Bug hunter David Litchfield says the Oracle community shouldn't be so smug when it comes to database security. He represents NGS Software, which has serviced Oracle in the past and Microsoft at present.
Litchfield, a noted bug hunter, has made it his mission to tell the world that database software is insecure -- Oracle's database software in particular. Litchfield has been vocal in his criticism of Oracle, even calling for the resignation of Oracle Chief Security Officer Mary Ann Davidson.
For too long, Oracle and its customers have stuck their heads in the sand when it comes to security, according to Litchfield. And Oracle has taken the wrong approach to address mounting security concerns, he argues.
Litchfield, co-founder of Next Generation Security Software in the UK, is on a crusade. In January he published The Oracle Hacker's Handbook. The book, according to its cover, offers readers a complete arsenal to assess and defend Oracle systems.
While dissing Oracle, Litchfield is cheerleading for Microsoft. He has publicly stated that SQL Server 2005, the latest version of Microsoft's database software, is secure. This statement must hurt at Oracle, a Microsoft arch rival, which has already seen a significant piece of the database market go to the Redmond, Washington-based software giant.
At last week's Black Hat DC event, Litchfield discussed a new attack technique that increases the severity of certain vulnerabilities in Oracle's database software. He sat down with ZDNet Australia sister site CNET News.com at the event to explain why such disclosures are necessary.
Q: Why are you into database security? There's so much other software out there.
Litchfield: Because that's where the crown jewels are for any organisation. Every organisation on this planet has a database and that's where the lifeblood of that organisation exists. Where better to secure it than at the source. We can secure it at the perimeter, but with vulnerabilities like SQL injection, that security is completely undone.
Despite having a firewall, despite having the Web server locked down, an SQL injection flaw in your Web app takes us all the way through to the back end of the database server. If that database is not using the principle of least privilege or is not fully patched, then we can gain full access to the database server and suck out all your data. The database has to be secured. The problem is that nobody has ever really dealt with the back end until recently. It has always been about securing the perimeter.
Lately you have especially been looking closely at Oracle's databases. Is there a specific reason that you're looking at Oracle more than Microsoft or IBM?
Litchfield: Yes. SQL Server 2005 is secure. [Microsoft has] solved the problem. Oracle is in the process of solving that problem. IBM, I have looked at DB2 and Informix and sent them a bunch of bugs, probably about 50, ranging from buffer overflows to privilege escalation issues. But IBM's security response was mature. In the most recent past, the Oracle security response was not so mature. They have been combative, as opposed to: "This guy is just trying to make our products more secure." But it is getting better. Oracle is beginning to understand that we're fighting on the same side, just from different perspectives.
When a vendor like Oracle becomes more combative, you become more combative as well?
Litchfield: I will. It is unfortunate that it happens that way, but if you have to defend yourself, then you should defend yourself. I would rather be working, like I do with Microsoft and IBM, with their security response team. We've got good relationships with Microsoft and IBM. What better way to get things done than have a good relationship, as opposed to sniping at each other from the gutter.
My relationship has gotten slightly better with Oracle, and they understand that it's not so much a battle of wills. I'm trying to make them aware of these problems in their database because it affects me indirectly. If someone breaks into that database server and steals my information, then I'm paying for it, not Oracle.
Some might think that it's some sort of an extortion game that's being played.
Litchfield: I've never asked Oracle for money. If people think that, they are ill-informed.
And Microsoft doesn't pay you to say SQL Server 2005 is secure.
Litchfield: I'm not being paid by Microsoft to say they're secure, and if anyone is going find a bug in SQL Server 2005, it better be me. It would undermine my ability to be able to say in the future that a product is secure if bugs are found by anyone else. So, if there are bugs in SQL Server 2005, I hope I'm the one who finds them, and I'm looking.
4%
4%
