Forwarded From: Nicholas Charles Brawn <ncb05at_private>

28May98 UK: FIRMS PASS ON SECURITY
By Steven Mathieson

Oracle databases at risk.

Companies are leaving their Oracle databases wide open to being read or erased over the Internet, by neglecting to activate elementary security features such as passwords.

Computing found that one universal code, entered into a standard search engine, brought up Oracle database administration pages for several companies and universities. These pages allowed full access to data on the organisations' Oracle databases, and the power to change passwords or data and even to shut databases down. Vulnerable sites included a UK university, a US consultancy, a US telco and a Dutch research institution.

One Oracle user, who discovered the problem, has been notifying organisations he claims are at risk. He believes Oracle should publicise the dangers. 'It should be blindingly obvious, but it obviously isn't,' he said.

Oracle said that password protection was the default option on its Web server. 'If you choose not to use passwords, that's up to you, but it is very foolish,' said Kieran Kilmartin, UK product marketing manager for development tools at Oracle. Kilmartin added that unprotected administration pages made any vendor's Internet-accessible product vulnerable.

Chris Cartledge, deputy director of computing services at Sheffield University, said that he had managed to shut down a test Oracle database at the university through an Internet page. The Sheffield site was one of those found by the Web search. Cartledge added that some organisations did not consider security when connecting previously closed systems to the Internet. 'This problem is an obvious hole, but there are continual security alerts,' he said. 'Users need to apply continual vigilance.'

Rob Hailstone, chief analyst at Bloor Research, agreed that this kind of problem was common. 'Oracle should make users aware of this very quickly,' he said.
SAFE AND SOUND - MAKE SURE YOUR SYSTEM IS SECURE

- Password protection is the minimum level of security. Oracle's database Web server is preconfigured to use password protection; users disabling this feature are leaving their database open.
- Other users allow rogue access by setting up a firewall, then forgetting to include the administration pages.
- Digital ID certification is advisable. Other security measures include encryption and biometric ID verification.
- Users moving from an intranet to the Internet should be careful: lax security is suddenly exposed to the world.