

Oracle flaw puts users' passwords at risk to brute force assault

21 Sep 2012

A serious vulnerability has been uncovered in an older version of the authentication protocol used by Oracle databases, one that leaves some customers' passwords exposed to hackers.

The vulnerability was revealed by AppSec researcher Esteban Martinez Fayo in a talk at the Ekoparty Security Conference.

Fayo claims that the bug means hackers can crack simple passwords stored on the database in as little as five hours.

Kaspersky researcher David Emm told V3 that to get the passwords, criminals would need to mount a brute force attack.

"Data sent by the server during the login authentication process, i.e. the session key and the salt, is enough to allow an attacker to use a brute-force attack by trying lots of passwords until the correct one is found," he said.

"This tactic is used to obtain a valid password and get access to the database."

Oracle reportedly fixed the bug in version 12 of the authentication protocol, but currently has no plans to apply the fix to its still widely used version 11.1 protocol.

Emm warned that without the patch hackers would continue to target companies using the vulnerability, adding that it was "vital" administrators take steps to reduce their exposure to attacks.

"In this case, it means using the version of the authentication protocol provided by Oracle to fix the problem and making the necessary configuration changes to only allow new versions of this protocol," said Emm.

"So a further step that administrators should take is enforce the use of strong passwords using alpha-numeric plus special characters, so even on 'vulnerable' systems it would take an attacker a long time to be able to crack a password."
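The configuration change Emm describes, restricting the server to newer versions of the logon protocol, is set in the database's sqlnet.ora. The script below is an added example (not part of the original article or any Oracle tooling) that audits a sqlnet.ora file for that setting. It assumes the parameter names SQLNET.ALLOWED_LOGON_VERSION (11g) and SQLNET.ALLOWED_LOGON_VERSION_SERVER (12c) and treats a value of 12 or 12a as hardened; check those names and the value required for your patch level against Oracle's documentation before relying on it. The two sqlnet.ora samples are constructed inline so the script runs stand-alone.

```shell
#!/bin/sh
# Added example: audit a sqlnet.ora for the minimum client logon protocol
# version. Parameter names SQLNET.ALLOWED_LOGON_VERSION (11g) and
# SQLNET.ALLOWED_LOGON_VERSION_SERVER (12c) are assumed from Oracle's
# documentation; verify against the release you run.

# Print the configured minimum logon version from a sqlnet.ora, or "unset".
logon_version_setting() {
  # $1 = path to sqlnet.ora
  # Strip '#' comments, keep the last matching parameter, return its value.
  sed -e 's/#.*//' "$1" \
    | grep -iE '^[[:space:]]*SQLNET\.ALLOWED_LOGON_VERSION(_SERVER)?[[:space:]]*=' \
    | tail -n 1 \
    | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | grep . || echo unset
}

# Return 0 when only protocol version 12 (or 12a) clients are accepted,
# 1 when older logon versions would still be allowed.
check_sqlnet_ora() {
  v=$(logon_version_setting "$1")
  case "$v" in
    12|12a) echo "$1: OK (minimum logon version $v)"; return 0 ;;
    unset)  echo "$1: WEAK (no minimum set; legacy logon versions accepted)"; return 1 ;;
    *)      echo "$1: WEAK (minimum logon version $v still permits older protocol)"; return 1 ;;
  esac
}

# Constructed sample files: one left at the permissive default, one hardened.
tmpdir=$(mktemp -d)
WEAK="$tmpdir/weak_sqlnet.ora"
HARD="$tmpdir/hardened_sqlnet.ora"
printf '%s\n' '# constructed sample: no minimum logon version, older clients accepted' \
  'SQLNET.AUTHENTICATION_SERVICES = (NTS)' > "$WEAK"
printf '%s\n' '# constructed sample: only logon protocol version 12 clients accepted' \
  'SQLNET.ALLOWED_LOGON_VERSION_SERVER = 12' > "$HARD"

# Report on both samples without aborting the script on the weak one.
for f in "$WEAK" "$HARD"; do
  check_sqlnet_ora "$f" || :
done
```

Run it against a real file with `check_sqlnet_ora /path/to/sqlnet.ora`; a non-zero exit means the server would still negotiate the older protocol versions the article describes.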

For more insight into some of the major security issues affecting businesses make sure you sign up to the V3 Security Summit taking place on Tuesday 25 September which includes high-level speakers such as Mimecast chief scientist Nathaniel Borenstein and cryptographer Bruce Schneier.

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.
