Tuesday, May 10, 2011

Oracle Metalink security considerations

Recently I found the message below on Metalink. Metalink is Oracle's support network, where you can get support on your questions and issues with Oracle software (and now also hardware). As it turns out, people are trying to get access to the Metalink accounts of companies to extract information about their systems and possible ways to gain access. In general the Oracle Support website is considered secure: you appoint an administrator within your organization and this person can authorize people to make use of the support network. Because of this, people tend to share information on this site which they would generally not publish on the public internet for the rest of the world to see.

The message below is the one posted by Oracle on Metalink:

Wikipedia defines social engineering as follows:
“Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than by breaking in or using technical cracking techniques. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim. Social Engineering has also been employed by bill collectors, skiptracers, and bounty hunters.”

Oracle has become aware of an increasing number of attempts to get access to My Oracle Support by using social engineering techniques such as impersonating real users / employees of a company – but using a misspelled mail account domain (e.g., john.doe@oracle.com versus john.doe@0racle.com). By impersonating a real user, not only will the fraudulent user get unauthorized access to MOS, but would also be able to access the service requests of the targeted company, which may contain confidential information.

Because customer User Administrators are responsible for approving new users against their company CSI(s), they should be on alert for this growing threat and double-check all users they approve or have approved in the past. In addition, Oracle takes this threat very seriously and will disable any account / user that it identifies as impersonating someone else.

If – as a customer User Administrator – you identify but can’t disable a fraud user, please log a non-technical Service Request and Oracle Support will ensure proper actions are taken.

Thank you,
Your support team
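Oracle's notice asks User Administrators to double-check the accounts they approve against lookalike domains such as 0racle.com. As an added example (my own constructed code, not Oracle's and not part of the notice), the script below shows how an administrator could pre-screen a batch of pending user requests: it folds common digit and homoglyph substitutions and flags domains that are within a small edit distance of the company's approved domains. The approved-domain set, the lookalike table and the pending addresses are all made-up assumptions.

```python
"""Flag requested My Oracle Support user e-mail addresses whose domain only
looks like an approved corporate domain.

Constructed example, not Oracle's code and not part of the original post.
The approved-domain list, lookalike table and pending requests are made up."""

import unicodedata

# Approved e-mail domains for this customer's CSI (constructed assumption).
APPROVED_DOMAINS = {"example.com", "corp.example.com"}

# Characters commonly substituted to mimic a legitimate domain.
# Constructed, non-exhaustive table: digits and a few Cyrillic/Greek/Turkish
# letters that render like their Latin counterparts.
LOOKALIKES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0131": "i",  # dotless i
    "\u03bf": "o",  # Greek omicron
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic e
    "\u0456": "i",  # Cyrillic i
    "\u0455": "s",  # Cyrillic dze
})


def normalize(domain: str) -> str:
    """Lower-case, apply Unicode compatibility folding, then fold lookalikes."""
    d = unicodedata.normalize("NFKC", domain).lower()
    return d.translate(LOOKALIKES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance between distinct domains is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(email: str, approved=APPROVED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'approved', 'lookalike' or 'unknown' for one requested address."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local:
        return "unknown"
    domain = domain.lower()
    if domain in approved:
        return "approved"
    folded = normalize(domain)
    for good in approved:
        if folded == good or levenshtein(folded, good) <= max_distance:
            return "lookalike"
    return "unknown"


def review(requests):
    """Group a batch of pending user requests by verdict, preserving order."""
    verdicts = {"approved": [], "lookalike": [], "unknown": []}
    for email in requests:
        verdicts[classify(email)].append(email)
    return verdicts


# Constructed pending-approval list mixing legitimate and spoofed addresses.
PENDING = [
    "jane.doe@example.com",
    "john.doe@examp1e.com",          # digit 1 in place of l
    "j.roe@ex\u0430mple.com",        # Cyrillic a in place of Latin a
    "ops@corp.example.com",
    "partner@vendor.test",           # neither approved nor a lookalike
]

if __name__ == "__main__":
    for verdict, addrs in review(PENDING).items():
        print(f"{verdict:10s} {addrs}")
```

Anything reported as "lookalike" deserves a phone call to the person it claims to be before approval; "unknown" domains (partners, consultants) still need the usual manual check, the script only removes the cases that are hardest to spot by eye.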

This brings me back to a topic I have already discussed internally a couple of times and with customers: what do you want to share with Oracle from a security point of view? This is not only about the content you discuss with a support engineer, but also about what you have, for example, Oracle Enterprise Manager upload to Metalink. It is possible to connect Oracle Enterprise Manager to Metalink and have it share information about the systems you are running. In return it shows you information retrieved from Metalink on which patches might need to be applied, and when you log a service request you can simply select the system you have a question about and the support engineer will have all the information at hand. The screenshot below shows how you can connect your Oracle Enterprise Manager. It is a screenshot of an older version; in the latest version some issues might arise. I have been looking into this together with Henk Nap, who has posted some information on this on his weblog.

Connecting your systems brings two security risks into the equation. The first is already mentioned by Oracle: if you post information to Metalink and someone gains access to your company's Metalink account, they will be able to read up on how you do your business and how your systems are configured, in some cases information you do NOT want to share. The second issue is that if you have your Oracle Enterprise Manager connect to Metalink, you have to make this connection possible, which means opening some parts of your firewall. You can secure this, but in my opinion opening up your datacenter and connecting it to the public internet is always a bad idea. Until Oracle comes up with some sort of more secure gateway, proxy or something else, I am not a big fan of connecting my systems to Metalink directly.
