Oracle Security Blog http://www.integrigy.com/oracle-security-blog A weblog about Oracle Security, especially the Oracle E-Business Suite 11i and the Oracle Database, written by Integrigy's Chief Technology Officer Stephen Kost daily 1 Oracle Security Blog http://www.integrigy.com/oracle-security-blog http://www.integrigy.com/favicon.ico OAUG eLearning: Oracle Critical Patch Update April 2008 http://www.integrigy.com/oracle-security-blog/archive/2008/04/30/oracle-cpu-april-2008-elearning This quarters Oracle Critical Patch Update (CPU) was released on Tuesday, April 15th.   In order to provide a better understanding of the CPU, I will be presenting an Oracle Applications Users Group (OAUG) eLearning session on Thursday.  The presentation will focus on the impact to Oracle E-Business Suite environments.

Thursday, May 1 at 9:00 am and 5:00 pm U.S. Eastern Time

"Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a hundred or so security bugs in all the Oracle products including the Oracle Database, Oracle Application Server, and Oracle E-Business Suite. These patches are large, complex, and often difficult to understand for the Oracle E-Business since multiple patches are required with some being cumulative and others needing prerequisites. This eLearning session will focus on the April 2008 CPU and the impact on E-Business Suite environments. Topics will include a review of the security vulnerabilities fixed in the CPU, an analysis of the required CPU patches, and a discussion of a high-level patch strategy."

This session is available free to OAUG members and you can sign-up for the session at -

http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=5/1/2008

 

]]> 2008-04-30T07:04:26-05:00 2008-04-30T07:04:26-05:00 Stephen Kost Oracle E-Business Suite Oracle Critical Patch Update Oracle Critical Patch Update - April 2008 - E-Business Suite Impact http://www.integrigy.com/oracle-security-blog/archive/2008/04/23/oracle-cpu-april-2008

Oracle released the fourteenth Critical Patch Update (CPU) last week.  This quarter is the same as the previous thirteen with many patches and long hours in order to get all the security patches applied in a timely manner.  Around 20 of the 41vulnerabilities fixed impact the Oracle E-Business Suite.  Fortunately like the last few quarters, this quarter there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.

Integrigy discovered 8 of the 11 Oracle E-Business Suite vulnerabilities, which were reported to Oracle in November 2007.

This quarter does have a higher than average number of database vulnerabilities that can be exploited by lowly privileged database accounts, although even if it was just one vulnerability the database security patch should still be a priority. 

Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.3, and 11.1.0.6 for the database and ATG_PF.H RUP5, or RUP6 for the Oracle E-Business Suite 11i.

More information about the vulnerabilities and detailed recommendations on patching and testing is available at -

Oracle Oracle Critical Patch Update - April 2008 - E-Business Suite Impact

Oracle Critical Patch Update - April 2008 - Version Support Matrix

I will be presenting an OAUG eLearning Community Thursdays session on Thursday, May 1 giving additional information on the CPU and its impact on your Oracle Applications implementation.  OAUG members can sign-up for the session at -

http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=5/1/2008

]]> 2008-04-23T16:42:58-05:00 2008-04-23T16:42:58-05:00 Stephen Kost Oracle E-Business Suite Oracle Critical Patch Update Integrigy COLLABORATE 08 Presentations On-line http://www.integrigy.com/oracle-security-blog/archive/2008/04/18/collaborate08-presentations
I presented 3 sessions between IOUG and OAUG, which were all well attended with over 150 people per session.  I guess security is really starting to become ingrained at many organizations.  I was somewhat surprised at the number of organizations relatively current with CPU patches based on the informal and highly unscientific "show of hands" surveys.

The PowerPoint presentations from my 3 sessions can be downloaded here -

Oracle Applications Users Group (OAUG)


Oracle E-Business Suite Critical Patch Updates: Insight and Understanding

Independent Oracle Users Group (IOUG)


Oracle Database Critical Patch Updates: Unwrapped

Real-life Database Security Mistakes

 

]]> 2008-04-18T13:40:38-05:00 2008-04-18T13:41:19-05:00 Stephen Kost Oracle COLLABORATE Oracle Database Oracle Critical Patch Update Oracle E-Business Suite Critical Patch Update April 2008 Pre-Release Analysis http://www.integrigy.com/oracle-security-blog/archive/2008/04/14/cpu-april-2008-prerelease pre-release announcement for the upcoming April 2008 Oracle Critical Patch Update (CPU) -

  • Overall, 41 security vulnerabilities are fixed in this CPU, which is an average number well within the range of previous CPUs (Jan-08=26, Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
  • This is the first CPU that includes fixes for Siebel.
  • The product and vulnerability mix appears to be similar to previous CPUs.  All CPU supported Oracle Database, Oracle Application Server, Oracle Collaboration Suite, and Oracle E-Business Suite versions are included.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
        • Database = 9.2.0.8, 10.1.0.5, 10.2.0.3, and 11.1.0.6 for major platforms
        • Application Server = 9.0.4.3, 10.1.2, and 10.1.3
        • E-Business Suite = 11.5.9, 11.5.10.x, and 12.0.x
  • The major CPU version support changes for April 2008 are -
      • Database version 10.2.0.2 is only supported for Solaris x86 and VMS
      • Oracle E-Business Suite 11i will require ATG RUP5 or RUP6
  • Oracle instituted a new policy with the July 2007 CPU in that platforms with few downloads of CPU patches will not have patches proactively created -- the CPU patches will only be available upon request.  According to the January 2008 CPU note (Metalink Note ID 466757.1), patches for database version 10.1.0.5 on several platforms will be available only upon request for the April 2008 CPU.  For the Oracle Application Server, many platforms have "On Request" patches across all versions, especially 9.0.4.3.  The database note for the January 2008 CPU will have a section titled "Planned Patches for Next CPU Release" that should be carefully reviewed to determine if your platform/version will be an "On Request" patch in the next release.

Oracle Database
  • There are 17 database vulnerabilities and two are remotely exploitable without authentication.  Since APEX, Net Services, Authentication, and UltraSearch are included as affected components, it will be very interesting to see where the remotely exploitable vulnerabilities lie.
  • At least one of the database security vulnerabilities has a CVSS 2.0 metric of 6.6, which for database vulnerabilities should be considered high risk.  This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
  • According to the January 2008 CPU notes, there is very limited platform support for 10.2.0.2.  Only the following platforms are supported for 10.2.0.2 by the April 2008 CPU: Solaris X86 and VMS.

Oracle Application Server
  • There are 3 new Oracle Applications vulnerabilities, all of which are remotely exploitable without authentication.  Two impact the Oracle Application server components Oracle Dynamic Monitoring Service and Oracle Portal.  The third vulnerability is in Oracle Jinitiator, which is a client installed product.

Oracle E-Business Suite 11i and R12
  • 7 of the 11 vulnerabilities in the Oracle E-Business Suite are remotely exploitable without authentication.  Most of the vulnerabilities are in core components like OA Framework and AOL, so all implementations should consider most of these patches as important.

Planning Impact
  • As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.

Note: The pre-release announcement is removed when the CPU is released. ]]> 2008-04-14T12:46:40-05:00 2008-04-14T12:46:40-05:00 Stephen Kost Oracle Database Oracle Critical Patch Update Oracle E-Business Suite "Hundreds of Oracle Products" http://www.integrigy.com/oracle-security-blog/archive/2008/04/14/oracle-hundreds-of-products pre-release announcement for the April 2008 Critical Patch Update, one line in particular did catch my attention. I know Oracle has purchased many companies in the past few years.  So how many products does Oracle have?  Well, the CPU pre-release announcement states that --

"This Critical Patch Update contains 41 security fixes across hundreds of Oracle products."

I am assuming every Oracle E-Business Suite module counts as a separate product and potentially every database component, so there would be several hundred.  I wonder if Oracle has an official count of products somewhere.  There are 642 products listed in the Bug Search in Metalink.

Just something to think about when you are reviewing a CPU as it includes fixes for over 600 Oracle products.
]]> 2008-04-14T12:29:38-05:00 2008-04-14T12:29:38-05:00 Stephen Kost Oracle COLLABORATE 08 Presentations http://www.integrigy.com/oracle-security-blog/archive/2008/04/08/collaborate08
Integrigy's CTO, Stephen Kost, will be presenting three technical sessions, participating on a panel, and co-presenting in pre/post conference workshops.

Oracle Applications Users Group (OAUG)


Oracle Critical Patch Updates: Insight and Understanding
Tuesday, April 15, 2008
3:30 PM-4:30 PM

Securing the Oracle E-Business Suite Best Practices Panel
Moderated by Randy Giefer of Solution Beacon
Monday, April 14, 2008
8:00 AM-9:00 AM

Independent Oracle Users Group (IOUG)


120: Oracle Critical Patch Updates Unwrapped
Wednesday, April 16, 2008
1:30 PM - 2:30 PM

383: Real-life Database Security Mistakes
Thursday, April 17, 2008
11:00 AM - 12:00 PM

Pre and Post Conference OAUG Workshops


In conjunction with Jeff Hare of ERP Seminars, Stephen Kost is presenting a 1 hour session on Oracle Applications security at the "Oracle E-Business Suite Internal Controls and Security" pre and post conference workshops.  Integrigy is pleased to be collaborating with Jeff Hare on these workshops as he is one of the world's leading experts on Oracle Applications internal controls. 

Internal Controls and Security Best Practices in an Oracle Applications Environment
  • Sunday, April 13 9:00 a.m. - 5:00 p.m.
  • Thursday, April 17 9:00 a.m. - 5:00 p.m.
This workshop is an additional fee and requires a separate registration.  More information on the workshops is available on the OAUG COLLABORATE Website.

See you in Denver! ]]> 2008-04-08T15:01:31-05:00 2008-04-08T21:08:53-05:00 Stephen Kost Oracle COLLABORATE Oracle E-Business Suite Oracle Database Oracle Critical Patch Updates Database Patchset Support http://www.integrigy.com/oracle-security-blog/archive/2008/04/08/oracle-cpu-database-patchsets Metalink Note ID 360470.1) -

"As a general rule, Critical Patch Updates (CPUs) are created for the last two patch sets of Server Technologies releases during the period when a release is in Premier Support (under the Lifetime Support Policy) or Error Correction Support (ECS). However, in the case where the latest patch set of a release has been available for more than 1 year, CPUs will be provided only for the most recent patch set for that release. Once a release enters its Extended Support (under the Lifetime Support Policy) or Extended Maintenance Support (EMS) period, CPUs are created only for the last patch set of that release."

The "Database, FMW, and OCS Software Error Correction Support Policy Version 2.1" (Metalink Note ID 209768.1) provides more details on the CPU support policy, since there are a number of exceptions or deviations in the policy based on platforms and extended support.  Appendix A gives exact timing for patchset support for the database and Fusion middleware, which is 1 year from the release of the most current patchset.  For database versions under Extended Support, CPU patches will be available for the terminal patchset until Extended Support period ends.

Based on Oracle's policy, all organizations as a matter of policy should apply a database patchset at least annually in order to apply CPU patches on a timely basis.  Oracle maintains strict adherence to this policy with few exceptions.  With the release of 10.2.0.4 in February/March 2008 for Linux and other platforms, CPU support for 10.2.0.3 should be ending March 2009 -- this means no April 2009 CPU for 10.2.0.3.  This support timeline can be problematic for some databases as the application may not allow or certify the newest patchset for a number of months, thus cutting this year to a few months in some cases.

(This may be difficult for many organizations to fathom since many have not yet applied April 2007 nor upgraded from 10.2.0.2.) ]]> 2008-04-08T13:47:02-05:00 2008-04-08T13:50:25-05:00 Stephen Kost Oracle Database Oracle Critical Patch Update Oracle Critical Patch Updates - Types of Fixes in Database Patches http://www.integrigy.com/oracle-security-blog/archive/2008/04/08/cpu-database-patch-fixes
With the introduction of the "n-apply" patch structure for 10.2.0.3 in the July 2007 CPU, Oracle's policy changed for 10.2.0.3 and later patchsets in that non-security fixes are no longer included in the CPU patches.  From Metalink Note ID 209768.1 Software Error Correction Policy 2.1 -

Starting with Database patch set 10.2.0.3, CPUs have security fixes and any pre-requisite non-security fixes, but no longer contain non-security fixes introduced to resolve patch conflicts.  Even though Oracle intends to include mainly security fixes in CPUs, we may decide to include high-priority non-security fixes. We will always identify them in the CPU documentation.

This policy is for non-Windows platforms as the Windows CPU database patches are still released as patch bundles (e.g., Patch 16).

The disadvantage of this new policy is that some customers will experience a greater number of patch conflicts requiring merge patches.  The "n-apply" patch structure does allow for partial patch installation which reduces the overall exposure and fixes most of the security bugs while waiting for Oracle to create a merge patch. ]]> 2008-04-08T11:26:07-05:00 2008-04-08T11:26:07-05:00 Stephen Kost Oracle Database Oracle Critical Patch Update Oracle Exploits http://www.integrigy.com/oracle-security-blog/archive/2008/01/31/oracle-exploits
A topic of conversation whenever discussing Oracle security vulnerabilities is the complexity of exploiting such vulnerabilities.  Most Oracle professionals only have a cursory understanding of buffer overflows, SQL injection, cross site scripting (XSS), privilege escalation, etc., thus believe it is difficult to exploit many of the security bugs fixed in Oracle Critical Patch Updates.  Most Oracle vulnerabilities are very difficult to exploit solely based on the information delivered by Oracle.  Significant research, deep knowledge of the Oracle product, dissection of patches, and time are required to develop a new exploit.  Although, after developing a few exploits, the process becomes much easier and an experienced professional may be able to develop a fully functional exploit in a matter of hours.

However, all is not lost for the newbie, novice attacker.  Fortunately for those looking to reap ill-gotten fortunes from security-lax corporations, security researches routinely publish detailed exploit code for at least a handful of the security bugs fixed each quarter.  Any Oracle developer could easily execute almost all these published exploits.  With even limited knowledge of SQL and Oracle, possibly an accounts payables clerk who did a little homework could exploit some of these vulnerabilities.  (For those of you who think the accounts payable clerk example is far fetched should read the Secret Service's Banking and Financial Sector "Insider Threat Study".)

The published exploit code is not on some obscure web site, rather it is frequently published on a number of reputable web sites and popular mailing lists.  Simple Google searches will have numerous hits on phrases like 'oracle exploits'.  A recent trend has been to even incorporate evasion techniques into the exploit code, just in case an organization has deployed a database intrusion prevention system.

Two well organized sites with many published exploits are -

  • Red Database Security
http://www.red-database-security.com/exploits/oracle_exploits.html

  • milw0rm
http://www.milw0rm.com/local.php
http://www.milw0rm.com/search.php?dong=oracle (direct Oracle search)

Both these sites are worth a visit to understand how simple it is to use many of these published exploits and how important it is to properly protect databases, application servers, and applications. ]]> 2008-01-31T22:22:02-06:00 2008-01-31T22:22:02-06:00 Stephen Kost Oracle Oracle Critical Patch Update OAUG eLearning: Oracle Critical Patch Update January 2008 http://www.integrigy.com/oracle-security-blog/archive/2008/01/16/oracle-cpu-january-2008-elearning
Thursday, January 17 at 9:00 am and 5:00 pm U.S. Eastern Time

"Every quarter, Oracle releases a Critical Patch Update (CPU) that fixes a hundred or so security bugs in all the Oracle products including the Oracle Database, Oracle Application Server, and Oracle E-Business Suite. These patches are large, complex, and often difficult to understand for the Oracle E-Business since multiple patches are required with some being cumulative and others needing prerequisites. This eLearning session will focus on the January 2008 CPU and the impact on E-Business Suite environments. Topics will include a review of the security vulnerabilities fixed in the CPU, an analysis of the required CPU patches, and a discussion of a high-level patch strategy."

This session is available free to OAUG members and you can sign-up for the session at -

http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=1/1/2008 ]]> 2008-01-16T17:24:21-06:00 2008-01-16T17:24:21-06:00 Stephen Kost Oracle Critical Patch Update Oracle Critical Patch Update - January 2008 - E-Business Suite Impact http://www.integrigy.com/oracle-security-blog/archive/2008/01/15/oracle-cpu-january-2008 Oracle released the thirteenth Critical Patch Update (CPU) today.  This quarter is the same as the previous twelve with many patches and long hours in order to get all the security patches applied in a timely manner.  17 of the 27 vulnerabilities fixed impact Oracle E-Business Suite 11i.  Fortunately like the last few quarters, this quarter there are no new Oracle Application Server or Developer 6i patches required for the Oracle E-Business Suite 11i.

There is a significant Oracle Jinitiator patch that fixes a previously discussed vulnerability.  The key part about upgrading Jinitiator is that all previous versions must be removed from the client PC since every new version of Jinitiator is a unique install and does not remove the previous version.

For R12, Oracle has now made the Oracle Applications patches cumulative and the patch is also included in the newly released 12.0.4 patch.

This quarter does have a lower than average number of database vulnerabilities that can be exploited by lowly privileged database accounts, although even if it was just one vulnerability the database security patch should still be a priority. 

Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 9.2.0.8, 10.1.0.5, 10.2.0.2, and 10.2.0.3 for the database and RUP4, RUP5, or RUP6 for the Oracle E-Business Suite 11i.

More information about the vulnerabilities and detailed recommendations on patching and testing is available at -

Oracle Oracle Critical Patch Update - January 2008 - E-Business Suite Impact

Oracle Critical Patch Update - January 2008 - Version Support Matrix

I will be presenting an OAUG eLearning Community Thursdays session this Thursday January 17th giving additional information on the CPU and its impact on your Oracle Applications implementation.  OAUG members can sign-up for the session at -

http://secure.meetingexpectations.com/oaug/eLearning/elSchedule.aspx?DayOfWeek=5&mtd=10/1/2007

]]> 2008-01-15T23:05:11-06:00 2008-01-15T23:05:11-06:00 Stephen Kost Oracle E-Business Suite Oracle Critical Patch Update Critical Patch Update January 2008 Pre-Release Analysis http://www.integrigy.com/oracle-security-blog/archive/2008/01/10/cpu-january-2008-prerelease pre-release announcement for the upcoming January 2008 Oracle Critical Patch Update (CPU) -

  • Overall, 27 security vulnerabilities are fixed in this CPU, which is the lowest number of bugs fixed since the original CPU released in January 2005 that fixed 25 bugs (Oct-07=51, Jul-07=45, Apr-07=36, Jan-07=51, Oct-06=101, Jul-06=62, Apr-06=34, Jan-06=80).
  • This is the first CPU that includes fixes for Oracle 11g (11.1.0.6).
  • The product and vulnerability mix appears to be similar to previous CPUs.  All CPU supported Oracle Database, Oracle Application Server, Oracle Collaboration Suite, and Oracle E-Business Suite versions are included.  The list of supported versions is getting very short and should be carefully reviewed to determine if version upgrades are required prior to applying the CPU security patches -
        • Database = 9.2.0.8, 10.1.0.5, 10.2.0.2, and 10.2.0.3, 11.1.0.6
        • Application Server = 9.0.4.3, 10.1.2, and 10.1.3
        • E-Business Suite = 11.5.9, 11.5.10.x, and 12.0.x
  • Oracle instituted a new policy with the July 2007 CPU in that platforms with few downloads of CPU patches will not have patches proactively created -- the CPU patches will only be available upon request.  According to the October 2007 CPU note (Metalink Note ID 455287.1), patches for 10.1.0.5 on several platforms will be available only upon request for the January 2008 CPU.  The database note for the January 2008 CPU will have a section titled "Planned Patches for Next CPU Release" that should be carefully reviewed to determine if your platform/version will be an "On Request" patch in the next release.

Oracle Database
  • There are 8 database vulnerabilities and none are remotely exploitable.
  • At least one of the database security vulnerabilities has a CVSS 2.0 metric of 6.5, which for database vulnerabilities should be considered high risk.  This typically means anyone with a valid database session is able to compromise the entire database, but is unable to achieve root operating system access.
  • According to the October 2007 CPU notes, there is only limited platform support for 10.2.0.2.  Only the following platforms are supported for 10.2.0.2 by the January 2008 CPU: AIX 5L, HP Itanium, HP/UX, IBM zLinux, Linux x86-64, Linux Itanium, and Linux on Power.  Key missing platforms include all Solaris and Windows operating systems.

Oracle Application Server
  • 5 of the 6 vulnerabilities are remotely exploitable without authentication, although none impact the Oracle HTTP Server (Apache).
  • A previously disclosed Jinitiator bug is fixed and the key to fixing this bug is removal of previous Jinitiator versions from all client PCs as well as upgrading Jinitiator on the application servers.  Whenever possible, Jinitiator should be upgraded to at least 1.3.1.29 or replaced with the Sun Java Plug-in.

Oracle E-Business Suite 11i and R12
  • 3 of the 7 vulnerabilities in the Oracle E-Business Suite are remotely exploitable without authentication.  Most of the vulnerabilities are in core components like OA Framework, so all implementations should consider most of these patches as critical.
  • 11.5.8 is no longer supported, therefore, there is no CPU support.  April 2008 will be the last CPU for 11.5.9.

Planning Impact
  • As with all previous CPUs, this quarter's security patches should be deemed critical and you should adhere to the established procedures and timing used for previous CPUs.

Note: The pre-release announcement is removed when the CPU is released. ]]> 2008-01-10T16:42:30-06:00 2008-01-10T16:42:30-06:00 Stephen Kost Oracle Critical Patch Update Critical Patch Update January 2008 E-Mail Reminder http://www.integrigy.com/oracle-security-blog/archive/2008/01/10/cpu-january-2008-email CPU web page.  This e-mail is only a reminder that the next CPU will be released on January 15, 2008 (sometime after noon Pacific Time).

What is missing from the e-mail is that on Thursday January 10th, Oracle will release a pre-announcement of the upcoming CPU with some details as to the number of security bugs fixed and the maximum severity of the bugs fixed for each product set.  This pre-announcement does provide limited insight, but generally won't change many organizations plans unless there is something dramatic and out of the ordinary fixed.  It is most useful for Oracle Application Server and Oracle E-Business Suite customers as there is variability to the components fixed and a specific CPU may not impact security critical components like Single-Signon or EBS Internet modules.

From: Oracle Security Alerts [mailto:replies@oracle-mail.com]
Sent: Thursday, January 10, 2008 12:25 AM
To: Kost, Stephen
Subject: Oracle Critical Patch Update January 2008

January 9th, 2008
Oracle Critical Patch Update January 2008

Dear Oracle customer,

The Critical Patch Update for January 2008 is planned to be released on January 15, 2008. Oracle strongly recommends applying the patches as soon as possible.

The Critical Patch Update Advisory is the starting point for relevant information. It includes the list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities for each product suite, and links to other important documents. Supported products that are not listed in the "Supported Products and Components Affected" section of the advisory do not require new patches to be applied.

Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

The Critical Patch Update Advisory is available at any of the following locations:

Oracle Technology Network: http://www.oracle.com/technology/deploy/security/alerts.htm

Oracle, PeopleSoft and JD Edwards products: http://www.peoplesoft.com/corp/en/support/security_index.jsp

The next four Critical Patch Update release dates are:

April 15, 2008
July 15, 2008
October 14, 2008
January 13, 2009

Sincerely, Oracle Security Alerts


(Thanks to Randy for pointing out this e-mail) ]]> 2008-01-10T08:58:54-06:00 2008-01-10T08:58:54-06:00 Stephen Kost Oracle Critical Patch Update Friendly Breaches? Not with Oracle IRM and URM, except at Oracle http://www.integrigy.com/oracle-security-blog/archive/2007/12/13/oracle-friendly-breach
Today, Billy Cripe of the Oracle Fusion Enterprise Content Management blog discussed Oracle's Information Rights Management (IRM, formerly SealedMedia) and Universal Records Management (URM) products.  The IRM product is used to encrypt sensitive information everywhere including desktops, e-mail, file servers, etc.

The ironic part is that today the Breach Blog posted information on a security breach at Oracle due to a lost laptop.  A few weeks ago Oracle disclosed to the New Hampshire Attorney General that a lost Oracle laptop contained confidential information on 123 employees at recently acquired Lodestar.  Since the New Hampshire privacy statue requires notification when sensitive data is not encrypted, I have to assume the data was unencrypted on the laptop and Oracle IRM was not being used. ]]> 2007-12-13T17:00:06-06:00 2007-12-13T17:00:06-06:00 Stephen Kost Hashing Credit Card Numbers: Revisited Again http://www.integrigy.com/oracle-security-blog/archive/2007/12/11/hashing-credit-card-numbers-again revisit the estimates I provided in our white paper on brute forcing credit card hashes since new techniques were published that can speed the brute forcing up by at least a factor of 5 using off-the-shelf video cards.  Well, a month later I am having to revise the estimates again.  Nick Breese of New Zealand has published a paper at Kiwicon on using a PlayStation 3 to crack hashes.  His estimates are about 1.4 billion hashes per second for MD5.  Our proof of concept code running at about 2 million hashes per second seems kind of slow now.  Probably at least 2 billion hashes per second is feasible in the near future with readily available hardware and source code.

Storing credit cards using a simple single pass of a hash algorithm, even when salted, is fool-hardy.  It is just too easy to brute force the credit card numbers if the hashes are compromised.  Based on the potential value of the card numbers, there is more than enough financial incentive to buy a $500 PlayStation 3 and develop a little code.

When hashing credit card number, the hashing must be carefully designed to protect against brute forcing by using strongest available cryptographic hash functions, large salt values, and multiple iterations. ]]> 2007-12-11T21:31:41-06:00 2007-12-11T21:31:41-06:00 Stephen Kost PCI