Slashdot Mirror

← Back to Stories (view on slashdot.org)

Oracle Database Redaction Trivial To Bypass, Says David Litchfield

Posted by timothy on from the let-me-ask-that-another-way dept.

msm1267 (2804139) writes "Researcher David Litchfield is back at it again, dissecting Oracle software looking for critical bugs. At the Black Hat 2014 conference, Litchfield delivered research on a new data redaction service the company added in Oracle 12c. The service is designed to allow administrators to mask sensitive data, such as credit card numbers or health information, during certain operations. But when Litchfield took a close look he found a slew of trivially exploitable vulnerabilities that bypass the data redaction service and trick the system into returning data that should be masked."

14 of 62 comments (clear)

  1. Is the target "hackers"? by i+kan+reed · · Score: 2

    I mean it sounds like this is just to protect sensitive data from the day-to-day work of your regular old DBAs. They aren't trying to look at the data, and hack into the system to examine it. They just shouldn't unnecessarily be exposed to it.

    1. Re:Is the target "hackers"? by Jaime2 · · Score: 4, Insightful

      You mean regular DBAs like the next Edward Snowden? Inside threats are important and are one of the reasons this feature exists. LitchField did what he does best; he showed that the product doesn't quite live up to the marketing material.

    2. Re:Is the target "hackers"? by Sockatume · · Score: 5, Informative

      Exactly.

      Considerations When Using Oracle Data Redaction with Ad Hoc Database Queries

      You may encounter situations where it is necessary to redact sensitive data for ad hoc queries that are performed by database users. For example, in the course of supporting a production application, a user may need to run ad hoc database queries to troubleshoot and fix an urgent problem with the application. This is different from the application-based scenarios described in "Using Oracle Data Redaction with Database Applications", which typically generate a bounded set of SQL queries, use defined database accounts, and have fixed privileges.

      Even though Oracle Data Redaction is not intended to protect against attacks by database users who run ad hoc queries directly against the database, it can hide sensitive data for these ad hoc query scenarios when you couple it with other preventive and detective controls. Because users may have rights to change data, alter the database schema, and circumvent the SQL query interface entirely, it is possible for them to bypass Data Redaction policies in certain circumstances. You can address this problem by restricting database privileges and by coupling Data Redaction with other Oracle Database security tools, as follows:

      Oracle Database Vault can prevent database administrators from performing harmful operations.

      Oracle Audit Vault and Database Firewall can:

      Monitor and block malicious database activities.
      Prevent rows from appearing in query results of non-authorized users.
      Alert you about suspicious activity that was audited by the database.
      Remember that the Oracle Database security tools are designed to be used together to improve overall security. By deploying one or more of these tools as a complement to Oracle Data Redaction, you can securely redact sensitive data even from users who are running ad hoc queries.

      Also, note that Oracle Data Redaction hides sensitive information based on database columns. It works best in scenarios where the sensitivity of the data is determined mainly by the column in which it is stored. When an Oracle database displays query results, Data Redaction redacts the rows of data queried from a given column if an enabled Data Redaction policy is defined for the column and the policy expression evaluates to TRUE; otherwise the column's actual data is displayed.

      http://docs.oracle.com/databas...

      --
      No kidding!!! What do you say at this point?
    3. Re:Is the target "hackers"? by i+kan+reed · · Score: 3, Insightful

      It's the same rule for computers as other systems:

      At some level you have to trust the people who run your systems. Quis cosdet ipsos custodes, ya know?

    4. Re:Is the target "hackers"? by greg1104 · · Score: 2

      That does highlight this feature is ultimately intended to provide extra security for regular users; it's not targeted at administrators at all. When the "hack" to bypass the feature is so simple, functionally that means that Oracle Data Redaction drops to no extra query level security whatsoever in the fact of things of SQL injection. If I were an Oracle customer, I'd ask for a refund plus significant damages.

      I'll admit it: just saying that made me laugh. Good luck with that lawsuit given their license contract. "We pay for a license so we have someone to sue if things go wrong" is my favorite of the silly things some people say when advocating commercial software. Only in Soviet Russia do you sue Oracle.

    5. Re:Is the target "hackers"? by TheCarp · · Score: 2

      Except "We pay for a license so we have someone to sue" really means "we want someone to blame". You are right, the idea of an actual lawsuit over anything anyone says that about is true.... however, they will use the someone to blame, both to their customers, and for employees to their managers, managers to their directors etc.

      What its really comes down to is they want to be able to say "We are working with support right now" so they don't have to take the heat for not knowing what the issue is right away, even if its unreasonable for them to.

      --
      "I opened my eyes, and everything went dark again"
  2. Re:Put in a separate table by boristdog · · Score: 4, Insightful

    No, passwords, SSNs, PINs and Credit Card numbers should be hashed before inserting into any table. There is NO reason for anyone to save that data unhashed.

    To compare data, just hash what the customer enters and compare the hashes. Why is this so hard for 99.9% of companies to understand?

  3. In the industry... by phillk6751 · · Score: 4, Interesting

    As a developer in the industry here I can honestly say nobody in our industry would be dumb enough to use this tool. Security is very important, and i'm sure PCI compliance would be a huge issue. Unless under a dual-control situation and 4-5 physical doors from the outside world, no un-masked CC# exists except on physical card. Yes, it would be nice for that service for software developers to use as a tool for display....like in my case, to provide cleansed data to the screen without manually cleansing data....but the issue is that PCI will dictate where that data can exist, and if it's uncleansed and accessible to a DB admin or software dev, there's too much visibility. They look at it from the standpoint that if a single person has access by themselves then they're likely to steal them. I don't see why they would automatically allow search within masked bytes (at least if it's ultra sensitive).....I can understand if maybe there's a setting like (sensitive to search) so that CC#'s couldn't be brute forced, however a search for a person's last name where all but the first letter are masked would probably be okay.

    1. Re:In the industry... by Rob+Riggs · · Score: 4, Insightful

      As a developer in the industry here I can honestly say nobody in our industry would be dumb enough to use this tool.

      Bullshit. As a (former) developer in the industry (still a developer; no longer in the industry) I can honestly say plenty of people in your industry would be dumb enough to use this tool. Especially when some wide-eyed "Oracle DBA(sm)" tells them "I heard about it at Oracle World -- of course it's secure." Seriously -- it is not like retailers hire the best and the brightest. And virtually every online retailer I deal with keeps my CC information on file. Most of them are hard-working, understaffed developers just trying to get the job done and do the bare minimum to meet PCI compliance -- because that is what management wants.

      --
      the growth in cynicism and rebellion has not been without cause
  4. Re:Put in a separate table by Jaime2 · · Score: 5, Informative

    In the payment card industry, this is called a token, not a hash. The difference is that a hash can be algorithmically generated from the source material, while a token cannot. Because there is no forward link outside the entity that generated the token to go from card to token, the tokens can be different at each merchant, making a loss of token much less of a problem than a loss of hashes would be. It's also 100% infeasible to break the token generating algorithm since there isn't one. In my experience, tokens are simply generated sequentially (skipping those that don't pass Luhn check). Another beauty of tokens is that they can pass validity checks for credit card numbers, so they can be handed to third-party software and treated just like card numbers, but without the risk of breach.

  5. Re:Put in a separate table by Capslock118 · · Score: 2

    No, passwords, SSNs, PINs and Credit Card numbers should be hashed before inserting into any table. There is NO reason for anyone to save that data unhashed.

    To compare data, just hash what the customer enters and compare the hashes. Why is this so hard for 99.9% of companies to understand?

    ACH processing requires sending bank account information to the ACH along with how much to bill the individual. Many other forms of automated payment processing formats also require credit card numbers sent - this is all happening with flat files. If you expect credit card numbers to be hashed in your database, then you need to convince the receiving end of that data that they do not need the source to send that data.

  6. Re:Put in a separate table by Zero__Kelvin · · Score: 4, Interesting

    If the card company accepts hashes then having the hash is no different than having the card number. In other words, no, it isn't nor should it be, done that way.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  7. Re:Put in a separate table by bws111 · · Score: 2

    Exactly. Look at it this way: your credit card number already IS a hash of your and your banks identities. That doesn't magically make it secure.

  8. Re:Put in a separate table by davester666 · · Score: 3, Funny

    /users.html

    --
    Sleep your way to a whiter smile...date a dentist!