Tyler Muth’s Blog

Technology with a focus on Oracle, Application Express and Linux

Posts Tagged ‘Security’

Wake Up and Smell Reality

Posted by Tyler Muth on August 5, 2008

In case you missed the news, yet another laptop with unencrypted Personally Identifiable Information (PII) was lost (though this one was found again; news story here). This type of story is in the news all too often. If you think I’m overreacting, take a look at this Chronology of Data Breaches. You might even look for your organization, or for organizations that hold your data. The intended audience of this blog, DBAs and developers, is often the group that knows the most about how their own organization’s data is stored, so I hope at least a few of you read this and think about security a little bit more. So, here it goes…

 

  • If you are storing unencrypted PII in your database, WAKE UP!
  • If you are backing up PII without encrypting it, WAKE UP!
  • If you are exporting PII in clear text and sharing it with groups (mainframe extracts come to mind here) WAKE UP!
  • If you have any of your customers’ unencrypted PII on your laptop, WAKE UP!
  • If you transport unencrypted PII on a flash drive, seriously, WAKE UP!
Did I get your blood pressure up? I hope so; people tend to remember things when emotion is involved. I’m not trying to offend anyone, but we all need to take this issue a little more seriously. So, what can you do?
  • Backups are a prime target, and an easy one to solve. I blogged about RMAN Encrypted Backups; there’s also Oracle Secure Backup (free for a single machine), as well as a plethora of free or paid file encryption utilities.
  • If you don’t need the info, DON’T STORE IT in the first place.  
  • If you need to, say, look up a record by Social Security Number but never need to display or edit it, store a keyed hash of the SSN computed with dbms_crypto.mac instead of the SSN itself. You can then hash the search term the same way and do a simple equality search on hash = hash.
  • Use dbms_crypto to programmatically encrypt data if you can.
  • Use Transparent Data Encryption if you can’t or don’t have time to change the application code.
  • Don’t even think of using SSNs as primary keys.  They’ll end up getting propagated to all child tables, and what are you going to do when someone changes their SSN?
  • Use TrueCrypt to encrypt a volume on your laptop, or even your whole drive. I’ve been using it on my laptops for 2 years now and it’s always worked flawlessly. It also works on flash drives.
  • Help define policies for protecting sensitive information.
  • Talk to your colleagues and managers about concerns you have.  Just starting a dialog about security is a huge step in the right direction.
  • Pick up a copy of “Effective Oracle Database 10g Security by Design” by David Knox. Yes, David is a friend of mine. No, I don’t get ANY money from this book. Note that of the 10 reviews on Amazon, 9 of them give this book 5 stars! I’ve read it cover to cover and reference it often; it’s such a great resource.
Other Oracle technologies to consider when thinking about security include 11g Tablespace Encryption, Oracle Database Vault, Virtual Private Database, and many more.
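Here is the dbms_crypto.mac lookup pattern from the list above worked through in PL/SQL. This is an added example, not code from the original post; it assumes a constructed customers table and a constructed key, and uses HMAC_SH1 because that is the SHA-family constant available in the 10g/11g DBMS_CRYPTO package.

```sql
-- Added example, not code from the original post. Requires EXECUTE on DBMS_CRYPTO.
-- Constructed table: the SSN itself is never stored, only its keyed hash.
CREATE TABLE customers (
  cust_id  NUMBER        PRIMARY KEY,
  name     VARCHAR2(100),
  ssn_mac  RAW(20)       -- HMAC-SHA1 output is 20 bytes
);
CREATE INDEX customers_ssn_mac_ix ON customers (ssn_mac);

CREATE OR REPLACE FUNCTION ssn_hmac (p_ssn IN VARCHAR2) RETURN RAW IS
  -- Constructed key for the example. Keep the real key outside the table,
  -- e.g. in a wallet or a table only a definer's-rights package can read,
  -- so a stolen copy of CUSTOMERS alone cannot be used to confirm SSNs.
  l_key  RAW(32) := HEXTORAW('0123456789ABCDEF0123456789ABCDEF'
                          || '0123456789ABCDEF0123456789ABCDEF');
  l_norm VARCHAR2(20);
BEGIN
  -- Normalise so '123-45-6789' and '123456789' produce the same MAC
  l_norm := REPLACE(p_ssn, '-');
  -- Keyed hash: unlike a plain hash, someone holding the column but not
  -- the key cannot enumerate the roughly 1e9 possible SSNs against it
  RETURN DBMS_CRYPTO.MAC(
           src => UTL_RAW.CAST_TO_RAW(l_norm),
           typ => DBMS_CRYPTO.HMAC_SH1,
           key => l_key);
END ssn_hmac;
/

-- Store: only the MAC of the SSN goes into the table
INSERT INTO customers (cust_id, name, ssn_mac)
VALUES (1, 'Alice Example', ssn_hmac('123-45-6789'));
COMMIT;

-- Lookup: MAC the search term, then compare MAC to MAC (uses the index)
SELECT cust_id, name
  FROM customers
 WHERE ssn_mac = ssn_hmac('123456789');
```

Because the MAC is deterministic, two rows with the same SSN still share a token, which is what makes the equality search work; rotating the key means recomputing every stored token.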

 


Posted in Security | 1 Comment »

mod_security

Posted by Tyler Muth on June 2, 2008

mod_security is an Apache module designed as a sort of web application firewall. It’s most useful for preventing SQL Injection and Cross Site Scripting (or XSS). If you are a web developer and could not immediately describe both of those concepts to a colleague, stop reading this and go read more about both concepts. In fact, Oracle Server Technologies has a great, free, online course that covers SQL Injection here. These classes of vulnerabilities have become quite popular and are the vectors for many of the latest security breaches. If you’re using APEX, there are a lot of built-in features and default settings that prevent you from coding these vulnerabilities into your applications, but you should really know the threat so you understand the risk of, say, turning off the character escaping in APEX reports or of using a concatenated string in a query instead of a bind variable.

I played around with mod_security about a year ago, but since it required compiling an unsupported module into Oracle HTTP Server, I didn’t invest much time in it. I recently installed the 11g Oracle HTTP Server (OHS 10.1.3.3.0) based on Apache 2.0 and noticed that it shipped with mod_security, so I thought this would be a good time to bring it up with the community. The only downside is that the version shipping with OHS is mod_security 1.8.4. This version came out in 2004 and I can’t even find the documentation for it anymore (even via archive.org). So, I used the mod_security 1.9 doc to put together some examples of what you can do. You can also compile mod_security in with previous versions of OHS (make sure you set the PERL5LIB environment variable or it will fail; use the setup instructions from this article on compiling mod_php). I have not tried to remove the old version of mod_security from OHS and compile in a new one… sticking to the supported stuff for now. Also, I have been told that they will be updating the version of mod_security that ships with OHS in future versions.

Configuration

I decided to demonstrate this on Windows since most of my examples are Linux based. I added the following line to ORACLE_HOME\ohs\conf\httpd.conf:

include "C:\oracle\http_home\ohs\conf\mod_security.conf"

This file and the rules file can be downloaded here.

Below are a few VERY simple rules to give you an idea of what mod_security does. The rules I included are a little more complex, but hopefully more complete.

SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecFilter "<[[:space:]]*script"

mod_security will inspect both POST and GET requests before handing the requests off to other modules such as mod_plsql, so these database centric attacks never actually reach the database. It offers many advanced features as well, including the ability to scan uploaded files with anti-virus software before they get past mod_security (documented here). You can control whether or not it returns an error page, or simply logs the event and continues. You can even filter output, say Oracle errors if you’re concerned about an Oracle error exposing details about your schema structure.
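The four rules above do nothing until the filter engine is switched on and given a default action, so here is a fuller mod_security.conf that wires them in, together with the POST scanning and Oracle-error output filtering mentioned in this paragraph. This is an added example, not the rules file from the post; it is written against the mod_security 1.9 directive syntax the post references, and the 1.8.4 build in OHS may not accept every directive, so check it against a development instance first.

```apache
# Added example, not the rules file from the original post.
# Turn the request filter engine on and inspect POST bodies as well as
# the query string, so forms posted to mod_plsql are covered too.
SecFilterEngine On
SecFilterScanPOST On
SecFilterCheckURLEncoding On

# What happens when a rule matches: log it and return 403 instead of
# passing the request on to mod_plsql. Change to "log,pass" while tuning
# so legitimate traffic that trips a rule is recorded but not blocked.
SecFilterDefaultAction "deny,log,status:403"

# Write only requests that triggered a rule to the audit log
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log

# Request filters: the post's simple patterns, plus one for UNION-based
# injection. Each SecFilter is applied to the whole request.
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
SecFilter "union[[:space:]]+(all[[:space:]]+)?select"
SecFilter "<[[:space:]]*script"

# SecFilterSelective limits a rule to one location (here request
# arguments only) and can carry its own action; this one just logs.
SecFilterSelective ARGS "javascript:" "log,pass"

# Output filtering: stop ORA-nnnnn error text from reaching the browser,
# where it would reveal schema details. Only HTML/plain responses are
# scanned so binary downloads are not affected.
SecFilterScanOutput On
SecFilterOutputMimeTypes "(null) text/html text/plain"
SecFilterSelective OUTPUT "ORA-[0-9]{5}" "deny,log,status:500"
```

Note that "select.+from" will also match ordinary prose such as a search for "select the item from the list", which is why a log-only pass against real traffic belongs before enabling deny.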

In my opinion, mod_security is no substitute for awareness, secure coding practices, and code review. My question to the community is: do you think it adds significant value? Do you want to read more about it if I were to include it in a more formal publication? Are there changes you would make to my example rules?

Posted in Oracle, Security | 7 Comments »