Hacking Oracle's Database will get easier

The Economic Times
Hackers will soon gain a powerful new tool for breaking into Oracle Corp's database, the top-selling business software used by companies to store electronic information.

Security experts have developed an easy-to-use, automated software tool that can remotely break into Oracle databases over the Internet to simulate attacks on computer systems, but cyber crooks can use it for hacking.

Metasploit

The tool's authors created it through a controversial open-source software project known as Metasploit, which releases its free software over the Web. This is the first Metasploit program to target Oracle's database.

"Anyone with no skill and knowledge can download and run it," said Pete Finnigan, an independent consultant who specializes in Oracle security and who advises large corporations and government agencies.

Oracle issues patches to protect against vulnerabilities

He has not yet studied the Oracle tool but is familiar with other Metasploit software and said it works by automating many of the complicated procedures required to hack into Oracle databases, allowing amateurs to hack into them.

Oracle, which declined to comment, has already issued patches to protect against vulnerabilities that the Metasploit tool targets. But some companies are not diligent in upgrading their software to add the patches, so they are vulnerable to attackers using the new tool. They hire consultants like Gates to help them make sure they are protected.

Metasploit hacks are available for other software programs

Metasploit hacks are available for other software programs, including Microsoft Corp's Windows as well as the Firefox and Internet Explorer browsers.

"There is no way to keep these tools out of the hands of people who want to use them for nefarious purposes," said Alan Paller, director of research for the SANS Institute. SANS trains security professionals in areas including use of Metasploit.

Metasploit is easier to operate

Security testers and hackers have previously used other programs to break into Oracle databases, but the new software from Metasploit is easier to operate and runs more quickly than existing options.

Metasploit is the most widely used free hacking tool and has a loyal following in the security community.

Rogue employees can access them from their work PCs

In addition to letting hackers break into databases over the Internet, the Metasploit tool allows rogue employees to access them from their work PCs.

Workers could break into an Oracle system and secretly steal confidential data such as credit card numbers, give themselves pay raises or make other changes to corporate databases, said Finnigan, who has specialized in Oracle security for eight years.