Category Archives: infosec

#Infosec #ManInTheMiddle #encryption passwords sent in clear text

Did you know that when you type a command in sqlplus or sqlcl that includes a password, and your network traffic is not encrypted, the password is sent in the clear? In fact, all SQL commands are sent in the clear to the …
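As an added example (not part of the original post), this is the check to run before typing a password into a session, plus the server-side fix. It assumes an Oracle 11g or later database and SELECT on V$SESSION_CONNECT_INFO and V$SESSION; the sqlnet.ora parameters are shown as comments because they are not SQL.

```sql
-- Added example, not from the original post. Assumes Oracle 11g+ and
-- SELECT on V$SESSION_CONNECT_INFO / V$SESSION.

-- 1) Is MY session encrypted? Run this before any ALTER USER ... IDENTIFIED BY.
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');
-- Every session shows generic "Encryption service for <OS>" lines. Only a
-- session that actually negotiated a cipher also shows a row like
-- "AES256 Encryption service adapter for Linux ...". No adapter row means the
-- password, and every statement after it, crosses the network as plain text.

-- 2) Which connected users are in the clear right now?
SELECT s.sid, s.username, s.machine, s.program
  FROM v$session s
 WHERE s.type = 'USER'
   AND s.username IS NOT NULL
   AND NOT EXISTS (SELECT 1
                     FROM v$session_connect_info c
                    WHERE c.sid = s.sid
                      AND c.network_service_banner LIKE '%Encryption service adapter%');
-- Local bequeath (non-network) sessions also show up here; ignore those.

-- 3) Server-side fix, in $ORACLE_HOME/network/admin/sqlnet.ora (not SQL,
--    shown as comments). The default ACCEPTED silently falls back to clear
--    text when the client does not ask for encryption; REQUIRED refuses
--    the connection instead.
--   SQLNET.ENCRYPTION_SERVER              = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER        = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER         = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER   = (SHA256)   -- SHA1 on 11g
-- Afterwards, open a new session, re-run query 1 and confirm the adapter row.
```

Query 2 is the one to schedule: a server set to REQUIRED cannot have clear-text sessions, so any row it returns on a machine you believe is hardened means the setting did not take.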

Posted in encryption, infosec

Blockchain A Primer

We technical nerds have a way of talking to each other; mostly we understand each other, sometimes we don't, and frequently we throw out buzzwords, thinking everyone must know what we're talking about. This paper is going to address the …

Posted in infosec

There are conferences and then there’s #BGOUG

Of all the conferences I speak at, BGOUG is in the top two for technical content, environment, and all-around great people. I'll let you guess the other one of the top two. Hint: it's in Poland. 🙂 If …

Posted in infosec

New Bank Card Scam #infosec #finsec

Just a couple of comments, then I'm going to let this Twitter thread speak for itself. The call came from the number on the back of the ATM card, and the callers represented themselves as the Fraud Department at the bank. …

Posted in infosec

#POUG2018: That’s a wrap; what a great trip.

Well, the Polish Oracle Users Group conference was quite a success. This year they held it in Sopot, right on the Baltic Sea. Here are a few of the standout things about this conference and POUG in general. The …

Posted in infosec

Apache Struts 2 vulnerability

The Apache Struts 2 vulnerability may impact you. Proof-of-concept code has been released on GitHub and is actively being discussed in underground forums. No plugins are needed for this exploit. All the attacker needs is …

Posted in infosec

Critical #Weblogic flaw needs to be patched. #infosec #oracle

The patch is in the July 2018 Critical Patch Update (CPU). What can happen: an attacker can gain control over the WebLogic server without knowing the password. Affected versions: 10.3.6.0, 12.1.3.0, 12.2.1.2, and 12.2.1.3. Reference URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2893 Known attacks: there are two …

Posted in infosec

Critical #Oracle Database flaw needs to be patched today. #infosec #exploit #java

Critical Oracle Database flaw needs to be patched. The patch is in the July 2018 Critical Patch Update (CPU). The flaw is in the Java VM component of the Oracle Database. Read: https://nvd.nist.gov/vuln/detail/CVE-2018-3110 This is an easily exploited flaw that allows a user with low-level …

Posted in infosec, Security

Upcoming Talks

POUG: 7-8.09.2018 (booked): PL/SQL Secure Coding Practices. ECOUG: 18-19.09.2018 (booked): Holistic Database Security. BGOUG: 16-18.11.2018 (planned): Blockchain, a Primer. There is a lot of confusion about the blockchain. Blockchain is not cryptocurrency; blockchain is one part of the …

Posted in infosec

Oracle Privilege analysis #Quicktip

Here is a quick tip on Oracle privilege analysis. Frequently I want to find out all of the ways a user can get to an object, for any privilege. DBA_TAB_PRIVS and DBA_ROLE_PRIVS are the two views I go to. I …
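As an added example (not the post's own query), this is how I join those two views to list every path, including nested roles, by which a user reaches one object. It assumes DBA access to DBA_TAB_PRIVS and DBA_ROLE_PRIVS; APP_USER and HR.EMPLOYEES are placeholder names.

```sql
-- Added example, not from the original post. Assumes DBA access to
-- DBA_TAB_PRIVS and DBA_ROLE_PRIVS; APP_USER and HR.EMPLOYEES are placeholders.
-- Every path by which APP_USER can reach HR.EMPLOYEES: direct grants, grants
-- to PUBLIC, and grants to any role the user holds, however deeply nested.
WITH role_tree (grantee, role, path, lvl) AS (
  -- anchor: roles granted directly to the user (or to PUBLIC)
  SELECT grantee, granted_role,
         CAST(grantee || '>' || granted_role AS VARCHAR2(4000)), 1
    FROM dba_role_privs
   WHERE grantee IN ('APP_USER', 'PUBLIC')
  UNION ALL
  -- recursion: roles granted to the roles already found
  SELECT rt.grantee, rp.granted_role,
         CAST(rt.path || '>' || rp.granted_role AS VARCHAR2(4000)), rt.lvl + 1
    FROM role_tree rt
    JOIN dba_role_privs rp ON rp.grantee = rt.role
   WHERE rt.lvl < 32
)
CYCLE role SET is_cycle TO 'Y' DEFAULT 'N'   -- stop if roles grant each other
SELECT tp.privilege, tp.grantable, tp.grantee AS via
  FROM dba_tab_privs tp
 WHERE tp.grantee IN ('APP_USER', 'PUBLIC')
   AND tp.owner = 'HR' AND tp.table_name = 'EMPLOYEES'
UNION ALL
SELECT tp.privilege, tp.grantable, rt.path
  FROM role_tree rt
  JOIN dba_tab_privs tp ON tp.grantee = rt.role
 WHERE rt.is_cycle = 'N'
   AND tp.owner = 'HR' AND tp.table_name = 'EMPLOYEES'
 ORDER BY 1, 3;
```

The VIA column is the finding: one row per path, so a SELECT that arrives both directly and through two role chains shows three times. What this does not cover is system privileges (SELECT ANY TABLE and friends, in DBA_SYS_PRIVS, reachable through the same role tree) and the owner's own access, so run the same role_tree against DBA_SYS_PRIVS before declaring an object unreachable. Oracle's own Privilege Analysis feature (DBMS_PRIVILEGE_CAPTURE) answers the converse question, which of the granted privileges were actually used.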

Posted in infosec

#POUG2018 is right around the corner.

Let's start with some key facts. I learned this from my high school civics teacher, who made us learn a bit about journalism along with studying the Constitution. Who: The Polish Oracle Users Group, hosted by some of the most …

Posted in Database Stuff, encryption, infosec, Oracle Users Group

Common mistake when loading data into an #encrypted database.

There is a mistake that I'm seeing frequently: loading a raw data file into an encrypted database, then leaving the data file on an unencrypted device. After loading the data into the database, if you don't need the data file …

Posted in infosec

#infosec Name and SSNs sent in the clear.

I'm more than a little disappointed at people not being serious about information security. One of my customers asked me to help load data from a school system into an APEX application I designed some years back. The Excel …

Posted in infosec

Outcomes instead of todo lists.

Chatting with a friend this morning, we were talking about todo lists and being overwhelmed by everything that needs to get done. After sharing with her the mindfulness meditation that helps me keep the "chattering monkeys" at bay and has improved …

Posted in infosec

Have you downloaded the #OWASP Top 10 for 2017? #infosec

Just a short post: if you design, develop, maintain, or administer applications, you need to read this document, The Ten Most Critical Web Application Security Risks. OWASP Top 10 2017

Posted in infosec

Putting #CodeBasedAccessControl to work. #CBAC #Database #infosec #Oracle #TrustedPath

Grab a cup of coffee or a cup of tea. This is not a short post; there is a lot to explain, and many points are repeated. You need to understand all the ins and outs of CBAC. However, once …

Posted in Code Based Access Control, Database Stuff, infosec, PL/SQL, Security, Trusted Path

The Impossible Password and default accounts. Oracle #LockDown #QuickTip #Infosec

Let's revisit a customer who was about to go through an IG audit. There is one finding that always seems to come up: default accounts with default passwords. I don't care if the accounts are expired and locked; if the …
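As an added example (not the post's own script), this finds the accounts on a default password and gives each one a password nobody knows before locking it. It assumes Oracle 11g or later (DBA_USERS_WITH_DEFPWD), DBA privileges and EXECUTE on DBMS_CRYPTO; the skip list is a placeholder.

```sql
-- Added example, not from the original post. Assumes Oracle 11g+ (for
-- DBA_USERS_WITH_DEFPWD), DBA privileges and EXECUTE on DBMS_CRYPTO.

-- The finding: who is still on a default password? Expired/locked status
-- does not help, because one ALTER USER ... ACCOUNT UNLOCK brings the
-- default password straight back.
SELECT d.username, u.account_status, u.created
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- The fix: overwrite each default password with a random value that is
-- never written down, then expire and lock the account. Even if someone
-- unlocks it later, there is no password anyone knows.
DECLARE
  v_pwd VARCHAR2(40);
BEGIN
  FOR r IN (SELECT username
              FROM dba_users_with_defpwd
             WHERE username NOT IN ('SYS', 'SYSTEM'))  -- change these by hand
  LOOP
    -- 12 random bytes from the database's own CSPRNG -> 24 hex characters,
    -- plus a letter and a symbol to satisfy any password verify function;
    -- kept under 30 characters for pre-12.2 password limits
    v_pwd := 'Pw' || RAWTOHEX(DBMS_CRYPTO.RANDOMBYTES(12)) || '#1';
    EXECUTE IMMEDIATE 'ALTER USER "' || r.username || '" IDENTIFIED BY "' || v_pwd || '"';
    EXECUTE IMMEDIATE 'ALTER USER "' || r.username || '" ACCOUNT LOCK PASSWORD EXPIRE';
    DBMS_OUTPUT.PUT_LINE('Reset and locked: ' || r.username);
  END LOOP;
END;
/

-- Verify: the view should now list only what you deliberately skipped.
SELECT username FROM dba_users_with_defpwd;
```

The random value is deliberately not logged or returned; the whole point is that the account has a password that exists nowhere but in the hash. Handle SYS and SYSTEM separately and on purpose, since those are the ones you still need to get into.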

Posted in infosec, PL/SQL, Security

Code Based Access Control, #securecoding #oracle #plsql #MultipleSchemas

You can download the full code from GitHub: CBAC Simple. This example depends on the HR demo schema being loaded. We will be building on this example over the next several months to present a full-blown application that includes …
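This is an added example of the Code Based Access Control pattern the two CBAC posts above describe, written here rather than taken from the CBAC Simple repository. It assumes Oracle 12.1 or later, the HR demo schema, and a DBA session; APP_API, APP_USER and HR_EMP_READ are placeholder names.

```sql
-- Added example, not the post's CBAC Simple code. Assumes Oracle 12.1+, the
-- HR demo schema installed, and a DBA session; APP_API, APP_USER and
-- HR_EMP_READ are placeholder names.

-- Code owner. It holds NO grant on HR.EMPLOYEES; only the role below does.
CREATE USER app_api IDENTIFIED BY "ChangeMe_App_Api_1";
GRANT CREATE SESSION, CREATE PROCEDURE TO app_api;

-- The role that carries the table access. It is never granted to a person.
CREATE ROLE hr_emp_read;
GRANT SELECT ON hr.employees TO hr_emp_read;

-- The code unit. Invoker's rights, so the caller's own privileges apply plus
-- whatever roles are attached to this unit while it runs. The table is read
-- through dynamic SQL with a bind: roles granted to a unit are used at run
-- time only, so a static reference to HR.EMPLOYEES would not compile for an
-- owner that has no direct grant.
CREATE OR REPLACE FUNCTION app_api.emp_salary (p_emp_id IN NUMBER)
  RETURN NUMBER
  AUTHID CURRENT_USER
IS
  v_sal NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT salary FROM hr.employees WHERE employee_id = :id'
    INTO v_sal USING p_emp_id;
  RETURN v_sal;
END emp_salary;
/

-- Attach the role to the code, not to a user. HR_EMP_READ is enabled only
-- while APP_API.EMP_SALARY runs and disappears when it returns.
GRANT hr_emp_read TO FUNCTION app_api.emp_salary;

-- The application account gets the function and nothing else.
CREATE USER app_user IDENTIFIED BY "ChangeMe_App_User_1";
GRANT CREATE SESSION TO app_user;
GRANT EXECUTE ON app_api.emp_salary TO app_user;

-- Connected as APP_USER:
--   SELECT app_api.emp_salary(100) FROM dual;   -- 24000 on the stock HR data
--   SELECT salary FROM hr.employees;            -- ORA-00942: no direct path
```

The property worth checking afterwards is that neither APP_API nor APP_USER appears in DBA_TAB_PRIVS for HR.EMPLOYEES and that HR_EMP_READ appears in DBA_ROLE_PRIVS for no user at all: the only way to the salary column is through the function.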

Posted in infosec, Security, Trusted Path

#GDPR – RIGHT TO ACCESS. Security is a feature #3 Right to Access Part 1 of 2

The GDPR right to access can get a bit complicated, as it covers a few things that present some challenges for us. What is the purpose of the processing? Let's face it, we process data on people for a number …

Posted in Database Stuff, GDPR, infosec, Security

@Oracle 12.2.0.1 Cool new features to improve security. Part 1 Enhanced Whitelists PL/SQL

In Oracle 12.1 the ACCESSIBLE BY clause was introduced to the PL/SQL language. This gives the developer the ability to mark a package, procedure, function, or type with what is allowed to call it. 12.2 gives us fine-grained control over …
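As an added example (not the post's own code), this shows the 12.2 form of the clause, where each subprogram in a package spec carries its own accessor list. It assumes Oracle 12.2, the HR demo schema, and an APP_API schema (placeholder) that owns the packages and has SELECT and UPDATE on HR.EMPLOYEES.

```sql
-- Added example, not from the original post. Assumes Oracle 12.2, the HR
-- demo schema, and an APP_API schema (placeholder) owning the packages with
-- SELECT and UPDATE on HR.EMPLOYEES.

-- Internal package: only the listed accessors can call each subprogram,
-- regardless of EXECUTE grants. 12.1 could only whitelist the whole unit;
-- 12.2 takes a list per subprogram, with the unit kind spelled out.
-- Accessors are matched by name and need not exist yet.
CREATE OR REPLACE PACKAGE app_api.emp_internal IS
  FUNCTION get_salary (p_emp_id IN NUMBER) RETURN NUMBER
    ACCESSIBLE BY (PACKAGE app_api.emp_public, PACKAGE app_api.emp_admin);
  PROCEDURE set_salary (p_emp_id IN NUMBER, p_sal IN NUMBER)
    ACCESSIBLE BY (PACKAGE app_api.emp_admin);
END emp_internal;
/
CREATE OR REPLACE PACKAGE BODY app_api.emp_internal IS
  FUNCTION get_salary (p_emp_id IN NUMBER) RETURN NUMBER IS
    v_sal NUMBER;
  BEGIN
    SELECT salary INTO v_sal FROM hr.employees WHERE employee_id = p_emp_id;
    RETURN v_sal;
  END get_salary;

  PROCEDURE set_salary (p_emp_id IN NUMBER, p_sal IN NUMBER) IS
  BEGIN
    UPDATE hr.employees SET salary = p_sal WHERE employee_id = p_emp_id;
  END set_salary;
END emp_internal;
/

-- Read-only entry point: may call get_salary, cannot reach set_salary.
CREATE OR REPLACE PACKAGE app_api.emp_public IS
  FUNCTION salary_of (p_emp_id IN NUMBER) RETURN NUMBER;
END emp_public;
/
CREATE OR REPLACE PACKAGE BODY app_api.emp_public IS
  FUNCTION salary_of (p_emp_id IN NUMBER) RETURN NUMBER IS
  BEGIN
    RETURN emp_internal.get_salary(p_emp_id);   -- allowed: EMP_PUBLIC is an accessor
  END salary_of;
END emp_public;
/

-- This body fails to compile with PLS-00904 (insufficient privilege to
-- access object EMP_INTERNAL): EMP_PUBLIC is not an accessor of set_salary,
-- even though both packages live in the same schema.
-- CREATE OR REPLACE PACKAGE BODY app_api.emp_public IS
--   FUNCTION salary_of (p_emp_id IN NUMBER) RETURN NUMBER IS
--   BEGIN
--     emp_internal.set_salary(p_emp_id, 0);
--     RETURN 0;
--   END salary_of;
-- END emp_public;
-- /
```

ACCESSIBLE BY constrains the call graph, not the grants: a session with EXECUTE on EMP_INTERNAL still cannot call it from an anonymous block, and an accessor still needs its own privileges for whatever it does. Use it alongside EXECUTE grants, not instead of them.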

Posted in Database Stuff, infosec, PL/SQL, Security, Trusted Path

PL/SQL Security Coding Practices. Introduction to a better architecture part 1.

I have been seeing this database architecture for over thirty years, and it's high time we stopped using it. Before I go too far, let me tell you I get it: you have pressure to get the application out the …

Posted in infosec, Security, Trusted Path

2017 European Security Tour, #Moscow, #London, #Paris, #Helsinki

My 2017 speaking schedule is starting out with a bang. My first stop will be Moscow, Russia, where I am trying to arrange a short speaking engagement in conjunction with the Russian Oracle Users Group. Hopefully we can arrange …

Posted in Database Stuff, infosec, PL/SQL, Security

#ORACLE PL/SQL Secure Coding Practices #INFOSEC – Please tell me how your database system is designed @bgoug will get this presentation first

The more you tell me, the more ways I can find to attack your system. All I need is one little SQL injection bug, and trust me, it is most likely there; you just don't know it …
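As an added example (not from the original post), this is the one little SQL injection bug in PL/SQL next to its fixed form, and the pattern for the case where a name really has to be spliced into the statement. It assumes the HR demo schema and an APP_API schema (placeholder) with SELECT on HR.EMPLOYEES.

```sql
-- Added example, not from the original post. Assumes the HR demo schema and
-- an APP_API schema (placeholder) with SELECT on HR.EMPLOYEES.

-- VULNERABLE: the caller's string is pasted into the statement text.
CREATE OR REPLACE FUNCTION app_api.find_emp_bad (p_last_name IN VARCHAR2)
  RETURN SYS_REFCURSOR
IS
  v_cur SYS_REFCURSOR;
BEGIN
  OPEN v_cur FOR
    'SELECT employee_id, last_name FROM hr.employees WHERE last_name = '''
    || p_last_name || '''';
  RETURN v_cur;
END find_emp_bad;
/
-- p_last_name => 'x'' OR 1=1--' turns the WHERE clause into
--   last_name = 'x' OR 1=1--'
-- and returns every row. Because the function is definer's rights (the
-- default), a UNION against any table APP_API can read comes back to a
-- caller who was never granted those tables.

-- FIXED: the value is bound. Whatever it contains is compared as data and
-- never parsed as SQL.
CREATE OR REPLACE FUNCTION app_api.find_emp (p_last_name IN VARCHAR2)
  RETURN SYS_REFCURSOR
IS
  v_cur SYS_REFCURSOR;
BEGIN
  OPEN v_cur FOR
    'SELECT employee_id, last_name FROM hr.employees WHERE last_name = :ln'
    USING p_last_name;
  RETURN v_cur;
END find_emp;
/

-- When an identifier must be spliced in (a column name cannot be bound),
-- map the input onto an explicit list of what the function is meant to do
-- and refuse everything else. DBMS_ASSERT.SIMPLE_SQL_NAME only guarantees
-- the text is shaped like a name; the CASE guarantees it is one of ours.
CREATE OR REPLACE FUNCTION app_api.find_emp_by (p_col IN VARCHAR2, p_val IN VARCHAR2)
  RETURN SYS_REFCURSOR
IS
  v_cur SYS_REFCURSOR;
  v_col VARCHAR2(30);
BEGIN
  v_col := CASE UPPER(p_col)
             WHEN 'LAST_NAME' THEN 'LAST_NAME'
             WHEN 'EMAIL'     THEN 'EMAIL'
             ELSE NULL
           END;
  IF v_col IS NULL THEN
    RAISE_APPLICATION_ERROR(-20001, 'unsupported search column');
  END IF;
  OPEN v_cur FOR
    'SELECT employee_id, last_name FROM hr.employees WHERE '
    || DBMS_ASSERT.SIMPLE_SQL_NAME(v_col) || ' = :v'
    USING p_val;
  RETURN v_cur;
END find_emp_by;
/
```

The quick audit for the bad pattern is a search of DBA_SOURCE for lines containing both EXECUTE IMMEDIATE or OPEN ... FOR and a concatenation operator; every hit needs a human to decide whether the concatenated piece is a constant, a validated identifier, or user input.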

Posted in infosec, PL/SQL, Security, Trusted Path

Turn off the #http #listener in #Oracle #STIG

Locking down a database (applying STIGs), you need to check whether the listener is serving HTTP. If you don't need the HTTP service, turn it off. Turning off HTTP reduces the attack surface. Step 1) Is HTTP …
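As an added example (not the post's own steps), this is the database-side check and switch-off for the HTTP, HTTPS and FTP endpoints that XML DB registers with the listener. It assumes Oracle 12c (the DBMS_XDB_CONFIG package; on 11g the HTTP and FTP calls live in DBMS_XDB) and a SYSDBA or XDB-administrator session.

```sql
-- Added example, not from the original post. Assumes Oracle 12c
-- (DBMS_XDB_CONFIG; on 11g the HTTP/FTP calls live in DBMS_XDB) and a
-- SYSDBA or XDB-administrator session.

-- Step 1: is XML DB's protocol server listening? 0 means off.
SELECT DBMS_XDB_CONFIG.GETHTTPPORT  AS http_port,
       DBMS_XDB_CONFIG.GETHTTPSPORT AS https_port,
       DBMS_XDB_CONFIG.GETFTPPORT   AS ftp_port
  FROM dual;

-- Step 2: if nothing depends on them (the embedded PL/SQL gateway used by
-- older APEX installs is the usual exception), set every port to 0.
BEGIN
  DBMS_XDB_CONFIG.SETHTTPPORT(0);
  DBMS_XDB_CONFIG.SETHTTPSPORT(0);
  DBMS_XDB_CONFIG.SETFTPPORT(0);
END;
/

-- Step 3: push the change to the listener now rather than waiting for the
-- next dynamic registration.
ALTER SYSTEM REGISTER;

-- Step 4: confirm. Re-run the SELECT above (all zeros), and from the OS
-- check that `lsnrctl status` no longer lists a (PRESENTATION=HTTP) endpoint.
```

The listener-side check matters as much as the database-side one: a port reported as 0 here but still shown by lsnrctl means another database or a static listener.ora entry is serving it.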

Posted in infosec, Life of a Oracle DBA, Security, Trusted Path

You can use #sqlcl with #mkstore

I was struggling last week getting mkstore and sqlcl to work together. sqlcl is Oracle's new command-line interface. For more on sqlcl see http://www.oracle.com/technetwork/issue-archive/2015/15-sep/o55sql-dev-2692807.html. I have been using sqlcl almost exclusively for the past year and love it. I …

Posted in Database Stuff, encryption, infosec