Oracle Cloud says it's not true someone broke into its login servers and stole data

Oracle has straight up denied claims by a miscreant that its public cloud offering has been compromised and information stolen. A crook late last week advertised on an online cyber-crime forum what was alleged to be Oracle Cloud customer security keys and other sensitive data swiped from the IT giant. This material was said to …

  1. Stu J

    Popcorn time

    Oh pleeeeeease can someone affected sue Oracle into the floor for criminal negligence...?

    Providing an insecure service by running instances of your own software, which is riddled with public exploits, and not updating said instances to patch the exploitable bugs?

    Priceless multi-layered levels of negligence.

  2. ovation1357

    Encrypted passwords?

    "The SSO passwords are encrypted, they can be decrypted with the available files,"

    Why on earth are passwords being encrypted rather than hashed?

    I've only seen this in really poor, old (like 20 years old) software.

    People are creatures of habit and there's every chance that a chunk of users are using the same password elsewhere :-|

    1. Doctor Syntax Silver badge

      Re: Encrypted passwords?

      "Why on earth are passwords being encrypted rather than hashed?"

      The two are close enough in meaning for PR speak.

      1. Anonymous Coward

        Re: Encrypted passwords?

        In marketing speak, they're the same.

        I once delivered basic cybersecurity training for marketing folks around password strength and good password hygiene because they kept getting hacked after password leaks and the difference between hashing and encrypting came up...it went on for an hour...I just gave up. It wasn't worth it. It was like teaching maths to Baldrick.

        1. I could be a dog really Silver badge

          Re: Encrypted passwords?

          Did you go and have a very small casserole?

          1. Anonymous Coward

            Re: Encrypted passwords?

            Edmund Techadder: So if I use an algorithm to make some data irreversible, it is hashed. If I use another algorithm that scrambles the data, but the scrambled data can be reassembled using a key, it is encrypted.

            Salesrick: Ok.

            Edmund Techadder: Good, now if I take this data here...*points at some data*...and I turn it into something that cannot be reversed...it is...?

            Salesrick: Some beans.

            Edmund Techadder: You know, for you, the technical revolution that happened over the last century was just something that happened to other people wasn't it Salesrick?

    2. Anonymous Coward

      Re: Encrypted passwords?

      Probably meant hashed, but that's not a perfect defense. Even with salting, it makes cracking expensive but not impossible. If there are a few particularly high-value targets in there (which seems likely) it's probably worth the trouble to someone.

      1. ovation1357

        Re: Encrypted passwords?

        "Even with salting, it makes cracking expensive but not impossible"

        This blows my mind! Unless there's some known weakness in the salt and/or the hash then the only way to crack this is to brute force it by generating hashes of what, billions? trillions? of possible combinations using the salt which is (or at least should be) unique to that individual password.

        Please correct me if I'm missing something here. I'm struggling to comprehend a scenario where the amount of time and computation would be worth it.

        1. PinchOfSalt

          Re: Encrypted passwords?

          We use compute power to make AI cat videos.

          There's more than enough compute lying around to do this.

          1. MachDiamond Silver badge

            Re: Encrypted passwords?

            "We use compute power to make AI cat videos."

            And virtual porn. Don't forget the porn.

        2. O'Reg Inalsin

          Re: Encrypted passwords?

          According to https://www.hivesystems.com/blog/are-your-passwords-in-the-green :

          A single RTX-4090 can solve an 8 character full random password (including special chars etc) hashed with MD5 in an hour.

          1. collinsl Silver badge

            Re: Encrypted passwords?

            Yes but MD5 is a known weak algorithm and no one would be hashing with it any more, would they? Shirley not? Please tell me not? Please...

        3. teknopaul

          Re: Encrypted passwords?

          I read files available meaning salts are available with the data. So it's just a dictionary attack that's needed. Requires compute, but maybe much.

        4. Anonymous Coward

          Re: Encrypted passwords?

          Don't struggle, you're considering things correctly. In all probability, it would never be worth it...in all probability, if you did have the resources to crack a hash, the sheer time required alone would make it a waste of resources, because by the time you've cracked the hash, it's probably no longer relevant. It's not really a technical consideration...any one of us here could write a script to systematically bruteforce hashes, it's very possible...easy even...but none of us have the time, resources or inclination to even bother.

          Something being possible, doesn't make it feasible, practical, ethical, probable, profitable or even realistic.

          All the humans on earth could be packed in to fill the Grand Canyon...it's possible...it's just not feasible, practical or even ethical...there are lots of things preventing this situation actually happening...and what would be the point?

          Most password cracking theory exists as thought experiments and maths...that's it...

          The only reason you hear people talking about the "possibility" of hashes being cracked etc is because mathematically the odds are greater than 1...but the realms of mathematical possibility are pretty abstract. I mean, how many values are there between 0 and 1? It could be ten, right? 0.1, 0.2, 0.3 etc etc...could be a lot more if you start at 0.01...or 0.000001...could be infinite...could be zero values and the next value is literally 1, it's arbitrary.

          I mean with cracking a hash, you could get lucky and find its value in your first go.

          A lot of people know what this hash is:

          6b3a55e0261b0304143f805a24924d0c1c44524821305f31d9277843b8a10f4e

          This hash would be incredibly cheap to crack and you'd do it at virtually zero cost.

          Even if something is 1 in 18 gazillion...it's possible...it's just not likely.

          That said, rainbow tables do exist for cracking password hashes (unsalted ones). So unsalted hashes are probably quite trivial to crack if they are below a certain length and complexity.

        5. kurkosdr

          Re: Encrypted passwords?

          Most humans don't choose random strings as passwords, so there is a certain degree of predictability in most passwords, and as a result, cracking by wordlist is a popular technique for cracking hashed-and-salted passwords. This can crack the majority of hashed-and-salted passwords in a file within days because it greatly minimizes the combinations tried.
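The salted-hash exchange above (whether a unique salt makes cracking infeasible, whether the salts being in the leaked files matter, and why a wordlist still works) is easier to settle with code. The following is an added example written for this page, not code from the article, Oracle, or any commenter. The accounts, passwords, salts and wordlist are all constructed; the hash constructions (MD5 over salt||password versus PBKDF2-HMAC-SHA256) are standard library calls and stand in for whatever the leaked data actually used.

```python
import hashlib
import os

# Constructed sample accounts (not from the article). Two passwords are the kind
# of thing a wordlist-plus-rules attack guesses; the third is 16 random characters.
USER_PASSWORDS = {
    "alice": "Summer2024!",
    "bob": "correcthorsebatterystaple",
    "carol": "g7#Vq2pL!x9Rz4Wm",
}

# Constructed wordlist. In practice this would be a public leak list with mangling rules.
WORDLIST = ["password", "123456", "Summer2023!", "Summer2024!", "letmein",
            "correcthorsebatterystaple", "qwerty"]


def fast_hash(password: str, salt: bytes) -> bytes:
    """MD5 over salt||password: salted, but each guess costs one cheap compression."""
    return hashlib.md5(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with the same salt: each guess now costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_records(hash_fn) -> dict:
    """Build a password file: (salt, digest) per user with a unique random salt each.
    The salt is stored alongside the digest, which is why a leak of the files hands
    the attacker the salts too."""
    records = {}
    for user, pw in USER_PASSWORDS.items():
        salt = os.urandom(16)
        records[user] = (salt, hash_fn(pw, salt))
    return records


def dictionary_attack(records: dict, wordlist, hash_fn) -> tuple[dict, int]:
    """Per-record wordlist attack. Returns (recovered passwords, hash evaluations).

    Unique salts mean nothing precomputed carries over between records, so the cost
    is up to len(records) * len(wordlist) evaluations. That is a multiplier on the
    attacker's work, not a barrier: a guessable password is found regardless."""
    recovered = {}
    evaluations = 0
    for user, (salt, digest) in records.items():
        for candidate in wordlist:
            evaluations += 1
            if hash_fn(candidate, salt) == digest:
                recovered[user] = candidate
                break
    return recovered, evaluations


def salt_defeats_precomputation() -> bool:
    """Same password, two salts, two unrelated digests. A rainbow table keyed on the
    password alone cannot be looked up against either record."""
    h1 = fast_hash("Summer2024!", b"\x00" * 16)
    h2 = fast_hash("Summer2024!", b"\x01" * 16)
    return h1 != h2


if __name__ == "__main__":
    for name, fn in (("md5(salt||pw)", fast_hash), ("pbkdf2-sha256", slow_hash)):
        found, n = dictionary_attack(make_records(fn), WORDLIST, fn)
        print(f"{name}: recovered {found} after {n} evaluations")
```

Both constructions recover exactly the same two accounts after the same number of evaluations; the only difference is what each evaluation costs the attacker, which is the lever a slow KDF gives you. The random password survives both because it is not in the list, not because of the salt.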

      2. Scene it all

        Re: Encrypted passwords?

        I know of a case where some clever guys were able to "crack" every password for every account on the in-house development network for a certain operating system. The OS was using the hardware CRC instruction to do the "hashing" and the project leaders ignored cries that this was not secure. So a demonstration was in order. The key insight is that it was not necessary to discover the EXACT password, only one that HASHED THE SAME. And doing this for several hundred passwords at once greatly increases the speed of the process. They completed the whole thing in one night and everyone on the network was emailed their own password (or one that worked just as well) the next morning. The hashing algorithm was changed immediately, as was the protection on the password file.

        I can vouch for this being a true story as I was there and received my own password in the mail. I also knew the two "clever guys".
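The two insights in the story above, that a colliding password is as good as the real one and that checking many accounts per candidate is nearly free, can be shown directly. The code below is an added example for this page, not the commenter's or the OS vendor's code. It assumes the checksum was CRC-32 as implemented by zlib (reflected polynomial 0xEDB88320, initial and final XOR 0xFFFFFFFF); the comment does not say which CRC instruction was used, so that is an assumption. The password file is constructed. Because CRC is linear, no brute force is needed at all: four chosen trailing bytes steer any prefix onto any target checksum.

```python
import zlib

# Assumed CRC-32 parameters (zlib flavour); the original comment does not name the CRC.
POLY = 0xEDB88320
TABLE = []
for i in range(256):
    c = i
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    TABLE.append(c)
# Each table entry has a distinct high byte, which is what lets us run the CRC backwards.
REVERSE = {entry >> 24: idx for idx, entry in enumerate(TABLE)}
assert len(REVERSE) == 256

# Constructed password file: usernames mapped to the CRC-32 of their passwords.
PASSWORD_FILE = {
    user: zlib.crc32(pw.encode())
    for user, pw in {"root": "Tr0ub4dor&3", "dev1": "mypassword", "build": "letmein"}.items()
}


def forge_suffix(prefix: bytes, target_crc: int) -> bytes:
    """Return 4 bytes s such that zlib.crc32(prefix + s) == target_crc.

    Backward pass: walk the target register back four steps, picking the table index
    whose high byte matches at each step. Forward pass: append the byte that makes the
    live register select exactly those indices in order."""
    want = target_crc ^ 0xFFFFFFFF          # register value before zlib's final XOR
    indices = []
    d = want
    for _ in range(4):
        idx = REVERSE[d >> 24]
        indices.append(idx)
        d = ((d ^ TABLE[idx]) << 8) & 0xFFFFFFFF
    indices.reverse()
    reg = zlib.crc32(prefix) ^ 0xFFFFFFFF    # register after consuming the prefix
    suffix = bytearray()
    for idx in indices:
        b = (reg ^ idx) & 0xFF               # makes (reg ^ b) & 0xFF == idx
        suffix.append(b)
        reg = TABLE[idx] ^ (reg >> 8)        # zlib's per-byte update
    return bytes(suffix)


def equivalent_password(stored_crc: int, prefix: bytes = b"notthepassword-") -> bytes:
    """A string that checksums identically to the real password: it is NOT the
    password, but a CRC-based login check cannot tell the difference."""
    return prefix + forge_suffix(prefix, stored_crc)


def crack_all(password_file: dict) -> dict:
    """One working login string per account, with no guessing at all."""
    return {user: equivalent_password(crc) for user, crc in password_file.items()}


def batch_check(password_file: dict, candidates) -> dict:
    """The 'several hundred at once' speed-up for an ordinary guessing attack:
    hash each candidate once and look it up against every account's checksum."""
    by_crc = {}
    for user, crc in password_file.items():
        by_crc.setdefault(crc, []).append(user)
    hits = {}
    for cand in candidates:
        for user in by_crc.get(zlib.crc32(cand.encode()), ()):
            hits[user] = cand
    return hits


if __name__ == "__main__":
    for user, forged in crack_all(PASSWORD_FILE).items():
        print(user, forged, hex(zlib.crc32(forged)) == hex(PASSWORD_FILE[user]))
    print(batch_check(PASSWORD_FILE, ["123456", "mypassword", "letmein"]))
```

The forged suffix is four arbitrary bytes, so the resulting string may not be typeable; that is a detail of the demonstration, not a limitation of the attack, since with a few more controllable bytes one can restrict the output to printable characters. The point stands either way: a CRC is a linear error-detecting code, and no amount of salting or key stretching applied on top of it changes that.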

    3. Andrew Scott Bronze badge

      Re: Encrypted passwords?

      Could be they are hashed. lot of people, even people who should know better may look at a hash and declare that it's encrypted information.

      1. el_oscuro

        Re: Encrypted passwords?

        If it is Weblogic, it isn't hashed. It is "encrypted" in a way that can be easily decrypted with a script. No secret key required. And oracle isn't the only one. Microsoft web.config files also contain "encrypted" passwords that can be decrypted if you know how to google the right command.

    4. el_oscuro

      Re: Encrypted passwords?

      Answer: The steaming pile of shit known as Weblogic. So many exploits and ways to do this. For example: https://github.com/maaaaz/weblogicpassworddecryptor.

  3. Doctor Syntax Silver badge

    Maybe it wasn't pilfered from Oracle. Maybe an LLM just hallucinated it all.

  4. Tron Silver badge

    The Cloud v. 12Tb drives that cost £160.

    The 'internet hoodlums' could have initially demanded a much lower amount from Oracle and then multiplied it dramatically a little later, for a customised resolution.

    1. Fruit and Nutcase Silver badge

      Re: The Cloud v. 12Tb drives that cost £160.

      Maybe the Internet Hoodlums should have contacted the hoodlums in Oracle Licencing.

      Honour amongst hoodlums

  5. Anonymous Coward

    Java KeyStore files

    If verified true, I would buy it

  6. Mark Exclamation

    I'm torn here. Hackers are scumbags and should be locked up. But Oracle is also a scumbag, and I'm not sure who is worse. There is some delicious irony here.

    1. Richard 12 Silver badge

      With any luck, they'll both lose.

  7. Observ

    That statement and how it is worded makes me think two things. Details to the words they use and don't are telling.

    So they say the CLOUD environments in (AWS, Azure, Google) weren't compromised but they don't say anything about their on prem systems in a private datacenter and they state someone didn't break in.

    I do know years ago I heard they had an on prem authentication system that was proprietary.

    The second item they state someone did NOT 'break in' - That to me says an employee did something they weren't supposed to. Inside job?

    We will see....

  8. Dave 13

    Uncle Larry

    Uncle Larry never met a customer, competitor or individual he didn't want to sue. He's now got a problem since he doesn't know who to sue. Poor Larry.

  9. DavidWooderson

    This does not look good for Oracle. The evidence from CloudSEK is pretty damning.
