A security paper presented at a network security conference held by the SANS Institute in Los Angeles has warned that an attack on Oracle databases, made possible by "weak" protection for users' passwords, could put corporate data at risk of exposure.
In the critique of Oracle's security practices, Joshua Wright of the SANS Institute and Carlos Cid of Royal Holloway College in London identified several vulnerabilities, including a weak hashing mechanism and a lack of case preservation: all passwords are converted to uppercase characters before the hash is calculated, so passwords that differ only in letter case produce the same hash.
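The effect of the missing case preservation can be quantified. The following is an added example, not code from the paper or from Oracle: it uses SHA-256 over an uppercased input purely as a stand-in for "a hash that folds case" (it is not Oracle's algorithm) and computes how much of a password policy's keyspace survives the folding.

```python
import hashlib
import math

# Character classes a password policy might require (constructed for this example).
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
ALNUM = LOWER + UPPER + DIGITS


def keyspace_bits(length: int, alphabet: str) -> float:
    """Entropy in bits of a uniformly random password of `length` over `alphabet`."""
    return length * math.log2(len(alphabet))


def folded_alphabet(alphabet: str) -> str:
    """The alphabet as the hash actually sees it once every character is uppercased."""
    return "".join(sorted({c.upper() for c in alphabet}))


def folded_keyspace_bits(length: int, alphabet: str) -> float:
    """Entropy that remains after case folding: only uppercased candidates stay distinct."""
    return keyspace_bits(length, folded_alphabet(alphabet))


def bits_lost_to_case_folding(length: int, alphabet: str) -> float:
    """How many bits a complexity rule loses when the hash discards letter case."""
    return keyspace_bits(length, alphabet) - folded_keyspace_bits(length, alphabet)


def distinct_hashes(length: int, alphabet: str) -> int:
    """Number of distinct hash inputs a case-folding hash can produce for this policy."""
    return len(folded_alphabet(alphabet)) ** length


def stand_in_hash(password: str, fold_case: bool = True) -> str:
    """Stand-in for a case-folding password hash (assumption: NOT Oracle's real scheme).

    SHA-256 is used only so the collision below is observable offline.
    """
    material = password.upper() if fold_case else password
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def collide_under_folding(p1: str, p2: str) -> bool:
    """True when two passwords become indistinguishable once case is folded."""
    return p1 != p2 and stand_in_hash(p1) == stand_in_hash(p2)


if __name__ == "__main__":
    # An 8-character mixed-case alphanumeric policy shrinks to a 36-symbol alphabet.
    print(f"bits lost: {bits_lost_to_case_folding(8, ALNUM):.2f}")
    print("collide:", collide_under_folding("Tr0ubador", "TR0UBADOR"))
```

For an 8-character mixed-case alphanumeric policy the hash sees only 36^8 distinct inputs instead of 62^8, a loss of about 6.3 bits, which is why the paper treats a mixed-case rule as no compensation for the folding.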
"By exploiting these weaknesses, an adversary with limited resources can mount an attack that would reveal the plain text password from the hash for a known user," Wright and Cid claimed in their paper, which can be found at www.sans.org/rr/special/index.php?id=oracle_pass
Wright and Cid concluded that a number of countermeasures can be taken to protect users' passwords, such as protecting the password table and enforcing complexity rules for passwords, but they urged Oracle customers to communicate their desire for a stronger password hashing mechanism to the company.
Let’s hope they do it forcefully.
Despite being told about the vulnerability in July, Oracle has said little about the problem so far.