Monday, 25 December 2006

Oracle Password security

On 27 November 2006 a posting to the DBSEC list at freelists showed
how to recover a user's cleartext password from a combination of their password hash and a packet capture of their authentication exchange:
http://www.freelists.org/archives/dbsec/11-2006/msg00005.html

A significant number of DBAs in the field rely on the assumption that a long, complex password will make
their Oracle database secure. Current thinking about rainbow tables
has been that simple passwords on known usernames are
beatable but that complex passwords with special characters are safe. This is not the case: given the hash and a capture of the logon, the password is recovered outright, however complex it is.

There are a number of ways of getting at the password hashes.
Not least of these is the DBSNMP account. The password file created by the orapwd utility, and many other files at the operating-system level that are unsecured by default,
also expose the hashes.

Having to defend against someone who holds the DBA's
legitimate password is going to be a big change to a lot of people's
security strategies.

This requires closer attention to securing the SYS.USER$ table and to network communications, meaning that privileged SQL*Plus connections will
now need to go over SSH (or another encrypted channel) so that the authentication exchange cannot be captured on the wire.

In short, when devising a defence plan, the hashes in USER$ should now be regarded as plain text.
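If the hashes are to be treated as plain text, the first question is who can read them. The queries below are an added example, not part of the original post, of what a DBA could run on a 9i/10g-era database to answer that, with the DBSNMP account and the dictionary-accessibility parameter checked alongside. They assume the standard data dictionary views and a connection with DBA privileges; the grantee name in the final remediation step is hypothetical.

```sql
-- Added example, not part of the original post. Assumes an Oracle 9i/10g
-- data dictionary and a connection with DBA privileges.

-- 1. Anyone with a direct object grant on SYS.USER$ can read the hashes outright.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'USER$';

-- 2. System privileges that reach the hashes indirectly.
--    SELECT ANY DICTIONARY reads SYS.USER$ directly; SELECT ANY TABLE does
--    too, but only when O7_DICTIONARY_ACCESSIBILITY is TRUE (step 4).
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY DICTIONARY', 'SELECT ANY TABLE')
 ORDER BY privilege, grantee;

-- 3. Roles that expose the hash: DBA, and SELECT_CATALOG_ROLE, because on
--    10g and earlier the DBA_USERS.PASSWORD column still shows the hash.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'SELECT_CATALOG_ROLE')
 ORDER BY granted_role, grantee;

-- 4. Dictionary protection must be on (FALSE is the default since 9i;
--    TRUE lets SELECT ANY TABLE reach SYS-owned tables such as USER$).
SELECT name, value
  FROM v$parameter
 WHERE name = 'o7_dictionary_accessibility';

-- 5. The DBSNMP account named in the post: is it open, and when does its
--    password expire?  Lock it only if no Enterprise Manager agent relies
--    on it; otherwise give it a fresh, non-default password.
SELECT username, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE username = 'DBSNMP';

-- 6. Remediation for a grantee found in step 1 (hypothetical name), and
--    for a DBSNMP account that is not in use.
REVOKE SELECT ON sys.user$ FROM app_reporting;
ALTER USER dbsnmp IDENTIFIED BY "replace-with-a-long-random-value";
ALTER USER dbsnmp ACCOUNT LOCK;
```

These queries only cover access from inside the database. The password file from orapwd and the other operating-system files the post mentions have to be checked with file permissions at the OS level, and none of this stops an attacker who already holds a hash and can sniff a logon, which is why the SQL*Net session itself needs to be encrypted as well.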

2 comments:

Unknown said...

I would like to take this chance to state that I really like your post. It has been a fine source of information for me in my study. Thank you so much. Oracle SQL

Le Mystique said...

Hi! I am a digital marketer. The previous SEO guy working for my client left a spammy comment on your blog with the username Soledad Knight which links to my client's site.
Such comments cause, or might cause, serious damage to my client's site with respect to SEO, which is why I am hereby requesting that you remove it asap.
If you don't remove it by 11:59 pm, Pacific Standard Time, 3rd January 2014, we will have to use Google's Disavow Tool to get the back-link removed and, sorry to say this, but Google may not look too kindly upon you either for not having removed the comment. Thanks in advance for your cooperation.