#Infosec #ManInTheMiddle #encryption passwords sent in clear text

Did you know that when you type commands in sqlplus or sqlcl that include a password, and your network connection is not encrypted, the password is sent in the clear? In fact, every SQL statement you send to the database goes over the wire in the clear if the network is not encrypted.

That is a gift to anyone running a man-in-the-middle attack. Make sure your network traffic is encrypted before you start configuring the Oracle database, or sending SQL statements for that matter.

c##sec_admin > administer key management set keystore open identified by SecretPassword;

keystore altered.

Blockchain A Primer

We technical nerds have a way of talking to each other. Mostly we understand each other, sometimes we don’t, and frequently we throw out buzzwords, thinking everyone must know what we’re talking about. This paper addresses the subject of blockchain so that anyone with a non-technical education can understand what it is and how it works. You may not be able to develop your own blockchain after reading this paper, but you’ll have a good handle on what we nerds are talking about.

There seems to be some confusion about just what blockchain is. Many people I speak with automatically assume blockchain is Bitcoin. First off, Bitcoin (and other cryptocurrencies) are not blockchain, and blockchain is not Bitcoin. Bitcoin uses the secure data structure of blockchain to protect its data. Because blockchain was described by Satoshi Nakamoto in 2008 as part of a peer-to-peer electronic cash system, and Bitcoin was the first application to utilize the security aspects of blockchain, this confusion is understandable. Now that we have established that Bitcoin is not blockchain and blockchain is not Bitcoin, let’s address what blockchain is.
Blockchain is a way of linking transactions, using a timestamp and a cryptographic hash, into a linked list that makes the data immutable. Yeah, that’s a mouthful. But if you do much reading on blockchain, there have been some enhancements to what we can do besides making data immutable. The power of blockchain lies in this: if you change anything in the blockchain, you break the cryptographic hash.

Basic Blockchain with two blocks.

Here we see two blocks that have been joined by putting block 1’s current hash into block 2’s previous hash. This is a simple linked list: data is linked to other data by pointing to a unique value of its neighbor. A linked list cannot have branches, so in this instance we cannot have two pieces of data pointing back to the same unique value of a neighbor.

Let’s start taking this apart to see what is actually happening. I’m going to start by defining what a hash is, what the qualities of a good hash are, and a tiny bit about how hashes work.

A hash is a one-way cryptographic function that produces a fixed-length value from some input. So if I pass “the rain in Spain falls mainly in the planes.” to the SHA256 hash function, it will produce: 4f5960e9f8aa23073bd14dfe85cce5020530e15f1f7dc4231d16cceb01d09e70. Now if I change one letter of the text to “The rain in Spain falls mainly in the planes.” (just switching the t from lower case to upper case), the SHA256 hash function will produce: 5cadf57561ce0e294dd4c7b982be6ffad0c81281f0d6ab6fa64efccdfaf51061. As you can see, the two results are totally different and don’t even remotely resemble each other. I have read from many respected sources that the SHA256 hash is guaranteed to always return a unique value. This is not exactly a true statement. SHA256 produces an output of finite length; however, there are an infinite number of inputs that can be passed to a hash function. Eventually, someone will find a hash collision (two different inputs that produce the same output), but for all practical purposes it will produce a unique output for any given input.

The last thing you need to understand about hash functions: you should never be able to take the hash and work out what the original input was. That is, if I gave you this SHA256 hash, 5cadf57561ce0e294dd4c7b982be6ffad0c81281f0d6ab6fa64efccdfaf51061, you should not be able to figure out what the input is. You may already see the problem with this statement: because I used this hash in a previous example, you can go back and read what my input was. Because we know the input and we know the hash, we can run the input through the function to see if the message has changed. If the hashes are the same, we’re golden; if not, the text was altered.

Difficulty: The time to calculate a hash is amazingly fast; my last test produced a SHA256 hash of a small input in 0.001001119613647461 seconds. Yup, that’s pretty quick. So we actually need a way to slow down the ability to produce a hash, and we do that by introducing a difficulty factor. We create an artificial requirement that the hash must start with one or more zeros. In reality you can use any pattern you want; however, the current standard people are using is starting the hash with 0’s. Each time we increase the difficulty, the time to calculate the hash increases exponentially. So with a difficulty of two zeros, the average time to hash is 0.003002166748046875 seconds, and with a difficulty of three zeros the average time to hash is 0.2151656150817871 seconds. With a difficulty factor of four it took 200.69477248191833 seconds to calculate the hash. This is a pretty old computer I’m working on right now, so faster speeds are possible, but you get the point: as the difficulty increases, it becomes much harder to calculate a hash with the required difficulty.

The reason we add a difficulty factor is to slow down the ability to rebuild the blockchain and defeat the security that is built by linking the data (blocks) with a hash. If calculating the hash is slow, a potential attacker would need much more CPU power than the machines building the blockchain in order to change some data, recalculate all the hashes in the blockchain, and then get ahead of the machines building the blockchain.

I promise, if you’re not a techie, this is not that painful. What I want you to see is the technique I used to calculate the hash with a given difficulty.

    from hashlib import sha256

    def f_calc_hash(self, data, nounce, difficulty):
        # Start the search from the nounce passed in, then keep incrementing it
        # until the hex digest begins with the required number of zeros.
        self.nounce = nounce
        s_curr_hash = sha256(data.encode()).hexdigest()
        while not s_curr_hash.startswith('0' * difficulty):
            self.nounce += 1
            # Put the nounce in front of the original data (not the previous
            # attempt's data) so each try hashes the data with a single nounce.
            s_curr_hash = sha256((str(self.nounce) + data).encode()).hexdigest()
        return s_curr_hash

This is actually pretty easy to read. We have a function to calculate the hash with the required difficulty. It takes the data we want to hash, a nounce that I’ll get to in a minute, and our difficulty factor. It starts by calculating the hash and checks to see if it starts with the required number of 0’s. If it does not, it adds 1 to the nounce and puts that number at the beginning of the data we are hashing. Because we have now changed the data, we will get a different hash. We continue adding 1 to the nounce and testing the hash to see if it meets the difficulty requirement. If it does, great, return the hash; if not, keep adding 1 to the nounce and hashing again. There is no way to figure out in advance what nounce to use; therefore, the only way to get a hash with the required difficulty is brute force.

So a nounce is just a number we add to the data we are hashing to get a different hash. That’s all. Where the term nounce came from, I don’t know.

We also add a timestamp to the transaction to prove when it was created, and in some cases to make sure the transaction is unique, so that we get a unique hash for each transaction.

Transactions all go into a Block. You can have one or more transactions in a block, the number is up to you and the requirements for your system.

So let’s use the simple example of a check register. These two transactions can go into a block to be added to the blockchain.

  256   05 May 2018   Gas
        05 May 2018   Payroll Deposit

Before we go much further, we need to explain how to weld blocks together using a hash that meets the difficulty requirements.

All blockchains start with a genesis block, which serves as the anchor of the blockchain by providing the first hash needed to weld the blocks together. There is one special thing about the genesis block: it does not have a prior hash in its header. There is one other thing about the genesis block you should understand: the data in it may not be of any value. It’s just a seed for the rest of the blockchain. When we have built the genesis block, we get a hash that meets the difficulty requirement and put it in a field called current_hash. The current_hash is the hash value we get when we calculate the hash with the required difficulty factor using the calculated nounce.

So when we add block #2, it copies the current hash from the genesis block into its previous hash field. We then hash the block to get a current hash and nounce that meet the difficulty requirement. By joining block #2 to the genesis block, we now have a blockchain with two blocks. For every block we add to the blockchain, we repeat this process.

Why is the data structure so powerful? Let’s start with the assumption that we have a blockchain with 10,000 blocks. If someone were to change one piece of data, say in block 500, then the current hash in block 500 would no longer be right. Let’s say our hacker is clever and calculates a new nounce to get a hash that meets the difficulty requirement. Well, then the previous hash in block 501 would not match the new hash that was calculated. So the hacker now has to calculate a nounce for block 501 to get a hash that meets the difficulty requirement. Then 502, and 503, on and on. It would take a lot of CPU to recalculate the entire blockchain. If we did not have a difficulty factor built into the blockchain, the speed to calculate a hash would be pretty darn quick. That difficulty factor puts a speed limit on just how fast you can write to a blockchain. Pretty darn clever if you ask me.
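The nounce search, the difficulty factor and the chain-welding steps above, as one added example of my own (this is not the post’s code): `mine` brute-forces a nounce the way the function above does and reports how many tries it took, `Blockchain.validate` re-checks every hash and every previous-hash link, and `tamper_demo` edits one check-register entry in block 1, re-mines that block, and shows that block 2 still rejects the chain. The class and function names, the payload layout, the genesis timestamp and the check-register sample data are my assumptions.

```python
# Added example (my own code, not from the post): a minimal proof-of-work chain
# showing the brute-force nounce search, how the work grows with difficulty, and
# why altering one block breaks every link after it. Names are my own choices.
import time
from hashlib import sha256


def mine(data, difficulty):
    """Brute-force a nounce until sha256(nounce + data) starts with
    `difficulty` zeros. Returns (nounce, hex_hash, number_of_tries)."""
    nounce = 0
    while True:
        digest = sha256((str(nounce) + data).encode()).hexdigest()
        if digest.startswith('0' * difficulty):
            return nounce, digest, nounce + 1
        nounce += 1


def difficulty_table(data, max_difficulty):
    """Mine the same data at difficulty 1..max_difficulty and return
    (difficulty, nounce, tries, seconds, hash) rows; tries grow ~16x per zero."""
    rows = []
    for d in range(1, max_difficulty + 1):
        t0 = time.time()
        nounce, digest, tries = mine(data, d)
        rows.append((d, nounce, tries, time.time() - t0, digest))
    return rows


class Block:
    def __init__(self, index, timestamp, data, previous_hash, difficulty):
        self.index = index
        self.timestamp = timestamp
        self.data = data
        self.previous_hash = previous_hash   # '' only for the genesis block
        self.nounce, self.current_hash, _ = mine(self.payload(), difficulty)

    def payload(self):
        # Everything the hash commits to, including the link to the prior block
        return f"{self.index}|{self.timestamp}|{self.data}|{self.previous_hash}"

    def recompute_hash(self):
        return sha256((str(self.nounce) + self.payload()).encode()).hexdigest()


class Blockchain:
    def __init__(self, difficulty=2):
        self.difficulty = difficulty
        # Genesis block: no previous hash; its data is just a seed (constructed value)
        self.blocks = [Block(0, "2018-05-05T00:00:00", "genesis", "", difficulty)]

    def add_block(self, data, timestamp):
        prev = self.blocks[-1]
        self.blocks.append(Block(len(self.blocks), timestamp, data,
                                 prev.current_hash, self.difficulty))

    def validate(self):
        """Return (ok, index_of_first_bad_block). Every stored hash must still
        match its block and meet the difficulty, and each block's previous_hash
        must equal the current_hash of the block before it."""
        for i, b in enumerate(self.blocks):
            if b.recompute_hash() != b.current_hash:
                return False, i
            if not b.current_hash.startswith('0' * self.difficulty):
                return False, i
            if i > 0 and b.previous_hash != self.blocks[i - 1].current_hash:
                return False, i
        return True, None


def tamper_demo(difficulty=2):
    """Build a 3-block chain from constructed check-register entries, then
    show what validation reports before and after an edit to block 1."""
    chain = Blockchain(difficulty)
    chain.add_block("256 05 May 2018 Gas", "2018-05-05T09:15:00")
    chain.add_block("05 May 2018 Payroll Deposit", "2018-05-05T17:00:00")
    before = chain.validate()
    chain.blocks[1].data = "25600 05 May 2018 Gas"      # one entry altered
    after_edit = chain.validate()                       # block 1's hash no longer matches
    b = chain.blocks[1]                                 # "clever" attacker re-mines block 1 ...
    b.nounce, b.current_hash, _ = mine(b.payload(), difficulty)
    after_remine = chain.validate()                     # ... but block 2 still points at the old hash
    return before, after_edit, after_remine


if __name__ == "__main__":
    for d, nounce, tries, secs, digest in difficulty_table("the rain in Spain", 3):
        print(f"difficulty {d}: nounce={nounce} tries={tries} {secs:.4f}s {digest[:16]}...")
    print(tamper_demo())
```

The tries column is the point of the difficulty factor: each extra leading zero multiplies the expected number of hashes by 16, while checking a finished chain costs one hash per block, which is why a verifier can be cheap and a rewriter cannot. The tuple from `tamper_demo` reads (True, None) before the edit, (False, 1) once block 1 is altered, and (False, 2) after block 1 is re-mined, because block 2 still carries the old hash in its previous_hash field.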

Anonymity vs. known users, or public vs. private blockchains. We have the very basics of what a blockchain is; now we can look at a couple of different types of blockchains. First there is the public blockchain, where anyone can add data to the blockchain. The typical public blockchain is a cryptocurrency such as Bitcoin. Note: cryptocurrencies are also frequently called shadow currencies. In cryptocurrencies, anyone can add blocks to the blockchain and make money. Here everyone has a copy of the blockchain, and when you add to the blockchain you provide a proof of work and the other nodes in the network check your work. If you met the required difficulty and the nounce is correct, then your block is added, unless another node has added more blocks than you. Because we cannot have branches on a blockchain, the network uses the longest chain as the valid blockchain.

When we say branches, we mean two or more blocks using the current hash of the same previous block as their previous hash.

So now that we understand what a public blockchain is, let’s explore what a private blockchain is.

In a private blockchain only computers (nodes) that are invited in can participate. Private blockchains can be used to store medical information that has regulatory protections, supply chain management, and trade between businesses.

In the public blockchain, we used proof of work to add data to the blockchain. In the private blockchain we use selective endorsement, by means of endorsing nodes. Endorsing nodes are the machines that are authorized to add data to the blockchain. The endorsing nodes can be one node, many nodes, or all the nodes on the private blockchain.

When we have multiple entities on a private blockchain, not everyone is allowed to see all the data in the blockchain. We enforce this by using channels. If you are dealing with financial or healthcare data, you must control who has access to the data. When a government, business, or person joins a private blockchain, they subscribe to a channel. The simplest way to describe a channel is that it is a standalone blockchain shared between players on the system.

A member of a private blockchain can subscribe to one or more channels. In this example Org1 is subscribed to both channel 1 and channel 2. Org2 is subscribed to channel 1 and Org3 is subscribed to channel 2. Now, the beauty of this is, the data has been segmented. That is to say, nothing in channel 1 can appear or be written to channel 2 and nothing in channel 2 can appear or be written to channel 1. Each of these channels is in fact, a private blockchain.

What can we do with this? Glad you asked. Because the information has not been changed, we can use the data in the blockchain to trigger smart contracts.

Smart contracts are a way to trigger an event after conditions are met. A simple example of a smart contract would be sending payment to a vendor. This would be accomplished with a simple if .. then .. else statement. In a purchasing blockchain a smart contract may exist that says: IF Shipment Received AND Shipment Verified AND Invoice Received AND Matching Purchase Order THEN Pay Invoice. Smart contracts are a good way to speed up the flow of business processes by embedding logic, which all parties agree to, into the blockchain.

There are conferences and then there’s #BGOUG

Keywords: © 2018 http://vencidimitrov.com;BGOUG_Summer_conference_7-9_june_2018

Of all the conferences that I speak at BGOUG is in the top two for technical content, environment, and all around great people. I’ll let you guess the other one of the top two. Hint, it’s in Poland. 🙂

If you want a great Oracle educational opportunity at a good price point, then come on out. Here is the registration link: http://website.bgoug.online/en/events/details/102.html

The conference will be held at RIU Pravets Resort again. It’s a fantastic venue.


New Bank Card Scam #infosec #finsec

Just a couple of comments, then I’m going to let this Twitter thread speak for itself.

  1. The call came from the number on the back of the ATM card, and the caller claimed to be from the Fraud Department at the bank.
  2. The caller asked for the CVV. Never give that out unless you initiated the transaction (i.e., you called for a service or you are ordering something).
  3. The caller asked the person to enter their current PIN. Never do that.
  4. https://twitter.com/cabel/status/1043160213635837952?s=21

#POUG2018: That’s a wrap; what a great trip.

Well the Polish Oracle Users Group conference was quite a success. This year they held it in Sopot right on the Baltic Sea. Here are a few of the stand out things about this conference and POUG in general.

  1. The Baltic Sea is cold. It’s just my nature: if there is water, I’m going to get in. When I saw that POUG was holding the conference in Sopot, the first item to make it into my carry-on was my swimsuit. I decided to take an early morning swim Wednesday; running across sand that was like talcum powder, I dove right in, swam out about 20 meters and decided this water is just effen cold. So, out of the water and into a hot shower to bring my body temperature back to normal. 🙂
  2. When I arrived at the speakers’ dinner, it looked like a who’s who of the Oracle community. These are some of the sharpest minds in the world. Heli was there to speak about machine learning. Bryn was there to talk about wrapping your data in a secure shell. Roger MacNicol was there to talk about full table scans, and so many more. The educational opportunity was only limited by having to pick between sessions that were running in parallel.
  3. The food, I had lost about 40 kilos, and after a week in Sopot, I found 5 of those kilos that I had lost. Who knew they went to Poland. 🙂 Really, the food in Poland is fantastic.
  4. The sessions, Timur Akhmadeev did a great presentation of “Defaults, bloody defaults.” That exposed some gaps in my knowledge. It’s always good to learn something new.
  5. The networking. I had been chewing on a problem that I’ve been having with analytics on blockchain, and ran into Christian Berg, who is the analytics guru in Switzerland. We don’t get to chat as much as I’d like; however, at the after party we dove into the problems with running analytics on blockchain data and think we may have come up with a solution. Once we run some tests in the lab and confirm it, you’ll read more. At POUG, you have the opportunity to chat with experts from all over the world and resolve your issues.
  6. The panel session at the end of the conference. Why do I keep volunteering to sit on panels? This is an opportunity to get opinions on many subjects. This time, the discussion revolved around why you should learn the internals. Of course you should understand how Oracle works. Now some people take it farther than I do, so when I need to understand something a bit deeper, I know there are people I can go to and ask difficult questions, like Kamil Stawiarski. If he does not know the answer, you know he will find the answer and help you out.
  7. The overall organization and execution of the conference. Luiza Nowak rocked it yet again. Luiza is the face, brain, and muscle behind making sure POUG goes smoothly. I’m constantly amazed by her ability to organize a complex conference and keep calm.
  8. The best speakers gift, having a beer named after me.

Thanks guys, I’m looking forward to coming back next year.

Apache Struts 2 vulnerability

The Apache Struts 2 vulnerability may impact you. Proof of concept code has been released on GitHub and is actively being discussed in underground forums. No plugins are needed for this exploit. All the attacker needs to do is put together a URL that will give access to the Apache Struts installation.


Discovered by https://www.recordedfuture.com/

Here is a list of Oracle products that could potentially be vulnerable. (This list is not exhaustive, and I have not had time to validate every entry on it.)

This vulnerability was discovered August 22, 2018, and I have not been able to find a patch for it. Please do your research: if you are using Apache Struts 2, keep a close eye out for the patch, and once the patch is released, install it.

MySQL Enterprise Monitor, versions and prior, and prior, and prior
Oracle Communications Policy Management, versions 11.5, 12.x
Oracle FLEXCUBE Private Banking, versions 2.0, 2.1, 2.2, 3.0, 12.0, 12.0.1, 12.0.2, 12.0.3, 12.1
Oracle Financial Services Analytical Applications Infrastructure, versions 7.2, 7.3
Oracle Financial Services Analytical Applications Reconciliation Framework, versions 3.5, 3.5.1, 8.0.0 to 8.0.4
Oracle Financial Services Asset Liability Management, versions 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5
Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.0 to 8.0.4
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.0 to 8.0.4
Oracle Financial Services Data Foundation, versions 7.3.0, 7.4.0, 8.0.0 to 8.0.5
Oracle Financial Services Data Integration Hub, versions 8.0.1 to 8.0.4
Oracle Financial Services Enterprise Financial Performance Analytics, versions 8.0.0 to 8.0.5
Oracle Financial Services Funds Transfer Pricing, versions 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5
Oracle Financial Services Hedge Management and IFRS Valuations, versions 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5
Oracle Financial Services ICAAP Analytics, version 8.0
Oracle Financial Services Institutional Performance Analytics, versions 8.0.0 to 8.0.5
Oracle Financial Services Liquidity Risk Management, versions 8.0.1, 8.0.2, 8.0.4
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 1.5.0, 1.5.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5
Oracle Financial Services Pricing Management, Transfer Pricing Component / Oracle Financial Services Price Creation and Discovery, versions 8.0.0 to 8.0.5
Oracle Financial Services Profitability Management, versions 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5
Oracle Financial Services Retail Customer Analytics, versions 8.0.0 to 8.0.5
Oracle Financial Services Retail Performance Analytics, versions 8.0.0 to 8.0.5
Oracle Insurance Data Foundation, versions 8.0.0 to 8.0.5
Oracle Insurance Performance Insight for General Insurance, version 8.0
Oracle Retail XBRi Loss Prevention, versions 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
Siebel Applications, versions 6.1, 6.2, 7.1
WebLogic Server, versions,,,,,

Critical #Weblogic flaw needs to be patched. #infosec #oracle

The patch is in the July 2018 CPU patch.

What can happen: An attacker can gain control over the Weblogic server without knowing the password.

Affected versions.,,, and

Reference URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2893

Known attacks: There are two proof of concept attacks published on GitHub. (I’m not posting the links, for good reason.) There are also two known active attacks going on in the wild; ISC SANS and Netlab 360 are tracking them.

To Do:

  1. Block port 7001 internally until patched.
  2. Patch WebLogic with the July 2018 CPU patch set. Patch URL: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Critical #Oracle Database flaw needs to be patched today. #infosec #exploit #java

Critical Oracle Database flaw needs to be patched. The patch is in the July 2018 CPU patch.

The exploit is in the Oracle Java VM. Read: https://nvd.nist.gov/vuln/detail/CVE-2018-3110

This is an easily exploited flaw that allows a user with low-level privileges (connect, with network access via Oracle Net) to completely hijack the Oracle database.
Affected versions,,, 18

Patch Information: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Upcoming Talks

POUG: 7-8.09.2018 (booked) PL/SQL Secure Coding Practices

ECOUG: 18-19.09.2018 (booked) Holistic Database Security

BGOUG: 16-18.11.2018 (planned) Blockchain a primer. There is a lot of confusion about the blockchain. Blockchain is not cryptocurrency; blockchain is the one part of the technology that makes cryptocurrency secure. We’ll chat about the technology and how to implement it.

BGOUG: 16-18.11.2018 (planned) The application of blockchain technologies to build faith and trust in the criminal justice system. I’m excited about this one. We are going to go through a case study of securing e-justice systems using blockchain technology.

Oracle Privilege analysis #Quicktip

Here is a quick tip on Oracle privilege analysis. Frequently I want to find out all of the ways a user can get to an object, for any privilege. DBA_TAB_PRIVS and DBA_ROLE_PRIVS are the two views I go to. I also want to see all the privileges that are granted on any object. This is good for starting at the user and tracking privileges to the object; it’s also good for starting at an object and walking back to the user.
This query does a pivot on the users and roles to get the path to the object and the privileges associated with that path.

"'USE'" US,
"'READ'" RD,
AND t.grantee != 'SYS'
AND t.grantee != 'SYSTEM'