Monthly Archives: November 2013

% ANY % privileges and other excessive privileges

Suppose you are a security-minded Oracle DBA and one day a project knocks on your door. They have an application and to run it on an Oracle 11g R2 database, their application user needs a list of 76 database privileges … Continue reading

Posted in Oracle security

Mining the log writer trace

A while ago I wrote about ridiculous log writer waits I have encountered. It turned out to have something to do with caching issues in our storage virtualization implementation. Unfortunately I don’t know the exact details. Storage still has secrets … Continue reading

Posted in Oracle performance tuning | 5 Comments

sql_sql_id_html.sql version 1.4

[Update]: there is now a non-Diagnostics Pack version here. [Update]: version 1.6 is now out. More on this blogpost. A colleague pointed out that sql_sql_id_html.sql doesn’t show binds with the timestamp data type. It turns out that for bind variables with … Continue reading

Posted in Oracle performance tuning, Oracle scripts

The incredible speed of dictionary attacks in password cracking

As I wrote last week, I did an Oracle database hacking training. One of the exercises was to get password hashes from sys.user$ (in 10g and before: dba_users) and brute force crack the password with woraauthbf 0.22. In the database … Continue reading

Posted in Oracle security | 1 Comment

Version 1.3 of sql_sql_id_html.sql and a new script: stats_sql_id_html.sql

[Update]: there is now a non-Diagnostics Pack version here. [Update]: version 1.6 is now out. More on this blogpost. Two weeks ago I was asked to help solve urgent performance problems on a large database. What SQL statement caused the … Continue reading

Posted in Oracle performance tuning | 1 Comment

“Put the NSA in your CC” day?

So by now we know everybody is reading our mail and other communications: the NSA, the British, the Dutch are tapping 10x as much on us Dutch citizens as any other country and I’m guessing 40 other countries are keeping … Continue reading

Posted in Oracle security

Having a ball with the hacking training

Today I did my third out of four database hacking sessions at work and I have to say it again was a lot of fun. It sure did raise security awareness. My training of four hours consists of the following … Continue reading

Posted in Oracle security | 1 Comment