Oracle Tips by Burleson
Chapter 2 Introduction to Oracle Security
Some, like modern human beings, often use it to
make a statement! Whatever the mechanism, the intent is to portray
an impression different from the fact, or at least the perception on
the surface.
In database systems, methods are sometimes used
to masquerade the true meaning of a table or a field of a table. For
instance, the table to store credit card numbers of customers is
perhaps the most attractive for attackers, so the table may be named
processing_info, which is logically correct. The table does aid in
processing, but the name hides the true meaning of the table from
the casual user. A user who has no knowledge of the application but
somehow gains access to the data dictionary may try to find tables
related to credit card information by using a query similar to this:
select table_name
from dba_tables
SEE CODE DEPOT FOR FULL SCRIPT
A hacker will not be able to track down the
table processing_info with this query. Of course, the hacker may
know of this trick and may look for columns that look like credit
card numbers.
select column_name, table_name
from dba_tab_columns
SEE CODE DEPOT FOR FULL SCRIPT
To foil the attempts of
this relentless attacker, the columns of the table should also be
masqueraded.
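One way to apply the naming advice above and then check the result, as an added example that is not from the book or its code depot: the column names and the list of sensitive terms are hypothetical, and the review query reads only the schema owner's USER_ dictionary views. It goes one step beyond the text by also checking table and column comments, which are visible through the data dictionary and would undo the masquerade if they described the real content.

```sql
-- Added example; every object name and search term below is hypothetical.
-- The masqueraded table: neither the table name nor any column name
-- reveals that it stores credit card data. The mapping from these names to
-- their real meaning is kept in application documentation, not in the database.
CREATE TABLE processing_info (
    ref_id     NUMBER(12)   PRIMARY KEY,
    proc_code  VARCHAR2(19) NOT NULL,
    proc_limit DATE         NOT NULL,
    proc_label VARCHAR2(60)
);

-- Owner's review: list every dictionary-visible name or comment in this
-- schema that contains a sensitive term. Expected result: no rows.
-- INSTR is used instead of LIKE so that '_' in a term is not a wildcard.
WITH sensitive_terms AS (
    SELECT 'CREDIT' AS term FROM dual UNION ALL
    SELECT 'CARD'           FROM dual UNION ALL
    SELECT 'CC_'            FROM dual UNION ALL
    SELECT 'EXPIR'          FROM dual
),
exposed_text AS (
    SELECT 'TABLE NAME' AS found_in, table_name,
           CAST(NULL AS VARCHAR2(128)) AS column_name, table_name AS text
    FROM   user_tables
    UNION ALL
    SELECT 'COLUMN NAME', table_name, column_name, column_name
    FROM   user_tab_columns
    UNION ALL
    SELECT 'TABLE COMMENT', table_name, NULL, comments
    FROM   user_tab_comments
    WHERE  comments IS NOT NULL
    UNION ALL
    SELECT 'COLUMN COMMENT', table_name, column_name, comments
    FROM   user_col_comments
    WHERE  comments IS NOT NULL
)
SELECT e.found_in, e.table_name, e.column_name, t.term
FROM   exposed_text e
JOIN   sensitive_terms t
  ON   INSTR(UPPER(e.text), t.term) > 0
ORDER  BY e.table_name, e.column_name, e.found_in;
```

Any row returned points at a name or comment to rename or clear before the schema is deployed.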
The above text is an excerpt from:
Oracle Privacy Security Auditing: The Final Word on Oracle Security