Oracle once marketed its database as “unbreakable,” but security researcher David Litchfield has a less inflated opinion of the software.
“God forbid that any of our critical national infrastructure runs on this product,” he said recently on the widely read Bugtraq security mailing list. “Oops it does.”
Security researchers like Litchfield, managing director of Next Generation Security Software, based in Sutton, UK, make their living finding flaws in other people’s software. And, while this can put them at odds with software makers, the relationship between Oracle and people like Litchfield has been particularly bad.
In Litchfield’s case, the problems go back to 2004, when he published details of an unpatched Oracle vulnerability in a presentation written for the Black Hat security conference. By Litchfield’s account, Oracle had given him the go-ahead to discuss the vulnerability, but changed its mind at the last minute. Litchfield changed the topic of his presentation, but he was unable to remove his slides from the conference hand-out.
The next day, the Wall Street Journal wrote about the flaws and, ever since, the relationship between Oracle and the tight network of security researchers who hack its products has been tense.
This antagonism has prevented Oracle from receiving the independent testing and security advice that would have improved its products, says Cesar Cerrudo, chief executive officer of security research firm Argeniss, based in Parana, Argentina. “Oracle has ignored researchers and also attacked them, saying that researchers are the problem,” he says. “The problem is Oracle’s flawed software and Oracle’s amateur handling of security-related issues.”
From Oracle’s perspective, researchers like Litchfield profit from the publicity they get for exposing Oracle’s security flaws, but that exposure comes at a price: more risk for Oracle’s customers.
There is often little upside to cooperating with companies that do not understand Oracle and who profit from publishing security vulnerabilities, according to Oracle’s chief security officer, Mary Ann Davidson.
“What I really want is a world where there can be fair and accurate criticism,” she says. “I’m all for dialogue, but you have to establish trust.”
In the past few months, however, there have been a few signs that things may be changing at the Redwood Shores, California, company.
Oracle is becoming better at communicating with the research community, says Darius Wiles, manager of Oracle Security Alerts. Wiles’ team is now working out a new system which will let bug reporters outside the company know they are not being ignored. “Once a month, going forward, we’ll provide them with a list of everything that has not yet been fixed and indicate whether it’s still under investigation or whether it’s been fixed.”
Taking a cue from Microsoft, Oracle has even launched its own security blog, and it no longer talks about its products as being unbreakable. Davidson says that the first time she heard the marketing slogan, she thought, “What idiot dreamed this up?”
This outreach is starting to pay off. Earlier this month, Litchfield wrote an uncharacteristically positive Bugtraq posting about the company.
He says that he believes Oracle’s products are becoming more secure and even had some praise for his long-time nemesis, Davidson. “Another thing that struck me was the amount of effort and time that it must have taken to get a lumbering stegosaurus of a beast like Oracle to turn around,” he wrote. “Dare I say it, well done, Mary.”
Though Oracle executives may not like having their company compared to a Jurassic era dinosaur, this is far and away the most complimentary Litchfield has been since the Black Hat presentation.
Still, the database giant is unwilling to go as far as its competitor Microsoft in embracing the so-called “white hat” hackers. Microsoft has invited researchers, including Litchfield and Cerrudo, to its Redmond, Washington, campus for twice-yearly hacker conferences, called Blue Hat.
Microsoft says that Blue Hat helps it make its products more secure, but don’t expect Oracle to invite hackers over to Redwood Shores, California, anytime soon. Such an event is really not necessary, Davidson says. “Microsoft had to go with the hacker love fest model because they’re a big target,” she says.
Davidson believes that Oracle and Microsoft have very different pedigrees when it comes to security. She says that security has been built into the development of Oracle’s products for years now, a by-product of its long history of government use. The US Central Intelligence Agency was one of Oracle’s first customers, she claims.
Oracle’s security team doesn’t simply fix bugs. When a new flaw is discovered, researchers make sure that what they’ve learned also translates into secure coding practices for the development team. “For at least 12 years we have built security into the formal development process,” Davidson says.
While Oracle has improved the security of some products, like the recent Oracle 10g Release 2 database, the company still has a lot of work to do, says Cerrudo.
“They said recently that they will change the way they communicate with researchers, giving more feedback information, but nothing has happened yet,” he says. “Right now the only feedback you get is the day before a patch is released they [tell] you your bug is going to be patched and nothing else.”
For all of the Oracle bugs that have been found, there has never been a widespread Oracle attack like the Slammer worm, which disabled Microsoft SQL Server machines worldwide in 2003.
But some observers say that Oracle’s reputation for security has more to do with the fact that the database is typically buried in the bowels of datacentres, and hidden behind corporate firewalls, far from the prying eyes of hackers.
And, while users who have not exposed their databases to queries from outside partners or customers may not be staying up late at night worrying about Oracle’s security, they do have concerns about the future.
“We’re in a nervous state, but we think it’s manageable risk,” says Hal Kuff, a technology services manager with Tessco Technologies, in Hunt Valley, Maryland.
Users must first be inside Tessco’s local area network in order to query the database, Kuff says. “If we were to pursue an Oracle environment, where we invited direct connectivity from outside partners, we would reconsider our security posture.”
As these outside connections become more common, thanks to grid computing and internet applications, outside experts like Litchfield could become important to Oracle, Kuff says.
“As Oracle becomes more pervasive, they should absolutely explore a relationship with the so-called ‘white hat’ hackers,” he says.
“The people that are willing to sit down with them at the table are one of their only defences against the people who will not sit down with them at the table.”
The pervasiveness Kuff talks about may be closer than many people realise. Late last year, Litchfield conducted a survey of nearly half a million computer systems on the internet and found nearly as many Oracle databases exposed as he did Microsoft SQL Server systems.
Extrapolating from his data, Litchfield estimated there were about 140,000 Oracle servers not firewalled on the internet. There are about 210,000 Microsoft SQL Servers similarly unprotected, he says.
“This is just a myth, that Oracle is in the back-end of nowhere protected by all these firewalls,” he says.
Still, like Microsoft, Oracle has reached a turning point and is clearly making much more secure products, Litchfield says. Finding bugs has become harder with the latest releases of its database and, while Litchfield will undoubtedly remain a thorn in Oracle’s side, he realised earlier this month that the time had finally come to soften his rhetoric.
“I just got weary to be honest,” he says. “You see, they will get to the point of having a secure product at some time — but all without acknowledging that they were dragged to that point kicking and screaming.”