Don Burleson Blog 
Scum publishes hack - Oracle issues emergency patch

31 July 2008

It's sad that the lack of enforcement of international laws causes problems for the Oracle community, but this article notes that a foreign scumbag has just published an Oracle BEA exploit, forcing Oracle to issue an emergency patch release.

There have been rumors that these "exploit chasers" have been known to blackmail Oracle Corporation, threatening to publish a vulnerability unless they are paid cash.

There are many people in the USA who feel that people who publish Oracle exploits are effectively enabling criminals and that they should be charged with aiding and abetting a felon in the commission of a crime.  See my notes here on why these scum should be shot on sight.  In the instant case, it appears that this exploit was published by a German citizen and that Oracle Corporation was not given a chance to pay an extortion fee:

"Unfortunately, the person(s) who published this vulnerability and associated exploit codes did not contact Oracle before publicly disclosing this issue."

This ZDNet article notes that this is the first "emergency" alert since Oracle began issuing Critical Patch Updates (CPUs) in 2005.

This vulnerability only concerns Oracle WebLogic Server (formerly BEA WebLogic) systems that are deployed over the Internet.  The attack is not very sophisticated: a standard buffer overflow.

This dirtbag currently remains out of prison for his acts, but like Kevin Mitnick before him, we can only hope that justice comes to those who disregard the safety of data.
 

Publishing vulnerabilities for fame or fortune

While it's clear that all Oracle professionals detest people who aid criminals by publishing vulnerabilities (see how Oracle hackers steal millions), some of them seem to bask in the glory of media reports.

For example, self-proclaimed Oracle hacker David Litchfield is featured in this article, where he boasts that he has discovered 492,000 exposed databases on the web by performing port scans on database systems, all without the required permission of the system owners or DBAs:

"Litchfield (right), co-founder of Next Generation Security Software, ran port scans against 1,160,000 random IP addresses on TCP port 1433 (SQL Server) and 1521 (Oracle) and found about 368,000 Microsoft SQL Servers directly accessible on the Internet and around 124,000 unprotected Oracle database servers."

As an alleged "white hat hacker", Litchfield would have been expected to warn the owners of these systems, but his acts appear to be motivated more by publicity than by any kindness or community altruism.

Using mass port scans to seek vulnerable databases on the web is a common precursor to criminal hacking, and a quick Google search indicates that it is addressed in the British Computer Misuse Act of 1990, a U.K. law which appears to make it a crime to port scan any computer system without explicit authorization.  Under this law, it does not matter whether the system was actually broken into; the attempt to penetrate the system is itself sufficient.

But what about "intent"?  Does the act of unsolicited port scans, in itself, constitute intent?  In this case it's clear that these massive scans were done with selfish motives, with no regard for the unnecessary Internet traffic generated from millions of packets, nor concerns about the owners of the databases.  After all, the courts put spammers in jail; why not jail the people who clog the web with millions of unsolicited port scans?

According to Durham University, unauthorized port scans are specifically mentioned under the English Computer Misuse Act.

"If you use or attempt to use a computer that you are not authorised to use, you are committing an offence under the Computer Misuse Act 1990. If you are in any doubt as to whether you are entitled to use a computer or not, assume that you are not.

Computer misuse is not limited to the traditional image of breaking into computers used by banks or the military. Examples of computer misuse include:

Port scanning any system without the owner's expressed permission"

If he were charged and found guilty under this UK law, Litchfield could get six months in prison for each of the 492,000 offenses, bringing his total sentence to over 240,000 years in prison. 

While this may seem severe, we must remember that with time-off for good behavior, he could be released in half that time. . . .

Burleson Consulting

Copyright © 1996 - 2017

All rights reserved by Burleson