Information Security News mailing list archives
Barclays' security gaffe: Oracle software behind upgrade fault
From: InfoSec News <isn () C4I ORG>
Date: Mon, 14 Aug 2000 03:03:51 -0500
http://www.silicon.com/bin/bladerunner?REQUNIQ=966240198&REQSESS=2458&3001REQEVENT=&REQINT1=39084&REQSTR1=Text%20News&REQSTR2=Barclays'%20security%20gaffe:%20Oracle%20software%20behind%20upgrade%20fault&REQAUTH=21046

Monday 14th August 2000

Oracle has admitted that its software was behind Barclays' online security blunder at the start of the month.

silicon.com can exclusively reveal that the failure, which forced the UK high street bank to temporarily close its site, was caused by an upgrade to its 'ibank' application - based on Oracle's 8i ebusiness suite. After the upgrade, some customers were able to read others' bank details. The revelation forced Barclays to reinstall the original software.

A spokesperson for Oracle conceded: "The problem was caused by a new version of ibank - Barclays' banking application which we jointly developed with them. We worked with them to help build the application but I am not privy to exactly what went wrong with the system."

Oracle said it has been working closely with the bank to put the fault right, but it cannot yet give a time when the roots of the problem will be identified.

A source close to the situation said the problems were caused by "multiple threading" within the ibank application, a fairly common procedure that allows multiple jobs to run simultaneously across processors. This architecture broke down under the pressure of a large number of customers trying to access the site. Oracle and Barclays refused to confirm this.

Alexander Kopriwa, international programme director for analyst house Meta Group, argued the finance sector's reliance on the large software firms could be their downfall. He said: "They are trying to play it safe, but are actually shooting themselves in the foot by relying on companies like Oracle and IBM who have a lot of legacy systems. Sometimes newer technology would be better, especially with security."

He added that multi-threading environments have been common for a while, and should be resilient.

Tony Lock, senior analyst at Bloor Research, said the problem looked like it was due to lack of testing. "As customer volumes rise it is testing that goes by the wayside. Maybe these security scares will show companies that high level testing is always worthwhile, even if it delays implementation," he said.

Oracle refused to name other banking customers who base their ebusiness strategies on its products, but claimed nine out of ten ecommerce sites used Oracle in some way.

Barclays declined to comment. Last week Barclays confirmed it is to take over the Woolwich Bank for a sum of 5.4bn.

ISN is hosted by SecurityFocus.com