Protecting your Oracle data against theft
Oracle Database Tips by Donald Burleson Consulting
An excerpt from the forthcoming book "Oracle
11g New Features" by Steve Karam and Donald K. Burleson.
The Internet has proven to be
the most powerful way to share information since the first transatlantic cable
was laid in 1866, at a staggering cost of over two million dollars. The
transatlantic cable was the first world-wide-web, cutting the time needed for
global communications from two days (based on the speed of the Victorian era
steamers) down to mere seconds. The dah-dits of these primitive telegraphs
started an information revolution across the world and Morse code was the ASCII
character set of the 19th century.
Eventually, companies like
Western Union started selling telegram capabilities, allowing people to
pay by the word to transfer knowledge anywhere on the globe.
Zero cost, zero
The instant access and zero
cost of the internet have created a significant threat to any Oracle database
that is deployed on the web, especially from poor countries and countries that
do not honor copyrights.
Oracle data online is
constantly threatened, and data thieves write "Hoovers" (a Hoover is a data
vacuum) that simulate online database transactions to siphon off valuable
information. Major online Oracle customers such as eBay have had to block
Hoovers to prevent data theft, but the crooks just keep on coming, determined to
steal your valuable online information. We also see internal data security
issues, such as the costly
data loss suffered by Marriott:
"For companies concerned about internal security, the experts recommend
monitoring and, if necessary, revising their internal handling of data and
access controls. 'Stealing tapes is not the most elegant, but one of the most
effective attack factors,' Oltsik said.
'Many companies think about hacking in terms of getting root access to servers,
but if they have weak physical security, someone can just walk out the door with
a box of tapes.'"
But it's the lack of
enforceability of intellectual property rights that has changed the landscape of
information dissemination. The proprietary nature of the original World Wide
Web was gone, and Western Union has been replaced by a free model with the
bandwidth to transfer huge sets of valuable information. Web thieves can
digitize bestselling books and pirate them for instantaneous downloads anywhere
on the planet. Worse yet, internet hackers are now attacking databases and
The internet: The 21st
Century thieves market
The theft of intellectual
property has become an epidemic, and authors like Stephen King have lost millions of
dollars when their bestselling books were digitized and offered for free on the
internet. Even modest publishers are at risk. One of my own books, the Oracle
Press "Oracle 10g Application Server Administration Handbook", was stolen and
offered for only $6.50 on eBay. The publisher (McGraw-Hill) did not have
the thief arrested or prosecuted.
Forrester Research and Oracle
Corporation report that 80% of Oracle security breaches are "inside
jobs" by existing employees.
But the problem is even worse
for those who dare to make their Oracle data accessible over the web, and some
companies have had their entire database stolen by foreigners.
But it goes farther than just
sub-standard or dicey Oracle support. What happens when you have a data theft
problem? It can cost hundreds of
thousands of dollars to facilitate the arrest of web criminals for the theft of
intellectual property, and the crooks know that many small companies don't have
the financial resources to challenge the thieves. Unless you are a
multi-billion dollar company, the average American publisher has little recourse
from international Oracle theft. As a consequence, crooks steal Oracle data
without any fear of capture, arrest and jail.
Sooner or later, the problem
may become so bad that traditional publishers will go bankrupt, their high
quality information being superseded by reams of garbage, the clutter of 500M
blogs. It will only be with the worldwide enforcement of IP rights that people
can be protected from the wholesale theft of their information.
The increasing DBA role of
data security administrator
More than ever before, the
Oracle DBA must understand the many ways that their company data can be stolen.
In my role as an Oracle DBA security administrator, I've seen Oracle data stolen
in a variety of ways and I've published
data security guidelines for all remote database access:
- Inside Jobs - Foreign remote DBA providers have stolen entire databases, and created
rootkit bots to siphon-off new data, e-mailing it overseas. In other cases,
H1B visa workers may steal Oracle data, shipping it overseas where the law
makes it nearly impossible to retrieve.
- External threats - Even with the security offered by Oracle, it's possible for someone to
create a legitimate database account and create a bot which performs
millions of queries, siphoning-off the data.
Most reputable remote DBA
providers pride themselves on being honest and straightforward, but there are
hundreds of remote DBA providers advertising services on the web, some of which
appear to be dishonest. For example, one foreign remote DBA provider
openly discusses being dishonest with Oracle Technical Support, a very bad idea:
"Well, in all honesty, I
do find myself telling Oracle support an occasional 'little white lie'. By
nature, I am a very truthful person, but I can imagine legitimate (or at
least justifiable) reasons to withhold certain details from Oracle Support."
Inside jobs and Oracle
The trend toward offshoring
has proven too great a risk for corporate data, and those "bargain" remote
Oracle DBA providers are sometimes just "fronts" for a data theft operation.
After an Oracle data theft, many companies are too embarrassed or worried about
negative publicity to report the theft, making it hard to arrive at accurate
statistics of the scope of the Oracle data theft problem.
It has become an absolute
requirement to use Oracle remote DBA wisely, and ensure that your provider
resides within your country where you can have the protection of your own data
theft laws and no cross-jurisdictional nightmares.
The web is full of suspicious
Oracle remote DBA firms, many of whom subcontract their work to countries with
unenforceable data theft laws. There are some tip-offs for spotting Oracle
remote DBA providers that are just "fronts" for data theft rings:
- They do not publish the names, academic qualifications and resumes of their
remote DBA staff.
- They do not mention their country of origin.
Oracle data managers use
foreign Oracle remote DBA services at their own peril. If you reside within
the United States, it's absolutely critical to use a remote DBA provider within
your own country where you are protected by data privacy laws, and where you can
have recourse in cases of data theft.
You must also take care to
keep your Oracle support in your home country and avoid foreign remote DBA
Computerworld article titled Offshore Outsourcing Poses Privacy Perils notes
just a few of the perils of entrusting your Oracle database to citizens of
"Outsourcing jobs to offshore locations can sharply increase data privacy risks
and the complexity of managing them, privacy and security professionals said
The problem is not just media
hyperbole, it's quite real, and many companies have lost their mission-critical
Oracle data to thieves.
Foreign Oracle data theft
my company received a call from a client who was complaining of performance
problems on their web database, which was running on a standalone Linux server.
The company was in the business of providing credit information to third-party
companies to assess an individual's probability of financial default.
Upon accessing their server
it was apparent that something was terribly wrong. Even when idle, the database
was performing I/O operations and the processors were active.
After a Linux expert was
consulted, the real issue was discovered. A time-bomb was activated by a
foreign remote provider, and a hidden process was constantly polling the Oracle
database, vacuuming up new data, and e-mailing it to an overseas mailbox!
The malicious foreign
employee had replaced the standard Linux commands with a root kit, an attack
method readily available on the Internet. In a root kit attack, the Linux
commands are replaced with an alias to disguise the presence of the data
This data theft was so
devastating that the company was forced into bankruptcy, all because of the lure
of cheap foreign Oracle support. Companies find out too late that the
prosecution for the theft of Oracle data can be next to impossible, as the
crooks know that they are safeguarded by an impenetrable tangle of conflicting
laws and jurisdictions.
Due diligence for
preventing Oracle data theft
Oracle DBAs have a fiduciary
responsibility to their management to take every possible safeguard against
Oracle data theft and there are some emerging standards for Oracle database
- Monitor for end-user threats - Many cases of Oracle data theft are by
"legitimate" system users who replay transactions ad infinitum in order to
steal the data. Most companies employ sophisticated tools to audit and cut
off suspicious patterns of Oracle database transactions.
- Avoid foreign Oracle support - Time and time again, foreign Oracle developer
and DBA providers are stealing Oracle data, knowing that they have little
chance of being brought to justice. Savvy Oracle shops will carefully vet all
remote providers and only employ remote support within their own countries.
You should only work with a trusted vendor who openly publishes the names,
backgrounds and qualifications of their personnel.
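The audit check described under "Monitor for end-user threats", and the query bot described earlier under "External threats", can be sketched as a sliding-window rate check per database account. This is an added example, not code from the original article; the record layout, the 60-queries-per-minute threshold and the sample rows are constructed assumptions standing in for rows exported from the database audit trail.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit rows: (timestamp, db_user, client_host, object_name).
# Assumption: these stand in for rows exported from the database audit trail.
def build_sample_rows():
    start = datetime(2007, 6, 1, 9, 0, 0)
    rows = []
    # A normal user: one lookup every 40 seconds.
    for i in range(15):
        rows.append((start + timedelta(seconds=40 * i),
                     "ALICE", "app01", "CREDIT_REPORT"))
    # A scripted "Hoover": replays the same lookup twice per second.
    for i in range(600):
        rows.append((start + timedelta(milliseconds=500 * i),
                     "WEBUSER42", "203.0.113.9", "CREDIT_REPORT"))
    rows.sort(key=lambda r: r[0])
    return rows

def find_hoovers(rows, window=timedelta(minutes=1), max_queries=60):
    """Return {db_user: (first_alert_time, peak_count)} for accounts whose
    query count inside any sliding window exceeds max_queries."""
    recent = defaultdict(deque)   # per-user timestamps still inside the window
    alerts = {}
    for ts, user, _host, _obj in rows:
        q = recent[user]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] >= window:
            q.popleft()
        if len(q) > max_queries:
            first, peak = alerts.get(user, (ts, 0))
            alerts[user] = (first, max(peak, len(q)))
    return alerts

if __name__ == "__main__":
    for user, (first, peak) in find_hoovers(build_sample_rows()).items():
        print(f"{user}: exceeded limit at {first}, peak {peak} queries per window")
```

An account flagged this way is a candidate for review or for a session cut-off; the threshold has to be tuned against the normal rate of the application's legitimate users.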
But it's not all bad news, as
companies with large financial resources are seeking justice.
The protection of Oracle data
is a significant issue, but there has been some headway in protecting
intellectual property rights. Take the case of Hew Raymond Griffiths, a man who
was extradited from Australia to serve a sentence in the USA for piracy. It
should be noted that the victim (Microsoft) probably spent a considerable sum of
money researching the labyrinthine maze of evidence collection and cross
"Griffiths claimed to be beyond the reach of U.S. law, and today, we have proven
otherwise," said Assistant Attorney General Alice Fisher. "This extradition
represents the Department of Justice's commitment to protect intellectual
property rights from those who violate our laws from the other side of the
"Our agents and prosecutors are working tirelessly to nab intellectual property
thieves, even where their crimes transcend international borders," said U.S.
Attorney Chuck Rosenberg.
In time, we expect to see
increasing isolation of Oracle databases as a firewall against external threats,
and it's clear that all Oracle DBAs must step up to their duties as the
custodians of their company's data.