Ethical Hackers Find Oracle Vulnerability

Data security is always an issue, especially as more and more of our lives exist online.

CNN recently interviewed two hackers, Bryan Seely and Ben Caudill, who discovered an unsettling security hole that exposed intimate details: children’s school records, including detailed bus route information; arrest and prosecution information from a major Midwestern city; and the real names and numbers of intelligence agents visiting a major American port.

Seely and Caudill are “ethical hackers.” Seely and Caudill – along with Rhino Security Labs’ lead researcher Dana Taylor – found that a weakness software giant Oracle discovered in 2012 – and provided a fix for – remains a huge vulnerability for any customer that missed or ignored the fix.

Oracle issued a response to the issue:
“We identified this issue two years ago. It was not a product coding defect allowing hackers to bypass security mechanisms. Instead, the product included a configuration setting allowing customers to disable security checks. Oracle identified that customers were leaving this setting open and immediately issued a patch that made the default setting for customers secure. This patch was issued as part of our regularly scheduled Critical Patch Update, which customers know to apply every quarter. Oracle notified all of our customers directly that they should apply the patch. This process is commonplace in the industry,” said Oracle spokesperson Deborah Hellinger.

What’s the moral of the story here? You can’t wait for your software provider to contact YOU about these things – you need to stay on top of security updates, fixes and patches yourself so that your organization is not left vulnerable by a setting that was fixed years ago. Being proactive versus reactive will allow you to come out on top!
