Oracle Cloud says it's not true someone broke into its login servers and stole data Oracle has straight up denied claims by a miscreant that its public cloud offering has been compromised and information stolen. A crook late last week advertised on an online cyber-crime forum what was alleged to be Oracle Cloud customer security keys and other sensitive data swiped from the IT giant. This material was said to …
Oh pleeeeeease can someone affected sue Oracle into the floor for criminal negligence...?
Providing an insecure service by running instances of your own software, which is riddled with public exploits, and not updating said instances to patch the exploitable bugs?
Priceless multi-layered levels of negligence.
"The SSO passwords are encrypted, they can be decrypted with the available files,"
Why on earth are passwords being encrypted rather than hashed?
I've only seen this in really poor, old (like 20 years old) software.
People are creatures of habit and there's every chance that a chunk of users are using the same password elsewhere :-|
In marketing speak, they're the same.
I once delivered basic cybersecurity training for marketing folks around password strength and good password hygiene because they kept getting hacked after password leaks and the difference between hashing and encrypting came up...it went on for an hour...I just gave up. It wasn't worth it. It was like teaching maths to Baldrick.
Edmund Techadder: So if I use an algorithm to make some data irreversible, it is hashed. If I use another algorithm that scrambles the data, but the scrambled data can be reassembled using a key, it is encrypted.
Salesrick: Ok.
Edmund Techadder: Good, now if I take this data here...*points at some data*...and I turn it into something that cannot be reversed...it is...?
Salesrick: Some beans.
Edmund Techadder: You know, for you, the technical revolution that happened over the last century was just something that happened to other people wasn't it Salesrick?
"Even with salting, it makes cracking expensive but not impossible"
This blows my mind! Unless there's some known weakness in the salt and/or the hash then the only way to crack this is to brute force it by generating hashes of what, billions? trillions? of possible combinations using the salt which is (or at least should be) unique to that individual password.
Please correct me if I'm missing something here. I'm struggling to comprehend a scenario where the amount of time and computation would be worth it.
But only if you can detect success. If you hash an md5 twice and the input is binary, or noone knows you hash twice (or 12348 times)? Md5 is as good as a barrel shift.
It bugs me that people think any use of xxx algo is "insecure", because Ive have had to rewrite chksums that use sha1: it was impossible to explain to security bods and managers what a chksum is.
Don't struggle, you're considering things correctly. In all probability, it would never be worth it...in all probability, if you did have the resources to crack a hash, the sheer time required alone would make it a waste of resources, because by the time you've cracked the hash, it's probably no longer relevant. It's not really a technical consideration...any one of us here could write a script to systematically bruteforce hashes, it's very possible...easy even...but none of us have the time, resources or inclination to even bother.
Something being possible, doesn't make it feasible, practical, ethical, probable, profitable or even realistic.
All the humans on earth could be packed in to fill the Grand Canyon...it's possible...it's just not feasible, practical or even ethical...there are lots of things preventing this situation actually happening...and what would be the point?
Most password cracking theory exists as thought experiments and maths...that's it...
The only reason you hear people talking about the "possibility" of hashes being cracked etc is because mathematically the odds are greater than 1...but the realms of mathematical possibility are pretty abstract. I mean, how many values are there between 0 and 1? It could be ten, right? 0.1, 0.2, 0.3 etc etc...could be a lot more if you start at 0.01...or 0.000001...could be infinite...could be zero values and the next value is literally 1, it's arbitrary.
I mean with cracking a hash, you could get lucky and find it's value in your first go.
A lot of people know what this hash is:
6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e
This hash would be incredibly cheap to crack and you'd do it at virtually zero cost.
Even if something is 1 in 18 gazillion...it's possible...it's just not likely.
That said, rainbow tables do exist for cracking password hashes (unsalted ones). So unsalted hashes are probably quite trivial to crack if they are below a certain length and complexity.
Most humans don't choose random strings as passwords, so there is a certain degree of predictability in most passwords, and as a result, cracking by wordlist is a popular technique for cracking hashed-and-salted passwords. This can crack the majority of hashed-and-salted passwords in a file withing days because it greatly minimizes the combinations tried.
I know of a case where some clever guys were able to "crack" every password for every account on the in-house development network for a certain operating system. The OS was using the hardware CRC instruction to do the "hashing" and the project leaders ignored cries that this was not secure. So a demonstration was in order. The key insight is that it was not necessary to discover the EXACT password, only one that HASHED THE SAME. And doing this for several hundred passwords at once greatly increases the speed of the process. They completed the whole thing in one night and everyone on the network was emailed their own password (or one that worked just as well) the next morning. The hashing algorithm was changed immediately, as was the protection on the password file.
I can vouch for this being a true story as I was there and received my own password in the mail. I also knew the two "clever guys".
If it is Weblogic, it isn't hashed. It is "encrypted" in a way that can be easily decrypted with a script. No secret key required. And oracle isn't the only one. Microsoft web.config files also contain "encrypted" passwords that can be decrypted if you know how to google the right command.
That statement and how it is worded makes me thing two things. Details to the words they use and don't are telling.
So they say the CLOUD environments in (AWS, Azure, Google) weren't compromised but they don't say anything about their on prem systems in a private datacenter and they state someone didn't break in.
I do know years ago I heard they had an on prem authentication system that was proprietary.
The second item they state someone did NOT 'break in' - That to me says an employee did something they weren't supposed to. Inside job?
We will see....
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
