Pete Finnigan

Pete Finnigan's weblog is the only weblog dedicated to Oracle security.

Should We Security Patch Oracle Databases?

Mon, 2021-07-12 22:46
Spoiler: Of course! Security patching of Oracle databases can be a touchy and complex subject for some companies. It is perceived to be complex; companies don’t want the downtime; business is worried that a security patch can break the applications....[Read More]

Posted by Pete On 12/07/21 At 03:33 PM

Categories: Security Blogs

Unwrapping PL/SQL Source Code and Proving the Code is Recovered

Tue, 2021-07-06 20:06
We get asked by people if we can recover customers' PL/SQL quite a few times a year. This is because they no longer have access to the original clear text PL/SQL. We can of course get this code back for....[Read More]

Posted by Pete On 06/07/21 At 04:00 PM

Categories: Security Blogs

Redo Log Endian and Magic Number

Thu, 2021-06-24 14:46
It has been a while since the last blog post. I had intended to post more since earlier this year but due to ill health with covid in January and February and now heavy business load we have had little....[Read More]

Posted by Pete On 24/06/21 At 02:15 PM

Categories: Security Blogs

Oracle Security Training Presentations

Tue, 2021-03-16 14:46
Why not make good use of your stay at home time and get excellent very cost effective training in all areas of securing data in your Oracle databases. I have just made live a new set of training dates on....[Read More]

Posted by Pete On 16/03/21 At 02:51 PM

Categories: Security Blogs

Happy 18th Birthday Limited

Wed, 2021-02-17 02:06
It has been an eventful year last year and 2021 started a bit strange due to lockdown. Last Friday our company Limited came of age; it was 18 years old. Wow, it has been a long and interesting journey....[Read More]

Posted by Pete On 16/02/21 At 02:43 PM

Categories: Security Blogs

TCPS Connection With an Oracle Instant Client

Fri, 2020-11-27 09:46
All of our products (PFCLScan, PFCLCode, PFCLObfuscate and can use an Oracle instant client to connect to the target database(s) or even a full client. It is of course simpler to use an instant client if....[Read More]

Posted by Pete On 27/11/20 At 03:56 PM

Categories: Security Blogs

PL/SQL, AST, DIANA, Attributes and IDL

Tue, 2020-04-07 01:06
I have been wanting to write a detailed post about this subject for a very long time and indeed I have had some notes and screen dumps for some of this for more than 15 years for some parts of....[Read More]

Posted by Pete On 06/04/20 At 08:57 PM

Categories: Security Blogs

PL/SQL Machine Code Trace - event 10928

Thu, 2020-04-02 11:06
I have had an interest in PL/SQL for more around 25 years. I have always liked this great language as it's powerful and simple and a great tool for writing code in the database. I wrote my very first PL/SQL....[Read More]

Posted by Pete On 02/04/20 At 01:33 PM

Categories: Security Blogs

Be Careful of What You Include In SQL*Net Security Banners

Wed, 2020-04-01 16:46
A short post today to add a little to the post I made the other day. In that post Add A SQL*Net Security Banner And Audit Notice I talked about using the sqlnet.ora parameters SEC_USER_AUDIT_ACTION_BANNER and SEC_USER_UNAUTHORIZED_ACCESS_BANNER to add security....[Read More]

Posted by Pete On 01/04/20 At 11:50 AM

Categories: Security Blogs

Oracles Free TNS Firewall - VALIDNODE_CHECKING

Tue, 2020-03-31 22:26
I said in a post a couple of days ago that my overall plan to secure an Oracle database; actually my plan is to secure the data in an Oracle database not blindly just secure Oracle. We must focus on....[Read More]

Posted by Pete On 31/03/20 At 12:26 PM

Categories: Security Blogs

Add A SQL*Net Security Banner And Audit Notice

Mon, 2020-03-30 09:46
I would have to say whilst I see security banners on customers' Unix boxes when I am allowed to log in as part of a security audit I cannot ever remember seeing a security banner when I log into a....[Read More]

Posted by Pete On 30/03/20 At 02:02 PM

Categories: Security Blogs

ORA-28050 - Can I drop the SYSTEM User?

Sat, 2020-03-28 02:46
Two things most annoy me with the Oracle database in terms of securing it and this is the abundance of default users in most Oracle databases that I perform security audits on and also the massive amount of PUBLIC grants....[Read More]

Posted by Pete On 27/03/20 At 06:11 PM

Categories: Security Blogs

Setting Users Impossible Passwords BY VALUES and Schema Only Accounts

Thu, 2020-03-26 14:06
I plan to try and write some Oracle security based blog posts whilst working from home. These promises when I have made them in the past usually end up not coming true due to other work and things getting more....[Read More]

Posted by Pete On 26/03/20 At 02:38 PM

Categories: Security Blogs

CoronaVirus - We are Still Open

Wed, 2020-03-25 19:46
Everyone must now be affected in some way about coronavirus. We had an inkling that Boris Johnson and his government would enact a more severe lock down in the UK. So in anticipation I decided on Monday that we needed....[Read More]

Posted by Pete On 25/03/20 At 01:27 PM

Categories: Security Blogs

XS$NULL - Can we login to it and does it really have no privileges?

Tue, 2020-02-18 15:11
I have read on line about XS$NULL over the years and particularly the documentation that states that it has no privileges. The documentation states the following: An internal account that represents the absence of a user in a session. Because....[Read More]

Posted by Pete On 17/02/20 At 01:09 PM

Categories: Security Blogs

Bug Bounty

Tue, 2020-02-11 18:04
There has been a rise in bug bounty programs and websites that help researchers find and disclose bugs to website and other owners with the hope of a payout from the owner of the vulnerable websites. Some big well known....[Read More]

Posted by Pete On 11/02/20 At 10:09 AM

Categories: Security Blogs

PL/SQL That is not DEFINER or INVOKER rights - BUG?

Sat, 2020-02-01 12:01
Note: Part 2 - PL/SQL Package with no DEFINER or INVOKER rights - Part 2 is available that takes this investigation further. I always understood that PL/SQL objects in the database that are not explicitly changed to INVOKER rights....[Read More]

Posted by Pete On 24/01/20 At 03:19 PM

Categories: Security Blogs

PL/SQL Package with no DEFINER or INVOKER rights - Part 2

Sat, 2020-02-01 12:01
I posted about a discovery I made whilst testing for an issue in our PL/SQL code analyser checks in PFCLScan last week as I discovered that the AUTHID column in DBA_PROCEDURES or ALL_PROCEDURES or USER_PROCEDURES can be NULL; this caused....[Read More]

Posted by Pete On 28/01/20 At 03:11 PM

Categories: Security Blogs

Installing Oracle 19c on Linux

Sat, 2019-12-07 20:53
I needed to create a new 19c install yesterday for a test of some customer software and whilst I love Oracle products I have to say that installing the software and database has never been issue free and simple over....[Read More]

Posted by Pete On 06/12/19 At 04:27 PM

Categories: Security Blogs

Oracle Security Training Manuals for Sale

Wed, 2019-11-20 20:50
We have one set of Manuals for the recent training we held here in York and one from 2018. These can be bought as individual books as follows: This manual is from the York class in October 2019 and can....[Read More]

Posted by Pete On 19/11/19 At 03:05 PM

Categories: Security Blogs