EWeek, as usual, is doing its best to raise alarm bells re: Oracle security, this time in regard to a published worm that is designed to take advantage of the use of default usernames and passwords. The article does at least correctly point out that this worm exploits DBA-created password schemes, not Oracle technology per se.
DBAs, remember to always, always change all default passwords after installation!
We are working with Oracle ACE and security expert Arup Nanda to publish a rather comprehensive guide to locking down production databases when tight deadlines (a day, a week, a month, etc.) are involved (and when aren't they, really?). In fact, Arup's very first recommendation is to identify and remove default passwords from production databases!
Look for this multi-part guide to publish sometime this quarter.