

Oracle flaw puts users' passwords at risk to brute force assault

21 Sep 2012

A serious vulnerability has been uncovered in an older version of the authentication protocol used by Oracle databases, leaving some customers' passwords exposed to hackers.

The vulnerability was revealed by AppSec researcher Esteban Martinez Fayo in a talk at the Ekoparty Security Conference.

Fayo claims that the bug means hackers can crack simple passwords stored on the database in as little as five hours.

Kaspersky researcher David Emm told V3 that to get the passwords, criminals would need to mount a brute force attack.

"Data sent by the server during the login authentication process, i.e. the session key and the salt, is enough to allow an attacker to use a brute-force attack by trying lots of passwords until the correct one is found," he said.

"This tactic is used to obtain a valid password and get access to the database."

Oracle reportedly fixed the bug in version 12 of the authentication protocol, but currently has no plans to apply the fix to its still widely used version 11.1 protocol.

Emm warned that without the patch hackers would continue to target companies using the vulnerability, adding that it was "vital" administrators take steps to reduce their exposure to attacks.

"In this case, it means using the version of the authentication protocol provided by Oracle to fix the problem and making the necessary configuration changes to only allow new versions of this protocol," said Emm.

"So a further step that administrators should take is to enforce the use of strong passwords using alpha-numeric plus special characters, so even on 'vulnerable' systems it would take an attacker a long time to be able to crack a password."
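The configuration change Emm describes, restricting the server to the newer protocol version, is something administrators can audit across a fleet. The following POSIX shell helper is an added example, not code from the article, Oracle or AppSec: it reads a sqlnet.ora and reports whether the server still accepts the older authentication protocol. It assumes that the parameter in question is SQLNET.ALLOWED_LOGON_VERSION (named SQLNET.ALLOWED_LOGON_VERSION_SERVER in later releases) and that a value of 12 or above selects the newer protocol version the article refers to; the three sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the article, Oracle or AppSec): report whether a
# sqlnet.ora still lets clients authenticate with the older protocol version.
# Assumptions: the governing parameter is SQLNET.ALLOWED_LOGON_VERSION
# (SQLNET.ALLOWED_LOGON_VERSION_SERVER in later releases) and a value of 12
# or above selects the newer protocol the article refers to.

# check_logon_version FILE
#   returns 0 -> parameter present and >= 12 (older protocol refused)
#   returns 1 -> parameter missing, unparseable, or below 12 (older protocol accepted)
check_logon_version() {
    file="$1"
    # Last uncommented assignment wins; Oracle parameter names are case-insensitive.
    value=$(grep -i -E '^[[:space:]]*SQLNET\.ALLOWED_LOGON_VERSION(_SERVER)?[[:space:]]*=' "$file" \
        | tail -n 1 \
        | sed -E 's/^[^=]*=[[:space:]]*([0-9]+[A-Za-z]?).*$/\1/')
    if [ -z "$value" ]; then
        echo "$file: SQLNET.ALLOWED_LOGON_VERSION not set (release default applies; older protocol may be accepted)"
        return 1
    fi
    # Compare on the leading digits so that 12 and 12a are both treated as the newer family.
    num=$(printf '%s' "$value" | sed -E 's/[^0-9].*$//')
    if [ -z "$num" ]; then
        echo "$file: unrecognised ALLOWED_LOGON_VERSION value '$value'"
        return 1
    fi
    if [ "$num" -ge 12 ]; then
        echo "$file: ALLOWED_LOGON_VERSION=$value (older protocol refused)"
        return 0
    fi
    echo "$file: ALLOWED_LOGON_VERSION=$value (older protocol still accepted; raise to 12)"
    return 1
}

# Constructed sample files standing in for three servers' sqlnet.ora.
WEAK_CONF=$(mktemp)
MISSING_CONF=$(mktemp)
STRONG_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$MISSING_CONF" "$STRONG_CONF"' EXIT

printf '%s\n' '# constructed sample: explicitly permits the older protocol' \
              'SQLNET.AUTHENTICATION_SERVICES = (NTS)' \
              'sqlnet.allowed_logon_version = 8' > "$WEAK_CONF"
printf '%s\n' '# constructed sample: parameter absent, so the release default applies' \
              'NAMES.DIRECTORY_PATH = (TNSNAMES, EZCONNECT)' > "$MISSING_CONF"
printf '%s\n' '# constructed sample: newer protocol only' \
              '# SQLNET.ALLOWED_LOGON_VERSION = 8   (old line left commented out)' \
              'SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12' > "$STRONG_CONF"

# Run the audit over each sample; "|| true" keeps a failing check from
# aborting the loop when the shell runs with set -e.
for f in "$WEAK_CONF" "$MISSING_CONF" "$STRONG_CONF"; do
    check_logon_version "$f" || true
done
```

Point the function at the sqlnet.ora of each database server (under the Oracle home's network/admin directory in a standard install) and treat any non-zero return as a host that still needs the configuration change the article recommends.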

For more insight into some of the major security issues affecting businesses make sure you sign up to the V3 Security Summit taking place on Tuesday 25 September which includes high-level speakers such as Mimecast chief scientist Nathaniel Borenstein and cryptographer Bruce Schneier.

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.