Sunday, May 28, 2006

Project Lockdown - Phased approach to securing your Oracle environment

Arup Nanda has written a four-part paper on securing your Oracle environment using a phased approach. Project Lockdown, as it is called, is available on OTN. I have not yet finished going through all four parts, but so far it is a pretty good write-up, although there are sections that I thought Arup could expand a little more and some that I don't totally agree with.

For example, the section on changing default passwords and on how Oracle maintains passwords could be expanded to cover the fact that the username and the cleartext password are concatenated as the input to the one-way hash, so that if you set the SYS password to TEMMANAGER you get exactly the stored value for the default SYSTEM password (MANAGER). I also don't agree with limiting the SYSDBA login as suggested. I think a better way is to force the DBAs to have individual accounts and to su to the oracle OS account. The SYS and SYSTEM database accounts can then be secured by setting the stored password value to a constant string that the hashing algorithm can never produce. I talked about this in my previous post.
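The concatenation property can be checked on a test database without touching SYS at all. The SQL*Plus session below is an added illustration, not part of the original post or of Arup's paper; it assumes a 10g-era (pre-11g) database, where DBA_USERS.PASSWORD exposes the hash of UPPER(username || password), and it uses two hypothetical throwaway accounts, ALICE and ALICEBOB, whose hash inputs are the same string.

```sql
-- Added example, not from the original post. Assumes a pre-11g database
-- where DBA_USERS.PASSWORD shows the 16-hex-digit hash computed over
-- UPPER(username) || UPPER(password). ALICE and ALICEBOB are hypothetical
-- throwaway accounts created only for this check; drop them afterwards.

-- Both accounts hash the same input string: 'ALICEBOBSECRET'.
CREATE USER alice    IDENTIFIED BY bobsecret;
CREATE USER alicebob IDENTIFIED BY secret;

SELECT username, password
  FROM dba_users
 WHERE username IN ('ALICE', 'ALICEBOB');
-- Expect two rows carrying an identical PASSWORD value.

-- The same property ties the two built-in accounts together:
-- 'SYS' || 'TEMMANAGER' and 'SYSTEM' || 'MANAGER' are the same string,
-- so a SYS hash equal to the well-known default SYSTEM/MANAGER hash gives
-- away the SYS password with no cracking needed.

-- Clean up the throwaway accounts.
DROP USER alice;
DROP USER alicebob;
```

The practical lesson is that a hash comparison between two different usernames is meaningful only after accounting for the username prefix, and that the defaults (SYS/CHANGE_ON_INSTALL, SYSTEM/MANAGER) must be changed to values that are not simply a shifted copy of each other.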

Anyhow, what I wanted to point out in this entry is that the article is worth the read; a lot of the suggestions are very good and should be followed wherever possible, according to your organization's needs and requirements.

A couple of good sites include Pete Finnigan's and the Center for Internet Security.

Friday, May 19, 2006

SYS and SYSTEM user accounts

For those of you who are Oracle DBAs (in fact, anyone who deals with the Oracle RDBMS), you know that by default the SYS and SYSTEM accounts are created when a database is created. You know (or should know) too that Oracle Corp recommends that these accounts not be used for daily administrative tasks:
"It is suggested that you create at least one additional administrator user, and grant that user the DBA role, to use when performing daily administrative tasks. It is recommended that you do not use SYS and SYSTEM for these purposes."

The other part is to secure SYS and SYSTEM so that no one can use these accounts without first having to change their passwords (which leaves a trace). The accounts can be secured by overwriting the stored password hash with a value that no cleartext credential can hash to, using the undocumented syntax ALTER USER user IDENTIFIED BY VALUES 'hash'. For example, ALTER USER SYSTEM IDENTIFIED BY VALUES 'unbreakable' stores the literal string "unbreakable" in place of the hash. Since the hashing algorithm only ever produces 16 hexadecimal characters, no login credential will ever match, which effectively defeats brute-force password guessing. Two caveats: anyone holding ALTER USER (including every account with the DBA role) can still reset the password, so record the original hashes and audit those grants; and an operating-system-authenticated connection (connect / as sysdba by a member of the OSDBA group) never consults the stored password at all, so this protects the database password, not the OS account.
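The following SQL*Plus session is an added example of the lock-down procedure, not code from the original post. It assumes a 10g-era database where DBA_USERS.PASSWORD still shows the hash (on 11g and later the column is blank and the hash has to be read from SYS.USER$), and it is meant to be run from an individually assigned DBA-role account rather than from SYS or SYSTEM.

```sql
-- Added example, not from the original post. Assumes a pre-11g database
-- where DBA_USERS.PASSWORD holds the 16-hex-digit password hash. Run as a
-- personal DBA-role account, not as SYS or SYSTEM.

-- 1. Record the current hashes first: they are the only way to restore the
--    old passwords later without knowing them. Keep this output somewhere safe.
SELECT username, password, account_status
  FROM dba_users
 WHERE username IN ('SYS', 'SYSTEM');

-- 2. Overwrite the stored hashes with a value no credential can hash to.
--    The real hash is always 16 hex digits, so a plain word never matches.
ALTER USER system IDENTIFIED BY VALUES 'unbreakable';
ALTER USER sys    IDENTIFIED BY VALUES 'unbreakable';

-- 3. Verify, then check who could quietly undo the change: every holder of
--    ALTER USER or of the DBA role can reset these passwords again.
SELECT username, password
  FROM dba_users
 WHERE username IN ('SYS', 'SYSTEM');

SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA';
SELECT grantee FROM dba_sys_privs  WHERE privilege    = 'ALTER USER';

-- 4. When SYS or SYSTEM is genuinely needed, put the saved hash back rather
--    than inventing a new password; replace the placeholder with the value
--    recorded in step 1.
-- ALTER USER system IDENTIFIED BY VALUES '<hash recorded in step 1>';
```

Two things to check in your own environment: remote SYSDBA connections authenticate against the password file rather than the data dictionary, so confirm how the password file behaves after the change; and OS-authenticated local connections (connect / as sysdba) are unaffected, which is exactly why the OSDBA group membership on the server must be limited to the DBAs' individual accounts.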

Now, I am curious to know how many organizations are actually following Oracle's recommendations by issuing individual DBA accounts and securing the SYS and SYSTEM accounts. I have had discussions with one of my DBAs on these very issues, where he insisted that it is almost a daily occurrence that he has to be logged in as SYSTEM to do his work. My counter-argument was (and still is) that SYS and SYSTEM should only be required when there is reconfiguration work to be done for which the DBA role does not have the required privileges.

As of today, we are still no further ahead with implementing individual DBA accounts, but my plan is to push ahead with the change, knowing that there will be times when it means some additional steps for my DBA to get certain things done.

Saturday, May 13, 2006

A tribute to Cecilia Zhang

Pic of Cecilia Zhang

Haven't blogged for a long while as I've been pretty busy and actually needed some down time after work. Anyhow, I just wanted to pay tribute to Cecilia Zhang. Cecilia Zhang was a 9-year-old Toronto girl who was murdered over two years ago. She was taken from her home (from her bedroom, in the middle of the night) by a very selfish young man who wanted to ransom her for $25K in order to pay for a sham marriage so that he could continue to stay in Canada instead of returning to China after doing poorly in his studies. He has pleaded guilty to second-degree murder, which carries an automatic life sentence, and has since been sentenced with no parole eligibility for 15 years, so he will be 38 years old before he can apply for parole. So much for not wanting to lose face.

As a tribute, I'm re-posting Sherry Xu's victim impact statement from the young man's sentencing hearing. I can only say that I cried and held my kids tight after reading it.

My name is Sherry Xu. I was born in China. After my marriage to Raymond Zhang, a beloved daughter was born to us on March 30, 1994 and we named her Dongyue Zhang. Her English name was Cecilia.

I understand that this video recording is very important. I need to tell the judge and all those present how we spent the 161 days and nights since our daughter disappeared and until we discovered she was killed; that's how long Oct. 20, the day Cecilia was taken, is till March 27, the day Cecilia was found: 161 days. From that horrible discovery until today, how we spent these 720 days and nights, that's how many days it's been from March 27, the day Cecilia was found, until today: 720 days and nights, and how our family sank into a deep abyss. But please forgive me; I am unable to do this.

Here is where Sherry broke down and wept before gathering herself to continue.

I am unwilling to talk about my pain; unwilling, because even being misunderstood, mistrusted, and slandered is nothing. What kind of pain can compare with the agony of facing death? Cecilia can no longer speak. Who can tell me what kind of pain she had endured? Who can tell me? Cecilia was only nine years old, but she had to face murder totally alone. As a mother, I gave birth to her, but I was unable to protect her, so what face do I have to talk about my own pain? I cannot.

I am unwilling to talk about my pain. I cannot tell the whole world my agony, and allow my beloved family and friends to experience once more the sadness my suffering has brought them. I have lost my only flesh and blood, and her departure has hurt all the hearts of those who loved her; there has been too much suffering in this extended loving family. I can no longer withstand the tears and sobbing of the elderly grandparents, I cannot bear the looks of older brothers and sisters that are filled with sadness and pity. I am fully convinced that happiness can be shared, but pain can only be borne in silence. I am reluctant for my relatives to suffer again, and I cannot bear to watch the sorrow of my beloved and loving relatives. I cannot ever bear to talk about my feelings about Cecilia with my husband, who is the most intimate person that I have in this world. Neither of us had any will left to live after talking about it once in 2004. Therefore, I cannot talk about my pain, because I have no strength left to bear the consequences of being so open.

I only want to say a few words for Cecilia. Spring has arrived. Looking at nature springing back to life, the lovely green lawns and beautiful flowers, kids playing on the lawn; where is my Cecilia, where is she? She can no longer hold my hand, singing children's tunes, the way we used to do as we went home after school. She can no longer run and laugh on the grass; but forever separated from all the wonderful things in this world. Where is she? She is lying in a cold grave, the warmth of spring cannot awaken her; and yet, how she loved life!

In her homework "My Wishes" that she left behind, she told me she loved her school so much that she wished her classroom would appear in her bedroom. But she can no longer go to school, and cannot play with her friends. She loved nature so much, she wished for all the animals to become her friends; she wished that human beings could create their own meat for food without killing animals; but the irony is that she herself was cruelly killed by her fellow "human" kind in order to fulfill his greedy desire. She wished the world would be filled with love and equality, and wished that there would be no more killings. But her own right to live in this world was snatched from her. She was only nine years old, nine years old; what kind of life was this?

I did not see her remains, as I was advised it was best not to look at them. She was abandoned in the wilderness by her murderer and was covered by snow for 161 days. It was the howling of a wolf that called the attention of the neighbours and led to her discovery three days before her birthday. And on that very day, we were waiting for the police and some impostors of the kidnapping to make an exchange; we were fantasizing in vain that on her birthday, she could be returned to our embrace. How cruel is the human heart!

The last I saw of Cecilia was her pair of footprints. A pair of footprints. Pain cannot be conveyed by words. All these cannot be simply expressed by the word "pain".

Cecilia will never come back; she's gone forever. For me, I hope that what people will remember from the trial is her smile, her love and fervent wishes for life and this world; and I wish that no more mothers will lose their children, and hope that there will be no more killers of children. Mothers share the same tears. What in this world can equal life? A mere nine-year-old, a life that is full of love; a sweet and wise life; a fragile and innocent life. How many years of imprisonment must a killer serve in order to be equal to that???

Sherry then ended her statement with a poem that she had written for Cecilia in the hope that she would be found and returned before her 10th birthday. Cecilia was the only child of Raymond Zhang and Sherry Xu, and as a parent of young children, I cannot imagine the horror, fear and helplessness that the Zhangs went through and are still going through. My prayers are with them, and my best wishes for them as they struggle to get through this very tragic event in their lives.