
Black Hat USA 2009 Weekend Training Session

July 25-26

Black Hat USA 2009 Weekday Training Session

July 27-28

Hacking Oracle PL/SQL

Kevin Dunn and Marcus Pinto, NGS Software



Never has the need to understand Oracle database security been greater than it is today, as the boundaries between networks become less defined and web applications provide direct inroads through any firewalls and into the backend. This course will teach you how to hack into Oracle database servers; only by truly grasping the mechanics of attacks can a complete and effective defense be built. We will cover all aspects of breaking into Oracle database and application servers, including such topics as:

  • Understanding PL/SQL Vulnerabilities
  • Cursor Snarfing Vulnerabilities
  • PL/SQL Injection
  • Auxiliary Function Injection
  • Cursor Injection Attacks
  • Java Injection
  • Lateral SQL Injection via SYSDATE and DATE data (*new discovery)
  • Abusing Triggers To Gain Control
  • Bypassing VPD
  • Data exfiltration
  • Exploiting Oracle Application Server and mod_plsql


A prior knowledge of Oracle would be useful but not necessary.

Who Should Take the Course

Anyone interested in Oracle Database Security


NGS Software

NGSSoftware is offering the chance to benefit from the experience of its consultants and award-winning research team. This course teaches how to recognize the insecurities present within common database systems and how these flaws can leave you wide open to attack. It is tailored to teach security consultants, database administrators and IT professionals how hackers discover and exploit vulnerabilities to gain access to your data and further penetrate internal networks. By learning these techniques, we can discover the flaws for ourselves and effectively develop strategies to keep attackers out.

Kevin Dunn is a Senior Consultant for NGSSoftware, responsible for conducting penetration testing and security assessments of customer networks across many different operating environments. Providing consultancy advice for a wide selection of high-profile clients has ensured detailed exposure to, and assessment of, database and network architectures commonplace within the world’s financial and technology industries. His specialist knowledge, combined with hands-on consultancy experience of backend database systems and network infrastructure, has led to him being invited to design, author and present a comprehensive list of training courses for NGS.

Before joining NGS, Kev worked as a Network Vulnerability Analyst for the British Ministry of Defence, securing Military IT infrastructures and providing advice to protect government digital assets. During this time he developed in-house network security training programs that are still in use today, for the education of personnel and to raise the overall level of awareness for network security practices.

Marcus Pinto is a Principal Security Consultant at Next Generation Security Software, where he leads the database security competency. He has eight years’ experience in security consulting and specializes in penetration testing of web applications and supporting architectures. Marcus has worked with numerous banks, retailers, and other enterprises to help secure their web applications, and has provided security consulting to the development projects of several security-critical applications. He has worked extensively with large-scale web application deployments in the financial services industry.

Marcus has developed and presented database and web application training courses at Black Hat and other security conferences around the world.

Super Early:
Ends Mar 15
Ends May 1

Ends Jul 1

Ends Jul 22






