to a computer system. A
threat is something that may or may not happen, but has the
potential to cause serious damage. Threats can lead to attacks on
computer systems, networks and more.
• Vulnerability: Existence of a weakness design or implementation
error that Existence of a weakness, design, or implementation error
that can lead to an unexpected and undesirable event compromising
the security of the system

Elements Of Security
• Confidentiality :
• The concealment of information or resources.

• Authenticity
• The identification and assurance of the origin of information.

• Integrity
• The trustworthiness of data or resources in terms of preventing improper and
unauthorized changes.

• Availability
• The ability to use the desired information or resource

Triangle of Security

Decide Before Moving The Ball

What The Hacker Do ?
• Gather Information

• Active : Directly Such as social engineering
• Passive : Google search, Social media

• Scanning :

• use some tools for scan vulnerabilities of the system.

• Gaining Access:

• Penetration Phase, continue attacking to explore deeper into the target network.

• Maintaining Access

• Downloading Phase

• Clearing Tracks

“The more the hacker learns about your internal operations means the more likely he will be
intrude and exploit. So be Secure.”

Attack Oracle-Database Server
• Database servers are usually hacked to get the critical information
• Mistakes made by the web designers can reveal the databases of the
server to the hacker
• Finding an Oracle database server on network is done using TCP port
scan
• Once Oracle Database Server has been discovered, First Port of call is
TNS Listener.

Top Threats Effect on Database Server
• Unused Privileges:• When user are Granted Database access Privileges that exceed requirement
of their job these Privileges can lead to major issue if the user was know what
he is doing.
•
•
•
•
•
•
•
•

REVOKE CREATE DATABASE LINK FROM connect;
REVOKE EXECUTE ON utl_tcp FROM public;
REVOKE EXECUTE ON utl_smtp FROM public;
REVOKE EXECUTE ON utl_http FROM public;
REVOKE EXECUTE ON utl_mail FROM public;
REVOKE EXECUTE ON utl_inaddr FROM public;
REVOKE EXECUTE ON utl_file FROM public;
REVOKE EXECUTE ON dbms_java FROm public;

• http://support.oracle.com
• Review database user privileges
• Note 1020286.6 - Script to Create View to Show All User Privs
Note 1050267.6 - SCRIPT: Script to show table privileges for users and roles
Note 1020176.6 - SCRIPT: Script to Generate object privilege GRANTS

• Revoke privileges from PUBLIC where not necessary
• Note 247093.1 - Be Cautious When Revoking Privileges Granted to PUBLIC
Note 234551.1 - PUBLIC Is it a User, a Role, a User Group, a Privilege ?
Note 390225.1 - Execute Privileges Are Reset For Public After Applying Patchset

• Weak Authentication
• Most common Default Password for Database
Username

Password

Sys

Manager

Sys

System

Sys

Oracle

System

Same as sys

Apps

Apps ( EBS User )

scott

tiger

Oracle Default Password List By Pete Finnigan
http://www.petefinnigan.com/default/default_password_list.htm

Voyager Beta worm
• On 20-december 2005 an anonymous poster (kwbbwi@findnot.com )
posted an variant of the Oracle Voyager Worm.
• Read more About this Worm :
• http://www.red-database-security.com/advisory/oracle_worm_voyager.html

• attacks Oracle servers using default accounts and password
• It attempts a TCP connection to TCP Port 1521 Where oracle
connection Service listens.
• If Ok Then Tries Series of Username and password
• System/manager, sys/change_on_install , dbsnmp/dbsnmp, scott/tiger.

• Authenticate Ok , It will create table to transfer payload.

• Denial of service (DoS) :• Common DoS techniques include buffer overflows, data corruption, network
flooding, and resource consumption.
• It is an attack through which a person can render a system unusable or
significantly slow it down for system unusable, or significantly slow it down
for legitimate users, by overloading its resources.
• Attackers may:
• Attempt to flood a network, thereby preventing legitimate network traffic.
• Attempt to disrupt connections between two machines thereby Attempt to disrupt
connections between two machines, thereby preventing access to a service.
• Attempt to prevent a particular individual from accessing a service.
• Attempt to disrupt service to a specific system or person.

• The Impact:• Disabled network
• Disabled organization
• Financial loss
• Loss of goodwill

• DoS Attack Classification:•
•
•
•
•

Smurf :- Generates a large amount of ICMP echo (ping)
Buffer Overflow Attack :- The program writes more information into the buffer.
Ping of death :- Send IP Packets larger than the 65,536 Bytes.
Teardrop :- IP Requires that packet that is too large for next Router.
SYN Attack :- Sends bogus TCP SYN requests to a victim server.

• Examples DoS Attack Tools :•
•
•
•
•
•
•
•
•
•
•

Jolt2
Bubonic.c
Land and LaTierra
Targa
Blast20
Nemesy
Panther2
Crazy Pinger
Some Trouble
UDP Flood
FSMax

• SQL Injection
• type of security exploit in which the attacker "injects" Structured Query
Language (SQL) code through a web form input box to gain Structured Query
Language (SQL) code through a web form input box, to gain access to
resources, or make changes to data
• Programmer use sequential commands with user inputs making it easier for
attackers to inject commands.
• Attacker can do SQL Commands through web application.
• For Example when a user logs onto a web page by using a user name and
password for validation a SQL query is user name and password for validation,
a SQL query is used.
• What I Need  Any Web Browser.

• What Should I look For in SQL Injection ?
• HTML method
• POST  you cannot see any parameters in browser.
• GET

• Check HTML Source Code.
<Form action=search.asp method=post> <input type=hidden name=X value=Z>
</Form>

• Examples
• http:// www.mywebsite.com /index.asp?id=10


If you get this error, then the website is vulnerable to an SQL injection
attack

• But Wait How Can I Test SQL Injection !!!
• Different Way, Different Tools
• Easy Way to use Single Quote in the input

• Examples :
• • blah’ or 1=1—
• Login:blah’ or 1=1—
• • Password:blah’ or 1=1—
http:// www.mywebsite.com /index.asp?id=10

Will be like this
http:// www.mywebsite.com/index.asp?id=blah’ or 1=1--

• Another examples for single quote usage in SQL Injection :
• ‘ or 1=1—
• “ or 1=1—
• ‘ or ‘a’=‘a
• “ or “a”=“a
• ‘) or (‘a’=‘a)
• The hacker breaks into the system by injecting malformed SQL into the query
because the executed query is formed by the concatenation of a fixed string and
values entered by the user:
• string strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUser.Text + "' AND
Password='" + txtPassword.Text + "'";

• If the user enter valid username and password the query strQry will be changed
Like this :
SELECT Count(*) FROM Users WHERE UserName='Paul' AND Password='password‘

• But The Hacker will not leave weak code Alone and he will enter :' Or 1=1 –

• The New Query Will be
SELECT Count(*) FROM Users WHERE UserName='' Or 1=1 --' AND Password=''

• 1=1 is always true for every row in the table, so assuming there is at least one row
in the table this SQL always return nonzero count of records.

• Weak Audit Trail

Performance impacts.
Determine what is important to be audited.
Limited Resource.
Which Mechanism Of Audit Trail I should Use ?

No End-To-End Auditing

• Whether database auditing is enabled or disabled, Oracle will always audit
certain database actions into the OS audit trail. There is no way to change this
behavior because it is a formal requirement of the security evaluation criteria.
Documents Every DBA Should Read

•
•
•
•
•

NOTE:174340.1 - Audit SYS User Operations (How to Audit SYSDBA)
NOTE:553225.1 - How To Set the AUDIT_SYSLOG_LEVEL Parameter?
NOTE:1299033.1- Master Note For Oracle Database Auditing
Note 174340.1 - Audit SYS User Operations
note 1171314.1 Huge/Large/Excessive Number Of Audit Records Are Being Generated In The
Database
• Note 1509723.1 - Oracle Database Auditing Performance

• Malware
• is software designed to infiltrate or damage a computer system without the
owner's informed consent The expression is a general term used by computer
professionals to mean a variety of forms of hostile, intrusive, or annoying
software or program code.
Report From Verizon Data:“69% breaches incorporated malware”
http://www.wired.com/images_blogs/threatlevel/2012/03/Verizon-DataBreach-Report-2012.pdf

• Malware includes computer viruses, worms, trojan horses, spyware, adware,
most rootkits, and other malicious programs. In law, malware is sometimes
known as a computer contaminant, in various legal codes.

Most Common Ports:Name

Protocol

Ports

Back Office

UDP

31337 Or 31338

Deep Throat

UDP

2140 and 3150

Net Bus

TCP

12345 and 12346

Whack-a-mole

TCP

12361 and 12362

Net Bus 2 Pro

TCP

20034

Girlfriend

TCP

21544

Master Paradise

TCP

3129, 40421, 40422,
40423 and 40426

Windows : netstat –an | findstr <port number>
Linux : netstat –an | grep <port number>

• Storage/Backup Media Exposure
• When data is saved to tape, you want to be confident that data will be
accessible decades from now, as well as tomorrow.
• Backup database storage media is often completely unprotected from attack.
As a result, several high profile security breaches have involved theft of
database backup tapes and hard disks.
• Always Remember Company Data Means Money to another Person.

• Unpatched Database
• Oracle Provide Something Called Critical Patch Updates.
• Critical Patch Updates are collections of security fixes for Oracle products.

• They are released on the Tuesday closest to the 17th day of January, April, July and
October. The next four dates are:
•
•
•
•
•

17th day of January.
15 April 2014
15 July 2014
14 October 2014
20 January 2015

http://www.oracle.com/technetwork/topics/security/alerts-086861.html

• Another Thing should be follow and Monitored which is :
• Security Alerts
• Oracle will issue Security Alerts for vulnerability fixes deemed too critical to wait for distribution in the next Critical Patch
Update

• Unsecure Sensitive Data:• Who has access to company data ?

• Dose the company meet requirement ?
• What Will make the Hacker Rich ?
• What Could damage the reputation of the organization ?

• Limited Education/Trained end users:• Humans are the weakest link in the information security.
• The errors committed by the human elements of an organization remain a major
contributor to data loss incidents worldwide.

• What do we want to accomplish by making users aware of security?
•
•
•
•

Encourage safe usage habits and discourage unsafe behavior
Change user perceptions of information security
Inform users about how to recognize and react to potential threats
Educate users about information security techniques they can use

• Challenges:•
•
•
•

Delivering a desired message to the end-user.
Motivating users to take a personal interest in information security.
Giving end user security awareness a higher priority within organizations.
No Budget in the company for Security Awareness.

How to Secure Database
• What Should I Do to Secure Database ?
• Set a good password policy
• No password reuse.
• Strong passwords

• Keep up to date with security patches
• Check Firewall level

• Trusted Connection Only
• Block Unused Ports

• Encryption

• network level
• SSL

• File Level Such as Backup.
• Database Such As Sensitive Data.

• Monitor Database

• Periodically check for users with database administration privileges

How to Secure Database
• audit your web applications
• Misconfigurations.

• Log as much as possible
• Failed logins.
• Permissions errors

• Your Data is your money protect it.
• Train IT staff on database security.
• Always Ask For Professional Services.

Thanks For LAOUC

osama.mustafa@gurussolutions.com
@OsamaOracle
http://osamamustafa.blogspot.com
Osama Mustafa

Oracle database threats - LAOUC Webinar

More Related Content

What's hot

Viewers also liked

Similar to Oracle database threats - LAOUC Webinar

More from Osama Mustafa

Recently uploaded

Oracle database threats - LAOUC Webinar