Oracle’s turn for security scrutiny

A security paper presented at a network security conference held by the SANS Institute in Los Angeles has warned that "weak" protection of users' passwords in Oracle databases opens them to an attack that could put corporate data at risk of exposure.

In the critique of Oracle's security practices, Joshua Wright of the SANS Institute and Carlos Cid of Royal Holloway College in London identified several vulnerabilities, including a weak hashing mechanism and a lack of case preservation: all passwords are converted to uppercase before the hash is calculated, so case differences carry no information.
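The following script is an added illustration of the two weaknesses just described and is not code from the paper, from Oracle, or from this article. It uses SHA-256 as a stand-in for the legacy hash (Oracle's actual algorithm is not reproduced here), constructs its own sample passwords, and contrasts the case-folded scheme with a case-preserving, salted, iterated hash of the kind the authors were asking for.

```python
"""Added example: why uppercasing a password before hashing weakens storage.

SHA-256 stands in for the legacy hash; this is NOT Oracle's actual
algorithm. The passwords and salts below are constructed for the demo.
"""
import hashlib
import hmac
import math
import os


def case_folded_hash(password: str) -> str:
    """Weak scheme: uppercase first, then one fast, unsalted hash.
    Any two passwords that differ only in case produce the same digest,
    so a complexity rule demanding mixed case buys nothing."""
    return hashlib.sha256(password.upper().encode("utf-8")).hexdigest()


def hardened_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Case-preserving, per-user salted, iterated hash (PBKDF2-HMAC-SHA256).
    The salt is stored beside the digest and need not be secret; it stops
    one precomputed table from serving every user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_hardened(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison so verification timing leaks nothing."""
    return hmac.compare_digest(hardened_hash(password, salt), stored)


def case_entropy_lost_bits(length: int, lowercase: int = 26,
                           uppercase: int = 26, other: int = 10) -> float:
    """Bits of entropy discarded by uppercasing a uniformly chosen password
    of the given length over the given character classes. With letters
    only (other=0) every position loses exactly one bit."""
    full = lowercase + uppercase + other
    folded = lowercase + other  # upper- and lowercase collapse together
    return length * math.log2(full / folded)


if __name__ == "__main__":
    # Constructed sample passwords that differ only in case
    a, b = "Tr0ubador", "tr0UBADOR"
    print("case-folded digests equal:", case_folded_hash(a) == case_folded_hash(b))
    salt = os.urandom(16)  # fresh per-user salt, stored with the digest
    stored = hardened_hash(a, salt)
    print("hardened accepts original:", verify_hardened(a, salt, stored))
    print("hardened rejects case variant:", not verify_hardened(b, salt, stored))
    print("bits lost, 8-char letters-only:", case_entropy_lost_bits(8, other=0))
```

The entropy helper is the number a reviewer would want when judging a complexity policy: if the store folds case, the policy's mixed-case requirement adds no work for an attacker, which is why the authors' countermeasures (restricting access to the password table, stronger hashing) matter more than rules alone.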


"By exploiting these weaknesses, an adversary with limited resources can mount an attack that would reveal the plain text password from the hash for a known user," Wright and Cid claimed in their paper, which can be found at www.sans.org/rr/special/index.php?id=oracle_pass


Wright and Cid concluded that, although a number of countermeasures can be taken to protect users' passwords, such as protecting the password table and enforcing complexity rules for passwords, Oracle customers should communicate their desire for a stronger password hashing mechanism to the company.


Let’s hope they do it forcefully. Despite being told about the vulnerability in July, Oracle has said little about the problem so far.
