Advertisement
Promo

Security threats Toolkit

More flaws found in Oracle security

Joris Evers CNET News

Published: 28 Oct 2005 07:00 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Attackers could easily uncover Oracle database users' passwords because of a weak protection mechanism, putting corporate data at risk of exposure, experts have warned.

In the latest critique of Oracle's security practices, experts are calling on the software maker to improve the mechanism used to secure passwords for database users. Researchers say they have found a way to recover the plain text password from even very strong, well-written Oracle database passwords within minutes.

The technique Oracle uses to store and encrypt user passwords doesn't provide sufficient security, said Joshua Wright of the SANS Institute and Carlos Sid of Royal Holloway College, University of London. Wright gave a presentation on the matter Wednesday at the SANS Network Security conference in Los Angeles.

In the presentation, Wright discussed how passwords are encrypted before being stored in Oracle databases and presented a tool he wrote to uncover passwords, according to a SANS statement. A paper by Wright and Cid is available on the SANS Web site. (Download PDF.)

Wright and Cid identified several vulnerabilities, including a weak hashing mechanism and a lack of case preservation--all passwords are converted to uppercase characters before calculating the hash.

"By exploiting these weaknesses, an adversary with limited resources can mount an attack that would reveal the plain text password from the hash for a known user," Wright and Cid wrote in their paper.

The researchers informed Oracle about their findings in July, but subsequent requests for a response from Oracle have gone unanswered, according to SANS. Oracle also did not respond to a request for comment from CNET News.com.

Oracle users can protect their systems by requiring strong passwords and assigning limited user rights, the researchers said. Users are also encouraged to tell Oracle that it should improve password protection, they wrote.

Oracle is increasingly coming under fire for its security practices. Security researchers have taken the company to task for being slow in fixing security vulnerabilities and providing faulty patches when it does update its software.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
95 out of 182 people found this useful


In association with HP

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:



Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

McKinnon lawyers seek judicial review

Lawyers seeking a judicial review for Nasa hacker Gary McKinnon lodged fresh evidence of his psychiatric state at the High Court on Thursday. Karen Todner, McKinnon's solicitor,... More

1 comment

Beware of keeping your head in the clo...

Information security professionals can look forward to a deepening appreciation for their skills as security continues to be recognised as an essential element for doing business in... More

1 comment

Civil liberties groups attack file-sha...

Civil liberties and digital rights organisations have strongly criticised Lord Mandelson's Digital Economy Bill. Liberty said in a position paper on Tuesday that the bill, part of... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters