Protecting your Oracle data against theft Oracle Database Tips by Donald Burleson

 

This is an excerpt from the forthcoming book ?Oracle 11g New Features? by Steve Karam and Donald K. Burleson.

---

The Internet has proven to be the most powerful way to share information since the first transatlantic cable was laid in 1866, at a staggering cost of over two million dollars.  The transatlantic cable was the first world-wide-web, cutting down the speed of global communications from two days (based on the speed of the Victorian era steamers) down to mere seconds.  The dah-dits of these primitive telegraphs started an information revolution across the world and Morse code was the ACSCII character set of the 19^th century.

Eventually, companies like Western Union started selling telegram capabilities, allowing people to pay by the word to transfer knowledge anywhere on the globe.

Zero cost, zero accountability

The instant access and zero cost of the internet have created a significant threat to any Oracle database that is deployed on the web, especially from poor countries and countries that do not honor copyrights.

Oracle data online is constantly threatened, and data thieves write ?Hoovers? (a Hoover is a data vacuum) to simulate online database transaction to siphon-off valuable information.  Major online Oracle customers such as eBay have had to block Hoovers to prevent data theft, but the crooks just keep on coming, determined to steal your valuable online information.  We also see internal data security issues, such as the costly data loss suffered by Marriott?

?For companies concerned about internal security, the experts recommend monitoring and, if necessary, revising their internal handling of data and access controls. "Stealing tapes is not the most elegant, but one of the most effective attack factors," Oltsik said.

"Many companies think about hacking in terms of getting root access to servers, but if they have weak physical security, someone can just walk out the door with a box of tapes."

But it's the lack of enforceability of intellectual property rights that has changed the landscape of information dissemination.  The proprietary nature of the original World Wide Web was gone, and Western Union has been replaced by a free model with the bandwidth to transfer huge sets of valuable information.  Web thieves can digitize bestselling books and pirate them for instantaneous downloads anywhere on the planet.  Worse yet, internet hackers are now attacking databases and stealing data.

The internet: The 21^st Century thieves market

The theft of intellectual property has become an epidemic, and authors like Steven King lost millions of dollars when his bestselling books were digitized and offered for free on the internet.  Even modest publishers are at risk.  One of my own books, the Oracle Press ?Oracle 10g Application Server Administration Handbook? was stolen and offered for only $6.50 on eBay.  The publisher (McGraw-Hill) did not have the thief arrested or prosecuted.

Forrester Research and Oracle Corporation reports that 80% of Oracle security breaches are "inside jobs" by existing employees.

But the problem is even worse for those to dare to make their Oracle data accessible over the web, and some companies have had their entire database stolen by foreigners. 

But it goes farther than just sub-standard or dicey Oracle support, what happens when you have a data theft problem?  It can cost hundreds of thousands of dollars to facilitate the arrest of web criminals for the theft of intellectual property, and the crooks know that many small companies don't have the financial resources to challenge the thieves.  Unless you are a multi-billion dollar company, the average American publisher had little recourse from international Oracle theft.  As a consequence, crooks steal Oracle data without any fear of capture, arrest and jail.

Sooner or later, the problem may become so bad that traditional publishers will go bankrupt, their high quality information being superseded with reams of garbage, the clutter of 500M blogs.  It will only be with the worldwide enforcement of IP rights that people can be protected from the wholesale theft of their information.

 

The increasing DBA role of data security administrator

More than ever before, the Oracle DBA must understand the many ways that their company data can be stolen.  In my role as an Oracle DBA security administrator, I?ve seen Oracle data stolen is a variety of ways and I?ve published data security guidelines for all remote database access:

• Inside Jobs - Foreign remote DBA providers have stolen entire databases, and created rootkit bots to siphon-off new data, e-mailing it overseas.  In other cases, H1B visa workers may steal Oracle data, shipping it overseas where the law makes it nearly impossible to retrieve.
   
• External threats - Even with the security offered by Oracle, it's possible for someone to create a legitimate database account and create a bot which performs millions of queries, siphoning-off the data.

Most reputable remote DBA providers pride themselves on being honest and straightforward, but there are hundreds of remote DBA providers advertising services on the web, some pf which appear to be dishonest.  For example, one foreign remote DBA provider openly discusses being dishonest with Oracle Technical Support, a very bad idea:

?Well, in all honesty, I do find myself telling Oracle support occasional ?little white lie?. By nature, I am a very truthful person, but I can imagine legitimate (or at least justifiable) reasons to withhold certain details from Oracle Support.?

Inside jobs and Oracle data theft

The trend toward offshoring has proven too great a risk for corporate data, and those ?bargain? remote Oracle DBA providers are sometimes just ?fronts? for a data theft operation.  After an Oracle data theft, many companies are too embarrassed or worried about negative publicity to report the theft, making it hard to arrive at accurate statistics of the scope of the Oracle data theft problem.

It has become an absolute requirement to use Oracle remote DBA wisely, and ensure that your provider resides within your country where you can have the protection of your own data theft laws and no cross-jurisdictional nightmares.

The web is full of suspicious Oracle remote DBA firms, many of whom subcontract their work to countries with unenforceable data theft laws.  There are some tip-offs for spotting Oracle remote DBA providers that are just ?fronts? for data theft rings:

• They do not publish the names, academic qualifications and resumes of their remote DBA staff.
   

• They do not mention their country of origin.

Oracle data managers use foreign Oracle remote DBA services that their own peril.  If you reside within the United States, it's absolutely critical to use a remote DBA provider within your own country where you are protected by data privacy laws, and where you can have recourse in cases of data theft.

You must also take care to keep your Oracle support in your home country and avoid foreign remote DBA support.  This Computerworld article titled Offshore Outsourcing Poses Privacy Perils notes just a few of the perils of entrusting your Oracle database to citizens of foreign nations. 

?Outsourcing jobs to offshore locations can sharply increase data privacy risks and the complexity of managing them, privacy and security professionals said last week.?

The problem is not just media hyperbole, it's quite real, and many companies have lost their mission-critical Oracle data to thieves.

Foreign Oracle data theft

In 2004, my company received a call from a client who was complaining of performance problems on their web database, which was running on a standalone Linux server.  The company was in the business of providing credit information to third-party companies to assess an individual's probability of financial default.

Upon accessing their server it was apparent that something was terribly wrong.  Even when idle, the database was performing I/O operations and the processors were active.

After a Linux expert was consulted, the real issue was discovered.  A time-bomb was activated by a foreign remote provider, and a hidden process was constantly polling the Oracle database, vacuuming up new data, and e-mailing it to an overseas mailbox!

The malicious foreign employee had replaced the standard Linux commands with a root kit, an attack method readily available on the Internet.  In a root kit attack, the Linux commands are replaced with an alias to disguise the presence of the data stealing mechanism. 

This data theft was so devastating that the company was forced into bankruptcy, all because of the lure of cheap foreign Oracle support.  Companies find out, too late that the prosecution for the theft of Oracle data can be next to impossible, as the crooks know that they are safeguarded by an impenetrable tangle of conflicting laws and jurisdictions. 

Due diligence for preventing Oracle data theft

Oracle DBA's have a fiduciary responsibility to their management to take every possible safeguard against Oracle data theft and there are some emerging standards for Oracle database access control:

• Monitor for end-user threats - Many cases of Oracle data theft are my ?legitimate? system users who replay transactions ad infinitum in order to steal the data.  Most companies employ sophisticated tools to audit and cut-off suspicious patterns of Oracle database transactions.
   
• Avoid foreign Oracle support - Time and time again, foreign Oracle developer and DBA providers are stealing Oracle data, knowing that they have little chance of being brought to justice.  Savvy Oracle shops will carefully vet all remote providers and only employ remote support within their own countries. You should only with a trusted vendor who openly publishes the names, backgrounds and qualifications of their personnel.

But it's not all bad news, as companies with large financial resources are seeking justice.

The protection of Oracle data is a significant issue, but there has been some headway in protecting intellectual property rights.  Take the case of Hew Raymond Griffiths, a man who was extradited from Australia to serve a sentence in the USA for piracy, it should be noted that the victim (Microsoft) probably spent a considerable sum of money researching the labyrinthine maze of evidence collection and cross jurisdictional issues.

?Griffiths claimed to be beyond the reach of U.S. law, and today, we have proven otherwise,? said Assistant Attorney General Alice Fisher. 'this extradition represents the Department of Justice's commitment to protect intellectual property rights from those who violate our laws from the other side of the globe.?

?Our agents and prosecutors are working tirelessly to nab intellectual property thieves, even where their crimes transcend international borders,? said U.S. Attorney Chuck Rosenberg.?

In time, we expect to see increasing isolation of Oracle databases as a firewall against external threats and it's clear that all Oracle DBA's must step-up to their duties as the custodian of their companies data.

References:

• Oracle Privacy Security Auditing - Arup Nanda, 2004
• Oracle Forensics - Paul Wright, 2015
• BC Remote DBA security policies

 

 

If you like Oracle tuning, see the book "Oracle Tuning: The Definitive Reference", with 950 pages of tuning tips and scripts.  You can buy it direct from the publisher for 30%-off and get instant access to the code depot of Oracle tuning scripts.