Application Security // Database Security
01:15 PM
Connect Directly

Dark Reading Radio: Oracle Database Security Hacked

Learn about newly found vulnerabilities in a key database security feature tomorrow in the next episode of Dark Reading Radio.

Renowned Oracle database researcher/hacker David Litchfield has kept the database company honest for years now when it comes to security: No one knows security holes in Oracle databases like Litchfield.

The pressure his research has put on the database giant has yielded security improvements to its software over the past few years, and Litchfield was pleasantly surprised to see the new data redaction feature Oracle recently added to help protect sensitive information stored in the database. Data redaction, which protects sensitive data such as credit card numbers and SSNs in database queries by basically blocking that information from unauthorized eyes, has been widely touted as a major security feature for databases.

But when investigating the new feature, Litchfield discovered that data redaction can actually be abused by attackers to launch bigger attacks against the database. What Litchfield calls a "cool feature" by Oracle can't really protect sensitive database information after all.

Litchfield -- a security researcher with Datacom TSS as well as an avid shark diver who swears most sharks are safe to dive with -- will present his findings at the upcoming Black Hat USA conference in August.

In tomorrow's episode of Dark Reading Radio, I will host Litchfield, who will share with us insights into the holes he found in Oracle data redaction and just what that means to locking down your database. He may even share a shark tale or two as well.

So register now and join us tomorrow at 1:00 p.m. EDT, for "Hacked: Oracle Database Security." Have questions for our guest? Share them in the Comments section below, or bring them along to the show tomorrow. We will be taking questions from the live audience, and Litchfield will join us in a live text chat following the broadcast.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
7/2/2014 | 10:04:04 AM
Re: Sounds like another good show..
What's neat about this is that Litchfield was impressed by Oracle's adding this feature to protect sensitive information in the database. He likes the concept, but found some major weaknesses in it that would allow someone to bypass it.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
7/1/2014 | 3:50:48 PM
Sounds like another good show..
Unfortunately I'm not going to be able to make the broadcast. Glad that I can tune in after the fact to find out more about the holes in Oracle data redaction .. 
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-05
system/session/drivers/cookie.php in Anchor CMS 0.9.x allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in a cookie.

Published: 2015-10-05
The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (formerly Juniper Junos Pulse) before 7.1R22.1, 7.4, 8.0 before 8.0R11, and 8.1 before 8.1R3 provides different messages for attempts to join a meeting depending on the status of the meeting, which allows remote attackers to enumerate ...

Published: 2015-10-05
The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (formerly Juniper Junos Pulse) before 7.1R22.1, 7.4, 8.0 before 8.0R11, and 8.1 before 8.1R3 allows remote authenticated users to bypass intended access restrictions and log into arbitrary meetings by leveraging a meeting id and meetin...

Published: 2015-10-05
Heap-based buffer overflow in the parse_string function in libs/esl/src/esl_json.c in FreeSWITCH before 1.4.23 and 1.6.x before 1.6.2 allows remote attackers to execute arbitrary code via a trailing \u in a json string to cJSON_Parse.

Published: 2015-10-05
Unrestricted file upload in GLPI before 0.85.3 allows remote authenticated users to execute arbitrary code by adding a file with an executable extension as an attachment to a new ticket, then accessing it via a direct request to the file in files/_tmp/.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.