The security of Oracle databases is at risk because
users do not change the default passwords that ship with the
product.
The warning, by Oracle executives and security experts, came as
the UK Oracle User Group held its annual conference in Birmingham
last week.
Oracle chief executive Larry Ellison said two months ago that
security would be his company's biggest challenge over the next 18
months.
Last week, source code of what is believed to be the first worm
to specifically target Oracle databases was released on the
internet. This threat followed a report in October by US security
research organisation the Sans Institute, which highlighted weak
password encryption in the Oracle database.
Although the worm poses a potentially serious threat, the use of
default passwords on databases is a much more immediate risk,
according to David Litchfield, managing director of security
consultancy NGSSoftware.
"About 15% to 20% of passwords remain in their default state,"
he said. This means a hacker could simply look up the password from
Oracle documentation and log in to a server.
Duncan Harris, senior director of security assurance at Oracle,
agreed with NGSSoftware's findings. "Unfortunately, default
passwords do not get changed," he said.
Many users are still running Oracle 8i, which does not offer
password management control, said Harris.
When users update to Oracle 9i R2, which does have password
management control, they can still be caught out. "When a database
is copied from an earlier version, the default passwords will be
migrated unchanged," said Harris.
Enhanced security measures on Oracle's latest products only work
when users set up a new database, he warned.
Harris said Oracle was aware of the Sans Institute warning about
weaknesses in Oracle's password security but said, "We did not
consider the paper a [comment on] standard vulnerability. It was a
commentary on the architecture."
The company will be working to improve the strength of its
password encryption in future releases, he said.
Oracle User Group chairman Ronan Miles said, "It seems that
modern technology may have caught up with the Oracle standard
password mechanism."