Martins Blog

Trying to explain complex things in simple terms

Archive for the ‘Security’ Category

The art of getting security right-an observation

Posted by Martin Bach on October 7, 2011

A number of high-profile hacks, recent and not so recent, have caught my attention. Well, I thought, not such a big problem-I don’t have a PS3 and hence don’t have an account that can be hacked. I was still intrigued that the hackers managed to get hold of the passwords. I may be wrong here, as I haven’t followed the developments closely enough (as I wasn’t affected), but the question I asked myself was: how can they be obtained? Surely Sony must have used some sort of encryption for passwords. It’s so far-fetched that anybody stores passwords in clear text somewhere!

Oh well then, Sony has been targeted a number of times and time and time again the security was breached. The only consolation is that the intruders made it very public when they were successful; otherwise we’d never have learned about the problems Sony has with security.

Now other sites were hacked as well, and somehow I felt the impacts coming closer, such as kernel.org and others.

Hetzner

Oh well, the world is a bad place and the bad guys are way ahead of the good ones, I thought, for as long as I’m not affected… That held until today, when the ISP and infrastructure provider I am hosting my lab at sent out an email saying that their systems had been compromised and that every customer should change all the passwords they had used with the administrative, web-based interface as well as the accounts on the servers themselves. I was very happy with Hetzner as their EQ8 server offering was a system I used extensively.

What can I say? I’m not impressed at all. Again, how can passwords be stored in a system in a way that makes it easy to compromise them? Was that an Excel sheet? Why can’t passwords be stored as salted hashes with a strong, slow algorithm, so that what an intruder gets hold of is just garbage? I think a global standard has to be put in place, similar to the PCI standard, which makes protecting stored passwords with strong algorithms mandatory. Better still, failing to do so should be fined. In a way that it hurts.

For those who are interested, the website www.hetzner-status.de has the latest. I was considering moving some of my other domains over to them but may have to rethink that strategy.

Clear text passwords in email

But it’s not only the careless storage of sensitive information on one’s own systems. How many times have you received an email saying “welcome to service xyz, your username is abc and your password def”? A password that travels in clear text through every mail relay on the way is as good as public. They might as well include your bank details, credit card number and expiry date too.

There has to be a wake-up call in the industry: it is far too simple to outsmart you! Do use strong encryption to protect customer data and identities. Failing to do so can, and maybe one day will, cripple the online business of many companies, causing so-called financial analysts to spread panic and sell lots of shares, plunging economies into difficult times.

Finally

Passwords aren’t a good enough solution for protecting identity and access to one’s accounts. IMO there should be better ways of preventing unauthorized access to your confidential data. What about a fingerprint reader? Or an iris scan? Sounds like James Bond at the moment, but if we are to trust the infrastructure again we need to think of alternatives to passwords. To be secure they are long, clumsy and hard to memorise, so you end up using one for almost everything. Also, rootkits undermine your home PC and can make almost all online banking a very dangerous game. Trojans are able to undermine the security of the iTAN system, yet my bank, HSBC, doesn’t offer one of the only safe options for Internet banking: HBCI. Are we just too naïve? A 16-year-old schoolboy from Germany performed a “safety audit” of many German banks’ online applications and found that most of them were insecure (XSS being the main problem).

Post Scriptum

If anyone knows a reliable, responsible service provider where I can move my domains to, please get in touch!

Posted in Security | 2 Comments »

Check for non-successful connection attempts in listener.log

Posted by Martin Bach on February 9, 2010

This could become a regular question from your security team: can you find out if someone tried to mess with the listener while trying to connect? You often see attackers target port 1521 and send random garbage down the wire. The listener initially accepts the connection but closes it when it doesn’t receive the data it expects.

This is another reason why unix/linux is way cooler than Windows.

Let’s assume you need to find out whether there were any unsuccessful connection entries in the listener.log for a given day. First of all, what do successful entries look like? Typical entries are as follows (each entry is a single line in the file):

08-FEB-2010 04:49:54 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))(SERVICE_NAME=testserv) * (ADDRESS=(PROTOCOL=tcp)(HOST=oracleserver)(PORT=4307)) * establish * testserv * 0
08-FEB-2010 04:49:55 * service_update * dev1 * 0
08-FEB-2010 04:49:57 * service_update * dev3 * 0

The important bit is at the end: the “0” means “normal, successful completion”. If there was a problem, you would therefore expect an Oracle error number from the TNS range (ORA-12xxx, i.e. greater than 12000) in that position instead.

Awk is the Swiss army knife for finding such results, and this is how you could use it (apologies in advance for my poor command of awk; if you know a better way please let me know!):

$> grep "08-FEB" listener.log | awk  '{ if ( $NF != 0 ) print $0 }'

The built-in variable NF holds the number of fields on the current line (fields are numbered from $1), so $NF is the last field. In summary, this little snippet does the following:

  1. Find all lines for a given day (here: February 8th) in the $ORACLE_HOME/network/log/listener.log file (the 10g location; from 11g onwards the file lives in the ADR under $ORACLE_BASE/diag/tnslsnr/<host>/listener/trace). In production use the full date including the year, otherwise you match the same day of every year the log covers.
  2. Print the lines where the last field is not equal to 0

This can easily be wrapped up into a Nagios check to be executed by NRPE. If in doubt: simplify (to quote Piet de Visser).
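The same check grown into a small NRPE-ready script, as an added example that is not part of the original post: the awk expression becomes a function that scans one day, and a wrapper turns the number of hits into Nagios exit codes. It assumes 10g-style single-line listener.log entries that end in the return code, and it takes the full date (08-FEB-2010) rather than just day and month; the sample log it writes is constructed for the demonstration, not a real capture.

```sh
#!/bin/sh
# Added example (not from the original post): the awk check from above as
# a function plus an NRPE-style wrapper. Assumptions: 10g-style listener.log
# entries, one per line, ending in the TNS return code, and a day string in
# the log's own format such as 08-FEB-2010 (the full date avoids matching
# the same day of another year).

failed_listener_entries() {
    # $1 = day string (e.g. 08-FEB-2010), $2 = path to listener.log
    # Prints every entry of that day whose last field is not 0.
    awk -v day="$1" '
        # only lines that start with the requested day; this skips the
        # listener banner and other lines that merely mention the date
        index($0, day) == 1 {
            # a well-formed entry always ends in a numeric return code,
            # so a non-numeric last field is reported as well
            if ($NF !~ /^[0-9]+$/ || $NF + 0 != 0) print
        }' "$2"
}

nagios_listener_check() {
    # $1 = day, $2 = listener.log, $3 = number of failures that is CRITICAL
    # Returns Nagios exit codes: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN.
    day="$1"; logfile="$2"; critical="${3:-5}"
    [ -r "$logfile" ] || { echo "UNKNOWN - cannot read $logfile"; return 3; }
    n=$(failed_listener_entries "$day" "$logfile" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "OK - no failed connection attempts on $day"; return 0
    elif [ "$n" -ge "$critical" ]; then
        echo "CRITICAL - $n failed connection attempts on $day"; return 2
    else
        echo "WARNING - $n failed connection attempts on $day"; return 1
    fi
}

make_sample_log() {
    # Constructed sample listener.log (not real data) for a stand-alone run:
    # a banner line, two good entries, a scanner-style attempt (12525),
    # a client asking for an unknown service (12514) and an entry of
    # the following day.
    cat > "$1" <<'EOF'
TNSLSNR for Linux: Version 10.2.0.3.0 - Production on 08-FEB-2010 04:00:00
08-FEB-2010 04:49:54 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))(SERVICE_NAME=testserv)) * (ADDRESS=(PROTOCOL=tcp)(HOST=oracleserver)(PORT=4307)) * establish * testserv * 0
08-FEB-2010 04:49:55 * service_update * dev1 * 0
08-FEB-2010 16:25:56 * <unknown connect data> * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.36.135)(PORT=3929)) * establish * <unknown sid> * 12525
08-FEB-2010 16:26:01 * (CONNECT_DATA=(SERVICE_NAME=nosuchsvc)(CID=(PROGRAM=sqlplus)(HOST=client1)(USER=bob))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.36.140)(PORT=40011)) * establish * nosuchsvc * 12514
09-FEB-2010 01:00:00 * service_update * dev1 * 0
EOF
}

# stand-alone demonstration on the constructed sample
SAMPLE="${TMPDIR:-/tmp}/listener.sample.$$"
make_sample_log "$SAMPLE"
failed_listener_entries 08-FEB-2010 "$SAMPLE"
nagios_listener_check 08-FEB-2010 "$SAMPLE" || echo "exit status $?"
rm -f "$SAMPLE"
```

Run without arguments for the demonstration; in an NRPE command definition call nagios_listener_check with the day built from `date +%d-%b-%Y | tr a-z A-Z` and the real log path, and tune the third argument to what counts as critical in your environment.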

So next time you get output such as:

09-FEB-2010 16:25:56 * <unknown connect data> * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.36.135)(PORT=3929)) * establish * <unknown sid> * 12525

… something fishy might be going on. oerr ora <number> gives you more information about what happened; 12525 here is “TNS:listener has not received client’s request in time allowed”, which is exactly what a port scanner or a client sending garbage provokes. Note the unknown connect data and unknown SID: a genuine client mistake normally at least names a service.

By the way this is gawk-3.1.5-14.el5 on RHEL 5.3.

Posted in Linux, Oracle, Security | 5 Comments »

Oracle’s secure external password store

Posted by Martin Bach on November 23, 2009

I have written a large number of Nagios checks of varying degrees of sophistication over the past years, most of them Perl scripts. The general problem one faces with these is the database login. Regardless of which way you choose, a password will be stored somewhere, and nothing is worse than storing the sys password in clear text for checking standby databases. I only found two ways acceptable:

  • Using the cryptographic API
  • Using Oracle’s secure password store

I freely admit that I never really attended cryptographic courses at the University and neither was I too keen on this as a solution was needed quickly. So sorry, I won’t go into the perl cryptography here (but I found this link useful: http://www.perl.com/pub/a/2001/07/10/crypto.html).

When I saw that RUEI (Real User Experience Insight) uses exactly this to connect to the database, I thought it was really worth spending time on. The secure password store is also something very few people seem to know about, but bear in mind it’s very basic. If I remember correctly I tested this with DBD::Oracle 1.21 on Linux and Oracle 10.2.0.3 32-bit.

An example says more than 1000 lines of text, so without further ado here’s a stub that worked:

#!/u01/app/oracle/product/10.2.0/db_1/perl/bin/perl
# Connects via the secure external password store: the wallet supplies
# the credentials for the TNS alias, so no password appears in the script.

use strict;
use warnings;
use DBI;

# Empty (not undef) user and password: undef would make DBI fall back to
# the DBI_USER/DBI_PASS environment variables, which is not what we want.
# RaiseError makes a failed login or query die instead of going unnoticed.
my $dbh = DBI->connect("dbi:Oracle:secureTNSName", "", "",
                       { RaiseError => 1, PrintError => 0 });

my $sth = $dbh->prepare("select name from v\$database");
$sth->execute();

while (my $r = $sth->fetchrow_hashref('NAME_lc')) {
    print "$r->{name}\n";
}

$sth->finish();
$dbh->disconnect();

The script uses Oracle’s Perl, which comes with every database, connects via the secure TNS name (note the lack of a password!), then queries and prints the database name. Before this works, a few prerequisites must be in place.

First I created a new directory for my tnsnames.ora and sqlnet.ora files so as not to interfere with the settings in $ORACLE_HOME/network/admin; TNS_ADMIN points the client at it.

[oracle@devbox001 securePasswordStore]$ export TNS_ADMIN=`pwd`
[oracle@devbox001 securePasswordStore]$ echo $TNS_ADMIN
/home/oracle/martin/securePasswordStore

[oracle@devbox001 securePasswordStore]$ mkstore -wrl `pwd` -create
Enter password:
Enter password again:
[oracle@devbox001 securePasswordStore]$ ls -lrt
total 20
-rw-r--r--    1 oracle   oinstall      163 Jun  5 10:31 tnsnames.ora
-rw-------    1 oracle   oinstall     7912 Jun  5 10:32 ewallet.p12
-rw-------    1 oracle   oinstall     7940 Jun  5 10:32 cwallet.sso

This creates the wallet and secures it with a password. Note the two files: ewallet.p12 is the password-protected wallet, cwallet.sso is its auto-login copy, which is what lets clients use the stored credentials without being asked for the wallet password. That convenience means the file permissions (0600, owned by the user running the checks, as shown above) are the entire protection: anyone who can read cwallet.sso can log in as the stored user. So far the wallet is empty. Let’s add credentials to it:

[oracle@devbox001 securePasswordStore]$ mkstore -wrl `pwd` \
 >  -createCredential secureTNSName martin somePassword
Enter password:
Create credential oracle.security.client.connect_string1

This created a credential for user “martin” with password “somePassword” under the identifier “secureTNSName”. The identifier must match the TNS alias you later connect with, and note that the password has just gone into your shell history, so clear that afterwards. Let’s create the corresponding tns entry; we connect to the single instance database “DEV”:

[oracle@devbox001 securePasswordStore]$ vi tnsnames.ora
secureTNSName =
  (DESCRIPTION =
    (ADDRESS_LIST =
      (ADDRESS = (PROTOCOL = TCP)(HOST = devbox001)(PORT = 1521))
    )
    (CONNECT_DATA =
       (SERVICE_NAME = DEV)
    )
 )

[oracle@devbox001 securePasswordStore]$ tnsping secureTNSName

TNS Ping Utility for Linux: Version 10.2.0.3.0 - Production on 05-JUN-2009 10:35:07

Copyright (c) 1997, 2006, Oracle.  All rights reserved.

Used parameter files:

Used TNSNAMES adapter to resolve the alias
Attempting to contact (DESCRIPTION = (ADDRESS_LIST = (ADDRESS = (PROTOCOL = TCP)
  (HOST = devbox001)(PORT = 1521))) (CONNECT_DATA = (SERVICE_NAME = DEV)))
OK (0 msec)

The sqlnet.ora file needs some changes as well. For me it was the wallet location plus SQLNET.WALLET_OVERRIDE, which tells the client to authenticate with the wallet credentials instead of OS authentication when it sees a “/” login:

[oracle@devbox001 securePasswordStore]$ cat sqlnet.ora

SQLNET.WALLET_OVERRIDE = TRUE
WALLET_LOCATION =
 (SOURCE=
   (METHOD = FILE)
    (METHOD_DATA = (DIRECTORY=/home/oracle/martin/securePasswordStore)
   )
 )

With that we are now ready to connect! Note that the syntax requires you to specify the TNS name directly after the “/”, no spaces allowed.

[oracle@devbox001 securePasswordStore]$ sqlplus /@secureTNSName

SQL*Plus: Release 10.2.0.3.0 - Production on Fri Jun 5 10:43:33 2009

Copyright (c) 1982, 2006, Oracle.  All Rights Reserved.

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, OLAP and Data Mining options

SQL> show user
USER is "MARTIN"
SQL> select name from v$database;

NAME
---------
DEV

SQL> exit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, OLAP and Data Mining options
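Because the auto-login wallet turns file permissions into the only line of defence, a pre-flight check is worth running before a monitoring script trusts the store. The following is an added example and not code from the original post: it verifies that the four files exist, that the wallet files are not readable or writable by group or world, that sqlnet.ora enables the wallet and names the directory, and that the alias is defined in tnsnames.ora. The directory layout, the alias secureTNSName and the empty placeholder files it creates for the demonstration are assumptions; the placeholders are not a real wallet.

```sh
#!/bin/sh
# Added example, not part of the original post: a pre-flight check that a
# monitoring script can run before relying on the secure external password
# store. cwallet.sso is an auto-login wallet, so anyone who can read it can
# log in as the stored user; the check therefore fails on group/world
# accessible wallet files. Assumptions: the directory holds sqlnet.ora,
# tnsnames.ora, ewallet.p12 and cwallet.sso, and the credential identifier
# equals the tnsnames.ora alias (secureTNSName in the demonstration).

check_wallet_dir() {
    dir="$1"     # directory named in WALLET_LOCATION (and TNS_ADMIN)
    alias="$2"   # identifier given to mkstore -createCredential
    rc=0

    for f in ewallet.p12 cwallet.sso sqlnet.ora tnsnames.ora; do
        [ -f "$dir/$f" ] || { echo "FAIL: $dir/$f missing"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # columns 5-10 of ls -l are the group and other permission bits;
    # both wallet files must show ------ there (mode 0600 or stricter)
    for f in ewallet.p12 cwallet.sso; do
        case "$(ls -l "$dir/$f" | cut -c5-10)" in
            ------) ;;
            *) echo "FAIL: $dir/$f is readable or writable by group/other"; rc=1 ;;
        esac
    done

    # sqlnet.ora must switch the wallet on and point at this directory;
    # whitespace is stripped so the multi-line WALLET_LOCATION form matches
    stripped=$(tr -d ' \t' < "$dir/sqlnet.ora")
    echo "$stripped" | grep -iq '^SQLNET\.WALLET_OVERRIDE=TRUE$' \
        || { echo "FAIL: SQLNET.WALLET_OVERRIDE=TRUE not set in $dir/sqlnet.ora"; rc=1; }
    echo "$stripped" | grep -Fq "(DIRECTORY=$dir)" \
        || { echo "FAIL: WALLET_LOCATION in $dir/sqlnet.ora does not name $dir"; rc=1; }

    # the stored credential is only reachable if the alias resolves
    grep -Eiq "^[[:space:]]*$alias[[:space:]]*=" "$dir/tnsnames.ora" \
        || { echo "FAIL: alias $alias not defined in $dir/tnsnames.ora"; rc=1; }

    # the client only reads this sqlnet.ora if TNS_ADMIN points here
    [ "${TNS_ADMIN:-}" = "$dir" ] \
        || echo "WARN: TNS_ADMIN is '${TNS_ADMIN:-}', not $dir"

    [ "$rc" -eq 0 ] && echo "OK: $dir is usable for sqlplus /@$alias"
    return "$rc"
}

make_demo_store() {
    # Constructed demonstration directory: empty placeholder files stand in
    # for the real wallet; sqlnet.ora and tnsnames.ora follow the post.
    d="$1"
    mkdir -p "$d"
    : > "$d/ewallet.p12"
    : > "$d/cwallet.sso"
    chmod 600 "$d/ewallet.p12" "$d/cwallet.sso"
    printf 'SQLNET.WALLET_OVERRIDE = TRUE\nWALLET_LOCATION =\n (SOURCE=\n   (METHOD = FILE)\n    (METHOD_DATA = (DIRECTORY=%s)\n   )\n )\n' "$d" > "$d/sqlnet.ora"
    printf 'secureTNSName =\n  (DESCRIPTION =\n    (ADDRESS = (PROTOCOL = TCP)(HOST = devbox001)(PORT = 1521))\n    (CONNECT_DATA = (SERVICE_NAME = DEV))\n  )\n' > "$d/tnsnames.ora"
}

# stand-alone demonstration: a correct store, then a careless chmod
DEMO="${TMPDIR:-/tmp}/securePasswordStore.demo.$$"
make_demo_store "$DEMO"
check_wallet_dir "$DEMO" secureTNSName || echo "check failed ($?)"
chmod 644 "$DEMO/cwallet.sso"
check_wallet_dir "$DEMO" secureTNSName || echo "check failed ($?)"
rm -rf "$DEMO"
```

Call check_wallet_dir with the real store directory and alias at the start of each Nagios plugin (or once from a separate check); a non-zero return means the plugin should report UNKNOWN rather than attempt a login that will either fail or, worse, succeed from a wallet anybody on the box can read.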

Metalink references:

  • 340559.1 – Using The Secure External Password Store
  • 403744.1 – How to Use an External Password Store With The JDBC Driver

Sometimes it takes a training course to get to know these features; I picked this one up when I did the security training, which really is more of a course for developers, but never mind.

Posted in Oracle, Perl, Security | 8 Comments »