Author Archives: rlockard
Writing a book. #WhatIDontKnow #quicktip
The book I’m currently working on is a technical book on Database Application Security. While writing, I frequently find myself trying to explain something and I can’t quite come up with a good explanation. This normally indicates I don’t understand …
A common #infosec error in @Oracle applications: #DBA granted to application account
I’ve been doing this a long time, and there are two infosec errors that I keep seeing: granting DBA to an application account, and people using the application account. The problem of granting DBA to an application account is compounded when people …
@Oracle expdp / impdp #encryption #QuickTip #infosec #CommonMistakes
When using ENCRYPTION_PASSWORD with expdp and impdp, your shell history file (i.e. .bash_history) will store the password in plain text, and if you’re sending the password over the wire, your network had better be encrypted!
2018: It was a wild year – filled up my #passport
It’s been a wild and crazy year. I could write this about all the data breaches we had in 2018, but that would be too depressing. Instead I’m going to focus on my favorite cities: I filled up my passport and now …
#Infosec #ManInTheMiddle #encryption passwords sent in clear text
Did you know that when you type commands in sqlplus or sqlcl that include a password, if your network is not encrypted, the password is sent in the clear? In fact, all SQL commands are sent in the clear to the …
Blockchain: A Primer
We technical nerds have a way of talking to each other; mostly we understand each other, sometimes we don’t, and frequently we throw out buzzwords, thinking everyone must know what we’re talking about. This paper is going to address the …
There are conferences and then there’s #BGOUG
Of all the conferences that I speak at, BGOUG is in the top two for technical content, environment, and all-around great people. I’ll let you guess the other one of the top two. Hint: it’s in Poland. 🙂 If …
New Bank Card Scam #infosec #finsec
Just a couple of comments, then I’m going to let this Twitter thread speak for itself. The call came from the number on the back of the ATM card, and the caller represented themselves as being from the Fraud Department at the bank. …
#POUG2018: That’s a wrap; what a great trip.
Well, the Polish Oracle Users Group conference was quite a success. This year they held it in Sopot, right on the Baltic Sea. Here are a few of the standout things about this conference and POUG in general. The …
Apache Struts 2 vulnerability
The Apache Struts 2 vulnerability may impact you. Proof-of-concept code has been released on GitHub and is actively being discussed in underground forums. No plugins are needed for this exploit. All the attacker needs is …
Critical #Weblogic flaw needs to be patched. #infosec #oracle
The patch is in the July 2018 CPU. What can happen: an attacker can gain control over the WebLogic server without knowing the password. Affected versions: 10.3.6.0, 12.1.3.0, 12.2.1.2, and 12.2.1.3. Reference URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2893 Known attacks: there are two …
Critical #Oracle Database flaw needs to be patched today. #infosec #exploit #java
Critical Oracle Database flaw needs to be patched. The patch is in the July 2018 CPU. The exploit is in the Oracle Java VM. Read: https://nvd.nist.gov/vuln/detail/CVE-2018-3110 This is an easily exploited flaw that allows a user with low-level …
Upcoming Talks
POUG: 7-8.09.2018 (booked) PL/SQL Secure Coding Practices; ECOUG: 18-19.09.2018 (booked) Holistic Database Security; BGOUG: 16-18.11.2018 (planned) Blockchain: a primer. There is a lot of confusion about the blockchain. Blockchain is not cryptocurrency; blockchain is one part of the …
Oracle Privilege analysis #Quicktip
Here is a quick tip on Oracle privilege analysis. Frequently I want to find out all of the ways a user can get to an object, through any privilege. DBA_TAB_PRIVS and DBA_ROLE_PRIVS are the two views I go to. I …
#POUG2018 is right around the corner.
Let’s start with some key facts. I learned this from my high school civics teacher, who made us learn a bit about journalism along with studying the Constitution. Who: The Polish Oracle Users Group, hosted by some of the most …
Common mistake when loading data into an #encrypted database.
There is a mistake that I’m seeing frequently: loading a raw data file into an encrypted database, then leaving the data file on an unencrypted device. After loading the data into the database, if you don’t need the data file …
#infosec Name and SSNs sent in the clear.
I’m more than a little disappointed at people not being serious about information security. One of my customers asked me to help load data from a school system into an APEX application I designed some years back. The Excel …
Outcomes instead of todo lists.
Chatting with a friend this morning, we were talking about to-do lists and being overwhelmed by everything that needs to get done. After sharing with her the mindfulness meditation that helps me keep the “chattering monkeys” at bay and has improved …
Have you downloaded the #OWASP Top 10 for 2017? #infosec
Just a short post: if you design, develop, maintain, or administer applications, you need to read this document. The Ten Most Critical Web Application Security Risks: OWASP Top 10 2017
Where am I, Dev, Test, Production? #quicktip #putty #sqlcl
If you’re like me, you frequently have many environments open at the same time in PuTTY, sqlcl, SQL Developer, or other tools. This happened quite a few years back: I was switching between my dev, test, and production environments, doing some …
Putting #CodeBasedAccessControl to work. #CBAC #Database #infosec #Oracle #TrustedPath
Grab a cup of coffee or a cup of tea. This is not a short post; there is a lot to explain, and many points are repeated. You need to understand all the ins and outs of CBAC. However, once …
Upcoming events
March 21 – 22: I will be speaking at Utah Oracle Users Group Training Days (and getting some spring skiing in): http://utoug.org/TrainingDays I will be speaking on Holistic Database Security and Secure Coding. My Holistic Database Security presentation has come …
That’s a really bad idea #audit #infosec #fraud #financialfraud
I’m not even sure how to approach talking about this. One customer with a complex application that is both financial and regulatory was given a backdoor into the system to manually make changes to data without audit or validation. To …
#TravelHacks Look at yourself in the mirror, would you give yourself an upgrade?
“I will judge you by how you treat the people who serve you.” I’ve spent a lot of time on social media helping some friends with their travel issues. Mostly I give people little hacks that I learned the hard …
PGA Memory Operation Events
I’ve been working on putting together some performance tests for my secure coding talk coming up at Hotsos and encountered something I cannot quite explain. This test case does a bulk select into a type and returns the type …