#POUG2018: That’s a wrap; what a great trip.

Well, the Polish Oracle Users Group conference was quite a success. This year it was held in Sopot, right on the Baltic Sea. Here are a few of the standout things about this conference and POUG in general.

  1. The Baltic Sea is cold. It’s just my nature: if there is water, I’m going to get in. When I saw that POUG was holding the conference in Sopot, the first item to make it into my carry-on was my swimsuit. I decided to take an early morning swim Wednesday; running across sand that was like talcum powder, I dove right in, swam out about 20 meters and decided this water is just effen cold. So, out of the water and into a hot shower to bring my body temperature back to normal. 🙂
  2. When I arrived at the speakers’ dinner, it looked like a who’s who of the Oracle community. These are some of the sharpest minds in the world. Heli was there to speak about machine learning. Bryn was there to talk about wrapping your data in a secure shell. Roger MacNicol was there to talk about full table scans, and so many more. The educational opportunity was limited only by having to pick between sessions that were running in parallel.
  3. The food. I had lost about 40 kilos, and after a week in Sopot I found 5 of those kilos that I had lost. Who knew they went to Poland. 🙂 Really, the food in Poland is fantastic.
  4. The sessions. Timur Akhmadeev gave a great presentation, “Defaults, bloody defaults,” that exposed some gaps in my knowledge. It’s always good to learn something new.
  5. The networking. I had been chewing on a problem that I’ve been having with analytics on blockchain, and ran into Christian Berg, who is the analytics guru in Switzerland. We don’t get to chat as much as I’d like; however, at the after party we dove into the problems with running analytics on blockchain data and think we may have come up with a solution. Once we run some tests in the lab and confirm it, you’ll read more. At POUG, you have the opportunity to chat with experts from all over the world and resolve your issues.
  6. The panel session at the end of the conference. Why do I keep volunteering to sit on panels? This is an opportunity to get opinions on many subjects. This time, the discussion revolved around why you should learn the internals. Of course you should understand how Oracle works. Now, some people take it farther than I do, so when I need to understand something a bit deeper I know there are people I can go to and ask difficult questions, like Kamil Stawiarski. If he does not know the answer, you know he will find the answer and help you out.
  7. The overall organization and execution of the conference. Luiza Nowak rocked it yet again. Luiza is the face, brain, and muscle behind making sure POUG goes smoothly. I’m constantly amazed by her ability to organize a complex conference and keep calm.
  8. The best speaker’s gift: having a beer named after me.

Thanks guys, I’m looking forward to coming back next year.

Apache Struts 2 vulnerability


The Apache Struts 2 vulnerability may impact you. Proof-of-concept code has been released on GitHub and is actively being discussed in underground forums. No plugins are needed for this exploit; all the attacker needs is to put together a URL that gives access to the Apache Struts installation.

CVE-2018-11776

Discovered by https://www.recordedfuture.com/

Here is a list of Oracle products that could potentially be vulnerable (this list is not exhaustive, and I have not had time to validate every entry on it).

This vulnerability was discovered August 22, 2018, and I have not been able to find a patch for it. Please do your research: if you are using Apache Struts 2, keep a close eye out for the patch, and install it as soon as it is released.

MySQL Enterprise Monitor, versions 3.2.8.2223 and prior, 3.3.4.3247 and prior, 3.4.2.4181 and prior
Oracle Communications Policy Management, versions 11.5, 12.x
Oracle FLEXCUBE Private Banking, versions 2.0, 2.1, 2.2, 3.0, 12.0, 12.0.1, 12.0.2, 12.0.3, 12.1
Oracle Financial Services Analytical Applications Infrastructure, versions 7.2, 7.3
Oracle Financial Services Analytical Applications Reconciliation Framework, versions 3.5, 3.5.1, 8.0.0 to 8.0.4
Oracle Financial Services Asset Liability Management, versions 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5
Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.0 to 8.0.4
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.0 to 8.0.4
Oracle Financial Services Data Foundation, versions 7.3.0, 7.4.0, 8.0.0 to 8.0.5
Oracle Financial Services Data Integration Hub, versions 8.0.1 to 8.0.4
Oracle Financial Services Enterprise Financial Performance Analytics, versions 8.0.0 to 8.0.5
Oracle Financial Services Funds Transfer Pricing, versions 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5
Oracle Financial Services Hedge Management and IFRS Valuations, versions 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5
Oracle Financial Services ICAAP Analytics, version 8.0
Oracle Financial Services Institutional Performance Analytics, versions 8.0.0 to 8.0.5
Oracle Financial Services Liquidity Risk Management, versions 8.0.1, 8.0.2, 8.0.4
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 1.5.0, 1.5.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5
Oracle Financial Services Pricing Management, Transfer Pricing Component / Oracle Financial Services Price Creation and Discovery, versions 8.0.0 to 8.0.5
Oracle Financial Services Profitability Management, versions 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5
Oracle Financial Services Retail Customer Analytics, versions 8.0.0 to 8.0.5
Oracle Financial Services Retail Performance Analytics, versions 8.0.0 to 8.0.5
Oracle Insurance Data Foundation, versions 8.0.0 to 8.0.5
Oracle Insurance Performance Insight for General Insurance, version 8.0
Oracle Retail XBRi Loss Prevention, versions 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
Siebel Applications, versions 6.1, 6.2, 7.1
WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1, 12.2.1.2, 12.2.1.3

Critical #Weblogic flaw needs to be patched. #infosec #oracle

The patch is in the July 2018 CPU patch.

What can happen: an attacker can gain control of the WebLogic server without knowing the password.

Affected versions: 10.3.6.0, 12.1.3.0, 12.2.1.2, and 12.2.1.3

Reference URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2893

Known attacks: there are two proof-of-concept attacks published on GitHub (I’m not posting the links for good reason), and there are two known active attacks going on in the wild. ISC SANS and Netlab 360 are tracking the attacks.

To do:

1) Block port 7001 internally until patched.

2) Patch WebLogic with the July 2018 CPU patch set.
Patch URL: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Critical #Oracle Database flaw needs to be patched today. #infosec #exploit #java

Critical Oracle Database flaw needs to be patched. The patch is in the July 2018 CPU patch.

The exploit is in the Oracle Java VM. Read:  https://nvd.nist.gov/vuln/detail/CVE-2018-3110

This is an easily exploited flaw that allows a user with low-level privileges (connect, with network access via Oracle Net) to completely hijack the Oracle database.

Affected versions: 11.2.0.4, 12.1.0.2, 12.2.0.1, 18

Patch Information: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Upcoming Talks

POUG: 7-8.09.2018 (booked) PL/SQL Secure Coding Practices

ECOUG: 18-19.09.2018 (booked) Holistic Database Security

BGOUG: 16-18.11.2018 (planned) Blockchain: a primer. There is a lot of confusion about blockchain. Blockchain is not cryptocurrency; blockchain is the one part of the technology that makes cryptocurrency secure. We’ll chat about the technology and how to implement it.

BGOUG: 16-18.11.2018 (planned) The application of blockchain technologies to build faith and trust in the criminal justice system. I’m excited about this one. We are going to go through a case study of securing e-justice systems using blockchain technology.

Oracle Privilege analysis #Quicktip

Here is a quick tip on Oracle privilege analysis. Frequently I want to find out all of the ways a user can get to an object, for any privilege. DBA_TAB_PRIVS and DBA_ROLE_PRIVS are the two views I go to. I also want to see all the privileges that are granted on any object. This is good for starting at the user and tracking privileges to the object; it’s also good for starting at an object and walking back to the user.
This query does a pivot on the users and roles to get the path to the object and the privileges associated with that path.
===========================================================================

SELECT OWNER,
       TYPE,
       TABLE_NAME,
       GRANTEE_FROM,
       GRANTEE_TO,
       -- un-aliased PIVOT values become quoted-literal column names, hence "'SELECT'"
       "'SELECT'"             SEL,
       "'UPDATE'"             UPD,
       "'INSERT'"             INS,
       "'DELETE'"             DEL,
       "'EXECUTE'"            EXE,
       "'FLASHBACK'"          FLSH,
       "'ON COMMIT REFRESH'"  OCR,
       "'ALTER'"              ALTR,
       "'DEQUEUE'"            DEQ,
       "'INHERIT PRIVILEGES'" IPRV,
       "'DEBUG'"              DBG,
       "'QUERY REWRITE'"      QR,
       "'USE'"                US,
       "'READ'"               RD,
       "'WRITE'"              WT,
       "'INDEX'"              IDX,
       "'REFERENCES'"         REF
  FROM (SELECT R.GRANTEE   GRANTEE_TO,    -- NULL when the privilege is granted straight to a user
               T.GRANTEE   GRANTEE_FROM,  -- the role (or user) named in the object grant
               T.GRANTABLE,
               T.OWNER,
               T.TABLE_NAME,
               T.TYPE,
               T.PRIVILEGE
          FROM DBA_TAB_PRIVS T
          -- Outer join so direct user grants are kept. The SYS/SYSTEM filter on R
          -- must sit in the ON clause: a plain WHERE test on R.GRANTEE is NULL for
          -- direct grants, which silently turns the outer join into an inner join
          -- and drops every privilege that does not go through a role.
          LEFT JOIN DBA_ROLE_PRIVS R
            ON R.GRANTED_ROLE = T.GRANTEE
           AND R.GRANTEE NOT IN ('SYS', 'SYSTEM')
         WHERE T.GRANTEE NOT IN ('SYS', 'SYSTEM'))
 PIVOT (COUNT(PRIVILEGE) FOR PRIVILEGE IN ('SELECT',
                                            'UPDATE',
                                            'INSERT',
                                            'DELETE',
                                            'EXECUTE',
                                            'FLASHBACK',
                                            'ON COMMIT REFRESH',
                                            'ALTER',
                                            'DEQUEUE',
                                            'INHERIT PRIVILEGES',
                                            'DEBUG',
                                            'QUERY REWRITE',
                                            'USE',
                                            'READ',
                                            'WRITE',
                                            'INDEX',
                                            'REFERENCES'))
 ORDER BY TABLE_NAME;
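The pivot above follows a grant exactly one hop: object to grantee, and, where that grantee is a role, to whoever holds the role. Roles can be granted to other roles, so a user two or three roles removed from the object never shows up. The query below is an added example, not the one from the post, that expands the full chain with a recursive WITH clause (Oracle 11.2 or later) and stops at real accounts. It assumes only the standard DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_USERS views; the role and user names in the comments are made up.

```sql
-- Added example: follow each object privilege through nested roles until it
-- reaches an actual user, keeping the whole grant path. Assumes the standard
-- DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_USERS views (11.2+ for recursive WITH).
WITH holders (owner, table_name, obj_type, privilege,
              direct_grantee, holder, grant_path, hops) AS (
  -- anchor: whoever is named directly in the object grant (a user, a role or PUBLIC)
  SELECT t.owner, t.table_name, t.type, t.privilege,
         t.grantee, t.grantee,
         CAST(t.grantee AS VARCHAR2(4000)), 0
    FROM dba_tab_privs t
   WHERE t.grantee NOT IN ('SYS', 'SYSTEM')
  UNION ALL
  -- recursive step: if the current holder is a role, the privilege flows on to
  -- every grantee of that role (another role or a user), one more hop per level
  SELECT h.owner, h.table_name, h.obj_type, h.privilege,
         h.direct_grantee, r.grantee,
         h.grant_path || ' -> ' || r.grantee, h.hops + 1
    FROM holders h
    JOIN dba_role_privs r
      ON r.granted_role = h.holder
   WHERE r.grantee NOT IN ('SYS', 'SYSTEM')
)
-- roles granted to each other in a loop would recurse forever: flag and drop them
CYCLE holder SET is_cycle TO 'Y' DEFAULT 'N'
SELECT h.owner,
       h.table_name,
       h.obj_type,
       h.privilege,
       h.direct_grantee,            -- the grantee the object owner actually named
       h.holder      AS end_user,   -- the account that ends up holding the privilege
       h.hops,                      -- 0 = direct grant, 1 = via one role, 2 = via a nested role ...
       h.grant_path                 -- e.g. (made-up names) APP_READ_ROLE -> REPORTING_ROLE -> JSMITH
  FROM holders h
  LEFT JOIN dba_users u
    ON u.username = h.holder
 WHERE h.is_cycle = 'N'
   -- keep only chains that end at a real account, plus PUBLIC, which is not in
   -- DBA_USERS but effectively hands the privilege to every account
   AND (u.username IS NOT NULL OR h.holder = 'PUBLIC')
 ORDER BY h.owner, h.table_name, h.privilege, h.holder, h.hops;
```

To walk in the other direction, add a predicate on the outer query: `AND h.holder = 'SOME_USER'` lists every object that account can reach and the role chain that gets it there, while `AND h.owner = 'SOME_SCHEMA' AND h.table_name = 'SOME_TABLE'` lists everyone who can touch one object. A PUBLIC row, or a row with a high hop count to a sensitive object, is usually the first thing worth reviewing.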

#POUG2018 is right around the corner.

http://poug.org/en/edycja/poug-2018/

Let’s start with some key facts. I learned this from my High School Civics teacher who made us learn a bit about journalism along with studying the Constitution. 

Who: The Polish Oracle Users Group, hosted by some of the most awesome people you’ll ever want to get to know. The young lady in the blue jeans is Luiza Nowak; what Luiza says goes, she’s “The Boss.”

This team gets a lot done, they bring in the top speakers from all over the world. They work hard so everything goes smooth, everyone learns, and everyone has a good time.

What: The annual Oracle Users Group Conference. We will be talking about everything from Machine Learning, to Secure Coding and Information Security.

When: 7-8 September 2018, Sopot

Where: Gdańsk, Poland. http://zatokasztuki.pl/

Why: That’s a pretty silly question. For me, it’s the opportunity to share what I know with a wide audience. This is one of those conferences where you are not only going to do a serious amount of learning from over 20 of the top speakers in the world; you will also have the opportunity to expand your network. You will definitely have a good time, Kamil will see to that.

How: Get here by plane, train or automobile. I’m told that tickets have already sold out, but double-check with the website; things do change.

When you get here, be sure to bring your thinking cap, your beer mug, and your sense of humor. You’ll need ’em. See you in a few weeks.

Common mistake when loading data into an #encrypted database.


There is a mistake that I’m seeing frequently: loading a raw data file into an encrypted database and then leaving the data file on an unencrypted device.

After loading the data into the database, if you don’t need the data file anymore, you should do a secure delete on the file. If you are going to need the data file again, move it to an encrypted device and then do a secure delete on the old copy. Better yet, when you bring the data file down, save it straight to an encrypted device and work from that device.

This is an easy thing to fix.

#infosec Name and SSNs sent in the clear.

I’m more than a little disappointed at people not being serious about information security. One of my customers asked me to help load data from a school system into an APEX application I designed for them some years back. The Excel spreadsheet received from the school system has teacher names and social security numbers. The Excel file was not encrypted in any way, shape or form. I’ll be contacting the school system on Monday to resolve this issue. If it’s not resolved in a short period of time, I’ll be sending the data to their local newspaper. This has got to stop.

Outcomes instead of todo lists.

Chatting with a friend this morning, we were talking about todo lists and being overwhelmed by everything that needs to get done. After sharing with her the mindfulness meditation that helps me keep the “chattering monkeys” at bay and has improved my focus, I mentioned that I’ve gotten away from todo lists and now write out the outcome I want from today. Coming up with an outcome for the day can be quite difficult, but once you get the hang of it, the outcome for today will be self-evident.

Back on 3/1 I needed to bring this practice back into focus and wrote this note to myself.

In my outcome for the day, I also establish a performance goal for the day. This performance goal can be related to my physical performance while exercising and/or my performance around people. An example of this would be: even though my chair is very comfortable, I will do twenty minutes on the rowing machine and lift weights for thirty minutes. It will also include what distance I will cover in those twenty minutes, and what weights and sets I will do in my exercise.

My professional outcome for the day may be: catch the problem in production before the customer catches it. This way, the customer is not surprised when there is an issue. They get an FYI instead of sending my team an email saying there is a problem.

The beauty of this is that once you have defined the outcome, what you need to do to get that outcome should become self-evident.