Tag: security

Cassandra Update – Leap Second & JMX Security

2000px-Cassandra_logo.svg

This is a short post about two things that should be on the to-do list for all Cassandra Administrators. The leap second issue and the new JMX default. The Leap Second Before we move on you should learn more about how…

Read More >

Using Ansible to Secure Cloudera Manager Installation on a Hadoop Cluster

Building a secure Hadoop cluster requires protecting a number of services which comprise Hadoop infrastructure. If you are using CDH distribution, then Cloudera Manager (CM) is one of the components that needs to be secured. There is a good step by step guide in CM documentation, and it’s easy to follow for one server, but what when you have hundreds of them? There are different approaches to the problem of managing server’s configuration at scale, but I’d like to focus on Ansible which is a neat framework for parallel commands execution and complex rollouts.

Read More >

HDFS Authentication Puzzle

HDFS authentication model changed in recent releases, but documentation is stale which can lead people into thinking HDFS is using very primitive authentication

Read More >

About MySQL 5.6

I am very excited and thrilled to use the latest release of MySQL 5.6 in production. This is probably the most notable and innovative release from many years, if not ever. I this post I take a detailed look at what is new in MySQL 5.6 and why I think its the best version of MySQL to date

Read More >

Why is Database Security So Hard?

I was recently asked a question by someone who had attended my Shmoocon talk entitled “Why are Databases So Hard to Secure?”. (PDF slides are available). I was going to put this into a more formal structure, but the conversational nature works really well. I would love to see comments reflecting others’ thoughts.

Read More >

It’s Oracle patch time again

It’s yet again time for Oracle’s critical patch update (CPUJAN2008). The update will be released on Tuesday January 15, and as of yet there are no details on exactly what vulnerabilities have been found.

Read More >

Oracle Grid Control: The Importance of Deleting the emkey

Oracle Grid Control documentation warns against leaving the emkey in the Grid Control repository, if it is not removed after it has been copied it is easy to decrypt data, like passwords. Oracle Management Service 10.2 uses several ways to protect these sensitive data, including Virtual Private Database and Password Encryption. To overcome the first one, you have to connect to the database as the SYS user, for the second one, you have to know the encrypted password form, the key, and the associated algorithm. Obviously, the key used to cipher the password is the emkey. So the next question is, “Where are stored the ciphered passwords?”.

Read More >

Exploiting SYSDBA Invoker Rights Using Trigger on Database

This is a follow up on my previous post about SYSDBA keeping invoker rights when calling PL/SQL procedure. Working on the previous test case a bit more I figured that the same anomaly is observed with triggers. So here is one way to get your PL/SQL code called by a SYSDBA. In this case you need to be able to create trigger on database, i. e. need privileges ADMINISTER DATABASE TRIGGER and CREATE TRIGGER.

Read More >