Researcher exposes new way to hack Oracle database

Security researcher David Litchfield has released technical details of a new type of attack that could give a hacker access to an Oracle database.

Called a lateral SQL injection, the attack could be used to gain database administrator privileges on an Oracle server in order to change or delete data or even install software, Litchfield said.

Litchfield first disclosed this type of attack at the Black Hat Washington conference last February, but on 24 April he published a paper with technical details.

In a SQL injection, attackers create specially crafted search terms that trick the database into running SQL commands. Previously, security experts thought that SQL injections would only work if the attacker was inputting character strings into the database, but Litchfield has shown that the attack can work using new types of data, known as date and number data types.

Litchfield's attack targets the Procedural Language/SQL programming language used by Oracle developers.

A noted database hacker, Litchfield is best known as the researcher who published details on the bug used in the 2003 SQL Slammer worm, which targeted Microsoft's SQL Server database.

Litchfield wasn't sure how widespread lateral SQL injection vulnerabilities are, but he thinks the attack could cause real damage in some scenarios.
"If you happen to be using Oracle and you write your own applications on it, then yes, you could be writing vulnerable code," he said. "The sky is not falling ... but it's certainly something that people should be made aware of."

Database programmers should review their code to be sure it is checking to make sure that all of the data it is processing is legitimate, and not injected SQL commands, he said.

Oracle did not return a call seeking comment.

Author: Robert McMillan @ www.computerworlduk.com

Read more ...

Tucson Electric Power implements Oracle SOA suite

Oracle has announced that Tucson Electric Power Company has implemented its Service-Oriented Architecture suite, a component of Oracle Fusion Middleware, to integrate its various business applications and establish new services with reusable web services.

Using Oracle Service-Oriented Architecture (SOA) suite, Tucson Electric Power Company expects to implement and integrate new applications 36% faster and reduce time spent on supporting and maintaining the system by 50%.

Oracle SOA suite helps eliminate customized application integration requirements, establishing a framework of reusable components that allow Tucson Electric Power Company to simplify integration between additional work management applications and other back office systems - eliminating the requirement for custom, 'hard wired' interfaces.

This integration allowed the organization to streamline work requests sent from Storms to Oracle Projects and to track project costs more efficiently. The Storms application enables the organization to assign field crews to restore electricity service and make repairs caused by storm damage.

Quentin Grady, senior vice president and general manager of utilities at Oracle, said: "Oracle SOA suite delivers value by empowering organizations to create new applications rapidly and establish a flexible application infrastructure that eliminates costly and time-intensive integration requirements."

Source: www.cbronline.com

Read more ...

RC 44 Cagliari Cup: BMW ORACLE Racing competes in first regatta of season

BMW ORACLE Racing competes in the team’s first competition of the 2008 season starting tomorrow at the RC 44 Cagliari Cup in Italy. Skipper Russell Coutts and team owner Larry Ellison are sharing afterguard duties in their first regatta together.

“This is Larry’s first time sailing the RC 44s and he is really enjoying it,” said BMW ORACLE Racing skipper Russell Coutts. “On our first day of training yesterday, we saw 25 knots of fresh sea breeze off the Sardinia coast. We had a great time shaking down the boat and tuning up with some practice starts and drop set maneuvers. Larry is looking forward to helming this week in both the match racing against the pro skippers and in the fleet racing events against the other owner/drivers. It’s a competitive fleet here and promises to be great racing.”

The RC 44 circuit is part of the team’s overall 2008 sailing program. Other team members on board for this regatta include Dirk de Ridder, Ross Halcrow and Brad Webb.

Six other BMW ORACLE Racing crew members are competing here this week on two other entries. James Spithill has Michele Ivaldi and Joey Newton racing with him on board Igor Lah’s RC 44. Max Sirena, Noel Drennan and Daniel Fong are sailing with Ben Ainslie with owner Patrick de Barros. BMW ORACLE Racing sailing coordinator Julien di Biase joins his teammates on board the de Barros entry.

The regatta starts Wednesday 23 April with two days of match racing followed by three days of fleet racing, concluding on Sunday 27 April.

Author: Jane Eagleson @ www.bymnews.com

Read more ...