Basic Database Security Guidelines

Implementing database security is not an easy process. It is complex, because security has to be looked at on several layers: the OS, the database, the network, the application code, and the backups. There are a lot of things you need to check, and if you need a secure database you cannot ignore any one of these components.

You need to know that even experts and gurus do not have a complete understanding of this whole list; they may know about each item, but not in depth. The most important thing in securing a database (a new one) or securing an application is understanding the security model very early in the development process, and how to develop with it in mind. You can read the book "Oracle Security: Step-by-Step" by Pete Finnigan, where he describes a lot of basic steps to secure an Oracle database.

From a high level perspective, security is always about risk. If you think that your system is impenetrable, think again. Someone else will always be building a better mousetrap.

For example, let us ask ourselves as DBAs about SQL injection, one of the top ten threats to databases.
It happens because somebody writes a web application that accesses your database, and if that code is written incorrectly, an attacker can get access to your database through it. Because of this the DBA needs to understand who is accessing the database and make sure the developers are accessing it in a secure way.
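The "incorrectly written code" described above, beside its corrected form, as an added PL/SQL example that is not from the original post: the table app_accounts, the functions balance_unsafe and balance_safe, and the account app_user are invented for illustration.

```sql
-- Added example (not from the post). Table, function and account names are invented.
-- A small constructed table standing in for the application's data.
CREATE TABLE app_accounts (
  account_no  VARCHAR2(20) PRIMARY KEY,
  owner_name  VARCHAR2(100),
  balance     NUMBER(12,2)
);
INSERT INTO app_accounts VALUES ('ACC-1001', 'Alice Example', 1500.00);
INSERT INTO app_accounts VALUES ('ACC-1002', 'Bob Sample',      42.50);
COMMIT;

-- INCORRECT: the caller's text is glued into the statement, so it is parsed as
-- SQL. A value containing a quote character changes what the statement means,
-- which is the SQL injection hole the post describes. The pattern to spot in
-- code review: user input concatenated into a string that is then executed.
CREATE OR REPLACE FUNCTION balance_unsafe (p_account IN VARCHAR2) RETURN NUMBER IS
  v_bal NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT balance FROM app_accounts WHERE account_no = ''' || p_account || ''''
    INTO v_bal;
  RETURN v_bal;
END balance_unsafe;
/

-- CORRECT: the statement text is constant; the value travels as a bind variable
-- (:acct) and is only ever compared as data. For a fixed query like this one,
-- static SQL (SELECT balance INTO v_bal FROM app_accounts WHERE account_no =
-- p_account) is simpler still; EXECUTE IMMEDIATE ... USING is the form to use
-- when the SQL genuinely has to be dynamic.
CREATE OR REPLACE FUNCTION balance_safe (p_account IN VARCHAR2) RETURN NUMBER IS
  v_bal NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT balance FROM app_accounts WHERE account_no = :acct'
    INTO v_bal USING p_account;
  RETURN v_bal;
END balance_safe;
/

-- Least privilege for the web application's database account (the "who is
-- accessing the database" question): execute on the safe wrapper only, with no
-- direct privileges on the table. Assumes the account app_user already exists.
GRANT EXECUTE ON balance_safe TO app_user;
```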

Internal or external attackers will search for holes in your application to get in. One well-known attack type is the buffer overflow, and because of this you need to keep your system patched and up to date. Most people do not do this, since they worry that a patch will break their system or application.

Today a lot of people are ignoring the security side of the job. Many companies don't have the resources. Until you get hacked, and until you lose data, you think you can get by with minimal security.

I mentioned before, in my article about basic steps to secure an Oracle database, some of these points with examples. Today I advise you to bookmark this blog to keep updated with Oracle security patches; there are lots of tips to talk about and I will share them here as soon as I can.

Thank you
Osama Mustafa

rdesktop: A Remote Desktop Protocol Client

rdesktop is an open source client for Windows Remote Desktop Services, capable of natively speaking Remote Desktop Protocol (RDP) in order to present the user's Windows desktop. rdesktop is known to work with Windows versions such as NT 4 Terminal Server, 2000, XP, 2003, 2003 R2, Vista, 2008, 7, and 2008 R2.

You can install the package using yum and then check that it is installed with rpm, like the below:

# rpm -qa rdesktop

According to the website, to connect to Windows from Linux you use -u, which indicates the username, followed by the hostname, like this:

# rdesktop -u Administrator osama

osama : hostname
Administrator : username

Useful !!!

Thank you
Osama Mustafa

Oracle Database vs SQL Server Security

Which one is more secure?

The above question has been asked before and will be asked today and in the future, but what is the answer? Before starting to answer this question you need to discuss some points.

As an introduction, SQL Server is a database product from Microsoft Corporation with the following version list:

  • SQL Server 2012
  • SQL Server 2008 R2
  • SQL Server 2008
  • SQL Server 2005
  • SQL Server 2000
  • SQL Server 7.0
On the other hand we have Oracle Database, which is an RDBMS (Relational Database Management System) with the following version list:

  • Oracle7
  • Oracle8 Database
  • Oracle8i Database
  • Oracle9i Database
  • Oracle Database 10g
  • Oracle Database 11g
Each database release includes new features; these features could be related to high availability, database functionality or security. I try to be fair in my judgment. Let's get back to the question: which is more secure, Oracle Database or Microsoft SQL Server, and why?
I read a lot of research regarding this question and most of it claims that SQL Server is more secure than Oracle Database, but why? Oracle is the best database for large organizations and can store more data with great security; by great security I mean there are a lot of solution products from Oracle such as Database Vault, Audit Vault, and Data Masking. But for small solutions and organizations, most of them use SQL Server.
I read the report by David Litchfield here, published in November 2006, which claims that SQL Server is more secure than Oracle Database. You also need to know, while comparing these two databases, the main differences between them:
Microsoft SQL Server works only on one platform (Windows), is easy to manage, most of the administration is through a GUI (very friendly), it is simple to install, and SQL Server costs less than Oracle in licensing fees. All this indicates the following to me:
  • Since SQL Server is easy to install and administer, the performance is usually fine.
  • The only way to scale a system built on SQL Server technology is to add more memory and CPU to the single server hosting the database.
  • As mentioned before, SQL Server supports only one platform.
On the other hand, Oracle supports all platforms (Linux, Unix, Windows, HP, AIX, Sun ... and sorry, I forgot to mention others). I will not say it's easy to install, but the documentation is available for free and if you follow it you will not be lost. Oracle Database is an enterprise solution, which means it is for when you need a database that stores huge amounts of data, supports high availability clusters (SQL Server does not support this) and offers a lot of backup and recovery solutions, Data Guard being one of them. Because of this it's expensive and costs the company money. Don't forget the main reason: an Oracle DBA's salary is higher than a SQL Server DBA's, which means companies will study this before choosing a solution.
Also, to be fair, Oracle support sometimes takes time to answer you and solve an issue or database vulnerability; SQL Server support, however, is amazing and solves the issue or vulnerability in 24 hours or less.
Since Oracle Database is used by large organizations such as financial and insurance companies, it is a target for hackers (I would like to mention here that a hacker is not looking for a small company to hack; they need something that will be worth it if they get caught), so it will be under attack. In my articles I mentioned there is no 100% secure system, but you can make it harder for any hacker to access your data, and Oracle provides products to do that: Database Vault, Audit Vault, Database Firewall and encryption.
Another point I would like to mention (take it also as a point when you compare): Oracle works on more than one platform. So is securing one platform the same as securing five or six or more platforms? You should answer this question, not me!
Oracle has the capacity to run large databases and has many performance improvement features; the performance work can be in hardware or in the database (with SQL Server, only hardware). Which is more secure?
It's completely up to you, but don't miss or ignore the points I mentioned before in this article.
Thank you
Osama Mustafa

First Look: Dbvisit Standby

Dbvisit Standby is a tool for creating a standby database to ensure high availability for Oracle Database. It is similar to Data Guard, but the main difference I noticed is that with Data Guard you need EE (Oracle Database Enterprise Edition), whereas with Dbvisit you can create your standby even with SE (Oracle Database Standard Edition).

In the last three days I was testing this product, and all I can say is that it's amazing and easy to use. The steps are clear, and even when an error code is returned the description is very clear. Also, with Dbvisit you have two ways to create a standby: command line and GUI. Both are easy and all you have to do is follow the steps in the documentation.

What I noticed too is that support for this product is amazing. Since I downloaded the trial version I received an email telling me that if I need anything, all I have to do is send an email with the error code and the Dbvisit support team will answer me. A couple of days later they sent me another email asking for my feedback, and I am writing this article to make my point of view clear. I checked the Dbvisit forum and answers were within 1-3 working days, which indicates they have a very active support team improving this product.

The below figure describes the Dbvisit Standby architecture:

There's no need to mention the creation steps since everything is already included in the documentation, but below you will find some screenshots of the installation. Most of the steps are done on the primary database; on the standby, all you have to do is 3 steps, as I remember:

On the primary database:

Standby screenshots:

Thank you
Osama Mustafa

How to Become an Oracle DBA

How to become an Oracle DBA?

This question is asked on a lot of blogs by guru people. Before you start thinking about that question you need to ask yourself some questions.

Do you love working under pressure? Do you love working long hours? Do you use your free time to devour the latest in technology from the internet and reports? Do you love working during the weekend? The last question: are you able to deal with sensitive and critical data with no mistakes? If all your answers are yes, then welcome to the Oracle DBA world, where the human becomes theory.

Oracle is not an easy world, and it's not that hard either, but you need to know it's complex. Just as a note: don't expect to be rich. Also make your rule "love what you do and do what you love".

Recently I saw threads on the OTN forum where the poster was asking for information about starting his career as an Oracle DBA. I will give advice about that and hope it will be useful. If you have any programming language skills it will make your job easier; it's very useful to understand what you see, as a DBA you work with the development team and negotiate with them about performance and their requirements, and understanding them is best. On the other hand, if you don't have any experience you can't stop here and tell yourself "I can't become an Oracle DBA". Start learning, and it's not a bad idea to take courses such as SQL Fundamentals I & II.

Don't forget another thing: start working on your Oracle training and education. Reading is not enough; it only gives you the concept and the idea behind a thing. Learn operating system administration skills, and by operating system I don't mean just Windows: you need to learn about Linux, Unix, etc., how to manage them and how to use the command line. Learning batch and shell scripting is very useful. Don't forget to take a look at the Oracle documentation every time you can; it is the first and the best reference all the time. When you need to learn about something, read from the source, don't start with others' articles. Don't understand me wrong with that: everyone has his point of view, but start with the source and then see other points of view to create your own.

There's also Oracle Magazine, with the latest technology and some tips and tricks, which you can subscribe to. Maybe you don't understand something and need someone to explain it to you: the Oracle OTN forum is available to you for free, and experts and gurus will answer you. Books will increase your knowledge and prove your point.

Create your own VMware environment and test; don't let something pass without testing. The practical way will prove and increase your knowledge. So let's make all the above into points:

  • Attend training courses
  • Read books
  • Read magazines
  • Visit the Oracle documentation site and blogs
  • Check the OTN forum
  • Talk with DBAs

Bookmark this website: a very useful and good starting point to become an Oracle DBA.

This is a long topic to discuss and needs a lot of work from you. If you want to be a DBA, find one or two methods of acquiring knowledge that you are comfortable with. Take training courses, read books, whatever. I will also update this topic to make it comprehensive.

Thank you
Osama Mustafa

Oracle Security Case Study

Does your security procedure protect your data?

In most companies there is access to email systems, intranets, networks and the internet, and most of these users use applications connected to a database (assume it's an Oracle database).

By creating security procedures to protect the database and what it contains, you create an environment that is hard to deal with, since the three components are availability, integrity and security, which means if you increase security then integrity will not be at the same level, and so on. The Oracle database has several layers of security and provides auditing functionality at each level. Most of them are mentioned in the Oracle Security section of the website.

  • Password management: one of the basic steps, to force users to follow rules such as password expiration, limiting password reuse, limiting the number of failed logon attempts, forcing password complexity, and locking and expiring database accounts
  • Database auditing to monitor user activity
  • Fine Grained Auditing to define the specific conditions necessary for an audit record to be generated, resulting in a more meaningful audit trail
  • Database Resource Manager to set resource limits and quotas on the amount of various system resources available to users
  • Roles to manage object privileges
  • Oracle Label Security for more sophisticated row level security
  • Data encryption to provide an additional layer of protection
Which kind of security plan do you follow? Do you think the basic steps to secure the database will be enough, or should someone enable auditing, install a database firewall ...? When you answer, consider that more security means it will be harder to deal with the application and the environment.
Tell me about your security case. What do you think?
Thank you
Osama Mustafa

Using Production Data: Is This Right?

Production data contains sensitive information that should not be shared with unauthorized people: financial data, account numbers, ATM passwords ... Most companies have a developers team to support applications and modify the code as needed, but the developers need data to test the code. How do they get this data? That is the question.

I have seen a lot of companies use production data on the development/test database because it's great for testing, really easy and costs nothing. But is this right? My view on this topic: no production data is allowed on development. There are a lot of points to discuss to show exactly what I mean, and if it's necessary to use it, then hide it in one of several ways, which I will talk about.

There is a much greater chance that the data may be compromised. This data should be removed and sanitized to make it anonymous / de-personalized. I read a lot of articles and every article explains something different; for example, this article supports using production data. After reading that blog, ask yourself one question: how does production data make the job easier? By letting developers/unauthorized people look at customer data! There are different points of view: customers want their data to be secure, and employees want to test the code with something easy and real to use.

Check this: the Ponemon Institute has come out with some interesting (and scary) data on data security during development and testing.

This chart shows what data is breached. It shows a lot of sensitive data such as cardholder data, customer data, credit card information and business confidential information.

Personally I prefer to use a subset or dummy data, using the Red Gate Data Generator.
There are a lot of security issues that can result from using production data for testing/development, such as severely compromising its confidentiality, even leading to legal action.

Take this example: Hannaford Brothers. In March, the Maine-based Hannaford Brothers grocery store chain
announced that 4.2 million customer card transactions had been compromised by hackers. More than 1800 credit card numbers were immediately used for fraudulent transactions.

After all these examples, is it OK to use production data in test? Do you have a legitimate reason? Do you have
security, encryption, firewalls, breach detection? Add to that there are different security rules for production data and test data: the production database is for authorized people, with privacy, auditing, roles, privileges and a lot of conditions to access it. On the other hand development data is frequently wide open: dozens of employees have access, access from many to unlimited places, home access. And you still want to use production data? Do your programs care or know the difference?

Some Rules you have to follow :

  • Make your employees aware of the policies and procedures.
  • If it is possible to not use production data, take that option. Use alternate ways of testing scenarios.
  • Ensure that production data is masked or scrubbed when it is moved out of the production environment.

If it's necessary to use your production data, then do it right, by scrambling (scrambling is the function of replacing a character (or byte) of data with a different character (or byte) of data). Oracle provides a solution to do that, called Data Masking, or you can write your own function that will scramble the data for you.
Another option is encryption (encryption is a series of algorithms used to turn data into nonsensical characters (not in the English alphabet)). There are other ways you can hide production data: NULL'ing out, substitution, gibberish generation ...
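The three techniques named above (substitution, scrambling, NULL'ing out) applied with plain PL/SQL to a copied table, as an added example that is neither the author's code nor Oracle's Data Masking product: customers_dev and its columns are a constructed stand-in for the copy, and it is meant to run in the development schema after the copy has left production.

```sql
-- Added example (not from the post). customers_dev is a constructed stand-in for
-- a table copied out of production; run this in the development schema only.
CREATE TABLE customers_dev (
  customer_id  NUMBER        PRIMARY KEY,
  full_name    VARCHAR2(100),
  email        VARCHAR2(100),
  card_number  VARCHAR2(19),
  atm_pin      VARCHAR2(4),
  balance      NUMBER(12,2)
);
INSERT INTO customers_dev VALUES (1, 'Alice Example', 'alice@example.com', '4111111111111111', '1234', 1500.00);
INSERT INTO customers_dev VALUES (2, 'Bob Sample',    'bob@example.org',   '5500000000000004', '9876',   42.50);
COMMIT;

-- Scrambling: replace each digit with a random digit but keep the length and the
-- last four digits, so formats and "card ending in 1111" test cases still work.
-- Values of four digits or fewer are replaced completely.
CREATE OR REPLACE FUNCTION scramble_digits (p_value IN VARCHAR2) RETURN VARCHAR2 IS
  v_len  PLS_INTEGER := LENGTH(p_value);
  v_keep PLS_INTEGER;
  v_out  VARCHAR2(4000) := '';
BEGIN
  IF p_value IS NULL THEN
    RETURN NULL;
  END IF;
  v_keep := CASE WHEN v_len > 4 THEN 4 ELSE 0 END;
  FOR i IN 1 .. v_len - v_keep LOOP
    -- DBMS_RANDOM.VALUE(0, 10) is in [0, 10), so TRUNC gives a digit 0..9
    v_out := v_out || TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(0, 10)));
  END LOOP;
  IF v_keep > 0 THEN
    v_out := v_out || SUBSTR(p_value, -v_keep);
  END IF;
  RETURN v_out;
END scramble_digits;
/

-- Substitution: names and e-mail become synthetic values derived from the key,
-- so the result is stable across runs and joins on customer_id still line up.
-- Scrambling: card numbers go through scramble_digits.
-- NULL'ing out: a PIN has no legitimate use outside production, so drop it.
-- The balance stays: tests need it and on its own it identifies nobody.
UPDATE customers_dev
   SET full_name   = 'Customer ' || TO_CHAR(customer_id),
       email       = 'customer' || TO_CHAR(customer_id) || '@example.invalid',
       card_number = scramble_digits(card_number),
       atm_pin     = NULL;
COMMIT;

-- Verify: no original name, e-mail or PIN should remain, and each card number
-- should keep only its length and its last four digits.
SELECT customer_id, full_name, email, card_number, atm_pin
  FROM customers_dev
 ORDER BY customer_id;
```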

Finally, as this article puts it: "Using live data in non-production is either illegal or expensive. For the companies using it illegally, it's only a matter of time before somebody slips up and the practice is discovered. For the companies paying extra to keep their developers compliant, they'll find themselves resistant to new development and undercut by companies who've used their data in a strategic way. In the long run, the tiny benefit is just not worth the risk." See more at: http://www.businesscomputingworld.co.uk/are-you-using-live-customer-data-outside-of-your-production-database/

Read the Ponemon Institute report.

Thank you
Osama Mustafa

Nmap and Oracle: Security Topics

The first question that came to my mind when posting this topic: what is the relation between Nmap and Oracle? For the people who don't know what Nmap is, I will talk about it, but it will not be enough to give this amazing tool what it deserves.

Nmap is a powerful tool that is capable of generating a multitude of signatures depending on how it is used. However, if we understand the operation of the tool in general, it is easier to recognize its overall signature in network traffic. Dissecting the signature into sub-patterns, one can differentiate between fingerprinting attempts that were successful and those that were not. It is important to understand that we have examined only one of the scan types that Nmap can perform, the SYN half-open stealth scan. Several other scans are supported by Nmap: TCP connect, FIN, Xmas, NULL, UDP, ping, and even FTP bounce. Expect to see these in the near future.

There are a lot of features Nmap can provide: host discovery, port scanning, OS detection, auditing the security of a device by identifying its network connections, and version detection.

There are two versions of this tool: a command line version (the powerful one) and a GUI version. The tool is available on Windows and Linux, and if you decide to go with the command line you need to be an expert, since it needs a lot of practice.

You can see how the GUI and the command line look in the below pictures:

Nmap provides all the information that is needed for a well-informed, full-fledged, precisely targeted assault on a network. Such an attack would have a high probability of success, and would likely go unnoticed by organizations that lack intrusion detection capabilities.

But how can I use Nmap with Oracle? When I do penetration testing I use this tool from the command line to discover vulnerabilities. When an Oracle database is installed on a server it opens ports on that server, which may expose vulnerabilities (the simplest way to describe it). I cannot post everything about Nmap here, since I would need a new book to talk about it.
Below are some examples that you could use; note that I use the command line version. For example, the script called oracle-query runs a given query against the Oracle database server and returns the results:

nmap -p 1521 --script oracle-query --script-args

Another one that could be used is called Oracle hash dump, which dumps the database password hashes from Oracle and MS-SQL. The results are returned in a suitable format and can be stored in a file.

For example: the CVE-2012-3137 vulnerability. The vulnerability exists in Oracle 11g R1/R2 and allows linking the session key to a password hash. When initiating an authentication attempt as a valid user, the server responds with a session key and salt. Once received, the script disconnects the connection, thereby not recording the login attempt. The session key and salt can then be used to brute force the user's password. There is a patch to fix this security issue.

To avoid such an issue you should apply Oracle security patches (CPU patches) and OS patches. By doing maintenance like this you can minimize the vulnerabilities that could occur.

Thank you 
Osama Mustafa

The Effect of Weak Passwords

Default/weak passwords.

There is no need to discuss this point any more: many security breaches happen because of weak passwords. Can you guess the most popular passwords? I provide a list of the most common passwords of all time. Is yours one of them?

1. password.
2. 123456.
3. 12345678.
4. abc123.
5. qwerty.
6. monkey.
7. letmein.
8. Dragon.
9. 111111.
10. baseball.

Simple steps keep you on the safe side. There is no need for software or third party products to change your passwords in the database; in 10g and 11g Oracle provides new features for this. Note that what works on 10g also works on 11g.

Oracle Database 10g

In database 10g Oracle provides an example password verification function. You can write your own code, or you can use
ORACLE_HOME/rdbms/admin/utlpwdmg.sql
This function must be created in the SYS schema. When you run the script it does the following:
•    alters the default profile's password management parameters, which means all users on the system get password management
•    sets the default password resource parameters
•    creates a function that makes minimum complexity checks, like the minimum length of the password

sqlplus / as sysdba
SQL> @utlpwdmg.sql
Function created.
Profile altered.

Create a new user after running the utlpwdmg.sql script.

SQL> create user test identified by test;
create user test identified by test
*
ERROR at line 1:
ORA-28003: password verification for the specified password failed
ORA-20001: Password same as or similar to user

SQL> create user test identified by test_oracle123 ;
User created.

At least we ensure there are no more easy passwords. As mentioned before, you can create your own code or trigger.

-- Password verification function; create it in the SYS schema.
-- Oracle calls it with the username, the new password and (on ALTER USER)
-- the old password, and expects TRUE when the new password is acceptable.
CREATE OR REPLACE FUNCTION password_check (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2)
  RETURN BOOLEAN AS
BEGIN
  -- Reject anything shorter than 10 characters
  IF LENGTH (password) < 10 THEN
    RETURN FALSE;
  ELSE
    RETURN TRUE;
  END IF;
END password_check;
/

After running the above function in the SYS schema you should assign it to a specific profile. Let me describe it step by step.

1-    Create a profile

CREATE PROFILE New_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME 3   
  PASSWORD_LIFE_TIME 15
  PASSWORD_GRACE_TIME 3  
  PASSWORD_REUSE_TIME 60
  PASSWORD_REUSE_MAX 3
/

Check that the profile was created.

SQL> select profile from dba_profiles where profile = 'NEW_PROFILE';

PROFILE
——————————
NEW_PROFILE

2-    Assign verify_function to new_profile

SQL> ALTER PROFILE new_profile LIMIT
  PASSWORD_VERIFY_FUNCTION verify_function; 
Profile altered.

3-    Change the user's profile
SQL> alter user scott profile NEW_profile ;
User altered.

Now you are creating users with a password verification function and a profile with password conditions, all this to make sure the user will not be able to choose a weak password.
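As an added example (not the author's code and not Oracle's utlpwdmg.sql), here is a fuller verification function enforcing the rules this post talks about (minimum length, not containing the username, complexity, the common-password list above, and difference from the old password), wired into a profile the same way as steps 1-3; it also covers the password management bullet of the "Oracle Security Case Study" post. The names strong_pw_check and hardened_profile and the user scott are illustrative, and like the page's own function it must be created as SYS.

```sql
-- Added example (not from the post), in the style of utlpwdmg.sql. Create as
-- SYS. strong_pw_check and hardened_profile are invented names.
CREATE OR REPLACE FUNCTION strong_pw_check (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2)
  RETURN BOOLEAN
AS
  n_digits  PLS_INTEGER := 0;
  n_letters PLS_INTEGER := 0;
  n_special PLS_INTEGER := 0;
  n_diff    PLS_INTEGER := 0;
  c         VARCHAR2(1 CHAR);
BEGIN
  -- Rule 1: minimum length (the post's own example used 10).
  IF password IS NULL OR LENGTH(password) < 10 THEN
    raise_application_error(-20001, 'Password must be at least 10 characters');
  END IF;
  -- Rule 2: must not contain the username in any letter case (the utlpwdmg.sql
  -- check that rejected "test/test" in the 10g session above).
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'Password must not contain the username');
  END IF;
  -- Rule 3: reject the well-known weak passwords from the list above.
  IF LOWER(password) IN ('password', '123456', '12345678', 'abc123', 'qwerty',
                         'monkey', 'letmein', 'dragon', '111111', 'baseball') THEN
    raise_application_error(-20003, 'Password is on the common-password list');
  END IF;
  -- Rule 4: complexity - at least one letter, one digit and one other character.
  -- Anything outside ASCII letters and digits counts as "special" here.
  FOR i IN 1 .. LENGTH(password) LOOP
    c := SUBSTR(password, i, 1);
    IF c BETWEEN '0' AND '9' THEN
      n_digits := n_digits + 1;
    ELSIF UPPER(c) BETWEEN 'A' AND 'Z' THEN
      n_letters := n_letters + 1;
    ELSE
      n_special := n_special + 1;
    END IF;
  END LOOP;
  IF n_digits = 0 OR n_letters = 0 OR n_special = 0 THEN
    raise_application_error(-20004,
      'Password needs at least one letter, one digit and one special character');
  END IF;
  -- Rule 5: on ALTER USER the new password must differ from the old one in at
  -- least 3 positions. old_password is NULL on CREATE USER, so skip it then.
  IF old_password IS NOT NULL THEN
    n_diff := ABS(LENGTH(password) - LENGTH(old_password));
    FOR i IN 1 .. LEAST(LENGTH(password), LENGTH(old_password)) LOOP
      IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
        n_diff := n_diff + 1;
      END IF;
    END LOOP;
    IF n_diff < 3 THEN
      raise_application_error(-20005,
        'Password must differ from the previous one in at least 3 positions');
    END IF;
  END IF;
  -- Raising an error above is what produces the ORA-28003 / ORA-20xxx pair
  -- shown in the post; reaching this point means the password is accepted.
  RETURN TRUE;
END strong_pw_check;
/

-- Steps 1-3 of the post in one profile: lockout, lifetime and reuse limits plus
-- the verification function, then assign the profile to an existing user.
CREATE PROFILE hardened_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       3
  PASSWORD_LIFE_TIME       15
  PASSWORD_GRACE_TIME      3
  PASSWORD_REUSE_TIME      60
  PASSWORD_REUSE_MAX       3
  PASSWORD_VERIFY_FUNCTION strong_pw_check;

ALTER USER scott PROFILE hardened_profile;
```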

If you need to generate a strong password and nothing comes to mind, one of the most amazing websites that helps you do that is
http://www.randpass.com/. Just choose the length of the password.

Examples of passwords generated by random password sites:
"eo2toozo", "gop}geeu".

Oracle Database 11g

Earlier, in the 11g version, Oracle provided a new parameter which controls case sensitivity for passwords. I consider this an amazing addition to the database; it does not exist in 10g, but with it there is a difference between oracle and ORACLE as a password.

Since this book is concerned with Oracle security, I will post every example I can to show the best ways to secure your database.

SQL> show parameter case;

NAME                                 TYPE        VALUE
——————————— ———– ——————————
sec_case_sensitive_logon             boolean     FALSE

By default this parameter is set to TRUE, to ensure your passwords are secure. I include a demonstration to let you understand this parameter as well.

From the above, the parameter is set to FALSE.

SQL> Create user test identified by test;
User created.

SQL> grant create session to test ;
Grant succeeded.

Let's try to connect using the test user, once as "test" and once as "TEST".

SQL> conn test/test ;
Connected.
SQL> conn test/TEST;
Connected.

There is no difference in the password's case sensitivity. But I will set the sec_case_sensitive_logon parameter to TRUE and try again after changing the password for the test user.

SQL> alter system set sec_case_sensitive_logon=TRUE scope=memory;
System altered.

SQL> alter user test identified by TEST;
User altered.

Let's try to connect this time using the test user.

SQL> conn test/test ;
ERROR:
ORA-01017: invalid username/password; logon denied

But using "TEST":

SQL> conn test/TEST ;
Connected.

This parameter is considered an important security feature; you can create your own complex password to ensure your data is protected. A weak password is one of the most important threats, and reducing hacking starts with simple basic steps.

Thank you
Osama Mustafa

BarCode Fonts

If you are looking for barcode fonts to make your reports look nicer, I uploaded fonts and you can download them from the below link. Hope it's useful.

BarCode Fonts: Download Here

And for Tafqeet, the code used for Arabic (writing numbers in words):

Tafqeet: You can download it here

Thank you
Osama Mustafa