During their presentation at the Black Hat and Defcon hacker conferences next week in Las Vegas, security experts will release a tool that can be used to break into Oracle databases.
Chris Gates and Mario Ceballos will present Oracle Pentesting Methodology and give out "all the tools to break the 'unbreakable' Oracle as Metasploit auxiliary modules," according to a summary of their presentation on the Defcon Web site.
The tools are designed to help companies determine whether their systems are vulnerable, Gates said in an e-mail response to questions from CNET News. "There wasn't a good set of (free) tools for auditing Oracle databases," he said.
Gates said he did not contact Oracle about his presentation because none of the exploits or exploitation methods are new and information about ways to mitigate the attacks has been public for some time.
"If administrators haven't applied the patches, then the databases were/are vulnerable," he said when asked if the release of his tool will expose companies running Oracle databases to attack. "Plenty of other tools exist to do exactly what we are releasing. These tools just help streamline the penetration testing process."
Gates is a member of the Metasploit project, an open-source platform used for developing, testing, and using exploit code and sharing information related to finding vulnerabilities.
"Over the years there have been tons of Oracle exploits, SQL Injection vulnerabilities, and post exploitation tricks and tools that had no order, methodology, or standardization, mainly just random .sql files. Additionally, none of the publicly available Pentest Frameworks have the ability to leverage built-in package SQL Injection vulnerabilities for privilege escalation, data extraction, or getting operating system access," the presentation summary says.
"We've created your version and SID enumeration modules, account bruteforcing modules, ported all the public (and not so public) Oracle SQL Injection vulnerabilities into SQLI modules (with IDS evasion examples for 10g/11g), modules for OS interaction, and modules for automating some of our post exploitation tasks," the summary says.
An Oracle spokesperson said the company had no comment.
Updated at 2 p.m. PDT with comment from Gates.
Online information cards or I-cards such as this one from Equifax may one day be used instead of passwords to access Web sites.
Equifax on Thursday introduced its first information card or I-card, the Equifax Over 18 card. I-cards are envisioned to be the online equivalent of a driver's license, passport, or similar ID. The basic idea is that customers would have an electronic wallet with various information cards that would allow them to bypass typing in user names and passwords.
In this case, the Equifax card proves--via a trusted third party--that you are over 18 when accessing specially marked Web sites. "With fraud and identity theft on the rise, companies need better, more secure ways to conduct transactions online and take their identity management practices to the next level," said Steve Ely, president of Equifax Personal Information Solutions, in a statement.
In June Equifax was among a handful of companies behind the new Information Card Foundation. Other companies include Google, Microsoft, Novell, Oracle, and PayPal. For example, Microsoft's new Geneva project relies upon ICF standards. The Equifax card is one of the first I-cards based on the ICF standard that users can sign up for and use.
In the near future, the foundation hopes that I-cards will contain personal data such as profile, purchase preference, payment, or verified identity information, as well as password information. Kim Cameron, an identity and access architect for Microsoft, told CNET News in June that the cards really do improve online security. "There's this endless digital baptism of filling in forms and logging in everywhere, and it creates a wonderful environment for the criminal element through phishing attacks and what have you because on the Internet no one does know you are a dog."
To produce the card, Equifax worked with Parity, an information management company that last month announced an online card site based on open ID card standards.
Those interested in trying out the I-card can sign up with Equifax or use Parity's Azigo I-card management software to enable one-click sign-in and identity verification. One demo site for the service requires an Equifax Over 18 I-card just to watch the video (alas, no nudity here, just an explanation of the card's uses).
In the 1990s and early 2000s, Oracle dabbled in the identity space with database access controls and a network directory. But it really wasn't considered a player in this space.
This changed in 2005 when Oracle acquired its way into identity management with the purchase of Oblix and Thor Technologies. Even with these acquisitions, many industry watchers never thought that Oracle could buy its way into the market and weave disparate products into an integrated suite.
Once again, common wisdom was completely wrong. While others struggle or abandon this space, Oracle has vaulted to a leadership position. In fact, my sources tell me they see Oracle in every large deal these days. The fact is that Oracle saw the identity management space as strategic and invested accordingly to become a market leader because:
- Identity management is a business--not an IT--initiative. Back in the 1990s, identity management was all about technology tools to manage user provisioning and security. Now it's about mapping employees and outsiders to business processes, managing user roles, and meeting regulatory compliance mandates. When identity management evolved from a set of IT tools to a business application, deal sizes skyrocketed.
- Identity management is middleware. Oracle wants to own identity middleware just like it wants to own application integration middleware. Identity is the glue between users, applications, and distributed systems.
- Identity management projects can be huge. Identity management is like ERP in that it means years of process definition, role creation, custom development, and systems integration. This is right up Oracle's alley.
Oracle isn't alone in this space. IBM still kills it on product and services. Identity is one of CA's healthiest businesses. Novell has great technology, and Microsoft is a sleeping giant. These guys won't lie down, but Oracle went from nowhere to become a market leader in three years. That won't change in the future.