
Hackers in your Database

By Steve Callan, stevencallan@hotmail.com

Tinker, Tailor, Soldier, Spy comes to mind when the subject of database security comes up. How would you know if there was a mole in your database? A mole, in this context, is a malicious user who has altered Oracle objects to cover his tracks and, much like the mole in John le Carré's novel, stays hidden from view while doing damage to the system (or to other users). Is there a George Smiley we could call upon to root out the mole? A trusting user of Oracle, DBA or otherwise, probably shouldn't be so, well, trusting. Without extensive checking or safeguards, you really don't know how secure or locked down user access is. How easy is it to spoof the normal checks of an account's privileges? The answer is that it is a lot easier than you think. An excellent example of creating and then hiding a user was given in a presentation titled "Oracle Rootkits 2.0" at a Black Hat training conference by Alexander Kornbrust of Red Database Security GmbH. ...
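A hidden user of the kind the article describes typically survives because the administrator only ever looks at the data dictionary views (DBA_USERS, ALL_USERS), which are views over SYS.USER$ and can be redefined or shadowed. The queries below are an added illustration of the check a DBA would want, not code from Callan's article or from Kornbrust's presentation: they read the base table directly and compare it with what the view reports, then look for objects that shadow the standard views. They assume a connection as SYS (or a user with SELECT ANY DICTIONARY), and the column semantics of SYS.USER$ (TYPE# = 1 for users, 0 for roles) are those of the standard dictionary.

```sql
-- Added example, not from the original post.
-- 1. Accounts that exist in the base table but are missing from DBA_USERS.
--    In an untouched database this returns no rows; any row here means the
--    view no longer shows everything the base table holds.
SELECT u.name AS hidden_user, u.user# AS user_id, u.ctime AS created
  FROM sys.user$ u
 WHERE u.type# = 1                         -- 1 = user, 0 = role
   AND u.name NOT IN (SELECT username FROM dba_users)
 ORDER BY u.ctime;

-- 2. Objects that shadow the dictionary views by name. Only SYS should own
--    DBA_USERS / ALL_USERS, and only PUBLIC should hold synonyms for them;
--    a same-named view or synonym in another schema (SYSTEM is a classic
--    choice) resolves first for sessions in that schema.
SELECT owner, object_name, object_type, last_ddl_time
  FROM dba_objects
 WHERE object_name IN ('DBA_USERS', 'ALL_USERS', 'USER_USERS')
   AND owner NOT IN ('SYS', 'PUBLIC')
 ORDER BY owner, object_name;

-- 3. Dictionary views that were re-created after the database itself.
--    A modified DBA_USERS keeps its CREATED date from catalog creation but
--    gets a new LAST_DDL_TIME; compare against a baseline you trust.
SELECT owner, object_name, created, last_ddl_time
  FROM dba_objects
 WHERE owner = 'SYS'
   AND object_type = 'VIEW'
   AND object_name IN ('DBA_USERS', 'ALL_USERS', 'DBA_ROLE_PRIVS', 'DBA_SYS_PRIVS')
   AND last_ddl_time > created + 1;      -- more than a day after creation
```

Two caveats. First, an attacker who can replace DBA_USERS can usually also replace DBA_OBJECTS, so queries 2 and 3 are only as trustworthy as the views they read; the base-table comparison in query 1 is the one that does not depend on a view. Second, run these from a script kept outside the database and compare the results against a baseline taken at install time, rather than relying on "no rows" from a database that might already be compromised.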

Keeping Information Private with VPD

By Arup Nanda

Oracle's row-level security gives users their own virtual private databases.

Ensuring appropriate information privacy is a pressing concern for many businesses today, given privacy legislation such as the United States' HIPAA (Health Insurance Portability and Accountability Act), Gramm-Leach-Bliley Act, Sarbanes-Oxley Act, and the EU's Safe Harbour Law. Other privacy mandates, such as Visa's Cardholder Information Security Program (CISP), also require businesses to ensure that access to information is tightly controlled. Oracle has always included the ability to grant (or deny) users access to database objects, but these privileges are defined at the object level: for an entire table, not for specific rows in that table. Although that approach is sufficient for many applications, any application touching on financial, health, or other kinds of personal information usually requires more-discrete controls over access a...
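The distinction the excerpt draws, object-level GRANT versus row-level control, is easiest to see in a concrete policy. The following is an added example, not code from Nanda's article: it restricts a hypothetical HR.EMPLOYEES table (assumed to have a DEPARTMENT_ID column) so that each session sees only the rows of the department recorded in an application context. The context name DEPT_CTX, the trusted package HR.DEPT_CTX_PKG and the policy function name are all assumptions made for illustration; DBMS_RLS.ADD_POLICY, DBMS_SESSION.SET_CONTEXT and SYS_CONTEXT are the standard Oracle APIs.

```sql
-- Added example, not from the original article.
-- 1. An application context whose attributes can be set only through the
--    package named in the USING clause, so a user cannot simply assign
--    himself another department from SQL*Plus.
CREATE OR REPLACE CONTEXT dept_ctx USING hr.dept_ctx_pkg;

CREATE OR REPLACE PACKAGE hr.dept_ctx_pkg AS
  PROCEDURE set_dept(p_dept_id IN NUMBER);
END dept_ctx_pkg;
/

CREATE OR REPLACE PACKAGE BODY hr.dept_ctx_pkg AS
  PROCEDURE set_dept(p_dept_id IN NUMBER) IS
  BEGIN
    -- Assumption for the example: the department arrives as a parameter.
    -- In production it should be derived from a trusted mapping of
    -- SYS_CONTEXT('USERENV', 'SESSION_USER'), never from caller input.
    DBMS_SESSION.SET_CONTEXT('dept_ctx', 'dept_id', TO_CHAR(p_dept_id));
  END set_dept;
END dept_ctx_pkg;
/

-- 2. The policy function. Oracle calls it with the schema and object name
--    and appends the returned string as a WHERE predicate to every statement
--    the policy covers. Returning NULL or '' means "no restriction", so the
--    function denies by default when no department has been established.
CREATE OR REPLACE FUNCTION hr.emp_dept_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
  IF SYS_CONTEXT('dept_ctx', 'dept_id') IS NULL THEN
    RETURN '1 = 0';
  END IF;
  RETURN 'department_id = SYS_CONTEXT(''dept_ctx'', ''dept_id'')';
END emp_dept_policy;
/

-- 3. Attach the policy to the table. Covering DML as well as SELECT, with
--    UPDATE_CHECK enabled, also stops a user from inserting or updating a row
--    into a department he is not allowed to see.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_DEPT_POLICY',
    function_schema => 'HR',
    policy_function => 'EMP_DEPT_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/

-- 4. Check from an ordinary session that holds SELECT on HR.EMPLOYEES:
--    before set_dept is called the query returns no rows; afterwards it
--    returns only department 60, even though the object-level privilege
--    covers the whole table.
SELECT COUNT(*) FROM hr.employees;          -- 0 rows visible
EXEC hr.dept_ctx_pkg.set_dept(60);
SELECT employee_id, department_id FROM hr.employees;
```

Two things to verify after deploying a policy like this. Users connected as SYS, and any user holding the EXEMPT ACCESS POLICY system privilege, bypass VPD entirely, so audit who holds that privilege. And because the predicate is built from the context rather than from user input, the policy function never concatenates caller-supplied text into the predicate; doing so would turn the row-level control into an injection point.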