back to article Oracle Database 12c's data redaction security smashed live on stage

Oracle’s much-ballyhooed data redaction feature in Database 12c is easy to subvert without needing to use exploit code, attendees at Defcon 22 in Las Vegas have heard. The redaction features in 12c are designed to automatically protect sensitive database material by either totally obscuring column data or partially masking it …

  1. Roo
    Windows

    10/10

    "Microsoft should school Ellison on safeguarding privates, says infosec bod"

    That is a delightful sub-heading. 10/10.

    Have a beer, you earned it. :)

  2. JeffyPoooh Silver badge
    Pint

    THEY'VE ALREADY TAKEN CORRECTIVE ACTION

    They've requested their partner Ask.com to update the browser hijack Ask Toolbar to block all searches related to these vulnerabilities.

    That should fix it.

  3. Anonymous Coward
    Anonymous Coward

    Re: 10/10

    "The result down the line was that patching and flaw detection in Microsoft SQL dropped sharply, and the code security of IIS and Exchange has also been much improved. Oracle should take a leaf out of Redmond’s book when it comes to security, he suggested, and customers should demand change."

    It was a bit more extreme of an impact than that. SQL Server vulnerabilities in the last decade have been single figures, whereas Oracle's DBs have had hundreds...

  4. Wam

    Shocking

  5. Roo
    Windows

    Shocking...

    but also not entirely surprising...

  6. Anonymous Coward
    Anonymous Coward

    expected result

    Oracle bring legal action against security researchers for publicly highlighting major design flaws in their software.

  7. Matt Bryant Silver badge

    But, but, but....

    ....didn't Larry assure us it was 'unbreakable'? ROFL!

  8. Denarius Silver badge
    Alert

    space time continuum stressed again

    Two articles about Microsoft responding properly in the one week. Why is the sky cracking ?

  9. Destroy All Monsters Silver badge
    Big Brother

    Re: space time continuum stressed again

    Chill out. It's just the US bombing again.

  10. Anonymous Coward
    Anonymous Coward

    When big boys get beaten, they can only cry 'Wolf. Nothing much to see here folks.. Kindly move on..

  11. Joerg

    How much is Microsoft paying for all of this ?

    These researchers attacking Oracle and praising Microsoft.. it's clearly more than just fishy, it's obvious that Microsoft is paying them to do this public attack.

  12. Anonymous Coward
    Anonymous Coward

    Re: How much is Microsoft paying for all of this ?

    Well, "the enemy of your enemy is your foe" is probably the reason.

    The researchers hate Microsoft, they just hate Oracle more.

  13. Anonymous Coward
    Anonymous Coward

    RE: Microsoft paying

    Microsoft don't need to get involved in this.

    Having read the PDF linked to in the article the Oracle fault is so glaring it just looks like totally untested code.

  14. Anonymous Coward
    Anonymous Coward

    Re: RE: Microsoft paying

    Having read the PDF linked to in the article the Oracle fault is so glaring it just looks like totally untested code.

    Ever tried reading any of their install scripts?

  15. Anonymous Coward
    Anonymous Coward

    Re: How much is Microsoft paying for all of this ?

    "it's clearly more than just fishy, it's obvious that Microsoft is paying them to do this public attack."

    Take a look at say SQL Server vulnerabilites versus Oracle DB ones and then say Java vulnerabilites versus .Net ones over the last few years. Microsoft have had roughly 2 orders of magnitude fewer holes in their code! You might not want to consider Microsoft secure, but Oracle are far far worse.

  16. Hans 1 Silver badge

    Re: How much is Microsoft paying for all of this ?

    @Joerg

    >These researchers attacking Oracle and praising Microsoft.. it's clearly more than just fishy, it's obvious that Microsoft is paying them to do this public attack.

    Exactly, especially when the "guru" then goes on and specifically quotes the sieves ...

  17. boltar Silver badge

    Re: RE: Microsoft paying

    "Ever tried reading any of their install scripts?"

    Never mind reading them - even trying to use them can be an utter pain if the system doesn't have EXACTLY what the script is expecting in EXACTLY the right place. I'm pretty sure they give the install script writing job to the interns because I simply don't believe they've been written by professionals since they are so utterly appalling.

  18. Anonymous Coward
    Anonymous Coward

    Re: RE: Microsoft paying

    I especially like it when something silently fails, but you can't really tell what it is because they only updated the installer and not the packages.

    Or how every oracle product will come with it's own JVM but whether it's using the one it's bundled with or the one in your environment variables is pot luck a lot of the time.

  19. Anonymous Coward
    Anonymous Coward

    Re: RE: Microsoft paying

    ""Ever tried reading any of their install scripts?""

    When something requires a JAVA JRE just to install itself, I instantly know it's going to be a POS.

  20. Destroy All Monsters Silver badge
    Windows

    I want to go back

    Why did Sun have to get bought by Oracle?

  21. Matt Bryant Silver badge

    Re: Destroyed All Braincell's Re: I want to go back

    "Why did Sun have to get bought by Oracle?" Because all the other big players wouldn't touch the SUN carcass with a barge pole.

  22. boltar Silver badge

    Re: I want to go back

    "Why did Sun have to get bought by Oracle?"

    Because even when the writing was on the wall in 10 foot high flashing neon lights , McNealy and pals still thought people would pay 5 digit prices for their unix workstations and low end servers when x86 + linux/windows had already eaten their lunch and was on to desert. They just about managed to keep making money at the high end but not enough not to need rescuing

    Its a shame because Sun desktop workstations were fantastic pieces of kit back in the day and if Sun had charged sensible prices they could have easily competed with Macs & PCs for graphics intensive apps. But pay 10K for the same sort of performance you could get for 3K with x86 or PowerPC Mac? No one is that stupid.

  23. Destroy All Monsters Silver badge
    Big Brother

    Also, newspeak

    I think I remember the verb "to redact" started to be misused for "to censor" at the time Saddam was worse than Hitler and we Kicking his Ass and then got Mission Accomplished. Why has it moved into standard industry talk now?

    Or is my Alzheimer showing?

  24. Stoneshop Silver badge
    Headmaster

    Re: Also, newspeak

    Redact is the right term here. Look up both words, and compare the definitions.

    Applying the censorship label to cases where some people are not allowed to see some parts of a dataset that other people can see in full is devaluing the term.

  25. Anonymous Coward
    Anonymous Coward

    Hmmm not so sure

    I'm not sure it's an entirely fair criticism. I believe redaction or masking is not meant to 'secure' the data. For that you should be using encryption or other methods.

    The functionality is designed to mask certain data from *applications* not from people who can craft SQL. Masking is inherently insecure against carefully written SQL where someone can write queries like select COLA from TABLEA where COLA like 'A%'

    With this you know the value starts with A (or not), repeat this process manually or script it until you have the data you want. This is not a flaw in the implementation just a fact of life for masking

    It should only be used where the query is fixed (like from an application call) and you want the data to be masked in the application GUI

  26. Bucky 2

    Re: Hmmm not so sure

    I feel like you're thinking of something that I'm not understanding completely.

    For all the use-cases I can come up with, either the application is trustworthy (in which case masking is unnecessary), or the application is not (in which case masking is insufficient).

    If an application is going to display a credit card number in its GUI unless the database is supplying masking (because that query is "fixed"), wouldn't that mean we've got an application which shouldn't be used against that database at all?

    What am I missing?

  27. Anonymous Coward
    Anonymous Coward

    Re: Hmmm not so sure

    If you read the white paper (http://www.oracle.com/technetwork/database/options/advanced-security/advanced-security-wp-12c-1896139.pdf), redaction is primarily intended for retrospective use on existing applications. It allows data to be transparently redacted with no change to the application. For example if your application is currently showing data in a GUI that it should no longer display (perhaps because of enhanced regulation) then a single database command can mask that data wherever it is returned to the application, avoiding a potentially much more tricky application change.

    Well done to someone for finding an inference attack that Oracle makes clear it doesn't protect against in it's documentation. From the above pdf (June 2013):

    "Data Redaction does not prevent privileged users from connecting directly to the database and running ad hoc queries that back into pieces of sensitive data ( i.e. it does not stop exhaustive ad hoc queries or other inference attacks)."

    As to the other points, it is best pracitice for applications to connect via a username that has very limited privileges - certainly only DML (no DDL) and only on the necessary tables and often all access will be via a view and so the underlying table is invisible to the application.

  28. Anonymous Coward
    Anonymous Coward

    Re: Hmmm not so sure

    In the scenario where you have followed best practices and you have chosen to use data redaction to meet regulatory compliance.

    What happens if a privilege escalation flaw is discovered that means the techniques to allow access to the sensitive data no longer work?

    Put another way - is data redaction a feature or just a poorly applied coat of security paint that peels off a few months later leaving you with no additional protection?

  29. Tom Chiverton 1

    Re: Hmmm not so sure

    Indeed. Oracle's own docs (http://www.oracle.com/technetwork/database/options/advanced-security/advanced-security-wp-12c-1896139.pdf) say "Data Redaction does not prevent

    privileged users from connecting directly to the database and running ad hoc queries that back into pieces of sensitive data ( ie. it does not stop exhaustive ad hoc queries or other inference attack ). "

  30. Down not across

    Re: Hmmm not so sure

    "Data Redaction does not prevent

    privileged users from connecting directly to the database and running ad hoc queries that back into pieces of sensitive data ( ie. it does not stop exhaustive ad hoc queries or other inference attack ). "

    You would need to utilise Oracle Database Vault to stop privileged users seeing sensitive data.

  31. maffski

    Re: Hmmm not so sure

    Except it fundamentally fails at this.

    You have an old app that shows CC numbers - and use redaction to hide them.

    However redacted data is still used in the SQL where clause.

    As evil identify thief I get a job in customer services. And my lunch break is spent performing the following search on the application:

    Customer ID = 'My Target' AND CC Number like '1%' - 0 results

    Customer ID = 'My Target' AND CC Number like '2%' - 1 results

    Customer ID = 'My Target' AND CC Number like '21%' - 0 results

    Redaction is broken - I don't need to see the CC Number to know what it is.

  32. Anonymous Coward
    Anonymous Coward

    Re: Hmmm not so sure

    You would need to utilise Oracle Database Vault to stop privileged users seeing sensitive data.

    Ah, more cost.

  33. Daniel B.

    Whoa!

    Looks like the Vultures are far better than me at picking interesting tracks. I missed the Oracle one!

  34. Anonymous Coward
    Big Brother

    No shit Sherlock ..

    If Oracle has a decent security development lifecycle in place anyone would have found these flaws and stopped them in tracks,”

  35. Anonymous Coward
    Big Brother

    They do seem to be keeping it totatally ... er .. secure ..

    For more information on data redaction:=>Technical Information=> Security Solutions=> Oracle Advanced Security

    "Oracle Advanced Security, a commonly used option with Oracle Database Enterprise Edition, provides two important preventive controls to protect sensitive data at the source including database encryption (Transparent Data Encryption (TDE)) and on-the-fly redaction of display data. TDE stops would-be attackers from bypassing the database and reading sensitive information directly from storage .. ref

  36. Anonymous Coward
    Anonymous Coward

    Uh, that's not what on the fly redaction protects, as has already been mentioned. There are other methods that would be used to secure from the exploit in question.

    I guess I need to change my career path, I could easily start combing through the release notes of some of these large tech companies for things their features don't protect against and then create an exploit of that thing that doesn't protect against my particular method of extracting data and become a "security expert" and make money as Chicken Little.

    Now, it would be so much harder to describe a possible way for a privileged user to access data they should not using some clever SQL and describe how to design the overall environment to protect the data delivering value to the conference attendees, but exploiting a "flaw" that the manufacturer says they don't actually protect in that manner is much easier. Its basically the meatspace version of keyword spam. ORACLE SECURITY FLAW MICROSOFT SQL THESKYISFALLING

  37. EssEll

    Spare me

    So this "security specialist" is pointing out an exploit that Oracle have already said they do not address.

    In related news, fire is hot and water is wet.

  38. Hans 1 Silver badge
    Coat

    This is a load of PR, which why I think it is actually Microsoft PR stunt. This feature is documented as a weak hack to hide stuff in ui's. It is by far the easiest way to hide this stuff from the drones without too much trouble while the application is being re-written. As for the others executing queries ... you wanna execute queries? you first have to find an SQLinjection entry point before you can issue any ... Nobody lets the drones connect to the production database with a client (e.g. SQLPLUS) ... imagine, somebody could have done the following, before the obfuscation:

    spo /tmp/ccdata.txt

    select cardnr, expdt, chrnr from customers;

    spo off

    If you have this type of system (drone can access with other clients), you really need to sue the shit out of the system admin for fraud (this is beyond incompetence).

    Note that this usually is an acceptable implementation for sysadmins with MCSE/MCSD cards, afaik/from what I've seen.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018