Archive for the Category: DataBase Security

Oracle databases vulnerable to injected listeners
Monday, April 30th, 2012 | Author: admin

During its latest patch day, Oracle said that a critical hole in the Oracle database had been fixed. The discoverer of the hole, responding to this, went ahead and published the vulnerability details. Although the vulnerability affects almost all Oracle installations in production use, there isn’t actually a patch for these versions. Oracle database administrators themselves should therefore take immediate action to protect their systems.

Oracle credited Joxean Koret at the bottom of its April Critical Patch Update (CPU) documentation. When the security expert asked the company why he had been credited, Oracle replied that it was in acknowledgement of his report of a critical security hole in 2008, and that the hole had now been fixed. Koret therefore proceeded to publish details about the vulnerability, explained how it can be exploited and recommended that users install the latest CPU patches to protect their systems. However, it then turned out that there aren’t actually any patches for any of the currently available Oracle database versions. The security fixes that were described by Oracle refer to the “main code line” only, which is the as yet unreleased Oracle 12. However, as virtually all installations in production use are affected, the vast majority of Oracle administrators have been left out in the cold and must take immediate action themselves.

READ MORE …

Personal data of those registered with the Three Rivers Park District’s reservation database has been compromised. It’s unclear exactly how many usernames and passwords were accessed, but the park district stresses that credit card numbers and other identifying information have not been hacked. The Landing in Shakopee is part of the Three Rivers Park District.

“That data is stored on an external system by a national credit card provider whose system is secure,” Three Rivers Park District Superintendent Cris Gears said Friday.

Gears went on to say that the park district has “reviewed and bolstered our firewalls, and our technical staff and outside consultants have advised us that the system is safe.”

READ MORE …

UK public sector accounts for bulk of data breach fines
Saturday, April 28th, 2012 | Author: admin

The UK’s private sector accounted for more than a third of all reported data breaches over 11 months, but less than 1% of the resulting fines, according to a Freedom of Information request.

The data was issued by the Information Commissioner’s Office after a request by satellite system-maker Viasat.

It shows five fines totalling £790,000 were imposed on the public sector and one £1,000 penalty on a private firm.

The ICO said that it could only impose fines if strict criteria had been met.

READ MORE …

How To Secure Large Data Warehouses
Wednesday, April 25th, 2012 | Author: admin

[Excerpted from "Securing the Data Warehouse," a new report posted this week on Dark Reading's Database Security Tech Center.]

Sony. RSA. Epsilon. Aside from major security breaches, what do these companies have in common? They were all victimized by hackers looking to access large storehouses of corporate data.

Shielding such data from attacks must be a chief priority for any enterprise security team. That means guarding the house in which data resides: the database — or, in a growing number of instances, the data warehouse.

With the amount of data in organizations increasing daily, many enterprises are building data warehouses to centralize the information flowing through their business into useful repositories. From a business and IT standpoint, this makes perfect sense and simplifies data management.

From a security standpoint, however, the model opens up a new set of challenges that requires smart planning and the effective implementation of many of the same security best practices used with databases.

READ MORE …

Details:
Oracle Database provides the OCIPasswordChange API to change user passwords.
This API can be used both while a user is logged on and before the
authentication process has completed, because it must also work for
accounts whose password has expired, so that the user is able to
replace an expired password with a new one.
It was observed that this API can be used to change the password of
users that are locked.  The purpose of locking an account is to
deactivate it once it has received too many failed login attempts or
when no login is expected.  If the password of a locked account can be
changed, the lock is not correctly protecting it, because brute force can
be applied to the account through this API to change its password, and
eventually it will get changed to a known password. The attacker will be
able to log in using the account only once it is unlocked.

http://seclists.org/fulldisclosure/2012/Apr/214
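The flaw described above comes down to where the lock check and the failed-attempt counter are applied: a lockout only protects an account if every path that verifies a credential, including the pre-authentication password-change path, both honours the lock and counts its failures. The following toy model is added here for this page; it is not Oracle's code and not part of the advisory. It places the weak variant (the change-password path ignores the lock and counts nothing) next to the hardened one, and runs a constructed guess list through both as a regression test of the control. `AccountStore`, `MAX_FAILED`, the guess list, the account name and the PBKDF2 round count are all assumptions of the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List

MAX_FAILED = 5          # failed credential checks before the account locks (assumed)
PBKDF2_ROUNDS = 10_000  # kept low so the demonstration runs quickly


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed: int = 0
    locked: bool = False
    expired: bool = False


def _derive(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    """Toy authentication service (hypothetical, not Oracle's implementation).
    enforce_lock=False reproduces the flaw: change_password never consults the
    lock and never counts failures. enforce_lock=True fixes both."""

    def __init__(self, enforce_lock: bool):
        self.enforce_lock = enforce_lock
        self.accounts: Dict[str, Account] = {}
        self.verifications = 0   # how many password hashes were actually checked

    def create(self, user: str, password: str, locked: bool = False) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _derive(salt, password), locked=locked)

    def _verify(self, acct: Account, password: str) -> bool:
        self.verifications += 1
        return hmac.compare_digest(_derive(acct.salt, password), acct.pw_hash)

    def _failure(self, acct: Account) -> None:
        acct.failed += 1
        if acct.failed >= MAX_FAILED:
            acct.locked = True

    def login(self, user: str, password: str) -> bool:
        acct = self.accounts[user]
        if acct.locked or acct.expired:
            return False
        if not self._verify(acct, password):
            self._failure(acct)
            return False
        acct.failed = 0
        return True

    def change_password(self, user: str, old: str, new: str) -> bool:
        """Pre-authentication password change: usable when the password has
        expired, which is the legitimate reason such an API exists."""
        acct = self.accounts[user]
        if self.enforce_lock and acct.locked:
            return False                  # hardened: a locked account stays locked
        if not self._verify(acct, old):
            if self.enforce_lock:
                self._failure(acct)       # hardened: failures count on this path too
            return False
        acct.salt = os.urandom(16)
        acct.pw_hash = _derive(acct.salt, new)
        acct.expired = False
        acct.failed = 0
        return True


# Constructed guess list for the regression test; the real password is last.
GUESSES: List[str] = ["password", "oracle", "welcome1", "admin123", "summer",
                      "letmein", "changeme", "qwerty", "winter2012"]
REAL_PASSWORD = "winter2012"


def exercise(enforce_lock: bool, start_locked: bool) -> dict:
    """Feed the guess list to change_password on one account and report
    whether the lockout control held."""
    store = AccountStore(enforce_lock)
    store.create("app_user", REAL_PASSWORD, locked=start_locked)
    changed = False
    for guess in GUESSES:
        if store.change_password("app_user", guess, "attacker-chosen"):
            changed = True
            break
    acct = store.accounts["app_user"]
    return {"password_changed": changed, "locked_after": acct.locked,
            "verifications": store.verifications}


def lockout_regression() -> Dict[str, dict]:
    """Weak variant on a locked account, hardened variant on a locked and on an
    open account; only the weak one ends with an attacker-chosen password."""
    return {
        "flawed_locked":     exercise(enforce_lock=False, start_locked=True),
        "hardened_locked":   exercise(enforce_lock=True,  start_locked=True),
        "hardened_unlocked": exercise(enforce_lock=True,  start_locked=False),
    }


if __name__ == "__main__":
    for name, outcome in lockout_regression().items():
        print(name, outcome)
```

The three outcomes show the two separate defects: on the locked account the weak store performs a hash comparison for every guess and eventually accepts the right one, while the hardened store performs none; on the open account the hardened store locks after `MAX_FAILED` wrong guesses because the change path feeds the same counter as logon.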

Oracle yesterday released 88 security fixes for vulnerabilities — including several that allow for remote access without authentication — across its portfolio as part of its quarterly Critical Patch Update.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” the company said in its CPU advisory.

The company issued a Security Alert after its last quarterly patch, on January 31, to address a denial of service vulnerability in multiple Oracle products due to hashing collisions. CVE-2011-5035 impacted Oracle WebLogic Server, Oracle Application Server (component: Oracle Container for J2EE/OC4J) and Oracle iPlanet Web Server, and allowed remote exploitation without authentication.

READ MORE …

Three Security Snags That Expose The Database
Friday, April 20th, 2012 | Author: admin

Sure, database security may be incomplete without database activity monitoring or encryption technology in place. But most security practitioners worth their salt know that more often than not, the effectiveness of a database security program rests just as much outside of a database environment as within.

The fact is that today’s data stores are usually exposed as a result of poor security in the infrastructure layers beyond the database. The biggest three culprits: insecure Web applications tapped into the database, poorly administrated machine accounts with high amounts of database privileges, and misconfigured (or nonexistent) network segments.

1. Insecure Web Applications
In spite of the work of groups like OWASP to disseminate coding best practices during the past few years, the fact is that there are still millions of vulnerable Web applications live on the Internet — and where do these apps lead their users? Why, to back-end databases, of course.

READ MORE …

Formulate a Database Security Strategy
Thursday, April 19th, 2012 | Author: admin

Although most organizations are taking stronger measures to protect their data, significant gaps still exist at the very core – their databases. Many don’t have a comprehensive database security strategy to defend against sophisticated attacks, track sensitive data, or even meet emerging regulatory requirements. Read this Forrester paper to help you formulate a database security strategy.


READ MORE …

Hospitals seeing more patient data breaches
Tuesday, April 17th, 2012 | Author: admin

A bi-annual survey of 250 healthcare organizations shows that the percentage experiencing a patient data breach is up. And with the growth in electronic records-keeping, more of those problems are originating from laptops and mobile devices rather than a human slip-up in handling paper documents.

“Use of new technologies, in particular mobile devices in the workplace, has skyrocketed, creating new operational efficiencies and security vulnerabilities,” noted the survey report, entitled the “2012 HIMSS Analytics Report: Security of Patient Data.” The organization Healthcare Information and Management Systems Society also pointed out, “As mobile devices proliferate in exam rooms and administrative areas, so do the associated vectors of potential attack. Adding to this are the risks from employee negligence and organizational policies that have not kept pace with ever-changing technology.”

The survey, commissioned by Kroll Advisory Solutions, asked chief information officers, health information managers, chief privacy officers and chief security officers working at 250 hospitals and medical centers about the number of data breaches they knew about over the past 12 months.

READ MORE …

Using Reverse Proxies To Secure Databases
Monday, April 16th, 2012 | Author: admin

Late last year, I discussed some of the evolutionary changes to database activity monitoring systems. Vendors are bundling in new features that both expand the reach beyond relational databases as well as incorporate new techniques to analyze transactions. But the really interesting stuff is the new methods of security policy enforcement, all of which are predicated on a “reverse proxy” deployment model.

Let’s dig in to the technology a bit more, and then I’ll describe some of the options that are being provided.

A reverse proxy system sits in front of the database, collecting incoming requests from users and applications. Each inbound query is analyzed, and those that don’t violate a security or compliance policy are forwarded to the database. And, in some cases, the database output is scanned for sensitive data. Nothing new here, but this is now viable because false positives and poor reliability issues are now under control. Poor analysis methods would halt legitimate queries, wreaking havoc with application servers, often causing them to hang, time out, or simply crash. Query whitelisting, lexical analysis techniques, and content analysis go a long way to improving these efforts, as does the general maturity of the platforms after a decade or more in development.
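As an added illustration of the query-whitelisting, lexical-analysis and output-scanning steps described above (example code written for this page, not taken from any vendor's product): the proxy reduces each inbound query to a template by masking literals and comments, forwards only templates that appear in the application's known query set, and redacts Luhn-valid card numbers in rows coming back from the database. `QueryFilterProxy`, the sample application queries, the inbound queries and the result rows are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# ---- Lexical normalisation -------------------------------------------------
# The whitelist stores query *shapes*: string and numeric literals become '?',
# comments are dropped, whitespace and case are canonicalised, so the
# application's own queries match even when their bound values differ.
_STRING_LIT = re.compile(r"'(?:[^']|'')*'")
_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
_NUMBER_LIT = re.compile(r"(?<![A-Za-z0-9_])\d+(?:\.\d+)?(?![A-Za-z0-9_])")
_WHITESPACE = re.compile(r"\s+")


def normalize(query: str) -> str:
    q = _STRING_LIT.sub("?", query)          # strings first, so '--' inside them survives
    q = _COMMENT.sub(" ", q)
    q = _NUMBER_LIT.sub("?", q)
    q = _WHITESPACE.sub(" ", q).strip().rstrip(";").strip()
    return q.upper()


@dataclass(frozen=True)
class Decision:
    allowed: bool
    template: str
    reason: str


class QueryFilterProxy:
    """Policy point of a reverse proxy (hypothetical): forward only whitelisted shapes."""

    def __init__(self, known_queries: Iterable[str]):
        self.whitelist = {normalize(q) for q in known_queries}
        self.blocked: List[str] = []   # audit trail of rejected templates

    def check(self, query: str) -> Decision:
        template = normalize(query)
        if template in self.whitelist:
            return Decision(True, template, "matches whitelisted template")
        self.blocked.append(template)
        return Decision(False, template, "no whitelisted template matches")


# ---- Output scanning: card numbers in result rows --------------------------
_PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")   # 13-19 digits


def luhn_valid(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_pans(value):
    """Mask Luhn-valid digit runs inside strings; other values pass through."""
    if not isinstance(value, str):
        return value

    def _mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return "[PAN-REDACTED]" if luhn_valid(digits) else m.group(0)

    return _PAN_CANDIDATE.sub(_mask, value)


def scan_result(rows: Iterable[Tuple]) -> List[Tuple]:
    return [tuple(redact_pans(v) for v in row) for row in rows]


# ---- Constructed sample data (not from any real application) ---------------
APP_QUERIES = [
    "SELECT id, name, email FROM customers WHERE id = 42",
    "SELECT order_id, total FROM orders WHERE customer_id = 42 AND status = 'open'",
    "UPDATE customers SET email = 'x@example.com' WHERE id = 42",
]
INBOUND = {
    "normal":    "SELECT id, name, email FROM customers WHERE id = 1007",
    "injected":  "SELECT id, name, email FROM customers WHERE id = 1007 OR 1=1 --",
    "tautology": "SELECT order_id, total FROM orders WHERE customer_id = 5 AND status = '' OR 'a'='a'",
    "unknown":   "SELECT * FROM dba_users",
}
FAKE_ROWS = [
    (1007, "Alice", "note: card 4111 1111 1111 1111 on file"),
    (1008, "Bob", "ticket 1234567890123 is not a card"),
]


def demo():
    """Return the allow/block verdict per inbound query and the redacted rows."""
    proxy = QueryFilterProxy(APP_QUERIES)
    verdicts = {name: proxy.check(q).allowed for name, q in INBOUND.items()}
    return verdicts, scan_result(FAKE_ROWS)
```

Masking literals is what keeps the whitelist stable across parameter values, and it is also why the injected queries are rejected: once the literals are gone, `... WHERE ID = ? OR ?=?` is a different shape from `... WHERE ID = ?`. A production proxy would use a real SQL lexer rather than regular expressions, and the Luhn test only limits false positives on digit runs; it is not proof that a value is a card number.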

READ MORE …