The best way to gain security awareness is to learn to hack

One of our managers at my former employer was not amused. You might say he was appalled. I had written a post on our company blog (in Dutch) about how to use the Java exploit in the Oracle database, recently shown by David Litchfield in 2010. This manager was very sure our customers would not understand my point of view, and that I was spreading this danger to everyone who wanted to know. My point was: if DBAs know what dangers are lurking around their (unpatched) Oracle databases, they might understand why patching and least-privilege policies are necessary.

At that time I was thinking, “then you might not want to know about my next project”. I was working on a hacking course for DBAs. The year before, some of our managers had asked me to do a session about Oracle security. Four students turned up. But as I started telling them about security measures, I quickly found out they didn’t know why all these measures were actually necessary. I thought a security awareness session would be more useful. But how do you sell a security awareness training to paying customers? Would you go to such a session, knowing it would come out of your training budget?

I came up with a course called “Hack Your Own Database”. It was a one-day workshop in which students got an overview of hacking methods that might be used to attack a badly protected Oracle database: SQL injection, port scanning, abuse of excessive privileges and access to the OS, and of course that Java exploit. Luckily most managers thought it would be okay to teach this. Invitations were sent to our customers.

Business-wise it was a great success. I did the session four times with 40 students in total. What I liked about it was that it had the effect I hoped it would. Already during lunch I often heard colleagues from the same company, who did this training together, talk about what they would check first the next day. Best of all, I rarely had to explain anymore why you had to take these (often time-consuming) security measures. Students were now very aware of the dangers of database hacking.

Database security in general used to be a worry I always had, because I knew what was possible if a database wasn’t properly protected. Now 40 students knew, and hopefully they have spread the word. I’m almost sure most of them did. That was why this course was so appealing: it wasn’t just that hacking is fun. It is. But a lot of DBAs have no real, honest idea why they should add these security tasks to their already busy schedule. The course answered a big unanswered question that none dared or bothered to ask.

And the manager my story began with? He later moved to another company, but I heard afterwards that he had said he was wrong about the hacking issue, and he congratulated us on the success.

