Hacking Oracle's database will soon get easier
Wednesday, Jul 22, 2009 7:55PM UTC
By Jim Finkle
BOSTON (Reuters) - Hackers will soon gain a powerful new tool for breaking into Oracle Corp's database, the top-selling business software used by companies to store electronic information.
Security experts have developed an easy-to-use, automated software tool that can remotely break into Oracle databases over the Internet to simulate attacks on computer systems, but cybercrooks can use it for hacking.
The tool's authors created it through a controversial open-source software project known as Metasploit, which releases its free software over the Web.
Chris Gates, a security tester who co-developed the Metasploit tool, will unveil it next week at the annual Black Hat conference in Las Vegas, where thousands of security experts and hackers will gather to exchange trade secrets.
"Anyone with no skill and knowledge can download and run it," said Pete Finnigan, an independent consultant who specializes in Oracle security and who advises large corporations and government agencies.
He has not yet studied the Oracle tool but is familiar with other Metasploit software and said it works by automating many of the complicated procedures required to hack into Oracle databases, allowing amateurs to hack into them.
Oracle, which declined to comment, has already issued patches to protect against vulnerabilities that the Metasploit tool targets. But some companies are not diligent in upgrading their software to add the patches, so they are vulnerable to attackers using the new tool. They hire consultants like Gates to help them make sure they are protected.
Metasploit hacks are available for other software programs, including Microsoft Corp's Windows as well as the Firefox and Internet Explorer browsers.
Gates said this is the first Metasploit program to target Oracle's database.
"There is no way to keep these tools out of the hands of people who want to use them for nefarious purposes," said Alan Paller, director of research for the SANS Institute. SANS trains security professionals in areas including use of Metasploit.
Security testers and hackers have previously used other programs to break into Oracle databases, but the new software from Metasploit is easier to operate and runs more quickly than existing options, said Gates.
Metasploit is the most widely used free hacking tool and has a loyal following in the security community.
In addition to letting hackers break into databases over the Internet, the Metasploit tool allows rogue employees to access them from their work PCs.
Workers could break into an Oracle system and secretly steal confidential data such as credit card numbers, give themselves pay raises or make other changes to corporate databases, said Finnigan, who has specialized in Oracle security for eight years.
(Reporting by Jim Finkle; Editing by Richard Chang)