[ISN] Firms Pass on Security

From: mea culpa (jerichoat_private)
Date: Fri May 29 1998 - 23:15:31 PDT


    Forwarded From: Nicholas Charles Brawn <ncb05at_private>

    By Steven Mathieson.

    Oracle databases at risk.

    Companies are leaving their Oracle databases wide open to being read or
    erased over the Internet, by neglecting to activate elementary security
    features such as passwords.

    Computing found that one universal code, entered into a standard search
    engine, brought up Oracle database administration pages for several
    companies and universities.

    These pages allowed full access to data on the organisations' Oracle
    databases, and the power to change passwords or data and even to shut
    databases down.

    Vulnerable sites included a UK university, a US consultancy, a US telco and
    a Dutch research institution.

    One Oracle user, who discovered the problem, has been notifying
    organisations he claims are at risk. He believes Oracle should publicise
    the dangers.

    'It should be blindingly obvious, but it obviously isn't,' he said.

    Oracle said that password protection was the default option on its Web

    'If you choose not to use passwords, that's up to you, but it is very
    foolish,' said Kieran Kilmartin, UK product marketing manager for
    development tools at Oracle.

    Kilmartin added that unprotected administration pages made any vendor's
    Internet-accessible product vulnerable.

    Chris Cartledge, deputy director of computing services at Sheffield
    University, said that he had managed to shut down a test Oracle database at
    the university through an Internet page. The Sheffield site was one of
    those found by the Web search.

    Cartledge added that some organisations did not consider security when
    connecting previously closed systems to the Internet. 'This problem is an
    obvious hole, but there are continual security alerts,' he said. 'Users
    need to apply continual vigilance.'

    Rob Hailstone, chief analyst at Bloor Research, agreed that this kind of
    problem was common. 'Oracle should make users aware of this very quickly,'
    he said.

    - Password protection is the minimum level of security. Oracle's database
    Web server is preconfigured to use password protection - users disabling
    this feature are leaving their database open

    - Other users allow rogue access by setting up a firewall, then forgetting
    to include the administration pages

    - Digital ID certification is advisable. Other security measures include
    encryption and biometric ID verification

    - Users moving from an intranet to the Internet should be careful: lax
    security is suddenly exposed to the world.
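The two failure modes in the list above (password protection switched off on an administration page, and a firewall or access rule that covers the main site but forgets the administration pages) are both inventory problems: somebody has to check every admin path against both controls. The following audit is an added example written for this post; it is not code from the ISN list, the Computing article or Oracle. The endpoint inventory, the path-prefix access-rule format, the intranet ranges and every path and address in it are constructed for illustration.

```python
"""Audit a web-server endpoint inventory for administration pages that are
reachable from the Internet, with or without a password.

Added example, not code from the ISN post, the Computing article or Oracle:
the inventory format, the access-rule format and every sample value below
are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Networks the organisation treats as its intranet (constructed sample).
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Endpoint:
    path: str
    is_admin: bool       # page can change passwords or data, or shut the database down
    requires_auth: bool  # password protection is enabled for this path


def reachable_from_internet(path, access_rules):
    """Return True if sources outside the intranet can reach `path`.

    `access_rules` maps a path prefix to the source networks allowed to reach
    it (a firewall or web-server ACL). The longest matching prefix wins. A
    path with no matching rule falls through to "allow from anywhere", which
    is exactly the 'set up a firewall, forgot the admin pages' case.
    """
    prefixes = [p for p in access_rules if path.startswith(p)]
    if not prefixes:
        return True
    best = max(prefixes, key=len)
    for src in access_rules[best]:
        net = ip_network(src)
        if not any(net.subnet_of(internal) for internal in INTERNAL_RANGES):
            return True
    return False


def audit(endpoints, access_rules):
    """Return (path, severity, message) for every admin page exposed to the Internet."""
    findings = []
    for ep in endpoints:
        if not ep.is_admin:
            continue
        if not reachable_from_internet(ep.path, access_rules):
            continue
        if not ep.requires_auth:
            findings.append((ep.path, "critical",
                             "admin page reachable from the Internet with no password"))
        else:
            findings.append((ep.path, "warning",
                             "admin page reachable from the Internet; a password is the only control"))
    return findings


# Constructed sample inventory: paths and addresses are placeholders.
SAMPLE_ENDPOINTS = [
    Endpoint("/", is_admin=False, requires_auth=False),
    Endpoint("/admin/", is_admin=True, requires_auth=False),          # password protection disabled
    Endpoint("/dba/", is_admin=True, requires_auth=True),             # one allowed range is external
    Endpoint("/reports/admin/", is_admin=True, requires_auth=True),   # covered by the /reports/ rule
]

SAMPLE_ACCESS_RULES = {
    "/reports/": ["10.0.0.0/8"],                  # intranet only
    "/dba/": ["10.1.2.0/24", "203.0.113.0/24"],   # second range is not on the intranet
    # no rule for /admin/: it falls through to "allow from anywhere"
}


if __name__ == "__main__":
    for path, severity, message in audit(SAMPLE_ENDPOINTS, SAMPLE_ACCESS_RULES):
        print(f"{severity:8} {path:18} {message}")
```

Run against the sample, `/admin/` is reported as critical (no rule and no password), `/dba/` as a warning (password present, but one allowed source range is outside the intranet), and `/reports/admin/` is silent because the `/reports/` rule restricts it to the intranet. The default-allow fallthrough in `reachable_from_internet` is deliberate: it mirrors how a missing rule behaves on most servers, so a forgotten admin path shows up as a finding instead of being silently skipped.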
