Monthly Archives: October, 2005

“Complete failure of Oracle security response..”

From: David Litchfield (davidl @
To: bugtraq @, ntbugtraq @
Date: Thu, 6 Jan 2005 16:01:26 -0000
Subject: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers

Dear security community and Oracle users,
Many of my customers run Oracle. Much of the U.K. Critical National Infrastructure relies on Oracle; indeed this is true for many other countries as well. I know that there’s a lot of private information about me stored in Oracle databases out there. I have good reason, like most of us, to be concerned about Oracle security; I want Oracle to be secure because, in a very real way, it helps maintain my own personal security. As such, I am writing this open letter

From: Cesar (cesarc56 @y
To: David Litchfield (davidl @, bugtraq @, tbugtraq @
Date: Thu, 6 Oct 2005 11:41:33 -0700 (PDT)
Subject: Re: Opinion: Complete failure of Oracle security response and utter neglect of their responsibility to their customers

I support David 100% and I would like to add a few comments (I can’t avoid doing this :)):

I remember reading an article where Larry Ellison said that Oracle database server were used by FBI, CIA, USSR goverment, etc. he referenced that as saying our software is the most secure, top goverment agencies from the most powerful nations use it. If you hear or read that it sounds great and if you were looking for a database server at that moment maybe you would run to buy Oracle software, the same when you hear and read Oracle Unbreakable everywhere. What Larry Ellison says it is very easy to say but it is also very difficult to prove. It seems that this kind of statements have been useful for Oracle since the company continues doing the same, “just talking”. I can say that we at Argeniss break Oracle database server all the time, we are tired of breaking Oracle, it’s so easy, Oracle software is full of security vulnerabilities and this is nothing new, most security researchers know about this and also the bad guys who are actively exploiting the vulnerabilities. But I can say this and I can also prove it, we have found more than a hundred vulnerabilities and we can show them to people. I wonder if Larry Ellison can prove all the statements he says or Oracle people say.


The economy of phishing

The economy of phishing: A survey of the operations of the phishing market

Phishing is the fraudulent acquisition of personal information by tricking an individual into believing the attacker is a trustworthy entity. This paper is the result of a detailed analysis of 3,900,000 phishing e-mails, 220,000 messages collected from 13 key phishing-related chat rooms, 13,000 chat rooms and 48,000 users, which were spidered across six chat networks and 4,400 compromised hosts used in botnets. Phishing e-mails are only a small aspect of the overall phishing economy and until now, the only aspect seen by the most people. The phishing economy is a decentralized and self-organized social network of merchants and consumers governed by laws of supply and demand.

This paper presents the findings from this research as well as an analysis of the phishing infrastructure.

Disclosure of risk is an ethical dilemma

Disclosure of risk is an ethical dilemma
Published: September 20 2005 16:54 | Last updated: September 20 2005 16:54

When Donald Rumsfeld spoke of “known knowns”, “known unknowns” and “unknown unknowns” the world laughed. But the concepts he outlined are familiar to risk managers.

Computer security knowns and unknowns correspond to risks within systems. A risk exists when a system has a vulnerability and a mechanism exists to exploit it.

Vulnerabilities that can be exploited are quantifiable risks (known knowns), while for those for which there is no exploitation (known unknowns) the impact is unquantifiable.


Software Bugs: To Disclose or Not to Disclose

Software Bugs: To Disclose or Not to Disclose
October 3, 2005
Kenneth van Wyk

It’s the age-old battle of security: to disclose or not to disclose software defects.

The proverbial pendulum of opinion has been swinging back and forth on this issue for decades, and it’s not likely to stop any time soon. The issue reappeared just recently when an ISS employee was prohibited from speaking at a conference on the topic of a security vulnerability in Cisco’s IOS operating system.

Here’s my take on it…


Kenneth van Wyk, a 19-year veteran of IT security, is the prinicpal [sic] consultant for KRvW Associates, LLC. The co-author of two security-related books, he has worked at CERT, as well as at the U.S. Department of Defense.