DBSecWorx Blog  

[30-July-2019]

The truth, the whole truth, and nothing but the truth.






If you believe this pile of rubbish you shouldn't be allowed to touch a keyboard. "Exploit a configuration vulnerability" ROFLMAO.

Yeah, sure, Capital One stored data on 100 million people inside of a configuration vulnerability.

Let's try a small dose of reality.

First the attacker gained access to the network ... how?
Which firm did CapOne hire to perform a pentest that failed to do its job well?
Then the attacker somehow stumbled on login credentials that would provide access to the correct schema.
Does CapOne use Multi-Factor Authentication? How was that compromised?
Then the attacker found her way through thousands of infrastructure components to the right database. How?
Then not a single control prevented the attacker from querying 100,000,000+ rows of data from the right tables and columns.
Then the attacker exfiltrated the data out of CapOne's data center.

And we are asked to believe all of this is the result of a single configuration vulnerability. Total rubbish.

Richard D. Fairbank, Capital One's founder, chairman and CEO, has a lot to answer for. But, unfortunately, newsrooms worldwide will abrogate their responsibility and "repeat" not "report". Repeat superficial fluff from a PR desk rather than report on how, for a very small investment, CapOne could have prevented the entire mess.

Safe computing requires diligence.
Safe computing requires well thought out processes and procedures.
Safe computing requires that management invest in more than just a firewall.
Safe computing requires defense in depth.
Safe computing requires not relying on sales account execs to solve problems they don't even understand.
If you don't know that data is stored in databases.
If you don't know how to attack a database and compromise a database.
You haven't even a prayer of being able to prevent an attacker from being successful.

CapOne's management failed.
CapOne's IT leadership failed.
And I'll bet there are many members of CapOne's IT technical staff who have been warning their immediate management for years.

Most likely, CapOne's Board will now fail again ... not because they are irresponsible and don't care ... but rather because they will rely on some company to sell them a magic bullet.

Unsolicited advice to CapOne ... if the company you hire can't answer the following question you deserve what you get.
Q: "List and explain all of the security flaws in the Oracle Database DEFAULT profile."
A: I count 17 separate security flaws.
 


[29-July-2019]

Take a close look at the email I just received. It is the second one in the series. Clearly the intent is to get someone to click on the link. There are a couple of things that alerted me with the first message:

  1. I was not expecting a package
  2. The lack of a logo
  3. The lack of label number, phone number, and other information in the body of the email
  4. There was no need for an attachment
  5. The fact that I was present at the location and no sticker was left on the door from the attempted delivery
  6. American companies don't write "29th July" ... an American company would have written July 29, 2019
  7. The fact that the attached file is a .IMG and is 1.2MB ... no status notification requires 1.2MB of anything

The biggest single factor in my not responding to the first attempt to trick me was simply that the information required for me to contact DHL could have been included in the email text ... there was no need for an attachment. The fact that I knew no attempt to deliver had been made and there was no sticker on the door was confirmation.

This email repeats those same mistakes but makes an additional one that is equally egregious. As I type this entry into my blog, and post it to our website, ... 2:30pm on 29 July is 5 hours in the future.


 
Safe computing requires diligence. If you might have been tempted to click on the email you need to study the warning signs I listed above. A click on the link would have infected your computer.
 

[24-July-2019]


[18-July-2019]

What is it going to take for people to come to what seems like an obvious conclusion? Nothing is free. If you expect to be paid for your work why are you so willing to accept that others write software for you for free? To read the full article [Click Here].
 


[16-July-2019]


[09-July-2019]

Anyone familiar with DBSecWorx knows we are completely unamused by those that think security consists of an expensive firewall, an identity management system, and end-point monitoring. For those that are open to learning from past mistakes ... here is another lesson. At your leisure look up NTLM Brute-Force (CVE-2019-1126) ... and while reviewing the lengthy explanation consider the value of securing data and databases. In all of human history there has never been an impenetrable wall.

[23-June-2019]

[21-June-2019]

Oracle and Backward Compatibility

At almost every Oracle Security Master Class I teach I find multiple students wondering why Oracle doesn't "just fix" some of the more obvious security flaws and other anomalies and I explain that Oracle puts great value in backward compatibility: In not breaking existing customers. One example I use to illustrate that point is that DBA_TAB_PRIVS contains all object privileges ... not just those related to tables as the name implies. As to why there is a view named DBA_TAB_COLS and another named DBA_TAB_COLUMNS ... perhaps that one needs to be addressed by Mr. Ellison.

Tonight while updating the Morgan's Library website I found what must be the most poignant example possible of the value Oracle places on backward compatibility. I couldn't make this up so the following is copied (I added the highlight) from $ORACLE_HOME/rdbms/admin/dbmsssql.sql from version 19c.

-------------
-- Named Datatype CONSTANTS
--
Varchar2_Type                constant pls_integer := 1;
Number_Type                  constant pls_integer := 2;
Long_Type                    constant pls_integer := 8;
Rowid_Type                   constant pls_integer := 11;
Date_Type                    constant pls_integer := 12;
Raw_Type                     constant pls_integer := 23;
Long_Raw_Type                constant pls_integer := 24;
Char_Type                    constant pls_integer := 96;
Binary_Float_Type            constant pls_integer := 100;
Binary_Double_Type           constant pls_integer := 101;
MLSLabel_Type                constant pls_integer := 106;
User_Defined_Type            constant pls_integer := 109;
Ref_Type                     constant pls_integer := 111;
Clob_Type                    constant pls_integer := 112;
Blob_Type                    constant pls_integer := 113;
Bfile_Type                   constant pls_integer := 114;
Timestamp_Type               constant pls_integer := 180;
Timestamp_With_TZ_Type       constant pls_integer := 181;
Interval_Year_to_Month_Type  constant pls_integer := 182;
Interval_Day_To_Second_Type  constant pls_integer := 183;
Urowid_Type                  constant pls_integer := 208;
Timestamp_With_Local_TZ_type constant pls_integer := 231;

-- #(10144724): The typo Binary_Bouble_Type is purposefully retained for
-- backward compatibility.
Binary_Bouble_Type constant pls_integer := 101;

end;
/


It can't get clearer than this. If you want backward compatibility Oracle provides it.

If you want security Oracle provides the database that can be made more secure than any other but not by default with the GUI installation tools like OUI, NETCA, and DBCA. If you want to leverage all of the built-in security abilities of the product you must override the defaults yourself.

An example of one of those default configurations you will want to override to secure your database, one that is as clear as the code above:

SQL> SELECT grantee FROM dba_tab_privs WHERE table_name = 'ALL_SOURCE';

GRANTEE
------------------------------
PUBLIC
DV_SECANALYST


Can anyone explain why a user, with no privilege other than CREATE SESSION, needs to be able to read source code?

We can't so we are working on a product we will be offering later this year that will address this and hundreds of other configuration issues.
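As an added example, not code from the original post, here is how the default grant shown above can be audited and overridden. It assumes a DBA session in a non-production database on Oracle 12c or later, that the unified audit policy and role names are placeholders, and that client tools are re-tested afterwards because some of them read ALL_SOURCE.

```sql
-- Added example (not from the original post): find which SYS-owned dictionary
-- views exposing source code or privilege data are readable by PUBLIC by
-- default, then override one of those defaults. Run as a DBA in non-production.

-- 1. Enumerate PUBLIC's object privileges on SYS views of interest.
SELECT table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner   = 'SYS'
AND    (table_name LIKE '%SOURCE%' OR table_name LIKE '%PRIVS%')
ORDER  BY table_name;

-- 2. Before revoking, record who actually reads the view so the change can be
--    justified and rolled back if needed. Policy name is a placeholder.
CREATE AUDIT POLICY dbsec_all_source_reads
  ACTIONS SELECT ON sys.all_source;
AUDIT POLICY dbsec_all_source_reads;

-- 3. Override the default: a CREATE SESSION-only user no longer sees source.
--    The grant to DV_SECANALYST (Database Vault) is left untouched.
REVOKE SELECT ON sys.all_source FROM PUBLIC;

-- 4. Grant it back only to the population that needs it (role name assumed).
CREATE ROLE app_developer_role;
GRANT SELECT ON sys.all_source TO app_developer_role;

-- 5. Verify: the query from the post should now list DV_SECANALYST and the
--    role above, but not PUBLIC.
SELECT grantee
FROM   dba_tab_privs
WHERE  table_name = 'ALL_SOURCE';
```

Each user still sees their own code through USER_SOURCE, which is a separate view and is not affected by the revoke.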
 

[19-June-2019]

Oracle Security Alert CVE-2019-2729

Oracle strongly recommends that customers follow the recommended actions noted in the Security Alert.

The Security Alert Advisory is the starting point for relevant information. It includes a summary of the security vulnerability, and a pointer to obtain the latest patches. Supported products that are not listed in the "Affected Products and Versions" section of the advisory do not require new patches to be applied.

Also, it is essential to review the Security Alert supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

The Advisory is available at the following location:

Oracle Critical Patch Updates and Security Alerts:
https://www.oracle.com/SecurityAlerts

Oracle Security Alert for CVE-2019-2729:
https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html

Thank you,
Customer Support of Oracle Corporation
https://www.oracle.com/us/support/contact/index.html
 

[12-Jun-2019]

We feel no need for comment.

[11-Jun-2019]


Daniel Morgan from DBSecWorx has been selected to present his "Oracle Security for DBAs and Developers" for ODTUG on Tuesday, July 23, 2019 at 12:00 - 13:00 EDT.

To register [Click Here]

[ 10-Jun-2019]

We are experiencing an interesting side effect from going through all of the pages at Morgan's Library and making decisions about which ones have security implications and how to rewrite them from a security point-of-view. We have known GLOGIN.SQL was a threat since reading what Pete Finnigan wrote about it back in 2002-2003. But we had not realized Oracle has done nothing to address it.

We are currently working on a tool that we believe will put an end to this threat and hope to release it to Pete and others for Beta testing before month's end. If it passes its Beta we will announce it here in the Blog, on our home page, and it will become the first resident of our Products page.

If the concept fails we will announce that here and provide background on what we were trying to accomplish and how.

[ 06-Jun-2019]

Why are we posting this report of another breach that could have been easily prevented? Because we want to remind everyone out there that thinks doing what everyone else is doing will protect their organization and their data.

We want to issue a challenge to all of the companies that sell firewalls. Publish the names of all organizations where a breach has exceeded 1 million PII, PHI, or PCI records. Stop telling IT shops "what your product can do" unless you are willing to acknowledge the number of times your product has failed to do so. Cisco, Palo Alto, Fortinet, Check Point, Symantec, Huawei, Blue Coat, Juniper, Intel, McAfee, publish your failure rate so IT organizations can truly evaluate your offerings.

Our bet: AMCA has a firewall from one of them as did OPM, Equifax, Sony, etc. etc. etc.

IT shops: There is little value in buying a million dollar lock for the front door when the back door is wide open.

[ 04-Jun-2019]

If the following surprises you ... chances are you have an account on Twitter. :-)

Twitter use decreases students' test scores by 25% to 40% of a standard deviation from the average result. Link

When I was teaching at the University of Washington, I learned very quickly that my students' learning improved if I banned mobile phones and laptops from the classroom during lectures.

Personally, I shut down both my Facebook and Twitter accounts long ago ... don't regret it for an instant. The phrase, if you are trying to remember it, is "Opiate of the Masses."

And, an associated book recommendation, for those that value earnest and intelligent discourse over manufactured angst.



[ 03-Jun-2019]

Another day. Another major breach. Another event where millions of Americans are affected. Guess which generated the greatest amount of news: the breach of 885 million documents or the winner of the Iron Throne?

On the other hand, according to Bloomberg News, First American Financial Corp., one of the largest US title insurance companies, is being sued by a client because "lax security measures put him at risk of identity theft, along with millions of others whose personal information could be easily accessed through its website." And, again according to Bloomberg, stockholders likely have good reason to be a bit concerned because "First American Financial Corp. tumbled the most in nearly eight years amid concerns that a security flaw in the title insurer may have allowed unauthorized access to more than 885 million records related to mortgage deals going back to 2003."


First American has more than 112 million outstanding shares. Assuming each share lost $3.00, the total cost of the breach, measured in shareholder equity, is $336,000,000. Does anyone believe the data could not have been protected for 2-3% of that amount?

What the Board of Directors should do, but they won't, is fire most if not every member of the corporation's C Level with cause. As this moves forward expect mortgage rates to increase as they "pass the cost of doing business" to their customers.

The customers didn't get upset about the loss of 885 million documents. The customers won't get upset about paying increased costs. But what's more important? A data breach or who's going to die in the next episode of some brain-dead TV show?

Link

[ 28-May-2019]

Last week, May 23 and 24, we attended the 2019 Central Ohio InfoSec Summit in Columbus which was an incredibly rich and thought provoking environment at which we met old friends, made new friends, learned, laughed, and came to a somewhat surprising realization. That realization being that everyone talks about "Defense-in-Depth" but all of the focus from both speakers and vendors is on the perimeter. There wasn't a single presentation or vendor that was targeting data and databases with the exception of a few trying to detect bad actions with behavior analytics.
There is nothing wrong with utilizing behavior analytics just as there is nothing wrong with firewalls. They are all essential parts of a Defense-in-Depth strategy. What they miss, unfortunately, is that they don't have the expertise required to know that a call to DBMS_UTILITY.VALIDATE is a safe activity while a call to DBMS_UTILITY.INVALIDATE could be incredibly destructive. Do the behavior analytics know what they are looking at if a call is made to DBMS_UTILITY.EXEC_DDL_STATEMENT? We leave you to consider that there is only one right answer to these questions.
 Copyright © 2019
DBSecWorx All rights reserved.