Oracle Databases Security

Oracle Database Redaction Trivial To Bypass, Says David Litchfield

Posted by timothy
from the let-me-ask-that-another-way dept.
msm1267 (2804139) writes "Researcher David Litchfield is back at it again, dissecting Oracle software looking for critical bugs. At the Black Hat 2014 conference, Litchfield delivered research on a new data redaction service the company added in Oracle 12c. The service is designed to allow administrators to mask sensitive data, such as credit card numbers or health information, during certain operations. But when Litchfield took a close look he found a slew of trivially exploitable vulnerabilities that bypass the data redaction service and trick the system into returning data that should be masked."
  • by boristdog (133725) on Thursday August 07, 2014 @11:02AM (#47622669)

    No, passwords, SSNs, PINs and Credit Card numbers should be hashed before inserting into any table. There is NO reason for anyone to save that data unhashed.

    To compare data, just hash what the customer enters and compare the hashes. Why is this so hard for 99.9% of companies to understand?
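
The hash-then-compare scheme the comment above describes, as an added example that is not part of the original thread or of any Oracle product: a customer-entered secret is stored as a per-record salted PBKDF2 digest and later verified by hashing the new input with the same salt and comparing in constant time. It also enumerates all 10,000 four-digit PINs against an unsalted SHA-256 digest to show the failure mode a plain "just hash it" approach leaves open for low-entropy fields such as PINs or card numbers. Function names, the work factor and the sample PIN are this example's own choices.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Work factor and salt size are this example's assumptions, not values from the
# thread. PBKDF2-HMAC is used because hashlib ships it on every build; SHA-512
# at roughly 210k iterations is in the range OWASP recommends for PBKDF2.
PBKDF2_ITERATIONS = 210_000
SALT_BYTES = 16


def hash_secret(secret: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a storable (salt, digest) pair from a customer-entered secret.

    A fresh random salt per record means two customers with the same PIN get
    different digests, so a precomputed table is useless against the store.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha512", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_secret(candidate: str, salt: bytes, stored_digest: bytes) -> bool:
    """Hash what the customer entered with the stored salt and compare.

    hmac.compare_digest runs in constant time, so the comparison does not leak
    how many leading bytes of the digest matched.
    """
    _, digest = hash_secret(candidate, salt)
    return hmac.compare_digest(digest, stored_digest)


def unsalted_sha256_hex(secret: str) -> str:
    """The naive approach: a fast, unsalted, deterministic hash."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def recover_unsalted_pin(digest_hex: str, digits: int = 4) -> Optional[str]:
    """Recover a PIN from its unsalted SHA-256 by trying every possible value.

    A 4-digit PIN has 10,000 possibilities; enumerating them takes milliseconds.
    The same reasoning applies to other low-entropy fields: card numbers are
    15-16 digits with a Luhn check digit, so their effective keyspace is far
    smaller than the size of the hash output suggests.
    """
    for value in range(10 ** digits):
        candidate = f"{value:0{digits}d}"
        if hmac.compare_digest(unsalted_sha256_hex(candidate), digest_hex):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a customer sets PIN 4271, then enters it again later.
    salt, stored = hash_secret("4271")
    print("correct PIN accepted:", verify_secret("4271", salt, stored))
    print("wrong PIN rejected:  ", not verify_secret("4217", salt, stored))

    # An unsalted digest of the same PIN is recovered in a single pass.
    leaked = unsalted_sha256_hex("4271")
    print("recovered from unsalted SHA-256:", recover_unsalted_pin(leaked))
```

The salted, slow verification path is what "hash and compare" has to mean in practice; the enumeration at the end is the reason a fast unsalted hash of a PIN or card number is not meaningfully different from storing it in the clear.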

  • by Jaime2 (824950) on Thursday August 07, 2014 @11:13AM (#47622781)
    You mean regular DBAs like the next Edward Snowden? Inside threats are important and are one of the reasons this feature exists. Litchfield did what he does best; he showed that the product doesn't quite live up to the marketing material.
  • by i kan reed (749298) on Thursday August 07, 2014 @11:27AM (#47622923) Homepage Journal

    It's the same rule for computers as other systems:

    At some level you have to trust the people who run your systems. Quis custodiet ipsos custodes, ya know?

  • by Rob Riggs (6418) on Thursday August 07, 2014 @12:20PM (#47623373) Homepage Journal

    As a developer in the industry here I can honestly say nobody in our industry would be dumb enough to use this tool.

    Bullshit. As a (former) developer in the industry (still a developer; no longer in the industry) I can honestly say plenty of people in your industry would be dumb enough to use this tool. Especially when some wide-eyed "Oracle DBA(sm)" tells them "I heard about it at Oracle World -- of course it's secure." Seriously -- it is not like retailers hire the best and the brightest. And virtually every online retailer I deal with keeps my CC information on file. Most of them are hard-working, understaffed developers just trying to get the job done and do the bare minimum to meet PCI compliance -- because that is what management wants.
