By Robert McMillan
6 June, 2006
Oracle once marketed its database as "unbreakable," but security
researcher David Litchfield has a less inflated opinion of the
"God forbid that any of our critical national infrastructure runs on
this product," he said recently on the widely read Bugtraq security
mailing list. "Oops it does."
Security researchers like Litchfield, managing director of Next
Generation Security Software, based in Sutton, UK, make their living
finding flaws in other people's software. And, while this can put them
at odds with software makers, the relationship between Oracle and
people like Litchfield has been particularly bad.
In Litchfield's case, the problems go back to 2004, when he published
details of an unpatched Oracle vulnerability in a presentation written
for the Black Hat security conference. By Litchfield's account, Oracle
had given him the go-ahead to discuss the vulnerability, but changed
its mind at the last minute. Litchfield changed the topic of his
presentation, but he was unable to remove his slides from the
The next day, the Wall Street Journal wrote about the flaws and, ever
since, the relationship between Oracle and the tight network of
security researchers who hack its products has been tense.
This antagonism has prevented Oracle from receiving the independent
testing and security advice that would have improved its products,
says Cesar Cerrudo, chief executive officer of security research firm
Argeniss, based in Parana, Argentina. "Oracle has ignored researchers
and also attacked them, saying that researchers are the problem," he
says. "The problem is Oracle's flawed software and Oracle's amateur
handling of security related issues."
From Oracle's perspective, researchers like Litchfield profit from
the publicity they get for exposing Oracle's security flaws, but that
exposure comes at a price: more risk for Oracle's customers.
There is often little upside to cooperating with companies that do not
understand Oracle and who profit from publishing security
vulnerabilities, according to Oracle's chief security officer, Mary
"What I really want is a world where there can be fair and accurate
criticism," she says. "I'm all for dialogue, but you have to establish
In the past few months, however, there have been a few signs that
things may be changing at the Redwood Shores, California, company.
Oracle is becoming better at communicating with the research
community, says Darius Wiles, manager of Oracle Security Alerts.
Wiles' team is now working out a new system which will let bug
reporters outside the company know they are not being ignored. "Once a
month, going forward, we'll provide them with a list of everything
that has not yet been fixed and indicate whether it's still under
investigation or whether it's been fixed."
Taking a cue from Microsoft, Oracle has even launched its own security
blog and Oracle no longer talks about its products as being
unbreakable. Davidson says that the first time she heard the marketing
slogan, she thought, "What idiot dreamed this up?" This outreach is
starting to pay off. Earlier this month, Litchfield wrote an
uncharacteristically positive Bugtraq posting about the company.
He says that he believes Oracle's products are becoming more secure
and even had some praise for his long-time nemesis, Davidson. "Another
thing that struck me was the amount of effort and time that it must
have taken to get a lumbering stegosaurus of a beast like Oracle to
turn around," he wrote. "Dare I say it, well done, Mary."
Though Oracle executives may not like having their company compared to
a Jurassic-era dinosaur, this is far and away the most complimentary
Litchfield has been since the Black Hat presentation.
Still, the database giant is unwilling to go as far as its competitor
Microsoft in embracing the so-called "white hat" hackers. Microsoft
has invited researchers, including Litchfield and Cerrudo, to its
Redmond, Washington, campus for twice-yearly hacker conferences,
called Blue Hat.
Microsoft says that Blue Hat helps them make their products more
secure, but don't expect Oracle to invite hackers over to Redwood
Shores, California, anytime soon. Such an event is really not
necessary, Davidson says. "Microsoft had to go with the hacker love
fest model because they're a big target," she says.
Davidson believes that Oracle and Microsoft have very different
pedigrees when it comes to security. She says that security has been
built into the development of Oracle's products for years now, a
by-product of its long history of government use. The US Central
Intelligence Agency was one of Oracle's first customers, she claims.
Oracle's security team doesn't simply fix bugs. When a new flaw is
discovered, researchers make sure that what they've learned also
translates into secure coding practices for the development team. "For
at least 12 years we have built security into the formal development
process," Davidson says.
While Oracle has improved the security of some products, like the
recent Oracle 10g Release 2 database, the company still has a lot of
work to do, says Cerrudo.
"They said recently that they will change the way they communicate
with researchers, giving more feedback information, but nothing has
happened yet," he says. "Right now the only feedback you get is the
day before a patch is released they [tell] you your bug is going to be
patched and nothing else."
For all of the Oracle bugs that have been found, there has never been
a widespread Oracle attack like the Slammer worm which disabled
Microsoft SQL Server machines worldwide in 2003.
But some observers say that Oracle's reputation for security has more
to do with the fact that the database is typically buried in the
bowels of datacentres, and hidden behind corporate firewalls, far from
the prying eyes of hackers.
And, while users who have not exposed their databases to queries from
outside partners or customers may not be staying up late at night
worrying about Oracle's security, they do have concerns about the
"We're in a nervous state, but we think it's manageable risk," says
Hal Kuff, a technology services manager with Tessco Technologies, in
Hunt Valley, Maryland.
Users must first be inside Tessco's local area network in order to
query the database, Kuff says. "If we were to pursue an Oracle
environment, where we invited direct connectivity from outside
partners, we would reconsider our security posture."
As these outside connections become more common, thanks to grid
computing and internet applications, outside experts like Litchfield
could become important to Oracle, Kuff says.
"As Oracle becomes more pervasive, they should absolutely explore a
relationship with the so-called 'white hat' hackers," he says.
"The people that are willing to sit down with them at the table are
one of their only defences against the people who will not sit down
with them at the table."
The pervasiveness Kuff talks about may be closer than many people
realise. Late last year, Litchfield conducted a survey of nearly half
a million computer systems on the internet and found nearly as many
Oracle databases exposed as he did Microsoft SQL Server systems.
Extrapolating from his data, Litchfield estimated there were about
140,000 Oracle servers not firewalled on the internet. There are about
210,000 Microsoft SQL Servers similarly unprotected, he says.
"This is just a myth, that Oracle is in the back-end of nowhere
protected by all these firewalls," he says.
Still, like Microsoft, Oracle has reached a turning point and is
clearly making much more secure products, Litchfield says. Finding
bugs has become harder with the latest releases of its database and,
while Litchfield will undoubtedly remain a thorn in Oracle's side, he
realised earlier this month that the time had finally come to soften
"I just got weary to be honest," he says. "You see, they will get to
the point of having a secure product at some time - but all without
acknowledging that they were dragged to that point kicking and
Copyright © 2005, IDG Communications New Zealand Limited