Information Security News mailing list archives

Barclays' security gaffe: Oracle software behind upgrade fault


From: InfoSec News <isn () C4I ORG>
Date: Mon, 14 Aug 2000 03:03:51 -0500

http://www.silicon.com/bin/bladerunner?REQUNIQ=966240198&REQSESS=2458&3001REQEVENT=&REQINT1=39084&REQSTR1=Text%20News&REQSTR2=Barclays'%20security%20gaffe:%20Oracle%20software%20behind%20upgrade%20fault&REQAUTH=21046

Monday 14th August 2000

Oracle has admitted that its software was behind Barclays' online
security blunder at the start of the month.

silicon.com can exclusively reveal that the failure, which forced the
UK high street bank to temporarily close its site, was caused by an
upgrade to its 'ibank' application - based on Oracle's 8i ebusiness
suite. After the upgrade, some customers were able to read others'
bank details. The revelation forced Barclays to reinstall the original
software.

A spokesperson for Oracle conceded: "The problem was caused by a new
version of ibank - Barclays' banking application which we jointly
developed with them. We worked with them to help build the application
but I am not privy to exactly what went wrong with the system."

Oracle said it has been working closely with the bank to put the fault
right, but it cannot yet give a time when the roots of the problem
will be identified.

A source close to the situation said the problems were caused by
"multiple threading" within the ibank application, a fairly common
procedure that allows multiple jobs to run simultaneously across
processors. This architecture broke down under the pressure of a large
number of customers trying to access the site.

Oracle and Barclays refused to confirm this.

Alexander Kopriwa, international programme director for analyst house
Meta Group, argued the finance sector's reliance on the large software
firms could be their downfall. He said: "They are trying to play it
safe, but are actually shooting themselves in the foot by relying on
companies like Oracle and IBM who have a lot of legacy systems.
Sometimes newer technology would be better, especially with security."

He added that multi-threading environments have been common for a
while, and should be resilient.

Tony Lock, senior analyst at Bloor Research, said the problem looked
like it was due to lack of testing. "As customer volumes rise it is
testing that goes by the wayside. Maybe these security scares will
show companies that high level testing is always worthwhile, even if
it delays implementation," he said.

Oracle refused to name other banking customers who base their ebusiness
strategies on its products, but claimed nine out of ten ecommerce
sites used Oracle in some way.

Barclays declined to comment.

Last week Barclays confirmed it is to take over the Woolwich Bank for
a sum of 5.4bn.

ISN is hosted by SecurityFocus.com