Tuesday, July 26, 2005

ORACLE SECURITY BYPASSED

Source: Tech World

The standard encryption mechanism used in Oracle's databases can be easily circumvented, according to a German security researcher who last week published details of a number of unpatched security holes in Oracle products. Security expert Alexander Kornbrust will give a presentation at the Black Hat 2005 security conference later this week showing how Oracle's encryption can be broken.

The encryption features that come standard with Oracle's database, the DBMS_CRYPTO and DBMS_OBFUSCATION_TOOLKIT packages, can be circumvented, he explained. "A lot of people think that if they use this DBMS Crypto, a hacker is not able to decrypt the data, but I found a way to get the keys," said Kornbrust, a business director at Red-Database-Security in Germany. "If a hacker breaks into your database, he's able to retrieve all of the sensitive information like credit card numbers."

The problem lies with the design of Oracle's encryption mechanism: the keys are stored unencrypted inside the database, where an attacker who has access to the database can see them and then use them to read the sensitive data they protect.

He suggests a viable solution: customers can purchase Oracle's Advanced Security software, which includes a feature called Transparent Data Encryption (TDE). TDE uses a second encryption key that is stored in an "Oracle wallet" file outside of the database, and is therefore much harder to crack, according to Needham. "If you got access to the key in the database, you still couldn't decrypt the data, unless you got access to the other key as well," he said.

This is not the first time that Kornbrust, a former Oracle employee whose company provides Oracle security consulting services, has pointed out failings in Oracle's products. Last week his company published details of six unpatched security vulnerabilities in Oracle's products, claiming that Oracle had not patched them in the two years since it had first been made aware of the bugs.

It's really strange how the giant back end "Oracle" has allowed security flaws to remain unresolved. This will raise very serious issues in major financial and other critical sectors.