Category: Misconfigurations

What Every Database Administrator Should Know About Security

[The following is excerpted from "What Every Database Administrator Should Know About Security," a new report posted this week on Dark Reading's Database Security Tech Center.] To say that there is friction between security professionals and database administrators (DBAs) is putting it mildly. Database administrators are both the caretakers of database platforms and the managers of data. Very seldom are they also security experts. In many enterprises, the DBA and the security team find themselves at odds because the DBA is…

De-FUD-ing Privileged User Management

I am proud to write this column for Dark Reading. The biggest reason is I get to share two decades of stuff I’ve seen with databases and security with you, and it starts really good conversations every time I attend security conferences and meet readers face-to-face. I can share perspective, help clarify issues around database threats, and explain the pros and cons of database security products. On occasion, I even get to call BS on things I believe only confuse DBAs and…

Latest DBMS Security Patch Levels – Updated

TeamSHATTER keeps you up to date with the latest DBMS Security Patch levels to ensure you are protected with the latest security fixes. Last updated 3/21/2013

Oracle

Edition | Latest Patch | Release Date | Comments
Database 11g R2, Database 11g R1, Database 10g R2 | Critical Patch Update January 2013 | January 15th 2013 |
Database 10gR1 | Critical Patch Update January 2012 | January 17th 2012 | Out of support. This was the final patch for 10gR1.
Database 9i | Critical Patch Update July 2010…

UNCC Breach Was Caused By Misconfiguration Due To Human Error

Posted May 11, 2012 by Tim Whitman in Attack Vectors, Data Breach, Database Security, Education, Misconfigurations with 0 comments

More disturbing information came out Thursday about UNC Charlotte’s online security breach, where hundreds of thousands of social security numbers were compromised. Now, university officials say they know how the exposure happened. “You get scared because your information might be stolen, like credit card number maybe. It’s really scary,” said a UNCC student. Students and staff were told in February that some 350,000 of them could have had their social security numbers and financial information exposed on the internet. Click…

7 Ways Oracle Puts Database Customers At Risk

Posted May 3, 2012 by Tim Whitman in Data Breach, Database Security, Misconfigurations, Oracle with 0 comments

Last week Oracle bumped heads with the database security community in a communications blunder that caused a proof of concept to be released for an unpatched four-year-old vulnerability in the database’s TNS Listener service. This week Oracle released a workaround, but still no patch, reigniting critics’ claims that the company is neglecting its database customers with shoddy patching practices. Security professionals believe that Oracle is hurting its database customers through security negligence. Here are their charges. Dark Reading did try…

Oracle Issues Security Advisory For 0-Day Affecting ALL Oracle Database Servers


Summary: Oracle rushes out a security advisory with workarounds for a dangerous Database Server security flaw that dates back to 2008. Oracle is scrambling to contain the damage from a vulnerability disclosure hiccup that led to the release of a dangerous zero-day flaw in its flagship Database Server product. The vulnerability, disclosed by researcher Joxean Koret, after he mistakenly thought it had been fixed by Oracle, allows an attacker to hijack the information exchanged between clients and databases. Click for…

You Can’t Protect What You Don’t Know About – Team Shatter Exclusive

The Unknown

It’s 2012. Do you know where your databases are? Most DBAs will probably say “Sure, my ERP backend is the RAC cluster running on these servers over there, my currency trading Sybase backend is running over there, and my intranet SharePoint server has its content stored on the SQL Server under my desk.” But are these really all the database servers you have in your company? “Well yes, of course, these are all our important databases and we run regular…

TeamSHATTER’s Analysis Of The January 2012 Oracle CPU – Team Shatter Exclusive

Throw In The Towel

Every 3 months I analyze the Oracle CPU with regard to the Oracle Database, but this time it’s different, there is nothing to write about (almost). There are only TWO fixes for the Database. This is the lowest number ever since the CPU program has started in 2005. Oracle, what happened? Did you throw in the towel on DBMS fixes? I know it’s not because the Database is finally fixed for good and is now suddenly secure. TeamSHATTER still has…

A Look Back at the Top Breaches of 2011 – Team Shatter Exclusive

2011 brought about a hacking renaissance. We were witness to more major data breaches than at any time in history. We were stunned by seemingly endless runs of intense hacking activity. Hacks against Sony yielded over 100,000,000 records. The dramatic journey of the lulz boat – the Lulzsec hacktivist spree – included breaches of US Senate and CIA systems.

Looking back over 2011’s breach activity, there are many that hit databases, but a few stand out. Here is my list of the 2011 breaches with the biggest impact on database security:

Is Oracle Just Paying Lip Service To Database Security?

Posted December 1, 2011 by Tim Whitman in Attack Vectors, Database Security, General Business, Misconfigurations, Oracle with 0 comments

Is Oracle just paying lip service to database security? Some researchers within the database community think so, complaining that as the software juggernaut has grown with acquisitions such as the blockbuster Sun deal it hasn’t maintained enough resources to securely develop database products and resolve vulnerabilities disclosed by researchers in a timely fashion. “I would say easy fixes get done pretty quickly, within three to six months, but things that are harder and need some changes in architecture or have…
