
DBAs should beware the hacker they know

Aaron Newman is co-author of the Oracle Security Handbook and co-founder of New York-based Application Security Inc. Recently he talked with about ways Oracle DBAs can defend themselves against trouble, and he warned that the biggest threats are often closer than you think.

Oracle says grid computing does not pose a greater security risk to users than prior architectures do. Do you agree with that statement?
Grid hasn't fundamentally changed database security as we know it, but once you distribute data over 50 small machines, you now have a lot more avenues of attack. Before, you just had to lock down one machine. Today, you could have 50 machines, so that's going to be a new challenge. If you've got one vulnerability on one machine, you're wide open. The DBA will have to be more diligent and find ways to effectively scale your work up.


To provide feedback on this article, contact Robert Westervelt.

How can an Oracle DBA guard against a SQL injection attack?
When a SQL injection attack occurs, it happens because somebody is writing a Web application that accesses your database. If they write that incorrectly, what happens is that the person on the browser side can cause arbitrary commands to run. The DBA needs to understand who is accessing their database and work with Web developers and make sure the developers are accessing in a secure way, and not allowing SQL strings to be put together.

How much can a company rely on its firewall for protection from attackers?
One major misconception is that if a database is behind a firewall, then there's nothing to worry about. In today's world, we have complex networks. We've got wireless devices and dozens of ways into those networks, so there's no reason to believe that a firewall is protecting you. You need to secure it and consider that anyone can get to it.

Why is the Listener service in the Oracle database an important feature, and are there potential problems with this component?
The Listener service is a proxy used to authenticate a user to the database. A user connecting to the database first connects to the Listener, and then the Listener hands off the user to the database. The issue is that, even if [the] database is locked down, the Listener itself doesn't have an authentication feature.

Most internal and external hackers are going to look for holes here. In the past, we've seen a lot of buffer overflows discovered in the Listener. My recommendations are to stay patched. People are very slow to update patches because they are worried they will break the application. Also, there is a Listener password that you can set up. It's difficult to set it, because you have to hard code it, but it can be done.
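Newman's two Listener recommendations above are patching and setting the Listener password. The following is an added example, not code from the interview or from Application Security Inc.: a small audit script that reads a listener.ora file and reports any listener that has no PASSWORDS_<listener> entry or no ADMIN_RESTRICTIONS_<listener> = ON entry (the latter stops lsnrctl SET commands from changing a running listener's configuration). The sample file is constructed for the example, and the parser assumes the usual layout in which top-level listener names start at column 0 and SID_LIST_* blocks are not listeners.

```python
import re

# Constructed sample listener.ora (not taken from any real system).
# LISTENER has no password and no admin restrictions; LSNR_APP has both.
SAMPLE_LISTENER_ORA = """\
# constructed example, two listeners
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
    )
  )

LSNR_APP =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1526))
    )
  )

PASSWORDS_LSNR_APP = 7B3F2A1C9D0E4F5A
ADMIN_RESTRICTIONS_LSNR_APP = ON
"""

# A listener definition is a column-0 name followed by "=" and an opening
# parenthesis (possibly on the next line). Assumption: this layout holds.
LISTENER_DEF = re.compile(r"^([A-Za-z][A-Za-z0-9_]*)\s*=\s*\(", re.M)

# The two hardening parameters, each suffixed with the listener name.
PARAM = re.compile(
    r"^(PASSWORDS|ADMIN_RESTRICTIONS)_([A-Za-z][A-Za-z0-9_]*)\s*=\s*(\S+)", re.M
)


def strip_comments(text):
    """Drop '#' comment lines so they cannot masquerade as definitions."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def audit_listener_ora(text):
    """Return {listener_name: [finding, ...]}; an empty list means no findings."""
    text = strip_comments(text)
    listeners = [
        name for name in LISTENER_DEF.findall(text) if not name.startswith("SID_LIST_")
    ]
    params = {}
    for kind, name, value in PARAM.findall(text):
        params[(kind, name)] = value

    findings = {}
    for name in listeners:
        issues = []
        if ("PASSWORDS", name) not in params:
            issues.append("no PASSWORDS_%s entry: listener accepts unauthenticated control commands" % name)
        if params.get(("ADMIN_RESTRICTIONS", name), "").upper() != "ON":
            issues.append("ADMIN_RESTRICTIONS_%s is not ON: runtime SET commands are allowed" % name)
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_listener_ora(SAMPLE_LISTENER_ORA).items():
        print(name, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

The script only checks for the presence of the entries; it cannot tell whether a PASSWORDS_ value was stored by lsnrctl (hashed) or typed into the file in the clear, which is the hard-coding Newman mentions, so a reviewer should still open the file after the audit runs.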

What are the different types of vulnerabilities in the Oracle database?
There are buffer overflows in several areas. There are Listener service issues, and in the PL/SQL components we're seeing a lot of SQL injection. We're also seeing a lot of issues with Oracle Application Server, where there are vulnerabilities with the default components that are left on. That's an entirely new beast. And a lot of DBAs are being dragged into being Web administrators, too, so they're facing these issues. One such component is SOAP, a protocol that any Web service uses. It was enabled in Oracle Application Server. If you don't know how to turn this off, anonymous users would be able to upload SOAP applications to your Web server.

What is the biggest security threat out there for DBAs today?
In terms of databases, the biggest security issue is really insider threats. You have a lot of hackers out there, and that's what gets publicity these days. But, really, the disgruntled users and disgruntled employees are the problem. They have some permission on your database, versus a hacker who might not get into the database. Global Crossings is a good example of how a disgruntled employee -- who took the internal payroll database home on a hard drive -- caused big problems for the telecommunications company. The employee posted the names, Social Security numbers and birthdates of company employees on his Web site. He may have been one of the factors that helped put them out of business.

Why should a DBA care about security?
Today a lot of people are ignoring the security side of the job. Many companies don't have the resources. Until you get hacked, and until you lose everything, then you think you can get by with minimal security.

It's not until the devastation hits that you start being proactive. Most organizations have security officers who manage the risk, because companies are never going to be 100% secure. These officers know network security well, but they don't understand databases, so they don't make fair judgments in that area. More important than your network security and operating system security is your database security.
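Two answers in the interview turn on the same point: SQL injection happens when application code lets "SQL strings be put together" from user input, in Web applications and in PL/SQL alike. The following is an added example, not code from the interview or from Application Security Inc., showing the vulnerable lookup beside its bind-variable form. It uses Python's built-in sqlite3 module so it runs offline; the named `:username` placeholder is the same bind syntax an Oracle client would use, and the employee table and inputs are constructed for the example.

```python
import re
import sqlite3


def build_sample_db():
    """Constructed in-memory table standing in for a payroll lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (username TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?)",
        [("alice", 90000), ("bob", 85000), ("carol", 120000)],
    )
    return conn


def lookup_unsafe(conn, username):
    # The pattern Newman warns about: the user's value is spliced into the
    # statement text, so the database engine cannot tell data from command.
    sql = "SELECT username, salary FROM employees WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Bind variable: the statement text is fixed before the value arrives.
    # The value is compared as a string and is never parsed as SQL.
    sql = "SELECT username, salary FROM employees WHERE username = :username"
    return conn.execute(sql, {"username": username}).fetchall()


# Defense in depth: reject input that cannot be a username before it reaches
# the database at all. The character set is an assumption for this example.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_.]{0,31}$")


def lookup_validated(conn, username):
    if not USERNAME_RE.match(username):
        raise ValueError("rejected username: %r" % username)
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = build_sample_db()
    hostile = "' OR '1'='1"  # constructed input that closes the quote early
    print("unsafe, hostile input ->", lookup_unsafe(db, hostile))
    print("safe,   hostile input ->", lookup_safe(db, hostile))
    print("safe,   normal input  ->", lookup_safe(db, "alice"))
```

Running the block shows the difference the interview is pointing at: the concatenated query returns every row of the table for the hostile input, while the bound query looks for an employee literally named `' OR '1'='1` and returns nothing. The validation wrapper is the second layer a DBA can ask developers for, since it fails closed on anything that is not shaped like a username.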
