Scum publishes hack - Oracle issues emergency patch
31 July 2008
It's sad that the lack of enforcement of international laws
causes problems for the Oracle community, but this article notes
that a foreign scumbag has just published an Oracle BEA exploit,
forcing Oracle to issue an emergency patch release.
There have been rumors that these "exploit chasers" have been
known to blackmail Oracle Corporation, threatening to publish a
vulnerability unless they are paid cash.
There are many people in the USA who feel that people who publish
Oracle exploits are effectively enabling criminals and that they
should be charged with aiding and abetting a felon in the commission
of a crime. See my notes here on
why these scum should be shot on sight. In the instant
case, it appears that this exploit was published by a German citizen
and that Oracle Corporation was not given a chance to
pay an extortion fee:
"Unfortunately, the person(s) who published this
vulnerability and associated exploit codes did not contact
Oracle before publicly disclosing this issue."
This ZDNet
article notes that this is the first "emergency" alert since
Oracle began issuing Critical Patch Updates (CPUs) in 2005.
This vulnerability only concerns Oracle
WebLogic Server (formerly BEA WebLogic) systems that are deployed
over the Internet. The attack is not very sophisticated: a
standard buffer overflow attack.
This dirtbag
currently remains out of prison for his acts, but like Kevin Mitnick
before him, we can only hope that justice comes to those who
disregard the safety of data.
Publishing vulnerabilities for fame or fortune
While it's clear that all Oracle professionals detest people who
aid criminals by publishing vulnerabilities (see how
Oracle hackers steal millions), some of them seem to bask in
the glory of media reports.
For example, self-proclaimed Oracle hacker David Litchfield is featured in
this article,
where he boasts that he has discovered 492,000
exposed databases on the web by performing
port scans on database systems, all without the required permission of the
system owners or DBAs:
"Litchfield (right), co-founder of Next Generation Security
Software, ran port scans against 1,160,000 random IP addresses —
TCP port 1433 (SQL Server) and 1521 (Oracle) — and found about
368,000 Microsoft SQL Servers directly accessible on the
Internet and around 124,000 unprotected Oracle database
servers."
As an alleged "white hat hacker", Litchfield would have been
expected to warn the owners of these systems, but his
acts appear to be more publicity motivated than motivated by
any kindness or community altruism.
Using mass port scans to seek
vulnerable databases on the web is a common precursor to criminal
hacking, and a quick Google search indicates that it is addressed in
the British Computer Misuse Act of 1990, a U.K. law which appears to
make it a crime to port scan any computer system without explicit
authorization. Under this law, it does not matter whether the
system was actually broken into; the attempt to penetrate the
system is itself sufficient.
But what about "intent"? Does the act of unsolicited port
scans, in itself, constitute intent? In this case it's clear
that these massive scans were done with selfish motives, with no
regard for the unnecessary Internet traffic generated from millions
of packets, nor concerns about the owners of the databases.
After all, the courts put spammers in jail, so why not jail the people
who clog the web with millions of unsolicited port scans?
According to Durham University, unauthorized port scans are
specifically mentioned under the English Computer Misuse Act.
"If you use or attempt to use a computer
that you are not authorised to use, you are
committing an offence under the Computer
Misuse Act 1990. If you are in any doubt as
to whether you are entitled to use a
computer or not, assume that you are not.
Computer misuse is not limited to the
traditional image of breaking into computers
used by banks or the military. Examples of
computer misuse include:
Port scanning any system without the owner's express
permission"
If he were charged and found guilty under this UK law, Litchfield could get six months
in prison for each of the 492,000 offenses, bringing his total sentence to over 240,000
years in prison.
While this may seem severe, we must remember
that with time-off for good behavior, he could be
released in half that time. . . .