David Litchfield put on a great presentation, despite conditions that would have made lesser speakers cry. The audio was so terrible that at one point he decided to convey his message through interpretive dance. I suppose poor audio setup is one price you pay for being speaker number 1 at a 2-day con.
Litchfield presented a new technique of SQL inference that shows some serious promise. By making properly formed but horribly flawed SQL requests, you can slowly read through the DB back end of SQL-injection-prone web apps.
His syntax examples started out pretty straightforward and seemingly easy to replicate - then they started getting freakishly cool - then when he hit Informix my eyes started to really hurt.
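The inference technique above only works when untrusted input can change the structure of the query the app sends to the database. The following example is added here and is not from the original post or from Litchfield's talk; it uses a constructed in-memory SQLite table to show the string-concatenated query that an inference attack feeds on next to the parameterized form that removes the problem. Table, column and function names are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample database (not from the original post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # Untrusted input is concatenated straight into the statement, so the input
    # can alter the query itself. The differing results and error conditions this
    # produces are exactly the observable an inference attack reads from.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # The driver sends the value separately from the statement text, so the
    # input is always treated as data and can never change the query structure.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on a fresh database for the same input.

    Returns (vulnerable_result, parameterized_result). A database error raised
    by the vulnerable path is reported as the string "error", since a change in
    error behaviour is as useful to an inference attack as a change in rows.
    """
    conn = make_db()
    try:
        vuln = lookup_vulnerable(conn, name)
    except sqlite3.Error:
        vuln = "error"
    safe = lookup_parameterized(conn, name)
    conn.close()
    return vuln, safe


if __name__ == "__main__":
    for probe in ("bob", "o'brien", "bob' OR '1'='1"):
        print(repr(probe), "->", compare(probe))
```

The benign lookup behaves the same on both paths. An apostrophe in the name makes the concatenated query fail to parse while the parameterized one simply returns no match, and an input carrying extra SQL widens the concatenated query to every row while the parameterized one again returns nothing. Each of those differences is a signal an inference technique can use; parameterization removes the signal at the source.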
The 2nd presentation he did was about how completely shit Oracle security and software support is. When it comes right down to it, he called them on being completely incompetent at providing even token support for their high-rolling customers. As I see it, Oracle has some completely delusional perception of where it stands in the IT realm and why it has such godlike status. Oracle provides some pretty high-priced and high-performance database software - good for them. They also have a scheduled security update policy that will deliver the most timely and efficient protection to their subscribers - good for them. Well, having spent several days of my life installing their high-end software, and another day obtaining and installing their patches, I really enjoyed Litchfield pointing out how completely half-assed their security patches really were. Update 68 stands as a benchmark in the field of security updates gone wrong. Oracle has been repeatedly criticized for downplaying the severity of this pseudo-service pack. Update 68 has files that have to be copied by hand, scripts that need to be executed individually, and then, to top it off, most of the time parts of it fail! Verifying that you are now safe and fully patched is almost impossible.
Seeing as how most of the vulnerabilities that Oracle patches quarterly are discovered by Mr. Litchfield, they might as well just let him create the security patch himself and be done with it. Oracle's arrogant attitude towards the world makes it almost poetic when thousands of people flock to the city of sin just to point and laugh at them.