May 1st, 2003, 04:38 PM
What Happened to "Unbreakable"?
Here is a quote from David Litchfield on this new vulnerability:
"Every supported version of Oracle, running on any operating system, is vulnerable to this attack, which can be leveraged by even low-privileged users to gain complete control of the database."
That quote may be a tad alarmist though. The mitigating factors are that to perform the attack you must first be authenticated to the database, which means having a valid username and password. If security best practices are followed in the first place, the potential for exploitation of this attack should be minimized.
Here is the bulletin from Oracle: Security Alert
May 1st, 2003, 04:50 PM
at first, i thought you were talking about the movie "unbreakable," as i always thought that it would have a sequel....
anyway, as far as oracle and DB stuff goes in general, any DBA paying attention should be on top of the admin access. It's the end-users with authenticated, yet minimal access to the Database that have to be worried about. Simple passes like "user," "password" or the big four "love sex secret God" as well as kids' birthdays and stuff (even initials and birthdays are easy to guess) need to be changed.
one thing most people tend to forget. if you give someone your password, even temporarily, that isn't the admin, make sure you change it afterward. too many passwords are easy to remember, and they may be tempted to use yours later on.
i'm starting to think that i'm bound to always be the first guy on the second page of the thread.
May 1st, 2003, 06:27 PM
Anyone keeping count on oracle9i vulnerabilities since they advertised it as unbreakable?
I guess it's like that "trust microsoft windows to keep your data secure" ad that was ordered off for false advertisement! [http://www.itweb.co.za/sections/busi...Section&O=FPSH]
Credit travels up, blame travels down -- The Boss