Forwarded From: Nicholas Charles Brawn <ncb05@uow.edu.au>
28 May 98, UK: FIRMS PASS ON SECURITY.
By Steven Mathieson.
Oracle databases at risk.
Companies are leaving their Oracle databases wide open to being read or
erased over the Internet by neglecting to activate elementary security
features such as passwords.
Computing found that a single universal search string, entered into a
standard search engine, brought up the Oracle database administration pages
of several companies and universities.
These pages allowed full access to data on the organisations' Oracle
databases, and the power to change passwords or data and even to shut
databases down.
Vulnerable sites included a UK university, a US consultancy, a US telco and
a Dutch research institution.
One Oracle user, who discovered the problem, has been notifying
organisations he claims are at risk. He believes Oracle should publicise
the dangers.
'It should be blindingly obvious, but it obviously isn't,' he said.
Oracle said that password protection was the default option on its Web
server.
'If you choose not to use passwords, that's up to you, but it is very
foolish,' said Kieran Kilmartin, UK product marketing manager for
development tools at Oracle.
Kilmartin added that unprotected administration pages made any vendor's
Internet-accessible product vulnerable.
Chris Cartledge, deputy director of computing services at Sheffield
University, said that he had managed to shut down a test Oracle database at
the university through an Internet page. The Sheffield site was one of
those found by the Web search.
Cartledge added that some organisations did not consider security when
connecting previously closed systems to the Internet. 'This problem is an
obvious hole, but there are continual security alerts,' he said. 'Users
need to apply continual vigilance.'
Rob Hailstone, chief analyst at Bloor Research, agreed that this kind of
problem was common. 'Oracle should make users aware of this very quickly,'
he said.
SAFE AND SOUND - MAKE SURE YOUR SYSTEM IS SECURE
- Password protection is the minimum level of security. Oracle's database
Web server is preconfigured to use password protection; users who disable
this feature are leaving their database open.
- Other users allow rogue access by setting up a firewall, then forgetting
to put the administration pages behind it.
- Digital ID certification is advisable. Other security measures include
encryption and biometric ID verification.
- Users moving from an intranet to the Internet should be careful: lax
security is suddenly exposed to the world.
Received on Sat May 30 13:53:53 1998