Cloud Computing, Enterprise, Technology Security

Microsoft, Oracle – this is NOT how to sell a secure service

The Black Hat conference is always a source of fun. After all it is a time when the big names get their little secrets exposed. This time around Apple was pretty much embarrassed as several flaws in hardware and software were exposed.

The same thing can be said with issues over on Microsoft?s side of the house. Of course Microsoft has never publicly advertised that they are not vulnerable to attacks and viruses but that is another story.

No, what I found funny this time was a small talk about Oracle. What makes it funny for me was that this was sent to me after a conference call with Oracle. At the time I expressed my concerns for security using Oracle products especially cloud based products. I was pretty much cut off and told that Oracle was extremely secure. It was used by governments and banks. They had secure facilities, and required security clearances.

I wanted to laugh; it was comical the way the sales rep was expounding on the security of Oracle and their Data Center.

It was not until a link to the Black Hat conference was sent my way that I actually did laugh. Here is the quote from the presentation on Oracle.

"Breaking the "Unbreakable" Oracle with Metasploit

Chris Gates Member of the Metasploit Project
Mario Ceballos Developer for the Metasploit Project

Over the years there have been tons of Oracle exploits, SQL Injection vulnerabilities, and post exploitation tricks and tools that had no order, methodology, or standardization, mainly just random .sql files. Additionally, none of the publicly available Pentest Frameworks have the ability to leverage built-in package SQL Injection vulnerabilities for privilege escalation, data extraction, or getting operating system access. In this presentation we are going to present an Oracle Pentesting Methodology and give you all the tools to break the "unbreakable" Oracle as Metasploit auxiliary modules. We’ve created your version and SID enumeration modules, account bruteforcing modules, ported all the public (and not so public) Oracle SQL Injection vulnerabilities into SQLI modules (with IDS evasion examples for 10g/11g), modules for OS interaction, and modules for automating some of our post exploitation tasks."

Now I am sure you see the funny part here. This little piece was the icing on the cake of just how funny the words "secure OS", "malware protection" and of course "data security" are.

Let?s, just for fun, break this down.

First funny item – Pointing to Banks as a source.
Wow this is a big one; anyone familiar with any type of security knows that, in general, banks are extremely vulnerable. Bank of America has been hacked countless times and just about every major credit card company has had data breaches. So telling me that the all too often hacked banks use your products and security is not a wise move.

Second funny item – Saying Governmental agencies use your products.
Another major mistake for anyone with half a brain and the ability to read. NASA, the Pentagon, The FBI, and a long list of other government agencies have also been hacked and experienced data breaches.  If you doubt me just do a quick search and see how many times just this year alone the US government has been hacked.

Third Funny Thing – Stating that you have high security clearances.
Hmmm, again this is for those that have a room temperature IQ. A quick look back in history will show that many people who had high security clearances have broken that trust. Sometimes due to money, sometimes due to a personal dislike of the current government, but whatever the reason they break that trust. After all it is not a low clearance official that has the good information; it is the ones with a top level clearance. Those people are the ones at risk for compromise. Speaking as a former Intelligence Analyst, your fish were often low ranking in order to get to and compromise the higher ranking people with the access to better information. So sorry this one will not cut it either. Especially in tough economic times, when someone might be more willing to take a payment to ensure their mortgage gets paid.

Fourth Funny thing – Saying your OS and products are secure.
There is nothing that is secure, it does not exist. There is security, proactive and passive. They are a front line defense against intrusion. But no method [other than completely disconnecting from external networks] will completely protect you from intrusion. Sure you can hide and try to maintain as low of a profile as possible but how can you do that when your whole business model is ease of access? A Data Center like the one Oracle was bragging about is a HUGE target. When I asked how many attacks per day they have, all I received was silence. Now given that there are ?tons of Oracle exploits? that is a scary thing. All it takes is one overlooked exploit to cause a catastrophic data breach. Just look at what happened to Network Solutions. This is even more concerning with Cloud Computing, the risks there are extreme. The fact that a major breach has not happened is only because it is still in its infancy and not in widely spread usage. But the recent Google Apps breach shows it is very possible.

So all this put together had me laughing at how absurd the claims of security, protection and every other sales pitch used by software companies are. If you want to impress me in the future don?t try to tell me how secure you are. Tell me about how you respond to threats and breaches. Because those threats are there every day, even the average home user gets port scanned about once every week. Businesses get it more often, and someone that has a major presence on the net probably gets them multiple times a minute.

The same thing goes for the software shoveled out to us; do not brag that you are the most secure, or that you are immune to this or that.

Instead tell us how you respond the threats and vulnerabilities that WILL pop up. After all the more you claim to be secure or safe, the more people will go out and get viruses and other malware because they trust what you say. They still believe there is truth in advertising. But I hate to break this to everyone; despite there being laws against false advertising it happens every day and from just about every company escpecially when it comes to IT and technology.

The author of this article is a decorated former US Military Engineer with more than 20 years experience in the Intelligence, Security and Information Technology fields in both civilian and military service.