Speaker: Esteban Martínez Fayó
Oracle Database Vault was launched a few years ago to put a limit on DBAs unlimited power especially over highly confidential data where it is required by regulations. This presentation will show how this add-on product for Oracle Database performs on this difficult task, first giving an introduction to DB Vault and what protections does it brings, then showing with many examples how it is possible to bypass the protections provided. The attacks demonstrated include getting operating system access to disable DB Vault, SQL Injection and impersonation techniques to bypass DB Vault protections and how it is possible using simple exploits to circumvent DB Vault. These attack examples are accompanied by recommendations on how to protect from them. Also the presentation shows some issues with native database auditing and has a section with additional recommendations to secure DB Vault and conclusions.
For presentations, whitepapers or audio version of the Defcon 18 presentations visit: http://defcon.org/html/links/dc-archives/dc-18-archive.html