News, Analysis and Opinion for Database security

December 02, 2019 02 Dec'19

Exposed Firebase databases hidden by Google search

A security researcher found that Google's search engine hides results for misconfigured Firebase databases that are publicly accessible on the internet.

October 11, 2019 11 Oct'19

Palo Alto Networks launches new version of Demisto SOAR platform

New features to the Demisto platform include a customizable user interface, threat intelligence, database scaling and a mobile app providing chat support and updates for users.

May 31, 2019 31 May'19

Docker vulnerability with no patch could allow root access

A security researcher disclosed a Docker bug that could allow an attacker to gain root-level access to a system. Docker signed off on the disclosure, despite a fix not yet being available.

February 12, 2019 12 Feb'19

MongoDB security head addresses database exposures

Davi Ottenheimer, MongoDB's head of product security, discusses his company's efforts to prevent accidental database exposures and why so many misconfigurations occur.

July 20, 2018 20 Jul'18

Critical Cisco vulnerabilities patched in Policy Suite

News roundup: Critical Cisco vulnerabilities in Policy Suite products were patched this week. Plus, Venmo's API is set to public, exposing a trove of customer data, and more.

December 05, 2017 05 Dec'17

Keyboard data leak exposes millions of personal records

A keyboard data leak by mobile developer Ai.type exposed millions of personal records through misconfigured MongoDB database settings.

May 13, 2016 13 May'16

DHS warns on actively exploited SAP Java vulnerability

DHS US-CERT warns of a patched SAP Java vulnerability from 2010 that has enabled breaches at three dozen global enterprises due to configuration issues.

October 22, 2015 22 Oct'15

Experts say Oracle patches need to be faster

Oracle patches 154 flaws in its quarterly update. Experts said patches need to be released faster, but Oracle stands by its release schedule.

June 02, 2015 02 Jun'15

Insecure mobile cloud backups leave millions of credentials exposed

Researchers find that insecure implementation of cloud backups by mobile apps may affect hundreds of thousands of apps and leave as many as 56 million credentials exposed.

March 04, 2015 04 Mar'15

Maturing NoSQL database security is key to big data analytics

NoSQL database security has taken a backseat to performance in Hadoop-based security big data analytics systems, but that may soon change thanks to growing demand and maturing NoSQL security products.

March 02, 2015 02 Mar'15

Uber database breach source of stolen driver information

Following the theft of data affecting about 50,000 of its drivers, Uber says it has filed a subpoena to obtain GitHub data that may pinpoint the source of its data breach.

October 17, 2014 17 Oct'14

October 2014 Oracle CPU fixes 25 Java vulnerabilities, 154 total flaws

The October 2014 Oracle CPU delivered fixes for 154 unique bugs, with Java vulnerabilities making up the bulk of the most pressing updates.

August 07, 2014 07 Aug'14

Oracle's data redaction security feature riddled with flaws

At Black Hat, David Litchfield skewered Oracle and its approach to security while detailing several flaws in a new Oracle database security feature.

July 18, 2014 18 Jul'14

July 2014 Oracle CPU: Java security problems persist

With another round of patches for several serious Java flaws, Oracle's quarterly CPU showed that Java security problems are not receding.

January 27, 2014 27 Jan'14

Researcher releases critical Oracle Forms and Reports vulnerabilities

A researcher says Oracle hasn't properly addressed long-standing Oracle Forms and Reports flaws, which could be exploited to gain remote access.

January 21, 2014 21 Jan'14

January 2014 Oracle CPU fixes 36 Java vulnerabilities, 144 total

The first Oracle Critical Patch Update of 2014 included fixes for 36 Java vulnerabilities, but only 5 Oracle Database vulnerabilities. Why so few?

August 13, 2012 13 Aug'12

Oracle security advisory addresses Black Hat database flaw disclosure

A privilege escalation flaw, which prominent security researcher David Litchfield disclosed at Black Hat, can be exploited to gain system privileges.

July 26, 2012 26 Jul'12

Black Hat 2012: David Litchfield slams Oracle database indexing

At Black Hat 2012, longtime Oracle thorn David Litchfield presents working exploits targeting Oracle database indexing vulnerabilities.

June 12, 2012 12 Jun'12

Database security assessment vital to password protection, experts say

Hashing and salting passwords help deter cybercriminals from cracking them, but the goal should be to keep attackers out of the database, say security experts.

May 24, 2012 24 May'12

Oracle security patches, InfoSec World 2012 controversy offer important lessons

Editor Eric B. Parizo says controversies involving Oracle security patches and InfoSec World 2012 prove the importance of differing opinions.

May 02, 2012 02 May'12

Analysis: Oracle trips on TNS zero-day workaround

Oracle's refusal to patch a zero-day in its flagship database management system is another example of how it carelessly exposes customers to risk.

May 01, 2012 01 May'12

Oracle won’t patch four-year-old zero-day in TNS listener

Despite the accidental release of attack code for a bug in Oracle’s database, the company won’t change the code for fear of “regression.”

March 23, 2011 23 Mar'11

McAfee strikes first deal under Intel for database monitoring software

The security giant is expanding into the database security market, announcing its intention to acquire Sentrigo. The terms of the deal were not released.

December 10, 2009 10 Dec'09

Database activity monitoring lacks security lift

IBM's acquisition of Guardium does not validate DAM as a viable security market segment. The market has been hyped, says security expert Eric Ogren.

November 30, 2009 30 Nov'09

IBM to acquire database security firm Guardium

Deal reportedly worth $225 million.

September 02, 2009 02 Sep'09

Unpatched vulnerability discovered in Microsoft SQL Server

Database security vendor Sentrigo today released some detail about a flaw discovered a year ago in Microsoft SQL Server that exposes passwords stored in memory as cleartext. Microsoft is not planning to patch this flaw. Sentrigo released a free ...

August 18, 2009 18 Aug'09

SQL injection continues to trouble firms, lead to breaches

Security experts see the secure software development lifecycle improving, but legacy applications and Web server flaws continue to offer a rich treasure trove for attackers.

June 18, 2009 18 Jun'09

Database monitoring, encryption vital in tight economy, Forrester says

A new report from Forrester Research Inc. examines eight database and server data security technologies and recommends small steps that can make a big difference.

February 09, 2009 09 Feb'09

SQL injection attacks targeting Flash, JavaScript errors

Coding errors leave thousands of websites vulnerable, but attackers are starting to target Flash and JavaScript errors for exploitation, experts say.

February 09, 2009 09 Feb'09

Kaspersky website hacked, customer activation codes exposed

Customer email addresses and up to 25,000 activation codes were exposed on a server for 10 days, the antivirus vendor said.

February 04, 2009 04 Feb'09

Fuzzing tool helps Oracle DBAs defend against SQL injection

A new open source fuzzing tool is available to test PL/SQL applications for security vulnerabilities. The free tool was developed by database security vendor Sentrigo.

January 14, 2009 14 Jan'09

Oracle patches dangerous WebLogic, Secure Backup vulnerabilities

Oracle repaired several dangerous flaws in its BEA WebLogic server line and its Secure Backup software that could be exploited by an attacker to gain access to critical files.

January 12, 2009 12 Jan'09

Oracle to release 41 security fixes

Oracle's Critical Patch Update repairs several serious vulnerabilities in Oracle Secure Backup, Oracle Database, Oracle Application Server and its business suite.

December 23, 2008 23 Dec'08

Microsoft warns of SQL Server zero-day

Code is publicly available targeting an unpatched flaw in SQL Server to gain access to critical files and execute malicious code.

October 15, 2008 15 Oct'08

Oracle patches dangerous WebLogic flaw, critical database holes

A severe WebLogic flaw is among 36 security fixes released by Oracle Corp. across its database, middleware and enterprise software products.

October 02, 2008 02 Oct'08

Verizon breach study identifies industry specific threats

Financial firms face the biggest threat from insiders, while security configuration flaws and vulnerable Web apps plague the high-tech, retail and the food and beverage industries.

September 29, 2008 29 Sep'08

Oracle DBAs cite lack of security measures

A new survey conducted by the Independent Oracle Users Group found that many organizations are failing to use database security tools and lock down critical systems.

September 09, 2008 09 Sep'08

Microsoft provides guidance on GDI flaws

Microsoft's Bill Sisk explains why five remote code execution vulnerabilities in GDI+ affect multiple systems and third-party applications.

July 16, 2008 16 Jul'08

NitroSecurity covers its bases with RippleTech deal

NitroSecurity Inc. will integrate log management and database activity monitoring with security incident and event management (SIEM).

July 15, 2008 15 Jul'08

Oracle releases 45 database, application fixes

Oracle released updates to repair dozens of flaws across its product line as part of its quarterly Critical Patch Update.

June 17, 2008 17 Jun'08

Fortinet acquires database vulnerability scanner from IPLocks

Fortinet said that IPLocks' vulnerability scanning technology will help it broaden its portfolio beyond application security.

April 16, 2008 16 Apr'08

Oracle fixes 41 flaws in April CPU

Attackers could exploit several Oracle flaws to compromise the confidentiality and integrity of targeted systems, Symantec said hours after Oracle's April 2008 CPU was released.

January 16, 2008 16 Jan'08

Oracle patches serious holes with latest CPU

Vulnerabilities in Oracle Application Server can be exploited remotely to hijack a system, according to Oracle's latest Critical Patch Update.

August 02, 2007 02 Aug'07

Black Hat 2007: New database forensics tool could aid data breach cases

Database security researcher, David Litchfield of UK-based NGS Software will release a free Forensic Examiners Database Scalpel, he says could aid data breach investigations.

May 31, 2007 31 May'07

Springing leaks: Getting smart about data loss prevention

Companies are showing increased interest in data loss prevention (DLP) products, but they won't work well unless the business needs are understood and well defined.

May 22, 2007 22 May'07

Database authentication, encryption getting priority in some businesses

While more organizations are seeking database authentication and encryption technologies, others are turning to database monitoring to secure data.

May 07, 2007 07 May'07

TJX breach tied to Wi-Fi exploits

The TJX hackers started their assault two years ago by attacking security holes in the retail giant's wireless system outside a Minnesota Marshalls.

March 06, 2007 06 Mar'07

Database security undermined by protocol loopholes, lax defenses

A database security vendor says database client-server protocols are being targeted by attackers. An analyst says enterprises are adding defenses.

February 08, 2007 08 Feb'07

Where's Larry? Ellison calls out sick at RSA Conference

Despite the Oracle CEO's no-show, the database software giant talked up its framework for secure data sharing; meanwhile, CA's CEO called for simplified security products.

February 05, 2007 05 Feb'07

Keynoters speak volumes

Times have changed, and RSA Conference keynote speakers no longer need cryptography and security backgrounds. This year's headliners include several rock stars of the IT industry, along with some newcomers and several old veterans.

August 02, 2006 02 Aug'06

Litchfield: Database security is IT's biggest problem

Black Hat: Database security guru David Litchfield unveils 20-plus IBM Informix flaws that attackers could exploit to create malicious files, gain DBA-level privileges and access sensitive data.

July 17, 2006 17 Jul'06

Oracle owns up to patching problems

Database giant Oracle Corp. has faced mounting criticism of its security patching process during the last two years.

Its quarterly Critical Patch Updates (CPUs) are ...

October 26, 2005 26 Oct'05

Are open source databases more secure?

They may not be. But a new survey suggests more IT shops are taking an interest in open source options, partly because of security holes in mainstream databases.

October 24, 2005 24 Oct'05

Admins grapple with latest Oracle patch puzzle

As database administrators digest Oracle's supersize patch release, security experts warn of unfixed flaws and at least one exploit.

October 11, 2005 11 Oct'05

Active Directory: Keep your domain user accounts in check

Expert Derek Melber signals a warning about securing user accounts in your domain. using Active Directory.

September 27, 2005 27 Sep'05

Active Directory getting critical look from regulators

Auditors are honing in on directory services to see if companies have internal controls now mandated by law.

July 13, 2005 13 Jul'05

Oracle issues patches, but misses the mark, again

Oracle's last volley of patches failed to correct at least one issue it claimed to fix. An expert worries that it could happen again this quarter and wonders when other long-anticipated fixes will be issued.

June 20, 2005 20 Jun'05

BJ's settlement with FTC bodes ill for others

Just one day after the FTC hands down its ruling on the BJ's privacy breach, CardSystems reveals it failed to protect the data of 40 million credit card customers.

May 29, 2005 29 May'05

Flaws in Oracle's Metalink similar to 'Google hacking'

Numerous flaws in Oracle's Metalink Knowledge Base could reveal sensitive customer reports on vulnerabilities and other matters. Other vendors may also be affected.

November 01, 2004 01 Nov'04

E-voting: Have we rushed to market?

Did a rush to market release insecure e-voting machines that could allow the results of tomorrow's election to be challenged?

November 01, 2004 01 Nov'04

Activists fear e-voting security glitches

Political activists and IT experts fear security glitches could affect e-voting machines -- and the outcome of a close presidential race.

August 04, 2004 04 Aug'04

Multiple critical flaws identified in Oracle

Researchers have identified 34 vulnerabilities in Oracle's database; the majority of the flaws are critical.

July 29, 2004 29 Jul'04

Automated SQL injection: What your enterprise needs to know, part 2

The second of a two-part interview with SPI Dynamics CTO Caleb Sima tells what you should fear, why and what you can do to mitigate your risk.

July 26, 2004 26 Jul'04

Automated SQL injection: What your enterprise needs to know

SQL injection exploits may soon be as common as those targeting Windows and Unix flaws, experts say. An estimated 60% of Web applications using dynamic content are likely vulnerable, with devastating consequences for an enterprise. A presentation of...

June 01, 2004 01 Jun'04