You may want to warn your CIO and IT Security Manager that some bad press about Oracle security will be coming later this week and next week. The annual Black Hat conference in Las Vegas is Wednesday and Thursday of this week. Every year this conference gets significant media exposure -- last year it was the controversy regarding Cisco and Michael Lynn. There don't seem to be any major headlines this year, so the press may be digging for stories.
A number of Oracle security experts are presenting on various topics and the press is always looking for dirt on Oracle. Here is a quick overview of the Oracle-related presentations:
- "How to Unwrap Oracle PL/SQL" by Pete Finnigan - Most DBAs assume that wrapped Oracle code is fairly secure, and wrapping is often used to protect sensitive code and encryption keys. This presentation will debunk this myth and show how easy it actually is to unwrap the code. The press will jump on this presentation as another example of how Oracle is not secure. I think the true story is that many more bug hunters will now have access to the wrapped source code of standard Oracle packages and in the coming months you will see an increase in the number of Oracle security bug reports.
- "Oracle Rootkits 2.0: The Next Generation" by Alexander Kornbrust - Alex has presented on Oracle rootkits before, but has refined and expanded the Oracle rootkit concept.
- "TBA" by David Litchfield - Again this year David has not released the topic of his talk. At previous conferences, David has released information regarding unpatched Oracle vulnerabilities. It will be interesting to see what the presentation topic is this year.