Some of the most experienced database administrators in the world leave their systems open to casual hacking. Hackers aren't only lonely 13-year-olds with bad skin. They could be a co-worker just trying to get his or her job done without getting tangled up in the bureaucratic red tape of change management or data security. They could also be a more malicious co-worker who likes to know things about other co-workers, customers or patients.

The purpose of this article is to show how simple it is to break into most Oracle databases. The point is not to alarm you or alert you to how scary and dangerous I am, but rather to provide justification to take some simple steps to close the easiest security loopholes.

The nature of the problem
Whether immediately after installation or over the years since, you may have noticed a good number of accounts in your Oracle database that you never created. If the database was created with a release earlier than Oracle9i, the list might look something like this:
SQL> select username from dba_users;
USERNAME
------------------------------
SYS
SYSTEM
DBSNMP
SCOTT
OUTLN
ORDSYS
ORDPLUGINS
MDSYS
CTXSYS
PERFSTAT
AURORA$JIS$UTILITY$
OSE$HTTP$ADMIN
AURORA$ORB$UNAUTHENTICATED

You didn't create them, and they have nothing to do with the applications you are running. They are used by the various products that make up the Oracle database server, such as the Spatial option, the Oracle Text option and 9iAS. Even if you don't intend to use these options, it is still someone'…
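The query above only lists names. What a DBA actually needs to know is which of those Oracle-supplied accounts are still open and therefore reachable with whatever password they were installed with. The following SQL*Plus script is an added example, not part of the original article: it takes the usernames from the output above as its working list (an assumption: your release may ship a different set), reports the ones still open, and generates the lock/expire statements for review rather than running them blind. It assumes a connection with DBA privileges; the DBA_USERS_WITH_DEFPWD step needs Oracle 11g or later and will simply fail with ORA-00942 on the older release shown above.

```sql
-- Added example (not the article's own code). Run in SQL*Plus as a DBA.
-- The username list below is copied from the DBA_USERS output above and is
-- an assumption about your environment, not an authoritative per-release list.
SET LINESIZE 120
SET PAGESIZE 100

-- 1. Oracle-supplied accounts that are still OPEN (i.e. can be logged into).
--    SYS and SYSTEM are deliberately left out: they must never be locked,
--    only given strong passwords.
SELECT u.username,
       u.account_status,
       u.created,
       u.default_tablespace
  FROM dba_users u
 WHERE u.username IN ('DBSNMP', 'SCOTT', 'OUTLN', 'ORDSYS', 'ORDPLUGINS',
                      'MDSYS', 'CTXSYS', 'PERFSTAT',
                      'AURORA$JIS$UTILITY$', 'OSE$HTTP$ADMIN',
                      'AURORA$ORB$UNAUTHENTICATED')
   AND u.account_status = 'OPEN'
 ORDER BY u.username;

-- 2. Oracle 11g and later only: the dictionary can tell you directly which
--    accounts still carry their installation-default password. Joining to
--    DBA_USERS shows whether each one is open or already locked.
SELECT d.username,
       u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u
    ON u.username = d.username
 ORDER BY d.username;

-- 3. Generate the remediation statements instead of executing them here, so
--    the list can be checked before anything changes. PASSWORD EXPIRE forces
--    a new password if the account is ever unlocked again; ACCOUNT LOCK
--    stops logins now.
SELECT 'ALTER USER "' || u.username || '" PASSWORD EXPIRE ACCOUNT LOCK;' AS fix
  FROM dba_users u
 WHERE u.username IN ('DBSNMP', 'SCOTT', 'OUTLN', 'ORDSYS', 'ORDPLUGINS',
                      'MDSYS', 'CTXSYS', 'PERFSTAT',
                      'AURORA$JIS$UTILITY$', 'OSE$HTTP$ADMIN',
                      'AURORA$ORB$UNAUTHENTICATED')
   AND u.account_status = 'OPEN'
 ORDER BY u.username;
```

Review the generated statements before running them: some of these accounts are not merely clutter. OUTLN owns stored outlines, DBSNMP is used by Enterprise Manager agents, and CTXSYS, MDSYS and ORDSYS own the Text, Spatial and interMedia packages, so lock them only after confirming nothing on the server depends on logging into them. For any account you decide to keep open, change the password from the installation default at minimum.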
