Pete Finnigan

PeteFinnigan.com's weblog is the only weblog dedicated to Oracle security.

PL/SQL, AST, DIANA, Attributes and IDL

Tue, 2020-04-07 01:06
I have been wanting to write a detailed post about this subject for a very long time and indeed I have had some notes and screen dumps for some of this for more than 15 years for some parts of....[Read More]

Posted by Pete On 06/04/20 At 08:57 PM

Categories: Security Blogs

PL/SQL Machine Code Trace - event 10928

Thu, 2020-04-02 11:06
I have had an interest in PL/SQL for more around 25 years. I have always liked this great language as it's powerful and simple and a great tool for writing code in the database. I wrote my very first PL/SQL....[Read More]

Posted by Pete On 02/04/20 At 01:33 PM

Categories: Security Blogs

Be Careful of What You Include In SQL*Net Security Banners

Wed, 2020-04-01 16:46
A short post today to add a little to the post I made the other day. In that post Add A SQL*Net Security Banner And Audit Notice I talked about using the sqlnet.ora parameters SEC_USER_AUDIT_ACTION_BANNER and SEC_USER_UNAUTHORIZED_ACCESS_BANNER to add security....[Read More]

Posted by Pete On 01/04/20 At 11:50 AM

Categories: Security Blogs

Oracles Free TNS Firewall - VALIDNODE_CHECKING

Tue, 2020-03-31 22:26
I said in a post a couple of days ago that my overall plan to secure an Oracle database; actually my plan is to secure the data in an Oracle database not blindly just secure Oracle. We must focus on....[Read More]

Posted by Pete On 31/03/20 At 12:26 PM

Categories: Security Blogs

Add A SQL*Net Security Banner And Audit Notice

Mon, 2020-03-30 09:46
I would have to say whilst I see security banners on customers' Unix boxes when I am allowed to log in as part of a security audit I cannot ever remember seeing a security banner when I log into a....[Read More]

Posted by Pete On 30/03/20 At 02:02 PM

Categories: Security Blogs

ORA-28050 - Can I drop the SYSTEM User?

Sat, 2020-03-28 02:46
Two things most annoy me with the Oracle database in terms of securing it and these are the abundance of default users in most Oracle databases that I perform security audits on and also the massive amount of PUBLIC grants....[Read More]

Posted by Pete On 27/03/20 At 06:11 PM

Categories: Security Blogs

Setting Users Impossible Passwords BY VALUES and Schema Only Accounts

Thu, 2020-03-26 14:06
I plan to try and write some Oracle security based blog posts whilst working from home. These promises when I have made them in the past usually end up not coming true due to other work and things getting more....[Read More]

Posted by Pete On 26/03/20 At 02:38 PM

Categories: Security Blogs

CoronaVirus - We are Still Open

Wed, 2020-03-25 19:46
Everyone must now be affected in some way by coronavirus. We had an inkling that Boris Johnson and his government would enact a more severe lock down in the UK. So in anticipation I decided on Monday that we needed....[Read More]

Posted by Pete On 25/03/20 At 01:27 PM

Categories: Security Blogs

XS$NULL - Can we login to it and does it really have no privileges?

Tue, 2020-02-18 15:11
I have read online about XS$NULL over the years and particularly the documentation that states that it has no privileges. The documentation states the following: An internal account that represents the absence of a user in a session. Because....[Read More]

Posted by Pete On 17/02/20 At 01:09 PM

Categories: Security Blogs

Bug Bounty

Tue, 2020-02-11 18:04
There has been a rise in bug bounty programs and websites that help researchers find and disclose bugs to website and other owners with the hope of a payout from the owner of the vulnerable websites. Some big well known....[Read More]

Posted by Pete On 11/02/20 At 10:09 AM

Categories: Security Blogs

PL/SQL That is not DEFINER or INVOKER rights - BUG?

Sat, 2020-02-01 12:01
Note: Part 2 - PL/SQL Package with no DEFINER or INVOKER rights - Part 2 is available that takes this investigation further. I always understood that PL/SQL objects in the database that are not explicitly changed to INVOKER rights....[Read More]

Posted by Pete On 24/01/20 At 03:19 PM

Categories: Security Blogs

PL/SQL Package with no DEFINER or INVOKER rights - Part 2

Sat, 2020-02-01 12:01
I posted about a discovery I made whilst testing for an issue in our PL/SQL code analyser checks in PFCLScan last week as I discovered that the AUTHID column in DBA_PROCEDURES or ALL_PROCEDURES or USER_PROCEDURES can be NULL; this caused....[Read More]

Posted by Pete On 28/01/20 At 03:11 PM

Categories: Security Blogs

Installing Oracle 19c on Linux

Sat, 2019-12-07 20:53
I needed to create a new 19c install yesterday for a test of some customer software and whilst I love Oracle products I have to say that installing the software and database has never been issue free and simple over....[Read More]

Posted by Pete On 06/12/19 At 04:27 PM

Categories: Security Blogs

Oracle Security Training Manuals for Sale

Wed, 2019-11-20 20:50
We have one set of Manuals for the recent training we held here in York and one from 2018. These can be bought as individual books as follows: This manual is from the York class in October 2019 and can....[Read More]

Posted by Pete On 19/11/19 At 03:05 PM

Categories: Security Blogs

ORA-01950 Error on a Sequence

Sat, 2019-10-19 15:45
UPDATE: I have updated information for this post and rather than make this one much longer I created a new post - please see ORA-01950 Error on a Sequence - Error on Primary Key Index. Wow, it's been a while....[Read More]

Posted by Pete On 30/09/19 At 01:42 PM

Categories: Security Blogs

ORA-01950 Error on a Sequence - Error on Primary Key Index

Sat, 2019-10-19 15:45
I posted yesterday a blog about an error on a sequence of ORA-01950 on tablespace USERS - ORA-01950 Error on a Sequence. This was attributed to the sequence by me because that's where the error in Oracle was pointing....[Read More]

Posted by Pete On 01/10/19 At 01:12 PM

Categories: Security Blogs

What Privileges Can you Grant On PL/SQL?

Sat, 2019-10-19 15:45
Oracle has a lot of privileges and models; privileges can be granted to users, roles and also since 12c roles can be granted to PL/SQL code (I will not discuss this aspect here as I will blog separately about grants....[Read More]

Posted by Pete On 08/10/19 At 01:43 PM

Categories: Security Blogs

SELECT ANY DICTIONARY - What Privileges Does it Have - SELECT_CATALOG_ROLE

Sat, 2019-10-19 15:45
There have been a few blog posts over the years discussing what is the difference between SELECT ANY DICTIONARY and the SELECT_CATALOG_ROLE. Hemant posted in 2014 about the difference between SELECT ANY DICTIONARY and SELECT_CATALOG_ROLE. This post was a....[Read More]

Posted by Pete On 11/10/19 At 01:59 PM

Categories: Security Blogs

PFCLScan - Version 3.0

Tue, 2019-09-24 09:26
We are very excited to announce that we are currently working to have version 3.0 of PFCLScan our flagship database security scanner for the Oracle database. We will be ready for sale in September and this development is going really....[Read More]

Posted by Pete On 11/07/19 At 03:33 PM

Categories: Security Blogs

PFCLATK - Audit Trail Toolkit - Checksums

Thu, 2019-06-06 09:46
We have a toolkit called PFCLATK that is used in customer engagements to assist our customers to create comprehensive and useful audit trails for their databases. The toolkit is used in consulting engagements at the moment but will be adding....[Read More]

Posted by Pete On 06/06/19 At 03:08 PM

Categories: Security Blogs
