Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »
Mid-Market CIO Panel: Tips and Techniques for Improving Vendor Relationships
July 15, 4:00 PM - 5:00 PM U.S./Eastern (GMT-4)
We'll highlight relationship priorities and best practices identified in a Council study, and we'll interact with a CIO panel on the approaches they've used to improve strategic vendor partnerships.
Secrets of Successful Vendor Contract Negotiations for the Mid-Market
Sept. 10, 2009, 11:00 AM - 12:00 PM U.S./Eastern (GMT-4)
On this free public Council teleconference, Matthew A. Karlyn, attorney at Foley & Lardner in Boston, will share tips on negotiating tactics and new, creative contract terms to help mid-market CIOs make better deals.
Executive Competencies Assessment Tool
Assess Your Business Leadership Skills with the Council's new benchmarking tool. Rate yourself in change leadership, strategy, customer focus and more.
Learn more about the CIO Executive Council »Apply today for a FREE subscription to CIO Magazine!
April 24, 2008 — IDG News Service —
Security researcher David Litchfield has released technical details of a new type of attack that could give a hacker access to an Oracle database.
Called a lateral SQL injection, the attack could be used to gain database administrator privileges on an Oracle server in order to change or delete data or even install software, Litchfield said in an interview on Thursday.
Litchfield first disclosed this type of attack at the Black Hat Washington conference last February, but on Thursday he published a paper with technical details.
In a SQL injection, attackers create specially crafted search terms that trick the database into running SQL commands. Previously, security experts thought that SQL injections would only work if the attacker was inputting character strings into the database, but Litchfield has shown that the attack can work using new types of data, known as date and number data types.
Litchfield's attack targets the Procedural Language/SQL programming language used by Oracle developers.
A noted database hacker, Litchfield is best known as the researcher who published details on the bug used in the 2003 SQL Slammer worm, which targeted Microsoft's SQL Server database.
Litchfield wasn't sure how widespread lateral SQL injection vulnerabilities are, but he thinks the attack could cause real damage in some scenarios.
"If you happen to be using Oracle and you write your own applications on it, then yes, you could be writing vulnerable code," he said. "The sky is not falling ... but it's certainly something that people should be made aware of."
Database programmers should review their code to be sure it is checking to make sure that all of the data it is processing is legitimate, and not injected SQL commands, he said.
Oracle did not return a call seeking comment.