Application Security // Database Security
7/1/2014
01:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Dark Reading Radio: Oracle Database Security Hacked

Learn about newly found vulnerabilities in a key database security feature tomorrow in the next episode of Dark Reading Radio.

Renowned Oracle database researcher/hacker David Litchfield has kept the database company honest for years now when it comes to security: No one knows security holes in Oracle databases like Litchfield.

The pressure his research has put on the database giant has yielded security improvements to its software over the past few years, and Litchfield was pleasantly surprised to see the new data redaction feature Oracle recently added to help protect sensitive information stored in the database. Data redaction, which protects sensitive data such as credit card numbers and SSNs in database queries by basically blocking that information from unauthorized eyes, has been widely touted as a major security feature for databases.

But when investigating the new feature, Litchfield discovered that data redaction can actually be abused by attackers to launch bigger attacks against the database. What Litchfield calls a "cool feature" by Oracle can't really protect sensitive database information after all.

Litchfield -- a security researcher with Datacom TSS as well as an avid shark diver who swears most sharks are safe to dive with -- will present his findings at the upcoming Black Hat USA conference in August.

In tomorrow's episode of Dark Reading Radio, I will host Litchfield, who will share with us insights into the holes he found in Oracle data redaction and just what that means to locking down your database. He may even share a shark tale or two as well.

So register now and join us tomorrow at 1:00 p.m. EDT, for "Hacked: Oracle Database Security." Have questions for our guest? Share them in the Comments section below, or bring them along to the show tomorrow. We will be taking questions from the live audience, and Litchfield will join us in a live text chat following the broadcast.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/2/2014 | 10:04:04 AM
Re: Sounds like another good show..
What's neat about this is that Litchfield was impressed by Oracle's adding this feature to protect sensitive information in the database. He likes the concept, but found some major weaknesses in it that would allow someone to bypass it.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/1/2014 | 3:50:48 PM
Sounds like another good show..
Unfortunately I'm not going to be able to make the broadcast. Glad that I can tune in after the fact to find out more about the holes in Oracle data redaction .. 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1421
Published: 2014-11-25
mountall 1.54, as used in Ubuntu 14.10, does not properly handle the umask when using the mount utility, which allows local users to bypass intended access restrictions via unspecified vectors.

CVE-2014-7839
Published: 2014-11-25
DocumentProvider in RESTEasy 2.3.7 and 3.0.9 does not configure the (1) external-general-entities or (2) external-parameter-entities features, which allows remote attackers to conduct XML external entity (XXE) attacks via unspecified vectors.

CVE-2014-8001
Published: 2014-11-25
Buffer overflow in decode.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file.

CVE-2014-8002
Published: 2014-11-25
Use-after-free vulnerability in decode_slice.cpp in Cisco OpenH264 1.2.0 and earlier allows remote attackers to execute arbitrary code via an encoded media file.

CVE-2014-8004
Published: 2014-11-25
Cisco IOS XR allows remote attackers to cause a denial of service (LISP process reload) by establishing many LISP TCP sessions, aka Bug ID CSCuq90378.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?