Oracle has some security specific information on the OTN page -
http://www.oracle.com/technology/deploy/security/db_security/index.html

One you may find particularly useful is the 9iR2 security checklist -
http://otn.oracle.com/deploy/security/oracle9i/pdf/9ir2_checklist.pdf
(although I couldn't find this linked anywhere on that page...odd)

Pete Finnigan, though, is probably the best reference for Oracle security
information. He has a comprehensive list of Oracle security references
here: http://www.petefinnigan.com/orasec.htm

There have been several other good Oracle whitepapers including those
written by AppSec, Inc (http://www.appsecinc.com/techdocs/whitepapers/research.html),
Integrigy (http://www.integrigy.com/info/Integrigy_OracleDB_Listener_Security.pdf),
and NGSSoftware (http://www.nextgenss.com/papers/hpoas.pdf).

Happy reading!

On 6/29/05, Ginski, Richard J. <rginski@xxxxxxxxxxxxxxxxx> wrote:
> Forgive me for this being slightly off topic. We've checked Oracle's
> site, including posting to their "Technology Network", and have yet to
> find a best practices document for securing Oracle databases. Am I
> missing something? ... Or should something this obvious be available on
> Oracle's site? Can anyone provide links to such information?
>
> -----Original Message-----
> From: Joshua Wright [mailto:jwright@xxxxxxxxxxx]
> Sent: Wednesday, June 29, 2005 10:16 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Auditing Privileged Oracle Passwords - hashattack
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I've put together a tool that can be used to build a table of Oracle
> password hashes from a dictionary file for a designated username.
> Hashes are calculated by creating a user account similar to the target
> account to be audited and repeatedly changing the password with "ALTER
> USER" for each dictionary word, storing the hash for each password in a
> table.
>
> Once the table of hashes is built, a simple SELECT can be issued to
> determine if the password hash for a target user is a simple dictionary
> word:
>
> SQL> select h.username, h.password, h.hash
>   2  from hashattack h, dba_users d
>   3  where d.password = h.hash and h.username = 'SYS';
>
> USERNAME   PASSWORD             HASH
> - ---------- -------------------- --------------------
> SYS        KILTPLEAT            2BBDC477FFB28563
>
> SQL>
>
>
> Written in PL/SQL, available at
> http://802.11ninja.net/code/hashattack-0.1.tgz,
> http://802.11ninja.net/code/hashattack-0.1.tgz.asc
>
> Comments, questions, concerns welcome.
>
> - -Josh
> - --
> - -Joshua Wright
> jwright@xxxxxxxxxxx
>
> 2005-2006 pgpkey: http://802.11ninja.net/pgpkey.htm
> fingerprint: F00E 7A42 8375 0C55 964F E5A4 4D2F 22F6 3658 A4BF
>
> Today I stumbled across the world's largest hotspot. The SSID is
> "linksys".
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFCwq0QTS8i9jZYpL8RApOqAKCnTqrAwCaqKT3KALl0b8CDRo9I0QCfRKnB
> LcY+tDFFcNAeMbsIg7YWe88=
> =L/x5
> -----END PGP SIGNATURE-----
>