Thursday, November 9, 2017

Telegram in application with DB connection

ConquestSS announced that the Telegram communication channel has been integrated into SQLDetective (SD). This means that a PC with SD installed must have open Internet access. Since SD works with Oracle databases, application and database settings may be stolen or compromised. For example, SD stores DB connections without encryption; connection passwords can be saved too, and they are encrypted with a very weak method.
So, here are several suggestions for Telegram & SD users:
  • install SD into its own folder, different from the default "%ProgramFiles%\SQLDetective 4.7";
  • don't save passwords when connecting to a DB;
  • delete the row from the "Last Connections" list that is saved automatically after a successful connection;
  • use the TNS connection type instead of Direct, where Host, Port and SID are stored without encryption;
  • don't use Host, Port and SID in TNS names;
  • monitor your DB with the DBA tools: DB Examiner, Top Session Locator, Storage Manager, Session Navigator, DB Monitor;
  • check DB settings with the object wizards: Profile, User, Role, Schedule, Privileges.

Your Oracle DB may also be compromised after the Telegram channel is added to ClearSQL (CS). Database connection settings are stored in the CS settings in the same way as in SD. CS can start SQL*Plus with an already connected DB user, and the Sync feature in CS can compile scripts into the DB.
So, here are several suggestions for Telegram & CS users:
  • install CS into its own folder, different from the default "%ProgramFiles%\ClearSQL 7.0";
  • don't save passwords when connecting to a DB;
  • delete the row from the "Last Connections" list that is saved automatically after a successful connection;
  • use the TNS connection type instead of Direct, where Host, Port and SID are stored without encryption;
  • don't use Host, Port and SID in TNS names;
  • check the script content before running Sync actions;
  • exclude the "Write Back" option from Project Jobs and Schedules;
  • don't store CS Projects in the default "%AppData%\Roaming\ClearSQL\Data" folder, and don't change the "Preferences / General / Folders / Default project location folder:" option;
  • turn off the "Preferences / SQL*Plus / Application Run / Use SQL*Plus executable file in active Oracle Home folder if available" option and create an executable file that starts SQL*Plus with a password prompt.
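The DBA-side checks recommended above for both SD and CS (Profile, User, Role and Privileges wizards, and what Sync has compiled into the DB) can also be done directly against the Oracle data dictionary. The queries below are an added example, not code from the post or from ConquestSS; they assume a DBA account with SELECT on the DBA_* and V$ views, that TOOL_USER is a placeholder for the account saved in the tool's connection, and that the PROGRAM patterns are a guess at how the tools identify themselves.

```sql
-- Added example (not from the post). Run as a DBA; TOOL_USER is a placeholder
-- for the Oracle account that SQLDetective / ClearSQL logs in as.

-- 1. Sessions that appear to come from the tools: who, from which PC, since when.
--    The PROGRAM patterns are assumptions, adjust them to what you see in v$session.
SELECT username, osuser, machine, program, module, logon_time
  FROM v$session
 WHERE program LIKE '%SQLDetective%'
    OR program LIKE '%ClearSQL%'
    OR program LIKE '%sqlplus%'          -- SQL*Plus started from ClearSQL
 ORDER BY logon_time DESC;

-- 2. Profile limits that apply to the connecting account: a saved password is
--    far more dangerous when it never expires and lockout is disabled.
SELECT p.profile, p.resource_name, p.limit
  FROM dba_profiles p
  JOIN dba_users u ON u.profile = p.profile
 WHERE u.username = 'TOOL_USER'
   AND p.resource_name IN ('PASSWORD_LIFE_TIME', 'FAILED_LOGIN_ATTEMPTS',
                           'PASSWORD_LOCK_TIME', 'PASSWORD_VERIFY_FUNCTION')
 ORDER BY p.resource_name;

-- 3. System privileges granted directly to the account.
SELECT privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'TOOL_USER'
 ORDER BY privilege;

-- 4. Roles granted to the account (and whether it may pass them on).
SELECT granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE grantee = 'TOOL_USER'
 ORDER BY granted_role;

-- 5. Every grantee holding DBA: a leaked connection for such an account
--    gives full control of the database, so these should never be saved in a tool.
SELECT grantee
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 6. Objects changed in the last 7 days under the tool account, i.e. what a
--    Sync / "Write Back" run may have compiled into the database.
SELECT owner, object_type, object_name, last_ddl_time
  FROM dba_objects
 WHERE owner = 'TOOL_USER'
   AND last_ddl_time > SYSDATE - 7
 ORDER BY last_ddl_time DESC;
```

Rows in query 5 that match an account used by SD or CS are the ones to act on first: remove the saved connection and reduce the account to the privileges the tool actually needs.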

2 comments:

  1. ConquestSS added the "Let [ProductName] send feature clicks to improve UI&UX" option on the General page of Preferences in SD 4.7 and CS 7 for collecting the user's data and sending all your actions to the ConquestSS site. Unfortunately, Preferences in SD 4.7 (published on 3 October, 2017) doesn't have a help topic, and none of my questions about the new option were answered by the tech-support team.
    It became clear on 7 March, 2018, when ClearSQL 7 was published and the Online Help described this important option. The ClearSQL Online Help says: "'Let ClearSQL send feature clicks to improve UI&UX' – when enabled, ClearSQL collects feature usage frequency by counting the number of clicks on toolbar buttons. The collected data is sent to www.conquestsoftwaresolutions.com on ClearSQL startup and on new message and updates/upgrades checks." It means that all user actions are collected and this data is sent to ConquestSS without your confirmation or check. As the option is enabled by default, you should disable it manually if you don't want to provide the Conquest team with your personal info. Otherwise this data will be sent automatically, without any confirmation, on the next application start (application updating runs every day by default).
    Actions are logged into the text file "ExecutedAction.Log" without any protection. There are no guarantees about typed passwords or user selections from production DBs that are logged and sent to ConquestSS. The inline help in "New OSD Message" warns only about visible attached files, but action logs are sent in hidden mode during application update checks.
    This comment is an important warning for SD users, as there is no description of this option in the SD Help and you keep connections to business DBs. It's clear that the marketing department of ConquestSS collects this info, but it's a problem because the sending is hidden and SD and CS users can't check the content being sent. It seems that the sent info is not protected. So, ConquestSS products can't keep user data safe according to the GDPR (General Data Protection Regulation).

    1. ClearDB Documenter 5 was published on 04/04/2018 with the same "Let [ProductName] send feature clicks to improve UI&UX" option. As it's enabled by default, start CDB for the first time when your PC is not connected to the Internet and disable the option on the "Preferences / General" page.
