
Oracle flaw puts users' passwords at risk to brute force assault

21 Sep 2012
A serious vulnerability in an older version of the Oracle database authentication protocol has been uncovered, one that leaves some customers' passwords exposed to hackers.

The vulnerability was revealed by AppSec researcher Esteban Martinez Fayo in a talk at the Ekoparty Security Conference.

Fayo claims that the bug means hackers can crack simple passwords stored on the database in as little as five hours.

Kaspersky researcher David Emm told V3 that to get the passwords, criminals would need to mount a brute force attack.

"Data sent by the server during the login authentication process, i.e. the session key and the salt, is enough to allow an attacker to use a brute-force attack by trying lots of passwords until the correct one is found," he said.

"This tactic is used to obtain a valid password and get access to the database."

Oracle reportedly fixed the bug in version 12 of the authentication protocol, but currently has no plans to apply the fix to its still widely used version 11.1 protocol.

Emm warned that without the patch hackers would continue to target companies using the vulnerability, adding that it was "vital" administrators take steps to reduce their exposure to attacks.

"In this case, it means using the version of the authentication protocol provided by Oracle to fix the problem and making the necessary configuration changes to only allow new versions of this protocol," said Emm.

"So a further step that administrators should take is to enforce the use of strong passwords using alpha-numeric plus special characters, so even on 'vulnerable' systems it would take an attacker a long time to be able to crack a password."
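Emm's advice to allow only newer versions of the protocol corresponds to a server-side setting in the database's sqlnet.ora. The fragment below is an added illustration, not configuration taken from the article or from Oracle's documentation; it assumes a server release that supports the SQLNET.ALLOWED_LOGON_VERSION_SERVER parameter (12c onward) and shows the permissive value beside the restrictive one.

```ini
# sqlnet.ora on the database server (added example, not from the article).
# Assumes a server release that understands SQLNET.ALLOWED_LOGON_VERSION_SERVER.

# Weak: the server still accepts clients that negotiate older authentication
# protocol versions, so the 11.1-era login exchange described above can occur.
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 8

# Hardened: refuse any client that cannot use protocol version 12 or later,
# so the vulnerable session-key/salt exchange is never sent. Keep only this
# line in a real file; a parameter should appear once.
SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12
```

Clients whose drivers cannot negotiate version 12 will be refused once the restrictive value is in place, so check client library versions before rolling the change out.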

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.
