Version: 2008

October 27, 2005 4:05 PM PDT

Oracle password system comes under fire

  • 10 comments
Attackers could easily uncover Oracle database users' passwords because of a weak protection mechanism, putting corporate data at risk of exposure, experts have warned.

In the latest critique of Oracle's security practices, experts are calling on the software maker to improve the mechanism used to secure passwords for database users. Researchers say they have found a way to recover the plain text password from even very strong, well-written Oracle database passwords within minutes.

The technique Oracle uses to store and encrypt user passwords doesn't provide sufficient security, said Joshua Wright of the SANS Institute and Carlos Sid of Royal Holloway college, University of London. Wright gave a presentation on the matter Wednesday at the SANS Network Security conference in Los Angeles.

In the presentation, Wright discussed how passwords are encrypted before being stored in Oracle databases and presented a tool he wrote to uncover passwords, according to a SANS statement. A paper by Wright and Cid is available on the SANS Web site. (Download PDF.)

Wright and Cid identified several vulnerabilities, including a weak hashing mechanism and a lack of case preservation--all passwords are converted to uppercase characters before calculating the hash.

"By exploiting these weaknesses, an adversary with limited resources can mount an attack that would reveal the plain text password from the hash for a known user," Wright and Cid wrote in their paper.

The researchers informed Oracle about their findings in July, but subsequent requests for a response from Oracle have gone unanswered, according to SANS. Oracle also did not respond to a request for comment from CNET News.com.

Oracle users can protect their systems by requiring strong passwords and assigning limited user rights, the researchers said. Users are also encouraged to tell Oracle that it should improve password protection, they wrote.

Redwood Shores, Calif.-based Oracle is increasingly coming under fire for its security practices. Security researchers have taken the company to task for being slow in fixing security vulnerabilities and providing faulty patches when it does update its software.

See more CNET content tagged:
Oracle Corp., Oracle Database, SANS Institute, password, researcher

Add a Comment (Log in or register) (10 Comments)
  • prev
  • 1
  • next
So much for the unbreakable claim
by October 27, 2005 6:20 PM PDT
Hah! So much for Mary Ann Davidson's criticisms of security researchers. How can you go mouthing off at others for finding flaws in your software, when this is the kind of software you're producing?

Bahh!
Reply to this comment
So much for the unbreakable claim
by October 27, 2005 6:20 PM PDT
Hah! So much for Mary Ann Davidson's criticisms of security researchers. How can you go mouthing off at others for finding flaws in your software, when this is the kind of software you're producing?

Bahh!
Reply to this comment
ORACLE IS UNBREAKABLE
by mcepat October 27, 2005 7:47 PM PDT
maybe expensive but apparently not breakable
Reply to this comment
ORACLE IS UNBREAKABLE
by mcepat October 27, 2005 7:47 PM PDT
maybe expensive but apparently not breakable
Reply to this comment
Oracle Getting Slammed
by BogusName October 28, 2005 6:16 AM PDT
Wow, i don't know if CNET has it in for Oracle or what. I bet if you look at the top app vendors you will see similar vulnerabilities.
Reply to this comment
Oracle needs to streamline the update process
by October 28, 2005 6:53 AM PDT
I suppose any major vendor - who's major claim to fame is security, expose themselves to criticism when major vulnerabilities are discovered.

Oracle needs to simplify the update process. The most recent update for 10G App server comes with 19 pages of procedures that reference other procedures to install a critical patch. That is insane.
Oracle Getting Slammed
by BogusName October 28, 2005 6:16 AM PDT
Wow, i don't know if CNET has it in for Oracle or what. I bet if you look at the top app vendors you will see similar vulnerabilities.
Reply to this comment
Oracle needs to streamline the update process
by October 28, 2005 6:53 AM PDT
I suppose any major vendor - who's major claim to fame is security, expose themselves to criticism when major vulnerabilities are discovered.

Oracle needs to simplify the update process. The most recent update for 10G App server comes with 19 pages of procedures that reference other procedures to install a critical patch. That is insane.
Tell me about it
by BogusName October 28, 2005 9:44 AM PDT
I've got to install 9 patches.

I bet the majority simply ignore these CPUs.
Reply to this comment
Tell me about it
by BogusName October 28, 2005 9:44 AM PDT
I've got to install 9 patches.

I bet the majority simply ignore these CPUs.
Reply to this comment
(10 Comments)
  • prev
  • 1
  • next
advertisement

Latest tech news headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Markets

Market news, charts, SEC filings, and more

Related quotes

Oracle (0.08%) 0.02 24.97
Dow Jones Industrials (0.26%) 26.98 10,547.08
S&P 500 (0.12%) 1.30 1,127.78
NASDAQ (0.24%) 5.39 2,291.08
CNET TECH (0.26%) 4.25 1,662.16
  Symbol Lookup
advertisement

Inside CNET News

Scroll Left Scroll Right