Call now: 252-767-6166  
Oracle Training Oracle Support Development Oracle Apps

 
 Home
 E-mail Us
 Oracle Articles
 New Oracle Articles


 Oracle Training
 Oracle Tips
 Oracle Forum
 Class Catalog


 Remote DBA
 Oracle Tuning
 Emergency 911
 RAC Support
 Apps Support
 Analysis
 Design
 Implementation
 Oracle Support


 SQL Tuning
 Security
 Oracle UNIX
 Oracle Linux
 Monitoring
 Remote support
 Remote plans
 Remote services
 Application Server
 Applications
 Oracle Forms
 Oracle Portal
 App Upgrades
 SQL Server
 Oracle Concepts
 Software Support
 Remote Support  
 Development  
 Implementation


 Consulting Staff
 Consulting Prices
 Help Wanted!

 


  Oracle Posters
 Oracle Books
  Oracle Scripts
 Ion
 Excel-DB  

Don Burleson Blog 


 

 

 


 

 
 
 
 

Bad Guys make tool to make Oracle hacking easier

Oracle Database Tips by Donald BurlesonJuly 24, 2015

In this Reuters article titled Hacking Oracle's database will soon get easier, we see that the Metasploit tool can be used to hack into Oracle databases,  Chris Gates, the developer of Metasploit notes:

""There is no way to keep these tools out of the hands of people who want to use them for nefarious purposes," said Alan Paller, director of research for the SANS Institute. SANS trains security professionals in areas including use of Metasploit.

Gates seems happy that his new tool can be used by crooks, even though it appears as-if he is aiding and abetting criminals by publishing this tool:

"Security testers and hackers have previously used other programs to break into Oracle databases, but the new software from Metasploit is easier to operate and runs more quickly than existing options"

Metasploit has no legitimate purpose as a "penetration testing tool", since it only seeks database with inept DBA's who have failed to keep current with their security patches, and will, de-facto, not be used by those who might benefit from it.

While Oracle has patches to prevent these exploits, those Oracle shops that have no applied their quarterly Cumulative Patch Updates (CPU's) will be at-risk.

Designed for the typical non-technical criminal (the "stupid" crook), we also have this video, giving criminals a step-by-step guide into hacking an Oracle database.

 

Irresponsible, selfish and possibly criminal

There has long been concern that it's aiding and abetting criminals to openly publish Oracle vulnerabilities where the bad guys are likely to use them.  See these notes on how white hat hacking guides are used to aid and abet criminal hacking.   

In the past, Oracle Corporation has chided some security experts as being "selfish", "irresponsible" and "dangerous" for openly publishing instruction on how-to hack into Oracle databases:

A few hours after Litchfield went public with a technical description of the flaw, including a blow-by-blow demonstration of ease in which an attack could occur,

Oracle lashed back, accusing the British researcher of putting its customers at severe risk for selfish, irresponsible reasons...

Even as he downplayed the severity of the flaw, Harris said Litchfield's decision to go the way of "irresponsible disclosure" was a "dangerous thing to do."

In sum, while this tools only targets irresponsible DBA's, it's not any danger to those shops who have followed due diligence and applied their security patches.

Reader Comments:

"Do you know how many legitimate companies use Metasploit or tools like it? Do you know how many tools are out there like it? Core Impact, Canvas, NeXpose, Qualys, Acunetix, Nikto, just to name a few. Any tool can be used by good guys or bad guys. In fact, using simple redirection on a Unix command line, an attacker can create a remote shell on the system.

Every day, thousands of people set about to finding security flaws in software; some are the good guys, and some are the bad guys. When a good guy finds one, they generally contact the vendor with the details so that a patch can be produced and distributed. Once a patch is released, the party which found the flaw may choose to publish it publicly, for others to study and confirm that nothing has been missed, or to confirm that the patch truly fixes the problem. Most often, in the "put up or shut up" world of information security, there is exploit code released with the flaw so that others can confirm their vulnerability.
Symantec (yes, as in Symantec anti-virus) runs a mailing list so that these flaws can be distributed to anyone who wants to subscribe. It's called "Bugtraq" and it's been around for years. If you think that Metasploit is giving malicious hackers the keys to the kingdom, you're wrong. Metasploit is just the keyring.
Of course, there's lots of debate on how flaws should be disclosed, and I'm sure I know your stance already, but there was a time when security researchers could not publish their work with their name on it for fear of being sued. When a vendor didn't sue, they typically just swept the flaws under the rug, and instead of lots of people being able to use well-known flaws, a smaller group of people were able to use little-known flaws for years at a time, penetrating any system they wished to. How do you think hackers gained an almost magical quality in the eyes of the public? It's because there was nothing to stop them.

Running around like crazy trying to patch your system is a pain, but would you rather just be blind to all the threats out there?  I know I don't." - Dan

 

 
��  
 
 
Oracle Training at Sea
 
 
 
 
oracle dba poster
 

 
Follow us on Twitter 
 
Oracle performance tuning software 
 
Oracle Linux poster
 
 
 

 

Burleson is the American Team

Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals.  Feel free to ask questions on our Oracle forum.

Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications.

Errata?  Oracle technology is changing and we strive to update our BC Oracle support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:  

and include the URL for the page.


                    









Burleson Consulting

The Oracle of Database Support

Oracle Performance Tuning

Remote DBA Services


 

Copyright © 1996 -  2020

All rights reserved by Burleson

Oracle ® is the registered trademark of Oracle Corporation.