Paul M. Wright Publications


Publications prior to May 2014

1. Paul's third new book in progress from Taylor Francis (advance paid and contracted). Taylor Francis have kindly allowed me to defer this book into the future as I now have a daughter to provide for. Was going to be Big Data/Hadoop as seen here https://www.amazon.co.uk/Big-Data-Security-Reducing-Integrating/dp/1498738192 ... but we shall see.

2. 2014 - Paul's Second book on Privileged Access Control in Databases and Cloud.
https://www.apress.com/gb/book/9781430262114
https://www.springerprofessional.de/en/protecting-oracle-database-12c/1703368

3. 2013 - Hacktivity Conference presentation, on Oracle 12c Security - Defense and Attack
https://www.youtube.com/watch?v=ZN9MUssS-c8

4. 2013 - Phishing analysis whilst studying for PhD at City University for 10 year anniversary of UKCERT.org.uk - contributed empirical data demonstrating most phishing attacks are more localised than previously thought.
http://www.ukcert.org.uk/10years_analysis.pdf

5. 2013 - contributed new parameter to the Oracle Database globally in 12c, i.e. Oracle Corp US redesigned their database from my feedback.
http://www.oracleforensics.com/wordpress/index.php/2013/07/11/_sys_logon_delay/
Widely cited
http://www.dba-oracle.com/t_sys_logon_delay.htm
https://righettidba.wordpress.com/2016/03/28/such-a-small-change-with-a-big-impact-_sys_logon_delay-on-12c/

5.a Original idea taken from http://www.oracleforensics.com/wordpress/index.php/2012/10/24/sys_throttler-and-distributed-database-forensics/
Also Cited by - Journal of Industrial and Intelligent Information Vol. 1, No. 2, June 2013 (electronic copy included - 5a).

6. 2012-13 - database link research paper done whilst on PhD - contributed varied understanding of database link risks.
http://www.oracleforensics.com/wordpress/wp-content/uploads/2012/11/database_link_security.pdf
Cited by Trivadis in Switzerland in German language (electronic copy included - 6a).
https://www.trivadis.com/sites/default/files/downloads/05-01-2013_wie_sicher_sind_database_links.pdf 
Cited again by Oracle Community
https://community.oracle.com/message/10951663

7. 2012 - UK Oracle Users Group conference presentation - contributed internal bank view (JP Morgan) on large database estates.
Intelligently Securing a Large, Globally Distributed, Database Estate (electronic copy included).
http://2012.ukoug.org/default.asp?p=9339&dlgact=shwprs&prs_prsid=7736&
http://archive.is/wBlp7

8. 2012 - Article on Database Security - contributed view on insecure admin accounts (commonly hidden from auditors).
HAKIN9 Vol7, Issue 10 ISSN 1733-7186
Oracle's Achilles Heel. Attack, defense and forensics response. (electronic copy included).

9. 2012 - CIS Oracle standard editor/author. (electronic copy included)
https://www.cisecurity.org/benchmark/oracle_database/
cited here https://security.uri.edu/files/CIS_Oracle_Database_Server_11_-_11g_R2_Benchmark_v1.0.0.pdf
Electronic copy included.

10. 2010 - First publication on the concept of "Java forensics".
http://www.oracleforensics.com/wordpress/index.php/2010/03/31/java-forensics-in-oracle/
Cited widely as shown below
http://www.petefinnigan.com/weblog/archives/00001316.htm
https://coskan.wordpress.com/page/4/?q=node%2F33

11. Contributed observation that database encryption wallets are not tied to the server (i.e. can be used to log on from other servers).
http://www.oracleforensics.com/wordpress/index.php/2010/04/11/oracle-wallet-auto-login-common-misconception-corrected/
Widely cited with comments from Industry experts.
http://www.petefinnigan.com/weblog/archives/00001317.htm
http://www.isaca.org/Blogs/273340/Lists/Posts/ViewPost.aspx?ID=16
https://www.databaseadm.com/article/12448727/Oracle+Wallet+Security+Issue

12. 2010 - Journal Presentation on Database Application Security
ISSD conference 21st May at Westminster Conference Centre.
Electronic copy and paper copy included (photographs).

13. 2010 - Journal Article on Database Security Monitoring.
IOUG SELECT Journal Q3 2010, page 27 (see electronic copy included).
Achieving Security Compliancy and Database Transparency Using Database Activity Monitoring Systems.

14. 2010 - Global Presentation on Privilege recording for Sentrigo.
Securely recording the use of Privilege in Oracle Databases (electronic copy included).
For Sentrigo Startup eventually bought by McAfee and then Intel.

15. 2009 - Journal Article on Database Security Monitoring.
Oracle Scene Journal for UKOUG Autumn 2009 edition with electronic copy below and paper copy included.
http://viewer.zmags.com/publication/4615a0ac#/4615a0ac/18
Cited by Finnish Oracle User Group Publication at this URL
http://www.ougf.fi/index.php/en/tiedostoja-3/ukoug-oraclescene/292-oracle-scene-issue-39-autumn-2009
http://archive.is/3rjpk

16. 2009 - Oracle Password Paper published in Japanese in 2009 (see electronic copy included) and previously published below in English 2007-8
https://www.nccgroup.trust/globalassets/our-research/uk/whitepapers/2007/oracle-passwords-and-orabrute.pdf and paper copy included.

17. 2008 - SANS Orlando conference on Java Security Top 10 published below (and available in paper).
http://www.ukcert.org.uk/javasecurity.pdf

18. 2008 – UKOUG Annual Conference
Advanced Oracle Security Development (see electronic copy included).

19. 2008 - Paul discovered and ethically reported a significant privilege escalation in Oracle database to the vendor.
http://www.oracleforensics.com/wordpress/wp-content/uploads/2008/10/create_any_directory_to_sysdba.pdf
Cited widely by many experts and with many citations globally
http://www.petefinnigan.com/weblog/archives/00001213.htm
https://www.securityfocus.com/bid/31738/references
Granted CVE-2008-6065 which is widely cited (too many to list completely but the primary links are below).
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6065
https://nvd.nist.gov/vuln/detail/CVE-2008-6065
http://cve.circl.lu/cve/CVE-2008-6065
https://www.exploit-db.com/exploits/32475/

https://dl.acm.org/citation.cfm?id=1522453 - 2 citations
http://www.computingreviews.com/Review/review_reviewprint.cfm?review_id=137053
https://en.wikipedia.org/wiki/Paul_Wright
(initiated wikipedia article on DB Forensics in 2006 https://en.wikipedia.org/w/index.php?title=Database_forensics&dir=prev&action=history and also wrote the first paper on database forensics here in 2004 https://www.giac.org/paper/gcfa/159/oracle-database-forensics-logminer/105140).

21. Ten original software vulnerabilities discovered in Oracle software (CVEs) and published by Oracle dating back from 2013 to 2007. One of the leading security vulnerability researchers in the world contributing to global patch, deployed on hundreds of thousands of machines, resulting in a more secure society.
2016 July - http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/3089849.xml
2015 April - http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/2367958.xml
2014 July - http://www.oracle.com/technetwork/jp/topics/security/cpujul2014-1972956.html?printOnly=1
2014 April - https://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
2013 January - http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1841213.xml
2011 July - http://www.oracle.com/technetwork/articles/cpujuly2011-313328.html?printOnly=1
2010 July - https://www.oracle.com/technetwork/topics/security/cpujul2010-155308.html
2008 April - http://www.oracle.com/us/support/assurance/cpuapr2008-082075.html
2007 July - https://www.oracle.com/technetwork/topics/security/cpujul2007-087014.html
2007 April - https://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html?printOnly=1
http://archive.is/CxuYH (archived search of Oracle's site for the published vulnerability notices that I contributed).

22. Paul influenced global standards with publication and discussion with UK/US standards representatives of the ITU, to support the keeping of the leap second: http://www.ukcert.org.uk/time_security.html