Earlier this month, I did a Lunch-n-Learn presentation for the Northwest Oracle User Group.
To secure your Oracle databases, you need to secure the underlying operating system. Security experts agree that minimizing the software installed on your system will improve your security; it’s fewer places for hackers to penetrate your systems. So, how hard is it to run Oracle 12c and 11gR2 databases on Linux with the minimum RPMs installed? Come see! Come learn about the Linux minimum RPM installation, Linux firewalls, and how that affects running your Oracle databases. You will be pleasantly surprised.
See my Resources page for the presentation.
At the Fall 2014 Northwest Oracle User Group conference, I did a presentation about Oracle Enterprise Manager 12c.
OEM 12c has a much different architecture than 11g, and it is *so* much better. ITIL-like event management, pluggable target types, a new security model, etc. Wow – not just a face lift! Come and see Oracle’s latest monitoring and management technology and hear about best practices for implementing.
See my Resources page for the presentation.
UPDATE: an exploit tool for Heartbleed has been published on the Packet Storm Security website. Lovely. It is called the Bleed Out Heartbleed Command Line Tool.
Oracle has just emailed its community about it. Here is the notice: Security Alert for OpenSSL vulnerability, Heartbleed (CVE-2014-0160). Oracle’s alert says:
Due to the severity and the reported exploitation of CVE-2014-0160 “in the wild,” Oracle strongly recommends applying the patches as soon as possible.
The New York Times article Heartbleed Internet Security Flaw Used in Attack describes an attack the day after the Heartbleed bug was made public. That didn’t take very long! Related to that incident, information security company Mandiant has a blog entry saying:
Mandiant incident responders have already identified successful attacks in the wild by targeted threat actors.
And, to top it off, the New York Times article Heartbleed Highlights a Contradiction in the Web is a very troubling and accurate article highlighting some very serious issues with open source: the funding (or more accurately, lack of funding), and the quality assurance process. It is an indictment against anyone who uses open source software, but does not contribute to the project (like me). Mea Culpa. But, I have lots of company: there are lots of for-profit companies that use open source technologies in their commercial products, but do not contribute.
Heartbleed is all the rage. Everybody is talking about it. OK, ok. So, I need to write something. Here are the results of my research about Heartbleed:
Some good non-technical details are here: Avoiding Heartbleed Hype, What To Do To Stay Safe
An article about a possible conflict of interest related to this issue: Former Chief Security Officer for Microsoft the Chairman of the Board of Firm Behind Heartbleed. Hhhhmmmmm….
Some people are wondering if the NSA was involved: The Switchboard: Has the NSA been snooping with Heartbleed?
Who knows? Remember that the Internet is a public network. Be careful what you say and do in public.
What you should do:
Read the entire Forbes article. It is pretty good, and exposes some of the hype: Avoiding Heartbleed Hype, What To Do To Stay Safe
Make sure your computers, smartphones, and tablets are patched.
Apple products do not have the vulnerability (OS X and iOS use Apple’s own SSL library, and the OpenSSL that OS X ships is the older 0.9.8 branch), so they don’t need to be patched.
I can’t figure out if Windows products need a patch or not. Probably should, just in case.
If you are running Windows XP, you should consider upgrading or switching because there are no more patches for Windows XP: Windows XP is a bigger hacker threat than Heartbleed. I personally believe this is a worse security problem than Heartbleed.
There may be a reason why Heartbleed news came out shortly after the sunset of Windows XP: Former Chief Security Officer for Microsoft the Chairman of the Board of Firm Behind Heartbleed. Hhhhmmmmm….
If you are running Windows XP, and are tired of paying for new software, you could check out Ubuntu. It won’t run Windows programs, but it is a very friendly version of Linux, and almost all of the software on it is free, including Thunderbird email, and the LibreOffice office suite (word processing, spreadsheet, and presentation software, supposedly compatible with their MS Office counterparts).
After the dust settles, plan to do some password changes and credit card number changes. Here is the easiest way:
1) Get a new credit card.
2) Review your old credit card statement, and make a list of all automated charges.
3) Go to the websites to change the credit card number for the automated charges.
- Make sure the website is not vulnerable. The Forbes article tells you how (They may have a public statement on their website, or you can contact them to check.)
- Change your password.
- Enter your new credit card number.
- Save your changes.
4) Repeat until you’ve fixed all the sites where you have automated charges.
5) Cancel your old credit card.
If you have a hard time thinking up a new password, you can get a password manager to do it for you: The Best Password Managers
If you use a mobile device (tablet, smartphone), make sure whatever password manager you choose has mobile support.
When you want to go to a new site, that doesn’t know your new credit card number, just do step 3.
It’s a pain, but that way, it doesn’t matter if anyone knows your old credit card number or not – it’s not valid anymore.
The people who found the vulnerability give a great amount of detail here: The Heartbleed Bug
Of course, heartbleed.com may be subject to a conflict of interest: Former Chief Security Officer for Microsoft the Chairman of the Board of Firm Behind Heartbleed.
Another really excellent technical article: Everything you need to know about the Heartbleed SSL bug
It’s a pain for people who manage servers:
On the server side, a lot of people are racing around, trying to figure out if their products and websites are vulnerable, and scrambling to install fixed versions of software. Products built on OpenSSL releases older than 1.0.1 (the release that introduced the heartbeat extension) are not affected; the bug is in OpenSSL 1.0.1 through 1.0.1f and is fixed in 1.0.1g. We actually have one client (who shall remain nameless) that installed an older version of their VPN gateway, so they would not be vulnerable. For people who are managing servers and websites, it is a big deal and a big pain.
This came through the bugtraq mailing list yesterday.
Researchers from the Quotium Seeker Research Center identified a security flaw in Facebook privacy controls. The vulnerability allows attackers to see the friends list of any user on Facebook. This attack is carried out by abusing the ‘People You May Know’ mechanism on Facebook, which is the mechanism by which Facebook suggests new friends to users.
With attacks being on the rise, Facebook is often targeted by hackers for the information it possesses. Users rely on Facebook to maintain their privacy to the best of Facebook’s ability.
To execute the attack, an attacker needs to create a new user on Facebook, and send a friend request to the victim. The victim declining the request is irrelevant. At this point Facebook begins to suggest to the attacker people he may know, with the option of clicking a ‘see all’ button for convenience. The people suggested at this point are the friends of the user to whom the attacker sent a friend request, even when the friends list of the victim is set to private, and the other suggested users also have their friends list private.
For full technical information see www.quotium.com/research/advisories/Facebook_Vulnerability_Discloses_Private_Friends_list.php
FB responded that: “If you don’t have friends on Facebook and send a friend request to someone who’s chosen to hide their complete friend list from their timeline, you may see some friend suggestions that are also friends of theirs. But you have no way of knowing if the suggestions you see represent someone’s complete friend list.” However, research of this issue has shown that most of the friends list, often hundreds of friends, is available to the attacker. In any case, even a partial friends list is a violation of user-chosen privacy controls.
Since this vulnerability renders the privacy control to hide friends lists from other users irrelevant, we hope Facebook will change its mind and this flaw will be addressed.
Irene Abezgauz, VP Product Management at Quotium and Seeker Research Center leader is credited with the discovery of this vulnerability.
I was attending the Northwest Oracle Users Group meeting on Monday. At the beginning of the conference, there was the usual conference business and announcements. The speaker announced that the 1:00 PM technical talk was cancelled due to illness. I looked at the schedule, and thought: Dang. There is nothing else that I want to attend at 1:00 PM. What am I going to do? Probably some of the other people at the conference felt the same way too.
Then, I had a crazy idea. Why not create a database security presentation, and present it at 1:00 PM? I suggested it to my colleague Kelly Gallagher. Kelly is on the board of the NWOUG. She thought it was a great idea. What is the title? How to Protect your Oracle Database from Hackers. Oops. Now, I was on the hook for creating and delivering a presentation about database security in less than 4 hours.
Well, I did it. Some people seemed interested, and Kelly said three people commented that the presentation was excellent. Here is the presentation.
I wish I would have had more prep time… 🙂
Today, I was working on an issue at a client site. I was given a Windows domain account and a personal certificate to login to their VPN. I don’t know how the Windows domain account was created, but I’m assuming that it was nothing special.
Once I connected to VPN, I Remote Desktop’ed into the Windows server with my Windows domain credentials, and started working the issue. I began looking around. I found some errors, and had some emails back and forth with the client to work the problem. Eventually, I discovered that I was working on the wrong server. Oops.
I was grousing over the fact that the client hadn’t given me the correct server info or account login info, when all of a sudden, it hit me: without the correct server or login info, I was able to login to a Windows server, and do work. Could I login to ANY Windows machine with those Windows domain credentials?
Well, it turns out that the answer may be YES, unless additional explicit setup is performed by your Windows administrator. In fact, it not only affects Windows machines, but potentially any server or service that authenticates through Microsoft Active Directory (AD):
- Windows machines.
- Linux machines.
- Oracle Hyperion installs.
- Oracle Business Intelligence EE.
- Oracle E-Business Suite.
- Oracle RDBMS (for enterprise users).
- Oracle Fusion Middleware.
- Web servers in general.
For Windows machines in general, you need to consider:
- Authentication: Windows domain accounts.
- Access Control: Some additional access control mechanism (unless you want all Windows domain users to be able to access all your Windows machines).
Not only does it affect Windows, but it can also affect anything that relies on Microsoft Active Directory for authentication. All software and operating systems want to integrate with Microsoft Active Directory for authentication. It’s wonderful – you get to use the same username and password everywhere, have a central point of administration for account management, etc.
But, to make a secure Microsoft Active Directory integration, you need to consider:
- Authentication: Integration with Microsoft Active Directory for authentication.
- Secure communication: TLS on the connection between your service and your Microsoft Active Directory domain controller (LDAPS on port 636, or StartTLS on port 389). An LDAP simple bind sends the user’s password to the domain controller in cleartext, so without TLS it is on the wire for anyone on the path to read; only a Kerberos (GSSAPI/SASL) bind avoids sending the password at all.
- Access Control: Some additional access control mechanism (unless you want all Windows domain users to be able to access your service).
I think the main message is that you need to separate the concepts of authentication and access control, and remember that, by default, Microsoft Active Directory only takes care of the authentication part. It does not, by default, take care of the access control part, and the access control part is just as critical.
Some things that you integrate with Microsoft Active Directory will not grant access to an authenticated user unless explicit access has also been configured (membership in a specific security group, for example). That is the right behavior. So the problem does not affect everything. It only affects those things that, by default, grant access to any authenticated Windows domain user (like Windows machines…).
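To make the “secure communication” point concrete, here is an added example (mine, not part of the original post) that builds the exact bytes an LDAP simple bind puts on port 389 and then picks the cleartext passwords back out of a “capture”. The capture, DNs and passwords are constructed, not from a real trace; over LDAPS or after StartTLS the same bytes travel inside TLS, and a Kerberos/SASL bind (also shown) carries no password field at all.

```python
"""What an LDAP simple bind looks like on the wire (RFC 4511 BER encoding),
and a scanner that pulls cleartext binds out of a plain-port-389 stream.
Added example, not the post's own code; the capture below is constructed."""

# ASN.1 BER tags used by the LDAP bind exchange
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60        # [APPLICATION 0], constructed
AUTH_SIMPLE = 0x80         # [0] simple password, primitive
AUTH_SASL = 0xA3           # [3] SaslCredentials, constructed


def _length(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def simple_bind_request(message_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }.
    message_id is kept below 128 so the INTEGER fits in one byte."""
    bind = _tlv(BIND_REQUEST,
                _tlv(INTEGER, bytes([3]))
                + _tlv(OCTET_STRING, dn.encode())
                + _tlv(AUTH_SIMPLE, password.encode()))
    return _tlv(SEQUENCE, _tlv(INTEGER, bytes([message_id])) + bind)


def sasl_bind_request(message_id, mechanism, token):
    """Same message with SASL (e.g. GSSAPI/Kerberos): there is no password."""
    creds = _tlv(OCTET_STRING, mechanism.encode()) + _tlv(OCTET_STRING, token)
    bind = _tlv(BIND_REQUEST,
                _tlv(INTEGER, bytes([3]))
                + _tlv(OCTET_STRING, b"")
                + _tlv(AUTH_SASL, creds))
    return _tlv(SEQUENCE, _tlv(INTEGER, bytes([message_id])) + bind)


def _read_tlv(buf, pos):
    """Return (tag, contents, position just after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def cleartext_bind(message):
    """(dn, password) if this LDAPMessage is a simple bind, else None."""
    tag, body, _ = _read_tlv(message, 0)
    if tag != SEQUENCE:
        return None
    _, _, pos = _read_tlv(body, 0)            # messageID
    tag, op, _ = _read_tlv(body, pos)
    if tag != BIND_REQUEST:
        return None
    _, _, pos = _read_tlv(op, 0)              # version
    _, name, pos = _read_tlv(op, pos)         # name (LDAPDN)
    tag, cred, _ = _read_tlv(op, pos)
    if tag != AUTH_SIMPLE:
        return None                           # SASL: no reusable secret here
    return name.decode(), cred.decode()


def find_cleartext_binds(stream):
    """Walk back-to-back LDAP messages (one TCP stream to port 389)."""
    hits, pos = [], 0
    while pos < len(stream):
        _, _, end = _read_tlv(stream, pos)
        hit = cleartext_bind(stream[pos:end])
        if hit:
            hits.append(hit)
        pos = end
    return hits


# Constructed "capture" of a service binding to a DC over plain port 389.
# The DNs and passwords are made up.
CAPTURE = (simple_bind_request(1, "cn=svc-app,ou=service,dc=corp,dc=example", "Winter2014!")
           + sasl_bind_request(2, "GSSAPI", b"\x60\x23\x06\x09...")
           + simple_bind_request(3, "cn=jeff,ou=users,dc=corp,dc=example", "correct horse"))

if __name__ == "__main__":
    for dn, pw in find_cleartext_binds(CAPTURE):
        print(f"cleartext bind: {dn} / {pw}")
```

The scanner only ever sees a password when the bind is a simple bind on an unencrypted connection; that is the combination to hunt for when you audit an integration, and the reason the bullet above asks for LDAPS/StartTLS or Kerberos. The authorization half of the problem still has to be done separately after the bind, for example by searching the user’s memberOf for the group that is allowed onto this particular service.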
I am not a Windows expert, so I contacted the Internet Storm Center for clarification. Some very kind folks at the Internet Storm Center responded. In the order received:
From Guy Bruneau:
I’m no expert on Window AD account restriction but I know you can restrict access to certain boxes via AD. Other Handlers that administer Windows server might answer your question with more details.
From Mark H:
Hey Jeff, It is normal behavior in Windows world, but you do not have to live with the default behavior. What we usually do is change what devices the account can log onto. In AD you can specify exactly which servers the account can log onto. That restricts these kinds of issues and you would have only been able to work on that one device.
From Rob VandenBrink:
You typically need to grant RDP access, but in a lot of cases the users are domain admins, so access isn’t a problem. There are multiple access control methods – a few are outlined here:
But your other observation is spot on – if you have a working account, it’s a great foothold – it’s very common to find “normal” AD users with all sorts of permissions they shouldn’t have.
From Russ McRee:
Granular access and provisioning can (should) absolutely be achieved with Active Directory. Users and machines can be encapsulated in Organizational Units (OUs) and permission established for specific systems granted via membership in security groups. Sound like the folks who gave you access have a flat unstructured domain environment where in everyone with an account has access to everything. Easy to do, sadly common, but not recommended.
From Chris Mohan:
>>>I am curious: do normal MS administrators consider limiting access when they create MS AD accounts?
It should be standard practice to define an account that has access only to the resources the party has to interact with. That understanding is part of any MS training and documentation on the topic. I can attest it’s drilled in to anyone taking MS training, qualifications or that’s read any of the MS best practice papers.
>>>If MS AD authentication = access, then having an MS AD account grants you a lot of access.
Only if misconfigured by the administrator to allow excessive, unnecessary permissions. Sadly this is a general problem, seen commonly across the IT space. Someone running a system or network handing out admin/Root level access “because it’s easier that way” or they simply don’t understand the risk of providing that level of control.
I’d submit that the administrators of that environment hadn’t followed standard, basic security practices for least privileges and limited, defined access, if they only meant for you to work on one server, rather than a group of them. I’d gently bring this up with the client as they may not be aware of this security misstep.
My colleague at Jibe Consulting, Pete Beebe, our Windows admin, wrote this:
No unless the domain administrator explicitly allowed ‘log on to server’ permissions for the AD account that you were using. Normally the ‘log on to server’ policy is included in the Remote Desktop Connection security group. If an account (other than administrator) is not added to the proper security group then logon access to the server is denied. As noted by your later e-mail, it is also possible to explicitly define the server(s) that an AD account can logon to. This combined with the local policy setting (for non-domain servers) and Group policy setting (for Domain member servers) would determine the accessibility of the AD account you’re using while on their network.
I also received a response from David at the Microsoft Security Response Center:
Presumably the client created an AD account with access to more than one server. Unless they specifically lock you out of other machines on that domain, you will have access.
So, consider carefully how you set up Windows domain accounts and security. You may be accidentally allowing more access than you bargained for.
P.S. If you’re a Windows administrator, and you see something that needs correction or clarification, please add a comment!
“You can fool some of the people all of the time, and all of the people some of the time,
but you can not fool all of the people all of the time.”
What is ARP spoofing, and why do I care? If you’re old enough, you might remember the TV show “To Tell The Truth.” The show features a panel of four celebrities attempting to correctly identify a described contestant who has an unusual occupation or experience. This central character is accompanied by two impostors who pretend to be the central character. The celebrity panelists question the three contestants; the impostors are allowed to lie but the central character is sworn “to tell the truth”. After questioning, the panel attempts to identify which of the three challengers is telling the truth and is thus the central character.
Your computer is like one of the celebrities in “To Tell The Truth”. To communicate on your home network, your computer needs to know how to talk to your wireless router. So, it broadcasts a question on your network: “Hey, router: Where are you?”. In computerese, the question looks like: “Who has IP address 192.168.1.1? Tell 192.168.1.11”. In Wireshark, it looks like this:
After your computer broadcasts the question, it listens for an answer. Normally, your wireless router will answer “Here I am!!”. In computerese, the answer looks like “192.168.1.1 is at 28:c6:8e:a4:3c:71”.
In a way, this is a little bit like “To Tell The Truth”. Pretend you are one of the celebrities. There is a mystery guest, and two impostors. The mystery guest is Abe Lincoln, and both impostors are dressed up to look like Abe Lincoln. They all have beards, and a tall stove-pipe hat. Their voices are all the same. How would you tell the real Abe Lincoln from the impostors? You would ask probing questions, right?
For your computer, it is actually harder to tell. Your computer can’t see the contestants. It can’t ask any probing questions. The only thing your computer can ask is: Which one of you is Abe Lincoln? Now, under normal circumstances, only the real Abe Lincoln will answer “I am the real Abe Lincoln”. And, you would begin a conversation with one of the greatest presidents the USA has ever had.
However, if there is a hacker on your network, they can also answer “I am the real Abe Lincoln”. The unfortunate part is that ARP has no way to verify identities, so your computer just has to assume that the conversation it is beginning to have is with the real Abe Lincoln (and if the hacker keeps repeating the answer, it is the hacker’s answer that sticks). That is what ARP spoofing is all about. It is getting your computer to talk to the hacker’s computer, instead of to your wireless router.
Suppose you now browse to your bank’s website. Because your traffic is now flowing through the hacker’s computer, he can forward it on to the real bank and sit between the two of you. This sort of attack is called a “Man In The Middle” attack. A program called SSL Strip takes it a step further. It doesn’t decode your SSL traffic (it can’t); instead it keeps a proper SSL connection to your REAL bank, rewrites the bank’s https links to plain http on the way back to your browser, and reads your password and card number in the clear as they pass through. The same trick works when you are shopping at Amazon.com, etc. Once the hacker has your credit card number or bank account information, you’re in real trouble.
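Here is the ARP exchange described above in actual frames, plus the passive check that ARP-spoofing detectors perform: learn which MAC answers for each IP and alert when that answer changes, or when the Ethernet source of a reply disagrees with the sender address inside the ARP body. This is an added example of mine, not code from the post or from any of the tools it mentions. The router’s IP and MAC are the ones from the post; the victim and attacker MACs and the whole capture are made up.

```python
"""Build the ARP request/reply from the post, then watch replies for the
tell-tale signs of spoofing.  Added example, not the post's code; every
address except the router's is made up, and the capture is constructed."""
import struct
from collections import namedtuple

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def _mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip_str(b):
    return ".".join(str(x) for x in b)


def arp_frame(op, sender_mac, sender_ip, target_mac, target_ip, eth_src=None):
    """Ethernet II header + 28-byte ARP body (Ethernet/IPv4).  eth_src lets
    a test forge a frame whose Ethernet source disagrees with the ARP sender."""
    eth_dst = target_mac if op == ARP_REPLY else BROADCAST
    eth = _mac(eth_dst) + _mac(eth_src or sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip))
    return eth + arp


Arp = namedtuple("Arp", "eth_src op sender_mac sender_ip target_mac target_ip")


def parse_arp(frame):
    """Decode one frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    _, eth_src, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return Arp(_mac_str(eth_src), op,
               _mac_str(frame[22:28]), _ip_str(frame[28:32]),
               _mac_str(frame[32:38]), _ip_str(frame[38:42]))


def detect_arp_spoofing(frames, static=None):
    """Passive check: learn IP->MAC from replies (seeded with static entries
    for the gateway, which are never overwritten) and alert when an IP's MAC
    changes or when the Ethernet source disagrees with the ARP sender."""
    table = dict(static or {})
    alerts = []
    for frame in frames:
        a = parse_arp(frame)
        if a is None:
            continue
        if a.eth_src != a.sender_mac:
            alerts.append(f"header mismatch: {a.sender_ip} claimed by ARP sender "
                          f"{a.sender_mac} but frame came from {a.eth_src}")
        if a.op != ARP_REPLY:
            continue
        known = table.get(a.sender_ip)
        if known is None:
            table[a.sender_ip] = a.sender_mac
        elif known != a.sender_mac:
            alerts.append(f"{a.sender_ip} moved from {known} to {a.sender_mac}")
    return alerts


ROUTER_IP, ROUTER_MAC = "192.168.1.1", "28:c6:8e:a4:3c:71"     # from the post
VICTIM_IP, VICTIM_MAC = "192.168.1.11", "b8:27:eb:12:34:56"    # made up
ATTACKER_MAC = "de:ad:be:ef:00:01"                             # made up

# Constructed capture: the normal exchange, then two spoofed replies.
CAPTURE = [
    arp_frame(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, ZERO_MAC, ROUTER_IP),    # Who has 192.168.1.1? Tell 192.168.1.11
    arp_frame(ARP_REPLY, ROUTER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP),    # 192.168.1.1 is at 28:c6:8e:a4:3c:71
    arp_frame(ARP_REPLY, ATTACKER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP),  # attacker: "I am 192.168.1.1"
    arp_frame(ARP_REPLY, ROUTER_MAC, ROUTER_IP, VICTIM_MAC, VICTIM_IP,
              eth_src=ATTACKER_MAC),                                       # router's MAC inside ARP only
]


def run_demo():
    return detect_arp_spoofing(CAPTURE, static={ROUTER_IP: ROUTER_MAC})


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Two limits worth knowing before you trust a detector like this on its own: it only notices a *change*, so an attacker who answers first on a network with no static entry for the gateway looks legitimate, and it sees only the frames that reach the machine it runs on. That is why the switch-side protections described further down (Dynamic ARP Inspection checking replies against the DHCP snooping table) are the stronger defense in an office.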
What can you do to prevent this? The SSL Strip attack starts with an ARP spoofing attack, so let’s make ARP spoofing harder. How do we do that? There is a good webpage that talks about this very thing: “HOWTO : Protect you from being ARP spoofing.” It also has links to videos that show how to do these attacks (lovely). The author, Samiux, has some good pointers for avoiding ARP spoofing. For Windows and Linux, he points you to “XArp – Advanced ARP Spoofing Detection.”
The author of XArp is Dr. Christoph P. Mayer. His presentation “Securing ARP: An overview of threats, approaches, and solutions” is the most thorough analysis I have seen related to ARP spoofing. Dr. Mayer has a very comprehensive description of what ARP spoofing is, the various types of ARP spoofing, a large number of possible techniques to combat it, strengths and weaknesses of the individual techniques, and a suggestion that you obtain his program XArp. On his website, you can download a free version of XArp (fewer features) or you can buy XArp Professional (more features).
Another research paper on this topic is: “Securing Wireless Networks from ARP Cache Poisoning,” by Roney Philip, San Jose State University. Roney actually writes wireless router firmware to protect against ARP spoofing.
Cisco has a very good paper, “ARP Poisoning Attack and Mitigation Techniques,” that describes two security features of the Cisco Catalyst 6500 Series Switches: DHCP Snooping and Dynamic ARP Inspection (DAI). Both are off by default; your network administrator has to enable them per VLAN, and DAI relies on the DHCP snooping binding table (or static ARP ACLs) to know which IP-to-MAC pairs are legitimate.
Symantec Endpoint Protection, an enterprise-class security suite, has an option to protect against ARP spoofing, but you have to turn it on:
What to do:
1) Make sure your wireless router is configured to support WPA2-AES, and that you have a very strong password. (That keeps strangers off your network; it does nothing about a device that is already on it, which is why the remaining steps matter.)
2) Review the webpage “HOWTO : Protect you from being ARP spoofing” for programs you can install that will help protect against ARP spoofing.
3) If you’re connected to a public wireless network, don’t do any online banking, or make any online purchases. The public network you are connecting to might be a hacker’s laptop.
4) At your office, refer your network administrators to this page. They probably already know all this (and more), but it will serve as a gentle reminder that protection doesn’t do you any good if you don’t turn it on.
What is a security sandbox? Think about the type of sandbox that kids play in. It is a small, safe environment where kids can play with just the toys in the sandbox, and they’re temporarily contained so that they can’t touch anything outside the sandbox (unless they leave the sandbox).
In computer security, there is a concept called the principle of least privilege. What this means is that, when you run a program, it is only given the privileges that it needs to do its job, and no more. For example, Quicken doesn’t need to read your recipe file, and your cooking program doesn’t need to read your Quicken file. This is important. Why? Because if you download a cooking program, because it looks useful and innocent, but is actually malicious, it could send all your files to HACKERS_R_US.COM. We certainly don’t want that. So, we need to implement the principle of least privilege.
How can we keep our possible malicious programs from accessing our Quicken file? Let me stretch the sandbox analogy a little more. Let’s say that the things in the sandbox are files that our program can access, and let’s say that the little kiddo is our program.
Let’s create two separate security sandboxes. One sandbox will be for Quicken, and the other sandbox will be for our example malicious program.
There are two different sandboxes. The files in one sandbox can only be accessed by the program that runs in that sandbox; a program running in a different sandbox can’t see them at all.
That, in a nutshell, is what a security sandbox is. It is just a “box” that a program can run in, that limits what that program can see and do. It is a way to implement the principle of least privilege.
Another way to look at it: The Mac OS X Developer Library has a webpage called About App Sandbox. It’s a pretty helpful diagram:
On the left-hand side, when you run your app without a sandbox, it can access all system resources and all user data on your computer. On the right-hand side, when you run your app in a sandbox, it can only access the resources and user data that it is supposed to access, and no more.
This is great, right? Well, it would be great, except that in Windows 8 and Mac OS X Mountain Lion (10.8) or later, the sandboxes are voluntary: App Sandbox is required only for apps sold through the Mac App Store, and Windows 8 sandboxes only its Store apps (in an AppContainer); anything else you install runs the old way. On the right-hand side, you have an app that can only play in its own sandbox. On the left-hand side, you have an app that can play outside the sandboxes, and also inside ALL the sandboxes.
Programs running outside of a sandbox defeat all the security measures that we were trying to put into place by implementing sandboxes in the first place. This is a side-effect of the basic security model of Windows, Mac OS X, and Linux: permissions are granted to the user, not to the program, so any program you run gets everything you can do, and that opens everyone up to security threats.
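The following is an added example of mine (not from the post or from any operating system’s sandbox) that acts out the two pictures above at the file level. It creates a throwaway home directory with a “Quicken” file and a “cooking” file, then runs the cooking program twice: once with a plain open(), which reads anything, and once through a sandboxed open() that is held to the cooking directory and refuses the two usual escape routes, a “..” path and a symlink planted inside the sandbox that points at the Quicken file. All paths and file contents are made up.

```python
"""Two programs, two sandboxes, at the file level.  Added example, not the
post's code: an unconfined open() reads anything, a sandboxed open() is
held to its own directory even against '..' and symlink escapes."""
import os
import tempfile


def open_in_sandbox(root, relpath, mode="r"):
    """open() that refuses anything outside root.  Symlinks and '..' are
    resolved first, so a link inside the sandbox that points at another
    sandbox's file is rejected rather than followed."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, relpath))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(f"{relpath} resolves outside sandbox {root}")
    return open(target, mode)


def unconfined(root, relpath):
    """What a program gets today without a sandbox: the user's full access."""
    return open(os.path.join(root, relpath))


def build_home():
    """Constructed layout: ~/quicken/ledger.qdf and ~/cooking/recipes.txt,
    plus a symlink the cooking program 'planted' inside its own sandbox."""
    home = tempfile.mkdtemp(prefix="sandbox-demo-")
    os.makedirs(os.path.join(home, "quicken"))
    os.makedirs(os.path.join(home, "cooking"))
    with open(os.path.join(home, "quicken", "ledger.qdf"), "w") as f:
        f.write("account balances (constructed)\n")
    with open(os.path.join(home, "cooking", "recipes.txt"), "w") as f:
        f.write("chili (constructed)\n")
    os.symlink(os.path.join(home, "quicken", "ledger.qdf"),
               os.path.join(home, "cooking", "shortcut"))
    return home


def cooking_program(home, opener):
    """The 'cooking' program, given either opener.  Returns what it read."""
    cooking = os.path.join(home, "cooking")
    attempts = {
        "own file": "recipes.txt",
        "dotdot escape": os.path.join("..", "quicken", "ledger.qdf"),
        "symlink escape": "shortcut",
    }
    got = {}
    for label, rel in attempts.items():
        try:
            with opener(cooking, rel) as f:
                got[label] = f.read().strip()
        except PermissionError:
            got[label] = "DENIED"
    return got


def run_demo():
    home = build_home()
    return {"unconfined": cooking_program(home, unconfined),
            "sandboxed": cooking_program(home, open_in_sandbox)}


if __name__ == "__main__":
    for mode, result in run_demo().items():
        print(mode, result)
```

The check compares the *resolved* path against the sandbox root with commonpath rather than a string prefix; a prefix test would let “/home/me/cooking2/…” through for a sandbox rooted at “/home/me/cooking”. Real sandboxes (App Sandbox, AppContainer, seccomp/namespaces on Linux) enforce the same idea in the kernel, where the program cannot simply skip the check.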
To learn more about security sandboxes, read:
A few months ago, I had a problem with one of my Virtual Machines (VMs), so I fired up Wireshark, and started capturing traffic. At first I thought I was seeing things. There was a bunch of traffic that was not originating on the VM; it was originating on the host OS. That seemed mighty odd. So I did some research.
Apparently, in a Windows VM, you can put the NIC into promiscuous mode, and you can see network traffic on the host. Not only that, you can see network traffic originating on other VMs! Bill Claybrook, a contributor to SearchVMWare, explains the purpose of promiscuous mode:
Promiscuous mode allows a virtual network device — such as a network adapter or virtual network interface card (vNIC) — to intercept and access data in a virtual network packet, including packets intended for other vNICs. If promiscuous mode is disabled, a vNIC will normally drop a packet that’s addressed to a different MAC address. Not all hypervisors allow promiscuous mode (e.g., Microsoft Hyper-V), while others do, such as VMware vSphere.
Claybrook goes on to suggest that you disable promiscuous mode on all your virtual servers. But that’s easier said than done. In fact, for VMware Workstation (VMware’s hosted virtualization solution) running on Windows, the network adapters have promiscuous mode set on, and you can’t change it. (On a Linux host, VMware gates it on file permissions instead: a guest can only put its adapter into promiscuous mode if the user running it can write to the /dev/vmnet* device, so tightening those permissions is the knob.)
I’m not the only one having this problem. One user in a support community writes:
“And yes it seems in Workstation for PC promiscuous mode is permanently switched on. And that there is no way to switch it off! I wonder how this affects security?”
The answer is that it compromises your system’s security. A Virtual Machine is not quite the isolated security sandbox that I thought it was. Edward Haletky, another contributor for SearchVMWare, concludes that, because some systems require promiscuous mode, and because the mitigation steps aren’t foolproof, the best thing to do is implement a rigorous auditing process and strong firewalls:
“Nothing can replace auditing changes to your infrastructure on a regular basis. Several companies have products that do this: Tripwire and Configuresoft. Other companies have tools to prevent traffic to and from the VM in question by placing a virtual jail around the VM: Catbird and Reflex Security… No matter which tool you choose, the use of promiscuous mode enabled port groups implies the need to increase auditing and your own diligent observations.”
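Auditing starts with knowing which adapters are actually promiscuous right now. Here is an added example of mine (not from the post, SearchVMware, or VMware) for a Linux host or guest that answers that from two sources: the IFF_PROMISC bit in /sys/class/net/<dev>/flags, and the kernel’s “device X entered/left promiscuous mode” log lines, replayed so that a capture tool that has already stopped is not reported. The sysfs tree and log lines it runs against are constructed so the example runs anywhere; the constants and message text are the real Linux ones.

```python
"""Find interfaces in promiscuous mode on a Linux host or guest, from the
IFF_PROMISC flag in sysfs and from kernel log lines.  Added example, not
the post's code; the sysfs tree and log lines below are constructed."""
import os
import re
import tempfile

IFF_PROMISC = 0x100          # from <linux/if.h>

# kernel message, e.g. "kernel: device eth0 entered promiscuous mode"
_PROMISC_LOG = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def flags_promiscuous(flags_text):
    """flags_text is the content of /sys/class/net/<dev>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_net="/sys/class/net"):
    """Names of interfaces whose IFF_PROMISC bit is set right now."""
    found = []
    for dev in sorted(os.listdir(sysfs_net)):
        try:
            with open(os.path.join(sysfs_net, dev, "flags")) as f:
                if flags_promiscuous(f.read()):
                    found.append(dev)
        except OSError:
            continue                     # not a real interface entry
    return found


def promiscuous_from_log(lines):
    """Replay kernel log lines; return interfaces still promiscuous at the end."""
    state = {}
    for line in lines:
        m = _PROMISC_LOG.search(line)
        if m:
            state[m.group(1)] = (m.group(2) == "entered")
    return sorted(dev for dev, on in state.items() if on)


# --- constructed inputs ---------------------------------------------------
def build_fake_sysfs():
    """A sysfs-like tree: eth0 normal, eth1 promiscuous, lo loopback."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    for dev, flags in {"eth0": "0x1003", "eth1": "0x1103", "lo": "0x9"}.items():
        os.makedirs(os.path.join(root, dev))
        with open(os.path.join(root, dev, "flags"), "w") as f:
            f.write(flags + "\n")
    return root


SAMPLE_LOG = [   # constructed syslog lines
    "Mar  3 09:12:01 vmhost kernel: device eth1 entered promiscuous mode",
    "Mar  3 09:12:01 vmhost kernel: device vmnet8 entered promiscuous mode",
    "Mar  3 09:40:17 vmhost kernel: device vmnet8 left promiscuous mode",
    "Mar  3 09:41:00 vmhost sshd[2231]: Accepted publickey for jeff",
]


def run_demo():
    return {"sysfs": promiscuous_interfaces(build_fake_sysfs()),
            "log": promiscuous_from_log(SAMPLE_LOG)}


if __name__ == "__main__":
    print("demo:", run_demo())
    if os.path.isdir("/sys/class/net"):
        print("this host:", promiscuous_interfaces())
```

Feeding the log function your real /var/log/kern.log (or journalctl -k output) gives the history Haletky is asking you to audit: who turned promiscuous mode on, and whether it was ever turned off. On vSphere the equivalent control is the port group’s “Promiscuous Mode” security policy, which should be set to Reject except where a monitoring appliance genuinely needs it.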