Sunday, February 18, 2007

Oracle Hacker's Handbook

My copy of the Oracle Hacker's Handbook arrived from Amazon a couple of weeks ago (and very promptly too, considering shipping from the US).
Before my review, I'll remind readers that I'm an Oracle developer not a DBA. I have an interest in Oracle security, but it has never been one of my responsibilities.

Firstly, this book makes a couple of references to the Database Hacker's Handbook (which I haven't read). If you are ordering the Oracle book, it's probably worth going for the other too, as I feel that I've missed out on something there. I'll have to save some more pennies. I would have liked to have seen a page on what the DHH book covered.

For a person in charge of security for an Oracle database, it won't be a reassuring read. You'll come away wanting to revoke practically every grant in the database after reading about how vulnerabilities in standard Oracle packages can be exploited. SQL injection seems to be the primary theme of the book, recurring in most of the chapters. About the only chapters that don't involve SQL injection are coverage of the network level and of interaction between PL/SQL, SQL and the Operating System.
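The recurring SQL injection theme above is, in PL/SQL, almost always the same pattern: a definer's-rights routine that builds a statement by concatenating its input, so that whatever the caller passes in runs with the package owner's privileges. The following is an added example, not code from the book or from this post, showing that pattern beside its hardened forms (static SQL, bind variables, DBMS_ASSERT for identifiers that must be dynamic, and invoker's rights) plus the inventory query a DBA would run before deciding which grants to revoke. The schema name app_owner, the customers table and the procedure names are constructed for the illustration.

```sql
-- Vulnerable pattern (constructed example): the value is spliced into the
-- statement text, and the procedure runs with app_owner's privileges (the
-- default, AUTHID DEFINER). Anyone with EXECUTE on it controls the statement.
CREATE OR REPLACE PROCEDURE app_owner.customer_count_vuln (
  p_region IN  VARCHAR2,
  p_count  OUT NUMBER)
AS
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT COUNT(*) FROM app_owner.customers WHERE region = '''
           || p_region || '''';
  EXECUTE IMMEDIATE l_sql INTO p_count;
END;
/

-- Hardened form 1: static SQL. The value can only ever be a value, and the
-- parser never sees it as statement text. Prefer this whenever the statement
-- shape is known at compile time.
CREATE OR REPLACE PROCEDURE app_owner.customer_count (
  p_region IN  VARCHAR2,
  p_count  OUT NUMBER)
AUTHID CURRENT_USER   -- runs with the caller's privileges, not the owner's
AS
BEGIN
  SELECT COUNT(*) INTO p_count
  FROM   app_owner.customers
  WHERE  region = p_region;
END;
/

-- Hardened form 2: dynamic SQL that still binds the value instead of
-- concatenating it, for cases where the statement really must be built
-- at run time.
CREATE OR REPLACE PROCEDURE app_owner.customer_count_dyn (
  p_region IN  VARCHAR2,
  p_count  OUT NUMBER)
AUTHID CURRENT_USER
AS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM app_owner.customers WHERE region = :r'
    INTO p_count USING p_region;
END;
/

-- Hardened form 3: an identifier (table name) cannot be a bind variable, so
-- validate it with DBMS_ASSERT. SQL_OBJECT_NAME raises ORA-44002 unless the
-- argument names an existing object, which also rejects anything containing
-- a quote, semicolon or comment marker.
CREATE OR REPLACE PROCEDURE app_owner.row_count (
  p_table IN  VARCHAR2,
  p_count OUT NUMBER)
AUTHID CURRENT_USER
AS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    INTO p_count;
END;
/

-- DBA check: which SYS-owned packages are executable by everyone? This is
-- the list to review before revoking grants, rather than revoking blindly.
SELECT table_name
FROM   dba_tab_privs
WHERE  owner     = 'SYS'
AND    grantee   = 'PUBLIC'
AND    privilege = 'EXECUTE'
ORDER  BY table_name;
```

Note that the AUTHID CURRENT_USER procedures require the caller to hold SELECT on app_owner.customers directly; that is the point, since the caller then gains nothing from the procedure that they could not already do in their own session.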

My main issue with the book is that it doesn't really describe countermeasures. It isn't an instruction manual for DBAs on how to secure Oracle (though Oracle supply that here). While the title advertises it as a "Hacker's Handbook", the target would be someone in charge of Oracle security who needs to UNDERSTAND the approaches, weaknesses and exploits and has enough Oracle skills of their own to work out how they might apply to their environment and how they can be countered in that environment. I can safely reassure Nuno that there's no cookie cutter treatment here.

Of course, there will be people who buy it to try to crack open an Oracle database. So one other target is the DBA who wants to get management to take security seriously. Buy the book, wave it in front of them, tell them that anyone cleaning the floors in the building can go and buy this book, that you need to do X,Y and Z to stop them cracking the database... Hey, it MAY work. [To be fair, it wouldn't tell a cleaner how to crack Oracle, but if someone proficient in Oracle had a job as a cleaner....]

My only other criticisms are the pages of code listings and the appendix of default usernames and passwords. Given the code is downloadable, some of the larger listings seem like page fillers. For the appendix, a DBA who hasn't already checked and resolved default username/password issues is not going to be buying this book.

For my piece, I learnt -
A bit more about Oracle's network level (e.g. you can tell the difference between an eight character password and a nine character password from the network traffic)
That when it comes to mod_plsql applications, you REALLY need to lock things down
Hackers can be devious buggers
DBAs who say No to certain privileges may have good reasons (but they may not)

If you want a book that tells you how to make Oracle safe, this isn't it. If you want a book that tells you that there isn't a 'safe', just a 'safer', then you'll probably appreciate it.

1 comment:

Noons said...

you know what really scares me?

three years ago I downloaded a piece of network hack monitor software for my Linux laptop.

it basically puts the network card in "promiscuous" mode and takes a peek at every packet going by.

if the packet matches a certain set of - configurable - rules, the packet can be captured locally and investigated in full later on.

took me one hour to set the lappie up and capture every password used to login to Oracle at our site.

unencrypted. right there to be used whenever I wanted.

now: how many sites do you - or I or anyone else listening in - know of that actually use encrypted comms in the intranet?

I know of none. anyone else? how about wireless networks in the office, how many of them are using full encryption?

yet, nary a peep on this subject comes out of the official Oracle security sites.

but there are folks worrying aloud about setting dba passwords on data files when logged on as dbas. duh?!...
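The answer to the sniffing problem raised in the comment is Oracle's native network encryption, configured in sqlnet.ora on the server and verified from inside a session. The block below is an added example, not from the post or the book: the sqlnet.ora lines are shown as comments (they are file contents, not SQL), and the query afterwards reads the real V$SESSION_CONNECT_INFO view to confirm that the current session is actually encrypted. Algorithm names in the config are what a 10g/11g server accepts; newer releases add SHA-2 checksums. Before 2013 these parameters needed the separately licensed Advanced Security Option; Oracle has since made native network encryption available at no extra cost, so check the licensing note for your release rather than assuming either way.

```sql
-- Server-side sqlnet.ora (constructed example; these are file lines, not SQL):
--
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
--
-- REQUIRED (rather than REQUESTED or ACCEPTED) makes the listener refuse any
-- client that cannot negotiate encryption, so a misconfigured client fails
-- loudly instead of silently falling back to clear text. The checksum
-- parameters add per-packet integrity so traffic cannot be modified in
-- transit either.

-- Verification from inside a session: when encryption is active the banner
-- rows for the session include an "Encryption service" line naming the
-- negotiated algorithm; when it is not, only the protocol adapter and
-- authentication service lines appear.
SELECT sid,
       network_service_banner
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID')
ORDER  BY sid;

-- Site-wide check a DBA can run: sessions with no encryption banner at all.
-- Anything returned here is talking to the database in clear text.
SELECT s.sid, s.username, s.machine
FROM   v$session s
WHERE  s.username IS NOT NULL
AND    NOT EXISTS (
         SELECT 1
         FROM   v$session_connect_info c
         WHERE  c.sid = s.sid
         AND    c.network_service_banner LIKE '%Encryption service%')
ORDER  BY s.sid;
```

Running the site-wide query before flipping ENCRYPTION_SERVER to REQUIRED shows which clients would be cut off, which is the practical way to roll the change out without an outage.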