Oracle’s data redaction feature in Database 12c is easy to hack into
August 11, 2014
Oracle’s highly publicized data redaction feature in Database 12c is easy to subvert without any exploit code, attendees at Defcon 22 in Las Vegas were shown.
The redaction feature in 12c is designed to protect sensitive column data automatically, either by obscuring a column's values entirely or by masking part of each value.
For example, a query against a column of U.S. social security numbers would return only the last four digits of each number rather than the complete SSN.
However, according to David Litchfield, security specialist at Datacomm TSS and author of The Oracle Hacker’s Handbook, the redaction feature is so riddled with basic security flaws that no native exploit code is needed to defeat it: some clever SQL is all it takes, we're told.
“If Oracle had an acceptable security development lifecycle in place, anyone would have found these flaws and stopped them in their tracks before they even got out of the gate,” Litchfield told conference attendees.
“Anyone with a minimum of SQL knowledge would have found these bugs very easily,” Litchfield added. Within five minutes of looking at the redaction system, he said, he had found further serious flaws in its code.
He demonstrated how, with a few simple queries, a malicious employee, or anyone able to inject SQL remotely, could gain enough privilege to defeat the redaction and read the protected data in the clear.
He mocked Larry Ellison’s assertion last January that no one had hacked an Oracle database in twenty years, claiming that the 2011 attack on Sony's PlayStation Network, which took the service offline for weeks, was traced back to an Oracle database.
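To make the feature concrete, here is an added example that is not from Litchfield's talk or from Oracle's own material: it defines the kind of partial redaction policy described above using the real DBMS_REDACT package, then runs the two checks a DBA would want alongside it. The schema HR.EMPLOYEES, the SSN column, the policy name, the HR_ADMIN account and the sample row are all assumptions for illustration. The last query shows a limitation Oracle itself documents: redaction rewrites only the value handed back to the client, while WHERE-clause predicates are still evaluated against the real data, so a policy is a display control, not a substitute for restricting who may query the column at all.

```sql
-- Added example (assumed schema HR.EMPLOYEES, column SSN, user HR_ADMIN).

-- 1. Define a partial redaction policy. function_parameters for a character
--    column is 'input format, output format, mask char, first, last position':
--    V marks a value character and F a fixed separator, so positions 1..5 of
--    the digits are replaced by X and the last four are left visible.
--    The expression makes the policy apply to every session except HR_ADMIN.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES',
    column_name         => 'SSN',
    policy_name         => 'redact_employee_ssn',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,X,1,5',
    expression          => q'[SYS_CONTEXT('USERENV','SESSION_USER') <> 'HR_ADMIN']'
  );
END;
/

-- 2. Check from an ordinary account: the result set is masked.
--    For a constructed row holding 123-45-6789 the client sees XXX-XX-6789.
SELECT employee_id, ssn
  FROM hr.employees
 WHERE employee_id = 100;

-- 3. Audit who bypasses every redaction policy outright: holders of the
--    EXEMPT REDACTION POLICY system privilege (directly or through a role).
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT REDACTION POLICY';

-- 4. Documented limitation: predicates run against the real value, so an
--    account that may query the column can still test the masked digits
--    one prefix at a time without ever being shown them unredacted.
--    The constructed row above makes this return 1.
SELECT COUNT(*)
  FROM hr.employees
 WHERE employee_id = 100
   AND ssn LIKE '123%';

-- 5. Policies currently in force, for review.
SELECT object_owner, object_name, column_name, function_type
  FROM redaction_columns;
```

The point of checks 3 and 4 is that redaction only narrows what a query displays; the privilege list and the set of accounts allowed to issue ad hoc SQL against the table are what actually bound who can learn the data.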
As a security researcher, Litchfield said he always reported flaws to vendors as he found them, but he expressed frustration that Oracle was slow to patch and that, when it did issue fixes, they were often broken, incomplete or unreliable.
Typically, he told the Defcon audience on Friday, Oracle engineers patch against the specific exploit code they are given rather than fixing the underlying security issue.
That approach does not hold up, since a small change to the exploit code is often enough to get past the new check.
Litchfield pointed to Microsoft as an example of what can be done in database security: in the wake of Bill Gates’s Trustworthy Computing memo, the entire SQL Server 2005 development team stopped feature work and went through the old code in a full security review, in order to understand the problems and fix them for good.
The result, down the line, was that the number of flaws found and patched in SQL Server dropped sharply, and the code security of IIS and Exchange improved markedly as well.
Oracle should take a page out of Microsoft’s book when it comes to security, he suggested, and customers should demand change.
“If you're running Oracle database servers and don't like the way they work on the security aspect of things, then get on the phone to Oracle, because we really need to get this sorted,” he concluded.
As of today, it's understood that Oracle has not fully patched the security bugs described by Litchfield. The database giant was not immediately available for comment.
In other internet security news
It is widely reported this morning that Russian hackers have stolen over 1.2 billion internet user names and passwords, amassing what could be the largest collection of stolen credentials in history.
The news was first reported by The New York Times, citing research from Milwaukee-based Hold Security. The firm did not reveal the identities of the targeted websites, citing nondisclosure agreements and a desire not to see the underlying vulnerabilities exploited more widely than they already are.
Hold Security founder Alex Holden said the haul includes credentials gathered from over 420,000 websites, both small sites and household names.
The hackers did not breach any major email providers, however. Holden added that the miscreants made their money by sending spam for bogus products such as weight-loss pills, and had apparently amassed their collection of credentials for that relatively mundane purpose.
"To be clear, it's really not that impactful to the individuals per se, and that's why they were under the radar for so long," Holden said.
"They've ignored all financial information almost completely," he added. But Holden said the hackers' success at amassing passwords shows that weak security and easy-to-guess passwords are all too common across websites and social media, no matter how popular they are.
The miscreants began collecting user data a few years ago by simply buying it on the black market. Their trove has grown significantly this year thanks to an automated program that scans the internet looking for vulnerable websites, Holden said.
The reported theft dwarfs the breach disclosed in 2013 by discount retailer Target, which admitted in December of last year that hackers had stolen payment-card data and personal details from as many as 110 million customer accounts.
Hackers from Russia and Eastern Europe have long been known for launching sophisticated cyberattacks for financial gain.
Beyond email spam, organized crime syndicates in the region have engaged in more sophisticated activities such as corporate database espionage and the theft of credit-card details.
The extent and sheer sophistication of the thefts show that internet users need to manage their credentials better, cybersecurity experts say.
Most people reuse the same password across multiple services, such as banking, email and social media accounts, which in many cases lets an attacker turn a single stolen password database into a key to all of them.
And the problem is getting worse and more widespread. One simple way to limit the damage is to use two-factor authentication wherever it is offered, said Eric Cowperthwaite, an executive at network security provider Core Security.
That method requires a second, one-time code at login, usually generated by an app on your smartphone, so a stolen password alone is not enough to get in.
Jay Kaplan, CEO of cybersecurity company Synack, criticized firms involved for not being alert enough about their own internet security.
"It's likely that most of them don't even realize just how many times they've been compromised," he added.
In other internet security news
It is reported today that both Symantec and Kaspersky Labs have been removed from China’s list of approved security suppliers for government agencies, as the country continues to tighten its stance against foreign technology companies in the wake of Edward Snowden's June 2013 revelations about the NSA's indiscriminate surveillance.
The People’s Daily newspaper first reported, in a tweet, that China's procurement agency had dropped Symantec and Kaspersky from its list of approved antivirus vendors.
Instead, government bodies will only be allowed to source security software from five approved Chinese companies: Qihoo 360 Technology, Venustech, CA Jinchen, Beijing Jiangmin and Rising.
Kaspersky Labs did not return a request for comment, but the company's US spokesman, Alejandro Arango, said: "We are investigating and engaging in conversations with Chinese authorities about this matter. It's too early for now to go into any additional details at this time."
Relations between Beijing and Washington have been tense over IT security for some time, with the United States frequently accusing Chinese companies of corporate espionage and of spying for their government through technology sold in America.
China has never been amused by the allegations, and it is even less amused these days after former NSA contractor turned whistleblower Edward Snowden revealed the extent of US data snooping.
In June of this year, China dropped Windows 8 as a viable operating system for government use, although this was also linked to the fact that Microsoft pulled support for Windows XP.
China has also instigated a number of antitrust investigations of foreign firms, including Microsoft and Qualcomm.
But Microsoft was the only foreign company that stayed on the list of approved personal computer suppliers, The People’s Daily reported yesterday.
Since this story was published earlier this morning, Symantec has contacted us to say: "While we are investigating this report, we would like to clarify that Symantec continues to bid for and win government projects in China. We have invested significantly in China and are expanding our product development there."
In other internet security news
Cisco said earlier this morning that it has released a security patch for a bug in its Open Shortest Path First (OSPF) implementation which, it says, could be exploited to blackhole or intercept traffic.
This is a critical security issue. As Cisco's advisory notes, the vulnerability could allow an unauthenticated attacker to take full control of the routing table of an OSPF Autonomous System (AS), blackhole traffic and intercept traffic.
Crafted OSPF packets sent to a device running the faulty code can make the targeted router flush its routing table.
A crafted OSPF Link State Advertisement (LSA) type 1 update can then be propagated through the targeted domain, Cisco warns.
OSPF is an interior gateway protocol: it manages routing within a single Autonomous System, think of it as an enterprise routing protocol, rather than the links between service providers.
It finds the best route between source and destination by building a database of link states and running a shortest-path calculation over that topology, so whoever can alter the link-state database can alter where traffic goes.
The eavesdropping potential arises because an attacker who can inject false link-state information can steer traffic through a device under their control before it is forwarded onwards.
Cisco notes that an attacker must accurately determine certain parameters within the LSA database on the target router. This security vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets.
No other LSA type packets can trigger this vulnerability, Cisco added. The bug affects all unfixed versions of Cisco IOS Software, Cisco IOS XE Software, Cisco ASA Software, Cisco PIX Firewalls and Cisco FWSM Software.
In other internet security news
It took a while, but Oracle has finally admitted that there is a bug in its new In-Memory database option.
The bug causes the database to report the option as in use when in fact it is not. The actual risk it poses remains unclear at this time, but system and database administrators are treating it cautiously, not least because the option is separately licensed.
Database professional Kevin Closson was the first to notice that executing a simple set of PL/SQL commands can seemingly activate Oracle 12c's In-Memory feature, even when that should not be possible.
Yesterday, Oracle product manager Maria Colgan acknowledged that Closson's results could be reproduced, that he had indeed found a bug, and that it will be patched soon. But what does that mean for Oracle customers?
Here is a recap of the problem, as briefly as we can put it. With the Oracle 12.1.0.2 patch release installed, the database's INMEMORY_QUERY parameter is enabled by default, as all new features since Oracle 11g have been.
But the INMEMORY_SIZE parameter is set to zero, meaning that no memory has been allocated to hold in-memory tables.
According to Oracle, when it is configured like that, the In-Memory Option is considered disabled, simply because it is not actually usable.
In-memory tables cannot be created because there is nowhere to put them in the first place.
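For an administrator who wants to see where their own 12c instance stands on this, here is an added set of checks; they are not taken from Closson's or Oracle's posts, though the parameter and view names are the real ones. The assumption in the last query is that marking a table INMEMORY while INMEMORY_SIZE is 0 is the step that trips the usage tracking; that is how the reported behaviour is understood here, not something the report above spells out.

```sql
-- Added example: checks for the In-Memory "reported as used" condition.

-- 1. The two parameters. INMEMORY_QUERY defaults to ENABLE; an INMEMORY_SIZE
--    of 0 means no column store exists, so the option should count as unused.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('inmemory_query', 'inmemory_size');

-- 2. With no column store nothing can be populated, so this is expected to
--    return 0 regardless of what usage tracking claims.
SELECT COUNT(*) AS populated_segments
  FROM v$im_segments;

-- 3. What licence-relevant usage tracking says. The consistent answer for
--    INMEMORY_SIZE = 0 is CURRENTLY_USED = 'FALSE'; 'TRUE' here together with
--    an empty v$im_segments is the symptom being discussed.
SELECT name, currently_used, detected_usages, first_usage_date, last_usage_date
  FROM dba_feature_usage_statistics
 WHERE name LIKE 'In-Memory%';

-- 4. Tables carrying the INMEMORY attribute anyway. The attribute can be set
--    even when there is nowhere to place the data; this is assumed to be the
--    trigger for the tracking flag, so listing them shows what to revert.
SELECT owner, table_name, inmemory, inmemory_priority
  FROM dba_tables
 WHERE inmemory = 'ENABLED';
```

DBA_FEATURE_USAGE_STATISTICS is refreshed by a periodic background sample rather than in real time, so a change made moments ago will not show in query 3 until the next sample runs; queries 1, 2 and 4 reflect the current state immediately.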
Source: Defcon 2014, Las Vegas.