Oracle Users Shrug at Security Woes

By Lisa Vaas  |  Posted 2005-08-02
News Analysis: Are they in denial about scary-sounding security flaws, late patches and patches that need patching? No, users say, they're just locked down tight and don't find the bugs as troublesome in reality as they are in headlines.

Along with Cisco Systems Inc., Oracle was a choice whipping boy at last week's Black Hat USA security conference. Regardless, Oracle users remained nonplussed by revelations about Oracle security both leading up to and coming from the show.

"In general, Oracle databases are subject to many fewer security attacks than are Microsoft [Corp.]'s database and Microsoft's other products," said Howard Fosdick, an independent consultant, president of FCI, and founder and past president of IDUG and CAMP, in an e-mail exchange. "[And] I think most Oracle users would agree that Oracle provides patches in a manner timely to any issues."

At issue are not only the security flaws themselves, but also how quickly Oracle patches known vulnerabilities and how well it patches those vulnerabilities.
To wit: At Black Hat, Alexander Kornbrust, founder and CEO of Red-Database-Security GmbH and a security researcher known for exposing Oracle product flaws, planned to demonstrate a simple way to crack the encryption used by Oracle database products.
Kornbrust maintains that DBMS Crypto and DBMS Obfuscation, two encryption features that ship with Oracle database products, can be cracked to reveal sensitive corporate data. In the weeks leading up to the show, Kornbrust also warned that Oracle had failed to patch several critical flaws for a period that now exceeds 700 days. On top of that, Oracle's CPUs (cumulative patch updates) for April and July both turned out to be flawed and in need of further patching.
The flood of negative news spurred Oracle to emerge from its usual silence on security headlines. Last week, Oracle Chief Security Officer Mary Ann Davidson wrote an article in which she said that self-interested security researchers who publish flaws before patches are available endanger the industry with their thirst for fame.

Oracle users interviewed for this article agreed with Davidson. "As for those researchers who let exploits and exploit code out of the bag … Well, let's just say that hanging, drawing and quartering is too good for them," said Dick Goulet, a senior Oracle DBA and Oracle Certified DBA, in an e-mail exchange. "And so what if it takes the vendor 700 days to patch the hole. It should be up to the vendor to open Pandora's box if they so desire, not these educated idiots. … They found an exploit, whether or not known by the hacker community, [and] why on earth would you want to place everyone's data at greater risk by publicizing it? All you fuel is more attempted exploits."

While some database experts find Oracle users' tranquility a sign that their heads are in the sand, given the flood of negative news, Oracle users say that their databases are generally tucked so carefully behind firewalls and tended to with such care that there's little need for concern. "We don't have our databases exposed to the Web, so hacker attacks are not much of a priority," Goulet said.

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.