
A SIMPLE SECURITY APPROACH IV

Author JP Vijaykumar Oracle DBA
Written 11-22-11
----------------------------------------------------------------------
C shells, Korn shells, Bourne shells, Sea shells
Thanks Dennis. You are nulli secundus.
----------------------------------------------------------------------

I had one table with highly sensitive and confidential data. At any cost, I have to safeguard the data in this table.

Every day, we read in the news about data being stolen from highly secure databases in defence, government and financial establishments. Why are these agencies failing to protect sensitive and confidential data? They are doing their best to protect data. But the hackers are intelligent enough to crack into anything and literally everything. Nothing can stop them. Also, nowadays, security breaches by insiders are on the rise.

So how can I protect my data at less cost and make sure that my data is 100% safe and secure?

I had 10 anonymous accounts, worth a billion dollars, to be protected. I always do online transactions and I am very careful not to leave my account details in the hands of hackers.

Here is how I want to protect my data. These are my anonymous bank accounts' details:

ANONYMOUS BANK  ANONYMOUS BANK  ANONYMOUS BANK   ANONYMOUS BANK  ANONYMOUS SECURITY
ACCOUNT NAME    ACCOUNT NUMBER  ACCOUNT PASSWORD ACCOUNT PIN     QUESTION'S ANSWER
--------------- --------------- ---------------- --------------- ------------------
HANUMANCHALEESA 111111111111111 JRAMAMOHANRAO--  000000000012345 KAKINADAPORT---
ADITHYAHRUDAYAM 222222222222222 MAHALAXMIGORTHI  000000000023456 KOTABOMMALI----
SRIMADBAGAVATAM 333333333333333 PARAMABATTARIKA  000000000034567 SRUNGAVARAPUKOT
DWARAKATIRUMALA 444444444444444 VINEELA-VEEKSHA  000000000045678 SRUNGAVRUKSHAMU
SRIVENKATESWARA 555555555555555 JAYSUBBALAKSHMI  000000000056789 TAGARAPUVALASA-
GYANAPRASUNAMBA 666666666666666 THRIPURASUNDARY  000000000067890 WATERLOO-------
RAMANADHAPURAMU 777777777777777 SIRARTHRUCOTTON  000000000078901 NORMANDY-------
VENKATANARAYANA 888888888888888 MEENAXISUNDARAM  000000000089012 RANASTHALAMU---
SEETHARAMASWAMY 999999999999999 SAVITRISUNDARAM  000000000090123 VEERAGHATTAMU--
LAXMINARASIMHAM 123456789012345 UNDIAGRAHAARAMU  000000000010234 KURUKSHETRAMU--

I will load the data into a table.

drop table master_account_jp1;
create table master_account_jp1(col1 varchar2(15),col2 varchar2(15),col3 varchar2(15),
col4 varchar2(15),col5 varchar2(15)) tablespace users;

insert into master_account_jp1 values ('HANUMANCHALEESA','111111111111111','JRAMAMOHANRAO--','000000000012345','KAKINADAPORT---');
insert into master_account_jp1 values ('ADITHYAHRUDAYAM','222222222222222','MAHALAXMIGORTHI','000000000023456','KOTABOMMALI----');
insert into master_account_jp1 values ('SRIMADBAGAVATAM','333333333333333','PARAMABATTARIKA','000000000034567','SRUNGAVARAPUKOT');
insert into master_account_jp1 values ('DWARAKATIRUMALA','444444444444444','VINEELA-VEEKSHA','000000000045678','SRUNGAVRUKSHAMU');
insert into master_account_jp1 values ('SRIVENKATESWARA','555555555555555','JAYSUBBALAKSHMI','000000000056789','TAGARAPUVALASA-');
insert into master_account_jp1 values ('GYANAPRASUNAMBA','666666666666666','THRIPURASUNDARY','000000000067890','WATERLOO-------');
insert into master_account_jp1 values ('RAMANADHAPURAMU','777777777777777','SIRARTHRUCOTTON','000000000078901','NORMANDY-------');
insert into master_account_jp1 values ('VENKATANARAYANA','888888888888888','MEENAXISUNDARAM','000000000089012','RANASTHALAMU---');
insert into master_account_jp1 values ('SEETHARAMASWAMY','999999999999999','SAVITRISUNDARAM','000000000090123','VEERAGHATTAMU--');
insert into master_account_jp1 values ('LAXMINARASIMHAM','123456789012345','UNDIAGRAHAARAMU','000000000010234','KURUKSHETRAMU--');
commit;

select * from master_account_jp1;

I love idioms and phrases. Divide et impera, meaning divide and rule. This phrase is from Latin.

Now I scramble the data.

drop table master_account_jp2;
create table master_account_jp2(col1 number, col2 varchar2(5)) tablespace users;

set serverout on size 1000000 timing on
declare
v_str varchar2(5);
begin
for c1 in (select * from master_account_jp1) loop
  for i in 1..15 loop
    v_str:='';
    -- take the i-th character of each of the five columns
    v_str:=substr(c1.col1,i,1)||substr(c1.col2,i,1)||substr(c1.col3,i,1)||substr(c1.col4,i,1)||substr(c1.col5,i,1);
    dbms_output.put_line(i||' '||v_str);
    insert into master_account_jp2 values(i,v_str);
    commit;
  end loop;
  dbms_output.put_line('----------------');
end loop;
end;
/

1 H1J0K
2 A1R0A
3 N1A0K
4 U1M0I
5 M1A0N
6 A1M0A
7 N1O0D
8 C1H0A
9 H1A0P
10 A1N0O
11 L1R1R
12 E1A2T
13 E1O3-
14 S1-4-
15 A1-5-
----------------
1 A2M0K
2 D2A0O
3 I2H0T
4 T2A0A
5 H2L0B
6 Y2A0O
7 A2X0M
8 H2M0M
9 R2I0A
10 U2G0L
11 D2O2I
12 A2R3-
13 Y2T4-
14 A2H5-
15 M2I6-
----------------
1 S3P0S
2 R3A0R
3 I3R0U
4 M3A0N
5 A3M0G
6 D3A0A
7 B3B0V
8 A3A0A
9 G3T0R
10 A3T0A
11 V3A3P
12 A3R4U
13 T3I5K
14 A3K6O
15 M3A7T
----------------
1 D4V0S
2 W4I0R
3 A4N0U
4 R4E0N
5 A4E0G
6 K4L0A
7 A4A0V
8 T4-0R
9 I4V0U
10 R4E0K
11 U4E4S
12 M4K5H
13 A4S6A
14 L4H7M
15 A4A8U
----------------
1 S5J0T
2 R5A0A
3 I5Y0G
4 V5S0A
5 E5U0R
6 N5B0A
7 K5B0P
8 A5A0U
9 T5L0V
10 E5A0A
11 S5K5L
12 W5S6A
13 A5H7S
14 R5M8A
15 A5I9-
----------------
1 G6T0W
2 Y6H0A
3 A6R0T
4 N6I0E
5 A6P0R
6 P6U0L
7 R6R0O
8 A6A0O
9 S6S0-
10 U6U0-
11 N6N6-
12 A6D7-
13 M6A8-
14 B6R9-
15 A6Y0-
----------------
1 R7S0N
2 A7I0O
3 M7R0R
4 A7A0M
5 N7R0A
6 A7T0N
7 D7H0D
8 H7R0Y
9 A7U0-
10 P7C0-
11 U7O7-
12 R7T8-
13 A7T9-
14 M7O0-
15 U7N1-
----------------
1 V8M0R
2 E8E0A
3 N8E0N
4 K8N0A
5 A8A0S
6 T8X0T
7 A8I0H
8 N8S0A
9 A8U0L
10 R8N0A
11 A8D8M
12 Y8A9U
13 A8R0-
14 N8A1-
15 A8M2-
----------------
1 S9S0V
2 E9A0E
3 E9V0E
4 T9I0R
5 H9T0A
6 A9R0G
7 R9I0H
8 A9S0A
9 M9U0T
10 A9N0T
11 S9D9A
12 W9A0M
13 A9R1U
14 M9A2-
15 Y9M3-
----------------
1 L1U0K
2 A2N0U
3 X3D0R
4 M4I0U
5 I5A0K
6 N6G0S
7 A7R0H
8 R8A0E
9 A9H0T
10 S0A0R
11 I1A1A
12 M2R0M
13 H3A2U
14 A4M3-
15 M5U4-
----------------

PL/SQL procedure successfully completed.

select * from master_account_jp2;

Now I segregate the data.

set serverout on size 1000000 timing on
declare
begin
for i in 1..15 loop
  --execute immediate 'drop table scramble_account_jp'||i;
  -- no ORDER BY: row_num follows the order the rows happen to come back in
  execute immediate 'create table scramble_account_jp'||i||
    ' as select rownum row_num,t.* from (select * from master_account_jp2 where col1='||i||') t';
end loop;
end;
/

PL/SQL procedure successfully completed.

select * from scramble_account_jp1;

   ROW_NUM       COL1 COL2
---------- ---------- -----
         1          1 H1J0K
         2          1 A2M0K
         3          1 S3P0S
         4          1 D4V0S
         5          1 S5J0T
         6          1 G6T0W
         7          1 R7S0N
         8          1 V8M0R
         9          1 S9S0V
        10          1 L1U0K

10 rows selected.

select * from scramble_account_jp15;

   ROW_NUM       COL1 COL2
---------- ---------- -----
         1         15 A1-5-
         2         15 M2I6-
         3         15 M3A7T
         4         15 A4A8U
         5         15 A5I9-
         6         15 A6Y0-
         7         15 U7N1-
         8         15 A8M2-
         9         15 Y9M3-
        10         15 M5U4-

10 rows selected.

At this point, I will drop the master tables (master_account_jp1 and master_account_jp2).

To unscramble the data, I run the following procedure.

set serverout on size 1000000 timing on
declare
v_num number;
begin
for i in 1..5 loop
  v_num:=i;
  -- v_num picks the field; each fragment table supplies one character of it
  for c1 in (select a.row_num,
    substr(a.col2,v_num,1)||substr(b.col2,v_num,1)||substr(c.col2,v_num,1)||
    substr(d.col2,v_num,1)||substr(e.col2,v_num,1)||substr(f.col2,v_num,1)||
    substr(g.col2,v_num,1)||substr(h.col2,v_num,1)||substr(i.col2,v_num,1)||
    substr(j.col2,v_num,1)||substr(k.col2,v_num,1)||substr(l.col2,v_num,1)||
    substr(m.col2,v_num,1)||substr(n.col2,v_num,1)||substr(o.col2,v_num,1) string
    from scramble_account_jp1 a,
         scramble_account_jp2 b,
         scramble_account_jp3 c,
         scramble_account_jp4 d,
         scramble_account_jp5 e,
         scramble_account_jp6 f,
         scramble_account_jp7 g,
         scramble_account_jp8 h,
         scramble_account_jp9 i,
         scramble_account_jp10 j,
         scramble_account_jp11 k,
         scramble_account_jp12 l,
         scramble_account_jp13 m,
         scramble_account_jp14 n,
         scramble_account_jp15 o
    where a.row_num = b.row_num
      and a.row_num = c.row_num
      and a.row_num = d.row_num
      and a.row_num = e.row_num
      and a.row_num = f.row_num
      and a.row_num = g.row_num
      and a.row_num = h.row_num
      and a.row_num = i.row_num
      and a.row_num = j.row_num
      and a.row_num = k.row_num
      and a.row_num = l.row_num
      and a.row_num = m.row_num
      and a.row_num = n.row_num
      and a.row_num = o.row_num
    order by 1) loop
    dbms_output.put_line(c1.string);
  end loop;
end loop;
end;
/

HANUMANCHALEESA
ADITHYAHRUDAYAM
SRIMADBAGAVATAM
DWARAKATIRUMALA
SRIVENKATESWARA
GYANAPRASUNAMBA
RAMANADHAPURAMU
VENKATANARAYANA
SEETHARAMASWAMY
LAXMINARASIMHAM
111111111111111
222222222222222
333333333333333
444444444444444
555555555555555
666666666666666
777777777777777
888888888888888
999999999999999
123456789012345
JRAMAMOHANRAO--
MAHALAXMIGORTHI
PARAMABATTARIKA
VINEELA-VEEKSHA
JAYSUBBALAKSHMI
THRIPURASUNDARY
SIRARTHRUCOTTON
MEENAXISUNDARAM
SAVITRISUNDARAM
UNDIAGRAHAARAMU
000000000012345
000000000023456
000000000034567
000000000045678
000000000056789
000000000067890
000000000078901
000000000089012
000000000090123
000000000010234
KAKINADAPORT---
KOTABOMMALI----
SRUNGAVARAPUKOT
SRUNGAVRUKSHAMU
TAGARAPUVALASA-
WATERLOO-------
NORMANDY-------
RANASTHALAMU---
VEERAGHATTAMU--
KURUKSHETRAMU--

PL/SQL procedure successfully completed.

--To clean the demo tables from the schema, I use this query:
set pagesize 50 linesize 120
select 'drop table '||table_name||';' from dba_tables
where table_name like '%JP%' and table_name <> 'OBJPRIV$';

I can further complicate the deciphering task of my cryptic code using:

Data Encryption
Moving tables to remote databases and creating db links
Synonyms
External tables / OS level manipulation of file permissions
Materialized views to generate the final info on an ad hoc basis.
Moving the final procedure/views to generate the account info into a new db and generate dynamic db links only when required and drop when not in use.
And the rest.

In such a situation, the successful hacker will ONLY get a part of the confidential info. Not the full picture.
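The scramble, segregate and unscramble steps above, modelled in Python as an added example (not the author's code). It shows that reassembly needs only the fragment tables and their shared row order, and what comes back when only some of the 15 tables are available. The function names are hypothetical; the two sample rows are copied from the page's table.

```python
# Added model of the page's scheme; function names are hypothetical.
WIDTH = 15  # every field on the page is exactly 15 characters

# Two rows copied from the page's master_account_jp1 table.
RECORDS = [
    ("HANUMANCHALEESA", "111111111111111", "JRAMAMOHANRAO--",
     "000000000012345", "KAKINADAPORT---"),
    ("ADITHYAHRUDAYAM", "222222222222222", "MAHALAXMIGORTHI",
     "000000000023456", "KOTABOMMALI----"),
]


def scramble(records):
    """Rows of master_account_jp2: (position, i-th character of each field)."""
    return [(i + 1, "".join(field[i] for field in rec))
            for rec in records for i in range(WIDTH)]


def segregate(rows):
    """scramble_account_jp<i>: fragments grouped by position, in row order."""
    tables = {i: [] for i in range(1, WIDTH + 1)}
    for pos, frag in rows:
        tables[pos].append(frag)
    return tables


def unscramble(tables, unknown="?"):
    """Rebuild records from whichever fragment tables are available.

    The list index plays the role of row_num. Positions whose table is
    missing are filled with `unknown`; no key is involved at any point.
    """
    sample = next(iter(tables.values()))
    n_rows, n_fields = len(sample), len(sample[0])
    return [tuple("".join(tables[p][r][f] if p in tables else unknown
                          for p in range(1, WIDTH + 1))
                  for f in range(n_fields))
            for r in range(n_rows)]


if __name__ == "__main__":
    tables = segregate(scramble(RECORDS))
    print(tables[1])                  # fragment table for position 1
    print(unscramble(tables)[0])      # all 15 tables: the full record
    last5 = {p: tables[p] for p in range(11, 16)}
    print(unscramble(last5)[0])       # tables 11-15 only
```

With only tables 11 to 15, the zero-padded PIN field comes back as ??????????12345, so which fragment tables are readable matters as much as how many.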
