Application Security // Database Security
7/1/2014
01:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Dark Reading Radio: Oracle Database Security Hacked

Learn about newly found vulnerabilities in a key database security feature tomorrow in the next episode of Dark Reading Radio.

Renowned Oracle database researcher/hacker David Litchfield has kept the database company honest for years now when it comes to security: No one knows security holes in Oracle databases like Litchfield.

The pressure his research has put on the database giant has yielded security improvements to its software over the past few years, and Litchfield was pleasantly surprised to see the new data redaction feature Oracle recently added to help protect sensitive information stored in the database. Data redaction, which protects sensitive data such as credit card numbers and SSNs in database queries by basically blocking that information from unauthorized eyes, has been widely touted as a major security feature for databases.

But when investigating the new feature, Litchfield discovered that data redaction can actually be abused by attackers to launch bigger attacks against the database. What Litchfield calls a "cool feature" by Oracle can't really protect sensitive database information after all.

Litchfield -- a security researcher with Datacom TSS as well as an avid shark diver who swears most sharks are safe to dive with -- will present his findings at the upcoming Black Hat USA conference in August.

In tomorrow's episode of Dark Reading Radio, I will host Litchfield, who will share with us insights into the holes he found in Oracle data redaction and just what that means to locking down your database. He may even share a shark tale or two as well.

So register now and join us tomorrow at 1:00 p.m. EDT, for "Hacked: Oracle Database Security." Have questions for our guest? Share them in the Comments section below, or bring them along to the show tomorrow. We will be taking questions from the live audience, and Litchfield will join us in a live text chat following the broadcast.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/2/2014 | 10:04:04 AM
Re: Sounds like another good show..
What's neat about this is that Litchfield was impressed by Oracle's adding this feature to protect sensitive information in the database. He likes the concept, but found some major weaknesses in it that would allow someone to bypass it.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/1/2014 | 3:50:48 PM
Sounds like another good show..
Unfortunately I'm not going to be able to make the broadcast. Glad that I can tune in after the fact to find out more about the holes in Oracle data redaction .. 
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.