via DatabaseJournal contributor Rob Gravelle - a well-crafted screed in which Oracle Corporation's (NasdaqGS: ORCL) MySQL is targeted and security advice conveyed. Today's Recommended Reading material.
Posted by Marc Handelman on 2013.05.13 at 09:00 in All Is Information, Data Security, Database Security, Databases, DBMS, Information Security, Open Source | Permalink
Reports indicate that commercial banking institutions in the United States are peeved with the federal response to data-security-related attacks (evidence fingers Iranian sources for the specific attacks under scrutiny)...
Posted by Marc Handelman on 2013.05.02 at 08:00 in Data Loss, Data Loss Prevention, Data Security, Database Security, Economics, Electronic Warfare, Information Security, War, Web Security | Permalink
Interesting commentary by Adrian Lane, Analyst and CTO of Securosis, writing at DarkReading, and targeting the truncated utilization of DAM, the acronym for Database Activity Monitoring. In this case, the problem is the widespread lack of proper deployment and implementation of the query-blocking mechanisms inherent in nearly all DAM products.
Coupled with the apparent lack of core competency in the DAM arena, clients of the software manufacturers flogging these products are probably also deficient in at least three other fundamental aspects of DBMS security activity monitoring products: [1] education and training within the scope of the products, [2] scrutiny of the monitoring log output, and [3] probably the key to everything - the ability to read SQL statements.
Posted by Marc Handelman on 2013.04.29 at 08:00 in Common Sense, Data Security, Database Security, Databases, Information Security | Permalink
Reported by Bloomberg's Karin Matusek and edited by Anthony Aarons comes this well-wrought screed focusing on the recent fine levied by the Bundesrepublik Deutschland on Google Inc. (NasdaqGS: GOOG) for privacy violations in the European Union. The key issue here - other than the obvious egregious criminal privacy infractions - is the unbelievably low sum the search leviathan has been ordered to cough up. As it were...
Posted by Marc Handelman on 2013.04.24 at 09:00 in Advertising, All Is Information, Cybercrime, Database Security, Electronic Crime, Information Security, Law Enforcement, Privacy Violators, You Are Google Inventory | Permalink
Posted by Marc Handelman on 2013.04.16 at 08:30 in Availability, Big Big Data, Database Security, Information Security, Infosecurity Humor, Sarcasm | Permalink
via the recently released Veracode State of Software Security Volume 5 Report, SQL Injection flaws are rampant on the interwebs [surprised?], which points to fundamental coding failures brought on by both incompetent development staff and the oft-mentioned cruft.
The entire scenario equates to simple leadership failure; this fail condition is indicated by the inability to enforce both secure development practices and a verifiable training regime.
While the company responsible for the report is in the business of software security scanning and code review, there is efficacy to the document's underlying information...
Posted by Marc Handelman on 2013.04.11 at 09:00 in Code, Cruft, Data Security, Database Security, Databases, DBMS, Information Security | Permalink
Posted by Marc Handelman on 2013.04.08 at 08:30 in Cruft, Data Security, Database Security, Databases, Sarcasm | Permalink
Posted by Marc Handelman on 2013.04.02 at 08:30 in Availability, Data Loss, Database Security, Databases, DBMS, Sarcasm, Tech Humor | Permalink
Reportedly, evidence detailing intrusions into a United States National Aeronautics and Space Administration [NASA] database management system has forced the Agency to terminate external connectivity to the system, pending a thorough investigation.
Apparently, a PRC national - Bo Jiang - was arrested by Federal Bureau of Investigation Special Agents after boarding a plane to Beijing at Dulles International Airport. Jiang had been working as a contractor at NASA's Langley Research Center; additional information regarding the arrest of the Chinese national points to false statements, possession of specific items [laptop, external storage devices], et cetera. Statements have been made regarding previous exfiltration of data in this individual's past, perhaps leading to this arrest.
Posted by Marc Handelman on 2013.04.01 at 08:10 in All Is Information, Database Security, Electronic Warfare, Espionage, Information Security, National Security, Network Security, War | Permalink
TeamShatter has reported six severe vulnerabilities resident within Oracle Corporation's (NasdaqGS: ORCL) Oracle Enterprise Manager DB Grid Control management facility.
Quite negative news indeed for the all-encompassing server, daemon, code and database control product, not to mention the huge number of deployed bits in both the public and private sectors. Recent Java exploits, piggybacked on these Oracle Enterprise Manager vulns, put the database leviathan into a tenuous posture of insecure cruft deployment.
Whilst all of the enumerated vulns have been officially patched by the company, a vast ocean of deployments is not being updated, generally due to recalcitrant DBAs and their System Administrator colleagues. Their rationale is misguided: they are generally fearful of patchsets targeting Oracle products, due to the severe impact of the crufty bits applied to extant Oracle instances and the subsequent possibility of significant downtime. - mxh
Posted by Marc Handelman on 2013.03.19 at 08:00 in All Is Information, Cruft, Data Loss, Data Loss Prevention, Data Mining, Data Security, Database Security, Databases, DBMS, Information Security | Permalink
Posted by Marc Handelman on 2013.03.13 at 09:00 in Data Loss, Data Security, Database Security, Death of Privacy, Information Security | Permalink
Posted by Marc Handelman on 2013.03.11 at 09:00 in All Is Information, Availability, Data Centers, Data Security, Database Security, Databases, DBMS, Information Security, Information Security Awareness | Permalink
Posted by Marc Handelman on 2013.03.08 at 09:30 in All Is Information, Availability, Data Security, Database Security, Databases, DBMS, Information Science, Information Security, Information Security Awareness | Permalink
Posted by Marc Handelman on 2013.02.22 at 09:30 in Data Security, Database Security, Information Security, Sarcasm | Permalink
Meanwhile, in Oracle Database news, Tanel Poder, perhaps one of the most highly respected, yet quietly competent, Oracle professionals, has released version 4.2 of his well-known [and heavily utilized by DBAs in-the-know] Snapper tool targeting Oracle Database performance metrics.
Whilst not necessarily security-related, his work is highly rated, feature-rich, yet lightweight in DBMS impact, oh, and did I mention available at no charge? If you are in any way related to Oracle DBMS products, you need Snapper 4.x. Keep a sharp eye out for Tanel's seminars, also highly rated.
Posted by Marc Handelman on 2013.02.21 at 08:00 in Data Security, Database Security, Databases, DBMS, Oracle DBMS, PL/SQL | Permalink
via El Reg's Simon Sharwood comes this phenomenal screed evidencing the paucity of subniveal intellect in the so-called 'Social Media' realm...
Whilst social network espionage and data mining have been a function of those networks from day one [anyone who believes this is not the case is sorely misled], state - not to mention corporate - surveillance of those 'networks' is, of course, a common practice.
After all, 'social media' platforms, Facebook, Twitter, Identi.ca, App.net, et al. being exemplary, are essentially scalable relational database management systems with in-built rule sets, which store and make available data that can be mined for information gold, as it were.
Posted by Marc Handelman on 2013.02.13 at 09:00 in All Is Information, Data Mining, Data Security, Database Security, Espionage, Surveillance, You Are FourSquare Inventory, You are Inventory, You Are Twitter Inventory | Permalink
Phenomenal screed decrying the rising state of database dilettantism, by the erudite Fabian Pascal at Database Debunkings. The implications for information security are significant, ranging from availability and injection to the fundamentally astounding lack of data integrity. Outstanding.
Posted by Marc Handelman on 2012.12.18 at 05:00 in All Is Information, Data Security, Database Security, Information Science, Information Security, Mathematics, Relational Algebra | Permalink
The Security Benchmarks division (formerly the Center for Internet Security) has released the organization's new benchmark targeting Oracle Corporation's (NasdaqGS: ORCL) Database 11g Release 2. Highly recommended as the 'playbook' for managing security parameters of existing and new Oracle instances.
Posted by Marc Handelman on 2012.12.14 at 05:00 in All Is Information, Database Security, Information Security | Permalink
News of Swiss Federal Intelligence Service (FIS) (Deutsch: Nachrichtendienst des Bundes NDB, Français: Service de Renseignement de la Confédération SRC) warnings issued to the United States of America and the United Kingdom of Great Britain and Northern Ireland, detailing a data leakage incident perpetrated by an insider. The data: Counterterror in scope.
Posted by Marc Handelman on 2012.12.06 at 05:00 in All Is Information, Data Loss Prevention, Data Security, Database Security, Espionage, Information Security, Insider Attacks | Permalink
Posted by Marc Handelman on 2012.12.03 at 09:00 in All Is Information, Database Security, Espionage, Information Security, Malware, State Sponsored Malware | Permalink
A newly discovered and pernicious SQL Server-targeting malware package has emerged, in this case targeting Microsoft Corporation (NasdaqGS: MSFT) SQL Server databases utilizing an OLEDB vector, specifically in the Middle East. Monikered W32.Narilam, this worm appears to function like most other infectious code, copying itself across and traversing drives and network file shares.
Posted by Marc Handelman on 2012.11.27 at 09:00 in All Is Information, Application Security, Database Security, Information Security, Network Topologies | Permalink
$5.00 for nearly 1 million UIDs revealed during a supposedly confidential discussion between social network behemoth Facebook and Czech blogger Bogomil Shopov.
Posted by Marc Handelman on 2012.10.29 at 12:30 in All Is Information, Database Security, Information Security, Web Security, You Are Facebook Inventory | Permalink
News of successful internal network security attacks targeting Blizzard Entertainment has percolated up through the detritus of the interweb. Bad news for Battle.net players.
Posted by Marc Handelman on 2012.08.15 at 09:00 in All Is Information, Data Security, Database Security, Databases, Information Security, Intelligence Gathering | Permalink
Not the conventional view of a happy ending - more on the eHarmony dump and crack, with reports of the majority of password objects cracked by Trustwave's SpiderLabs (utilizing two of our favorites - John the Ripper and oclHashcat).
Posted by Marc Handelman on 2012.07.13 at 09:00 in All Is Information, Data Security, Database Security, Host Security, Information Security, Vectors, Web Security | Permalink
Another well-crafted screed from the inimitable John Leyden of El Reg - this time detailing the dust-up between and betwixt CyberRoam and the TOR project. Allegations of mass surveillance are rampant, whilst answers are apparently not up to snuff...
Posted by Marc Handelman on 2012.07.12 at 09:00 in All Is Information, Data Security, Database Security, Information Security, Network Security, Network Topologies, Web Security | Permalink
Posted by Marc Handelman on 2012.07.10 at 09:00 in Database Security, Information Security | Permalink
Posted by Marc Handelman on 2012.07.05 at 09:00 in Database Security, Information Security | Permalink
Well-crafted tale, worthy of Charles John Huffam Dickens, detailing the fascinating connection between the LinkedIn password fiasco and Charles Dickens. Highly Pickwickian.
Posted by Marc Handelman on 2012.07.02 at 09:00 in All Is Information, Application Security, Database Security, Host Security, Information Security, Malware, Mathematics, Science, You Are LinkedIn Inventory | Permalink
Posted by Marc Handelman on 2012.06.29 at 09:00 in All Is Information, Data Loss Prevention, Data Security, Database Security, Information Security, Information Security Awareness, Privacy Violators, Thievery, Web Security, You Are Spokeo Inventory | Permalink
Phil Zimmermann, creator of Pretty Good Privacy, in partnership with a select number of former Department of the Navy SEAL SWCC assets, has reportedly crafted a highly effective communications system, with inherently interesting capabilities...
Posted by Marc Handelman on 2012.06.26 at 09:00 in All Is Information, Communications, Computation, Cryptography, Data Security, Database Security, Electronic Warfare, Information Security, Information Security Awareness, National Security | Permalink
Posted by Marc Handelman on 2012.06.22 at 09:00 in All Is Information, Data Loss Prevention, Data Security, Database Security, Information Security, Information Security Awareness, Network Security, You Are LinkedIn Inventory | Permalink
