SQL Injection Attack Cartoon

Posted in Database Security, Fun by Dragan Pleskonjic @ Oct 13, 2007

This xkcd SQL injection attack cartoon is really funny.

[xkcd cartoon: SQL Injection]

Visit xkcd from time to time. It is a really good webcomic of romance, sarcasm, math, and language. xkcd updates every Monday, Wednesday, and Friday.

Thanks to Gojko for bringing this to my attention.
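The cartoon's joke is a textbook injection: a name field whose value is pasted straight into SQL text, so a value that closes the quote and starts a second statement gets executed. The following is an added example (not from the cartoon, the blog, or any real application) that reproduces the mechanism against an in-memory SQLite database and then shows the parameterized query that defuses it. The table name and the sample rows are constructed for the example; the payload is the one the cartoon shows.

```python
import sqlite3

# Constructed sample data for the example, not taken from the page.
SEED_STUDENTS = [("Alice",), ("Bob",)]

# The payload from the cartoon: closes the string and the VALUES list,
# terminates the INSERT, starts a DROP, and comments out the trailing "');".
BOBBY_TABLES = "Robert'); DROP TABLE Students;--"


def make_db() -> sqlite3.Connection:
    """Create a fresh in-memory database with a Students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO Students (name) VALUES (?)", SEED_STUDENTS)
    conn.commit()
    return conn


def insert_student_vulnerable(conn: sqlite3.Connection, name: str) -> None:
    """Build the statement by string concatenation.

    The user-supplied name becomes part of the SQL text, and executescript()
    runs every statement in that text, so an injected second statement runs too.
    (sqlite3's execute() refuses multi-statement strings, which is why a stacked
    query needs executescript() here; other drivers run stacked queries by default.)
    """
    sql = "INSERT INTO Students (name) VALUES ('" + name + "');"
    conn.executescript(sql)


def insert_student_safe(conn: sqlite3.Connection, name: str) -> None:
    """Pass the name as a bound parameter.

    The SQL text is fixed; the driver sends the value separately, so quotes,
    semicolons and comment markers in the value are just characters.
    """
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def student_names(conn: sqlite3.Connection) -> list:
    return [r[0] for r in conn.execute("SELECT name FROM Students ORDER BY id")]


def demo() -> dict:
    """Run both versions against the cartoon payload and report what survived."""
    vuln = make_db()
    insert_student_vulnerable(vuln, BOBBY_TABLES)

    safe = make_db()
    insert_student_safe(safe, BOBBY_TABLES)

    return {
        "table_after_vulnerable_insert": table_exists(vuln, "Students"),
        "table_after_safe_insert": table_exists(safe, "Students"),
        "names_after_safe_insert": student_names(safe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it, the vulnerable path loses the whole table while the parameterized path stores the payload verbatim as a (strange) student name. Sanitizing the input by stripping quotes, as the cartoon's mother hopes the school will do, is the wrong lesson: the fix is to keep data out of the SQL text entirely with bound parameters.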


Oracle 11g Password Cracker

Posted in Database Security by Dragan Pleskonjic @ Sep 29, 2007

The Oracle 11g password algorithm has been revealed. It is based on SHA-1. The Hacker's Choice (THC) says:

vonjeek/THC is proud to release the first full blown cracker for Oracle 11g. This tool can crack passwords which are encrypted using Oracle’s latest SHA1 based password protection algorithm.

You can download the vonjeek/THC tool here. The page has an interesting title: "unbreakable" Oracle uncertified associate.

There is also a story on Pete Finnigan's Oracle security weblog (here).
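Why does a SHA-1 based scheme fall to a cracker so quickly? A single unsalted or lightly salted SHA-1 is fast to compute, so a dictionary attack is limited only by the attacker's hash rate. The following is an added illustration, not THC's tool and not code from this blog. It assumes the widely documented layout of the 11g hash: the string "S:" followed by 40 hex characters of SHA-1 over the password bytes concatenated with a 10-byte salt, followed by the salt itself as 20 hex characters. The salt value, the wordlist and the password used here are constructed for the example.

```python
import hashlib
import os
from typing import Iterable, Optional, Tuple

# Assumed layout of an Oracle 11g password hash (the "S:" value):
#   "S:" + hex(SHA1(password_bytes + salt)) + hex(salt)
# with a 10-byte salt, so the stored string is 2 + 40 + 20 = 62 characters.
SALT_LEN = 10
DIGEST_HEX_LEN = 40
HASH_LEN = 2 + DIGEST_HEX_LEN + SALT_LEN * 2


def oracle11g_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an 11g-style hash string for a password (assumed layout, see above)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    # Passwords are case-sensitive in 11g: no upper-casing before hashing.
    digest = hashlib.sha1(password.encode("utf-8") + salt).hexdigest().upper()
    return "S:" + digest + salt.hex().upper()


def parse_hash(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored value into (digest, salt); reject anything not in the expected shape."""
    if not stored.startswith("S:") or len(stored) != HASH_LEN:
        raise ValueError("not an S: hash of the expected length")
    body = stored[2:]
    try:
        digest = bytes.fromhex(body[:DIGEST_HEX_LEN])
        salt = bytes.fromhex(body[DIGEST_HEX_LEN:])
    except ValueError as exc:
        raise ValueError("hash is not valid hex") from exc
    return digest, salt


def crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: one SHA-1 per candidate, no key stretching to slow us down."""
    digest, salt = parse_hash(stored)
    for candidate in wordlist:
        if hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest:
            return candidate
    return None


# Constructed inputs for the example: a fixed salt so the output is reproducible,
# and a tiny wordlist standing in for a real dictionary.
EXAMPLE_SALT = bytes.fromhex("00112233445566778899")
EXAMPLE_PASSWORD = "Tiger1"
EXAMPLE_WORDLIST = ["oracle", "manager", "tiger", "tiger1", "Tiger1", "scott"]


def demo() -> Optional[str]:
    stored = oracle11g_hash(EXAMPLE_PASSWORD, EXAMPLE_SALT)
    return crack(stored, EXAMPLE_WORDLIST)


if __name__ == "__main__":
    print(oracle11g_hash(EXAMPLE_PASSWORD, EXAMPLE_SALT))
    print("recovered:", demo())
```

The per-password salt only stops a precomputed table from covering every account at once; it does nothing against a guess-per-hash attack, because each guess still costs one SHA-1. That is the point THC's release makes in practice, and why a password hash meant to resist cracking needs a deliberately slow, iterated construction rather than a single fast digest.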


Oracle Likes Word “Unbreakable”

Posted in Database Security, Operating Systems and Application Security by Dragan Pleskonjic @ Dec 1, 2006

It was 2002 when Oracle Corp. Chairman and Chief Executive Officer Larry Ellison said that Oracle software remains unbreakable and mocked a memo sent by arch rival Bill Gates stressing to Microsoft Corp.'s employees the importance of security in the company's products. See an article from that time here. But over time this did not prove entirely true. There were many security breaches and many patches (post is here).

These days Oracle has announced "Oracle Unbreakable Linux" (see more here). The word "unbreakable" should mean, among other things, something about the security of Unbreakable Linux. It will be interesting to follow whether this is proved.

My suggestion is: never, ever use the words "absolutely secure" and "unbreakable" in security terms.


Microsoft vs. Oracle Database Security - Saga Continues

Posted in Database Security by Dragan Pleskonjic @ Nov 22, 2006

This is the third post on the same topic that I'm writing within one week (see previous posts here and here). But the battle that is happening is worth it. A new article titled "Microsoft beats Oracle in security showdown", written by Tom Sanders, appeared on the vnunet.com web site. It mentions David Litchfield's (NGS Software) report and also Eric Ogren's (ESG) report. Alexander Kornbrust, chief executive at Red Database Security, said on the Full Disclosure security mailing list that the comparison between the Oracle and Microsoft products is unfair. Oracle has far more features, providing attackers with more places to target, according to Kornbrust.

Read full article here.


Which database is more secure, Oracle vs. Microsoft?

Posted in Database Security by Dragan Pleskonjic @ Nov 21, 2006

In a recent post on this blog, I mentioned that Enterprise Strategy Group released a research paper comparing the security of Microsoft SQL Server with Oracle and MySQL. This news was posted on Michael Howard's blog, and many people there criticized the data used in the report titled "Microsoft SQL Server Runs the Security Table".

David Litchfield has done some of his own research and created a report comparing SQL Server and Oracle, titled "Which database is more secure? Oracle vs. Microsoft". You can read the full report here.


Microsoft SQL Server Runs the Security Table!?

Posted in Database Security by Dragan Pleskonjic @ Nov 16, 2006

Enterprise Strategy Group just released a research paper comparing the security of Microsoft SQL Server with Oracle and MySQL:

Abstract: The rate of security vulnerabilities documented in the National Vulnerability Database for the major database vendors is noteworthy for the stark contrast between Microsoft, MySQL and Oracle. ESG believes that Microsoft's investments in secure development processes are responsible for the impressive results in SQL Server quality. ESG considers Microsoft, with proper execution, to be years ahead of Oracle and MySQL in producing secure and reliable database products.

This paper has been published on Microsoft's web site (here).
