This is part 2 of a series of posts aiming to analyze the real world security challenge of the Oracle database. Part 1 discussed the potential risks to the database, and this part will discuss the methods likely to be employed by each individual to compromise the data. So how will the breach occur? While …
Author Archive: eyalk
Oracle Database Security – Part 1
Securing any system is a complex task, but the Oracle database poses special challenges. This series of posts aims to analyze the problem and come to conclusions about what can and should be done in real world environments. The first step in security analysis is risk assessment, so part 1 will focus on: Who poses …
Oracle Terminal
DBAs sometimes need to be logged into the UNIX machine the database is running on. Unfortunately, this is not always a simple thing to accomplish. The two most common reasons are that either you forgot the password to the Oracle account, or you just don’t have it due to separation of duties. In either case, …
BlueCross BlueShield
On Friday, October 2, 2009 at approximately 6:13pm, someone stole 57 hard drives from a network closet in a BlueCross BlueShield office in Chattanooga, TN. See the original notification issued by BlueCross BlueShield here. The drives contained unencrypted audio files of over 1 million customer support calls totaling 50,000 hours of conversation, along with 300,000 …
Does Compliance mean Compliant?
I read an article in Bank Info Security about a breach into a restaurant in Texas located on Interstate 45 between Houston and Dallas. Someone seems to have gotten into the restaurant's point-of-sale systems through a third-party vendor. It is interesting that everyone is a potential target these days, and small business …
Anonymous, LulzSec: Heroes or Villains?
I just read a post on Gov Info Security with the same title. While I find that post to be a little without focus, I think the subject is a good one and deserves attention. You can read an example of their mischief in this post. I think there are a handful of good things …
Security State of the Government
I read a survey today about the state of government security as perceived by more than 200 government IT security professionals. I found the results to be very interesting. The survey shows concern is mostly about inside problems. The further outside the threat is, the less it is considered a threat. I find this …
FFIEC – Database auditing
I have to admit that I was very pleasantly surprised by the clarity of the information provided by the FFIEC and its availability. For those that don’t know what the FFIEC is, it is the Federal Financial Institutions Examination Council (FFIEC). The FFIEC was established by Congress in 1979 to prescribe uniform principles, standards, and …
IRS database audit
In May 2011 the Treasury Inspector General for Tax Administration (TIGTA) published its findings of an audit of the IRS databases conducted during most of 2010. This audit was only for the IRS databases and you can read the full report here. The report discovered what I would consider fundamental security problems in the IRS …
