Another year, another Oracle Open World has passed.
Great times -

  • Meeting friends – lots of friends from Israel this year
  • Attending some interesting presentations – especially the less official ones like Tanel’s Exadata internals
  • Seeing the drama – Salesforce, Larry – the soap opera continues
  • The icing on the cake – Sting and Tom Petty concert – was amazing
I really like this conference as it is close to home and very well attended.
A couple of pictures from the event using my crappy iPhone4 camera…
[Photo: Sting]

[Photo: Tom Petty]

Here is the presentation and demo application I’ve used for the hacking exposed webinar I did on April 14th. The download file includes an eclipse project and instructions under the “etc” folder. It also includes a few scripts I used for blind SQL injection and worm infection.

Tell me what you think…

HackingExposed

McAfee just posted a threat brief we created regarding the LizaMoon attack spreading through vulnerable web sites. Thanks to Vadim and our red team for providing the material and Andy for doing the proofing and adding his words of wisdom. As always, the simple way to solve SQL injection is to use bind variables.

On another topic, I’m presenting another “Hacking Exposed” session with McAfee tomorrow (4/14/2011) at 11am PDT. This session is going to demonstrate many techniques used by hackers to exploit SQL injection (with focus on Oracle) including some new blind time-based SQL injection options. Please register, it’s free!

I guess this is somewhat ironic. At least it was nothing simple like in-band SQL injection via errors or directly. It just goes to show you that any site can be vulnerable to attacks, even guys that write DB engines for a living. On the other hand, I’m sure that the sites were not created by the same guys who work on the database.

The answer to SQL Injection is very simple – use BIND VARIABLES, for Pete’s sake. It will cover 99% of your use-cases and for the other 1%, consider the security implications!

After OEMing our products for 6 months, it seems McAfee agrees that we are doing something important and they want a bigger part of it.  Actually, they want all of it.

As a founder, this is an exciting time for me. It’s a mixed feeling of pride, joy and a bit of sadness. Somewhat similar to your baby leaving home for college (I’d imagine, did not experience it yet). We’ve put huge amounts of time and effort into making what we think is a great product that will help a lot of people.  Now we have the opportunity not only to bring database activity monitoring to more people, but to make the product even better.

I’d like to thank the wonderful Sentrigo employees who made this a reality due to their hard work and dedication. We will continue and build bigger, better solutions for database security!

On a personal note, at least my commute will not change. I can see the McAfee building from my office window just across 101 :-)

A blog entry I’ve written is published here.

This is just too funny – the site owner is accusing the guys that reported the vulnerability of extortion. More details can be found here and here.

And it all started with a simple SQL Injection that can be exploited through the site error messages. I talked about this multiple times in the past.

Of course, the passwords were in clear text and multiple messages from site members to use hashing and not email passwords to users were deleted from the site’s forum.

I was preparing a presentation for RMOUG and wanted to show how easy it is to crack Oracle passwords once you get the hashes.

There are a lot of Oracle password crackers out there, but I find that using low level C code in a presentation makes the audience leave before you get halfway through the page. Using PL/SQL is a possibility, but I wanted a very quick and concise way of showing the relevant code. So, Python to the rescue. But I did not want to write code that requires installation of the Python Oracle drivers and would be tied to a specific compiled version, so I used a simple class I wrote about here to do the DB connection.

The main piece of code is the password calculation which in Python looks like this:

import hashlib

def oracle11g_hash(p, salt):
    # 11g: SHA-1 over the password bytes followed by the 10-byte salt from spare4
    s = hashlib.sha1()
    s.update(p)
    s.update(salt)
    return s.hexdigest().upper()

That’s about it. The rest of the code plays with various options, handles the select from the database, iteration on the dictionary file and splitting the hash from the spare4 field into the hash and salt. I find that using Python allows you to do quick hacks and add more checks to the cracker easily.

So, here is the code. Love to hear your thoughts. Also, if someone can test it on Windows I will be grateful.

PS – if I get permission from Alex, I will post his password file and complete the download package.

I’m flying to the UK on the 28th to participate in the UK Oracle user group conference. It’s one of the more technical and interesting conferences out there for Oracle and I love attending.

So, as a speaker, I had to register. While in the process of submitting my details, I got an error from the registration application. Of course the error tells a lot about the registration application technology being used and guess what, it’s not Oracle :-)

Here is the error – what do you think is the back-end technology?

error '80020009'
/ukoug/reg_m.asp

Not to mention that I got my password sent to me in an email (it’s not a generated password, I chose it a while ago). I think no explanation is required as to why this is bad. And also, the form submits the details as GET parameters with my password there on the URL line for everyone to see. Did I mention no SSL?

As you can see from my previous posts, I hate it when a site has a revealing error message displayed directly to the customer. This time, I got the following when trying to pay my PGE bill:

Message from the NSAPI plugin:

No backend server available for connection: timed out after 10 seconds or idempotent set to OFF.

Build date/time: Dec 7 2006 04:08:43

Change Number: 871803

Hmmm… What can we learn from this? Let’s hear your opinions.
