Application Security // Database Security
7/1/2014
01:15 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Dark Reading Radio: Oracle Database Security Hacked

Learn about newly found vulnerabilities in a key database security feature tomorrow in the next episode of Dark Reading Radio.

Renowned Oracle database researcher/hacker David Litchfield has kept the database company honest for years now when it comes to security: No one knows security holes in Oracle databases like Litchfield.

The pressure his research has put on the database giant has yielded security improvements to its software over the past few years, and Litchfield was pleasantly surprised to see the new data redaction feature Oracle recently added to help protect sensitive information stored in the database. Data redaction, which protects sensitive data such as credit card numbers and SSNs in database queries by basically blocking that information from unauthorized eyes, has been widely touted as a major security feature for databases.

But when investigating the new feature, Litchfield discovered that data redaction can actually be abused by attackers to launch bigger attacks against the database. What Litchfield calls a "cool feature" by Oracle can't really protect sensitive database information after all.

Litchfield -- a security researcher with Datacom TSS as well as an avid shark diver who swears most sharks are safe to dive with -- will present his findings at the upcoming Black Hat USA conference in August.

In tomorrow's episode of Dark Reading Radio, I will host Litchfield, who will share with us insights into the holes he found in Oracle data redaction and just what that means to locking down your database. He may even share a shark tale or two as well.

So register now and join us tomorrow at 1:00 p.m. EDT, for "Hacked: Oracle Database Security." Have questions for our guest? Share them in the Comments section below, or bring them along to the show tomorrow. We will be taking questions from the live audience, and Litchfield will join us in a live text chat following the broadcast.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
7/2/2014 | 10:04:04 AM
Re: Sounds like another good show..
What's neat about this is that Litchfield was impressed by Oracle's adding this feature to protect sensitive information in the database. He likes the concept, but found some major weaknesses in it that would allow someone to bypass it.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/1/2014 | 3:50:48 PM
Sounds like another good show..
Unfortunately I'm not going to be able to make the broadcast. Glad that I can tune in after the fact to find out more about the holes in Oracle data redaction .. 
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Must Reads - September 25, 2014
Dark Reading's new Must Reads is a compendium of our best recent coverage of identity and access management. Learn about access control in the age of HTML5, how to improve authentication, why Active Directory is dead, and more.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5485
Published: 2014-09-30
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface.

CVE-2012-5486
Published: 2014-09-30
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.

CVE-2012-5487
Published: 2014-09-30
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.

CVE-2012-5488
Published: 2014-09-30
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject.

CVE-2012-5489
Published: 2014-09-30
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
In our next Dark Reading Radio broadcast, we’ll take a close look at some of the latest research and practices in application security.