Databases Reference
In-Depth Information
C H A P T E R 8
Security
By Anton Nielsen
Throughout 2009 and 2010 WikiLeaks published nearly a half-million sensitive or classified US
Government documents. The story of how WikiLeaks obtained these documents and the subsequent
chain of events, from Denial of Service (DoS) attacks to social engineering, reads like a technology
hacking mystery novel. Events are still unfolding, but a deeper look at the techniques, technology, and
policies involved will enlighten anyone interested in how sensitive data can be compromised or even
altered. As far as I know, none of the systems involved in these events used Oracle Application Express,
but the same techniques, combined with poor policies, could certainly be applied to APEX or virtually
any digital technology.
After the terrorist attacks of September 11, 2001, the US Government recognized that its intelligence
community was fragmented and there was little sharing of information between agencies. In response to
this, much more data flowed between agencies, and many more people had access to intelligence
systems. This allowed a US Army private access to sensitive data, which later appeared on WikiLeaks.
Still unknown assailants used a variety of techniques to block access to the WikiLeaks websites and
many organizations blocked their systems from processing donations to WikiLeaks or hosting WikiLeaks
content. At least three of these, Amazon, MasterCard, and Visa, were in turn targeted for Denial of
Service attacks, shutting down their systems and disrupting Internet traffic throughout the world. These
DoS attacks were attributed to the Internet group Anonymous, considered by some to be Internet
freedom fighters and by others Internet vigilantes. A well-respected Internet security firm, HBGary,
indicated that it had uncovered the identities of Anonymous members. Within days the website of
HBGary had been hacked, the Twitter and email accounts of HBGary employees were hijacked, and
ancillary systems were compromised.
This chapter will use the WikiLeaks story as a backdrop to explore how the same or similar
techniques could be applied to an APEX environment. More importantly, this chapter will identify how
to mitigate these threats. The hacking of HBGary demonstrates a more difficult challenge, though:
knowing how to mitigate the threats is not sufficient. HBGary was likely aware of all of the techniques
used against it, lectured and published on the topics, but did not implement many of the precautions in
its own environment. Ensuring an organization follows best practices is a key element to any security
strategy and perhaps the biggest challenge of all.
Tools and Techniques
I have intentionally chosen a well-known security story that is not specific to Oracle Application Express
to demonstrate that security threats transcend the development tool or infrastructure platform. The Ars
Technica website (
http://arstechnica.com
) provided an extensive account of the methods used by
Anonymous to hack HBGary systems. Little in the account discusses specific languages or technologies;
the focus is on higher-level techniques.
