Saturday, January 28, 2006

Kung Hei Fatt Choy

Happy Chinese New Year...the year of the dog. I would guess that most folks have followed the debate between David Litchfield and Oracle. It's a shame, really. I don't like the fact that security researchers are releasing details of vulnerabilities immediately after a patch release, much less before they are fixed.

Yeah, I know the logic behind it and that the hard-core hackers already know about the vulnerabilities, etc. The fact remains that the customers (like my employer) are at risk and will be at greater risk now that it is guaranteed that every hacker and lackey knows about the vulnerability. What is this about Alex K releasing a version 2.0 of his rootkit where
"The new version will allow attackers to disguise malicious elements without modifying the database views, Kornbrust said. Also, evidence of the hack will disappear whenever the database is restarted, Kornbrust said."
Okay, what is the purpose of the rootkit, then? This is akin to saying that you are designing a tool (not for the sole purpose of destroying or killing someone) but never put in the necessary safeguards to ensure that the tool cannot be misused by accident (at least guns have safety locks that have to be disengaged before they can be fired). Can my employer sue Red Database Security if the rootkit was utilized by a hacker to cover their tracks after setting up backdoors and a data logger?

Edited: Feb 2/06
As RN pointed out in his comment, I had misunderstood the nature of a rootkit. My apologies and my thanks to RN. I've edited the entry to clarify what I really meant to say. My original statement was "Can my employer sue Red Database Security if the rootkit was utilized by someone to hack into their databases?" which was totally incorrect as the nature of a rootkit

2 comments:

Bill S. said...

I am having a hard time figuring out what the distinction is between people who develop hacking "tools" and hackers themselves. I don't get it, why does anyone think this is going to help a vendor make their product bulletproof? All it does is make it harder for those I/T folks charged with security to get things done. They spend all their time patching and just when there is light at the end of the tunnel, someone shuts off the light!

Anonymous said...

Peter,

it seems you don't understand what a rootkit is. A rootkit itself never "hacks" a database. It's just a kind of camouflage, nothing else.

A rootkit is installed AFTER your database or operating system was hacked. Databases are hacked because the database software (like Oracle) is insecure and/or the configuration is insecure.

Can you or your employer sue Oracle because they fixed the DB18 bug which allows every (!) user in every database (8-10g Rel.2) to become DBA so late (After several years open to ANY hacker CPU January 2006)?

BTW, an exploit for DB18 is available here:
www.adp-gmbh.ch/blog/2006/01/24.php
Security researchers help to make software more secure (in the long run). Large vendors are too lazy and too stingy to search for security bugs.

Cheers
R.N.