How often is Access security breached?

Re: How often is Access security breached?

"David W. Fenton" <dXXXfenton@bwa y.net.invalid> wrote in message
[color=blue]
> You're either satisfied with the level of protection you've
> implemented for the operating environment in question or you're
> not. Reports from other developers won't really change the balance
> of that equation.[/color]

Well we've just had an extremely long thread where I've been told at length
that Access security is very weak.

So if Dan Developer were to say - 'I develop small Access/Jet apps for SME's
installed on 5-50 user LANs concentrating on the widget industry. I've never
heard of any security problems with any of my apps', that sort of comment
might at least let me know whether the discussion we've just had was atall
worthwhile.

I think that something that's been missed is the huge difference between
data theft (but existing data left intact) and unauthorised changes/damage
to the 'real' data. They're obviously related but are a different set of
risks, which will clearly have very different implications depending upon
the nature of the business.

Yours, Mike MacSween

Re: How often is Access security breached?

Mike,

I never heard of a security problem with any of the apps I worked on, many
of which were completely unsecured and others of which were secured using
Access security. But, my clients were primarily concerned about the data
and, in most cases, that was secured at the server DB in a Client-Server
environment.

Neither they nor I were particularly concerned with someone stealing the
application -- I worked on "bespoke apps" for specific clients and they
were all used "in-house". And, for the ones (quite a few) done in Access
2.0, there was no way to even minimally secure queries, forms, reports,
macros, and modules. I'm sure Michka, Peter, David and others will verify
that Access 2.0 security had a hole big enough to fly the Mir through. (The
Mir was the very large Soviet space station contemporary with Access 2.0,
now burned up on renetry when its orbit decayed. Access 2.0, though, is
still around, security hole and all.)

Larry Linson




"Mike MacSween" <mike.macsween. nospam@btintern et.com> wrote in message
news:3fb95970$0 $52888$5a6aecb4 @news.aaisp.net .uk...[color=blue]
> "David W. Fenton" <dXXXfenton@bwa y.net.invalid> wrote in message
>[color=green]
> > You're either satisfied with the level of protection you've
> > implemented for the operating environment in question or you're
> > not. Reports from other developers won't really change the balance
> > of that equation.[/color]
>
> Well we've just had an extremely long thread where I've been told at[/color]
length[color=blue]
> that Access security is very weak.
>
> So if Dan Developer were to say - 'I develop small Access/Jet apps for[/color]
SME's[color=blue]
> installed on 5-50 user LANs concentrating on the widget industry. I've[/color]
never[color=blue]
> heard of any security problems with any of my apps', that sort of comment
> might at least let me know whether the discussion we've just had was atall
> worthwhile.
>
> I think that something that's been missed is the huge difference between
> data theft (but existing data left intact) and unauthorised changes/damage
> to the 'real' data. They're obviously related but are a different set of
> risks, which will clearly have very different implications depending upon
> the nature of the business.
>
> Yours, Mike MacSween
>
>[/color]

Re: How often is Access security breached?


On Tue, 18 Nov 2003 00:07:10 GMT, "Larry Linson"
<bouncer@localh ost.not> wrote in comp.databases. ms-access:
[color=blue]
>I'm sure Michka, Peter, David and others will verify
>that Access 2.0 security had a hole big enough to fly the Mir through.[/color]

Sure.

Access 2.0's security flaw made use of the security system completely
optional. You could set up security as per the instructions, and it
would appear to work (ie, tests would appear to successfully require
privileged user status for many types of operations), but the security
could be completely bypassed (ie, not cracked, but simply not used at
all) by a certain simple technique. This affected non-data objects
more than data objects, but data objects had their flaws too.

Peter Miller
_______________ _______________ _______________ _______________
PK Solutions -- Data Recovery for Microsoft Access/Jet/SQL
Free quotes, Guaranteed lowest prices and best results
www.pksolutions.com 1.866.FILE.FIX 1.760.476.9051

Re: How often is Access security breached?

Oh, also, even though I was not aware of it, those applications could have
been penetrated many times, and both the application and the data stolen.
But, the one on which I did the most work from 1995 - 2000 was so tailored
to the client and the information that was so vital to them was so useless
to anyone else that I can't imagine anyone _would have bothered_.

Re: How often is Access security breached?

"Peter Miller" wrote
[color=blue]
> . . .the security could be completely bypassed
> (ie, not cracked, but simply not used at all) by
> a certain simple technique. This affected non-
> data objects more than data objects, but data
> objects had their flaws too.[/color]

Yes, the fabled "CopyObject flaw" was what I had in mind -- the one that
wasn't acknowledged until _someone_ got so frustrated that he posted it
right here (1994-1995, I seem to recall). I know I have the code tucked
away, but probably even recall both the technique and code.

I only used it a few times, and even then, just to prove the point to
disbelieving colleagues. It was fun to see their jaws drop when they watched
me get an unsecured copy of all their precious objects that they had gone to
such lengths to protect and that they thought so well protected.

If that code was posted in 1995, it may still be findable in Google; seems
to me that there was a later repost when someone couldn't find the original
in Deja News.

The discussion over that posting was where I first became really acquainted
with Michael Kaplan and Peter Miller -- who had opposing positions on the
subject of whether posting it was the right thing to do.

Larry Linson

Re: How often is Access security breached?

mike.macsween.n ospam@btinterne t.com (Mike MacSween) wrote in
<3fb95970$0$528 88$5a6aecb4@new s.aaisp.net.uk> :
[color=blue]
>"David W. Fenton" <dXXXfenton@bwa y.net.invalid> wrote in message
>[color=green]
>> You're either satisfied with the level of protection you've
>> implemented for the operating environment in question or you're
>> not. Reports from other developers won't really change the
>> balance of that equation.[/color]
>
>Well we've just had an extremely long thread where I've been told
>at length that Access security is very weak.[/color]

But you already knew that.
[color=blue]
>So if Dan Developer were to say - 'I develop small Access/Jet apps
>for SME's installed on 5-50 user LANs concentrating on the widget
>industry. I've never heard of any security problems with any of my
>apps', that sort of comment might at least let me know whether the
>discussion we've just had was atall worthwhile.[/color]

No, because you're developing your application for a completely
different purpose, for an entirely different industry and for a
different client. There is no reason to assume that there's
anything transferrable from the other contexts.
[color=blue]
>I think that something that's been missed is the huge difference
>between data theft (but existing data left intact) and
>unauthorised changes/damage to the 'real' data. They're obviously
>related but are a different set of risks, which will clearly have
>very different implications depending upon the nature of the
>business.[/color]

One thing that may not be clear is that Peter made a point about
Wayne's advice -- it would be much more valuable if the encoding
took account of data within the record. If, for instance, the PK of
the grade record were used as a seed value for the encryption of
the grade, there could only ever be one correct encoding for each
record in the grade table. You couldn't copy a grade because the PK
would, of necessity, be different, and therefore the result of the
grade calculation would be different.

It might be possible to encode in a manner that made it immediately
obvious that the record had been tampered with, say a check digit
that was calculated using the PK or something like that.

If you go that route (though I wouldn't) I highly recommend that
you consider this issue.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc

Re: How often is Access security breached?

"Mike MacSween" <mike.macsween. nospam@btintern et.com> wrote...
[color=blue][color=green]
> > Using Access/Jet security is a LOT like leaving your fly unzipped. It
> > might be good to think about that a bit before you keep coming here
> > and waving your "privates" err..... "private solutions" around.[/color]
>
> Wouldn't be the first time! Are you saying I'm making a fool of myself?
> Because I'm naive enough to ask a straightforward question and make it[/color]
clear[color=blue]
> that I am unsure of some of the issues here? Or is it just an[/color]
unwillingness[color=blue]
> to go along with the 'accepted widsom' without question that is considered
> such a gaff.[/color]

No, not at all. It is more the disdain for the people who point out the
flaws in the nature of the approach, or the "well tell me whats wrong with
it, then" type of response.

If they can get to it at all (which they must, to use it, right? <g>), then
they can get in. And its a lot easier than you are willing to accept. It is
your refusal to believe this than bothers me.

Remember that King Canute *knew* he could not sweep back the tide; he was
just trying to show his advisors that they were not thinking clearly
enough....
[color=blue]
> If you mean the other thing then there's been at least one technique which
> I've hinted at but not actually revealed, precisely to avoid the[/color]
attentions[color=blue]
> of a particularly savvy hacker who types 'Access, security, Mike MacSween'
> into a search engine.[/color]

If it were only that simple to avoid....


--
MichKa [MS]
NLS Collation/Locale/Keyboard Development
Globalization Infrastructure and Font Technologies

This posting is provided "AS IS" with
no warranties, and confers no rights.

Re: How often is Access security breached?

"Michael (michka) Kaplan [MS]" <michkap@online .microsoft.com> wrote in
message news:3fba3046$1 @news.microsoft .com...[color=blue]
> "Mike MacSween" <mike.macsween. nospam@btintern et.com> wrote...
>[color=green][color=darkred]
> > > Using Access/Jet security is a LOT like leaving your fly unzipped. It
> > > might be good to think about that a bit before you keep coming here
> > > and waving your "privates" err..... "private solutions" around.[/color]
> >
> > Wouldn't be the first time! Are you saying I'm making a fool of myself?
> > Because I'm naive enough to ask a straightforward question and make it[/color]
> clear[color=green]
> > that I am unsure of some of the issues here? Or is it just an[/color]
> unwillingness[color=green]
> > to go along with the 'accepted widsom' without question that is[/color][/color]
considered[color=blue][color=green]
> > such a gaff.[/color]
>
> No, not at all. It is more the disdain for the people who point out the
> flaws in the nature of the approach, or the "well tell me whats wrong with
> it, then" type of response.[/color]

I hope that I haven't treated posters with greater knowledge than I with
disdain. However I find blunt 'all I can tell you is you're wrong' responses
unhelpful. If I come up with an idea I DOwant to be told what's wrong with
it.
[color=blue]
> If they can get to it at all (which they must, to use it, right? <g>),[/color]
then[color=blue]
> they can get in. And its a lot easier than you are willing to accept. It[/color]
is[color=blue]
> your refusal to believe this than bothers me.[/color]

It may well bother you. I think that there is clearly a huge difference
between, lets say, a data file stored on an unsecured Windows 95 machine
with an obvious name in an obviously named directory, perhaps with a desktop
shortcut to it, and a FE/BE split with the BE on a server running under
windows 2000+ with strong passwords enforced, Jet security, some of the
ideas suggested for DIY 'security' etc. etc. It's harder to get unauthorised
access to the latter than the former. That is obvious. And it's all I'm
saying. IT IS POSSIBLE TO MAKE IT PROGRESSIVELY HARDER TO GAIN UNAUTHORISED
ACCESS TO AN ACCESS DATABASE. I don't know why you and Peter seem unable to
accept what is to me a clear truth. You can make it harder. That's all. And
that's all I'm discussing here. All I can conclude is we aren't talking
about the same thing.
[color=blue]
> Remember that King Canute *knew* he could not sweep back the tide; he was
> just trying to show his advisors that they were not thinking clearly
> enough....[/color]

Yes, most people get that wrong don't they?

Yours, Mike MacSween

Re: How often is Access security breached?

Mike MacSween wrote:[color=blue]
> "Michael (michka) Kaplan [MS]" <michkap@online .microsoft.com> wrote in
> message news:3fba3046$1 @news.microsoft .com...[color=green]
>> "Mike MacSween" <mike.macsween. nospam@btintern et.com> wrote...
>>[color=darkred]
>>>> Using Access/Jet security is a LOT like leaving your fly unzipped.
>>>> It might be good to think about that a bit before you keep coming
>>>> here and waving your "privates" err..... "private solutions"
>>>> around.
>>>
>>> Wouldn't be the first time! Are you saying I'm making a fool of
>>> myself? Because I'm naive enough to ask a straightforward question
>>> and make it clear that I am unsure of some of the issues here? Or
>>> is it just an unwillingness to go along with the 'accepted widsom'
>>> without question that is[/color][/color]
> considered[color=green][color=darkred]
>>> such a gaff.[/color]
>>
>> No, not at all. It is more the disdain for the people who point out
>> the flaws in the nature of the approach, or the "well tell me whats
>> wrong with it, then" type of response.[/color]
>
> I hope that I haven't treated posters with greater knowledge than I
> with disdain. However I find blunt 'all I can tell you is you're
> wrong' responses unhelpful. If I come up with an idea I DOwant to be
> told what's wrong with it.
>[color=green]
>> If they can get to it at all (which they must, to use it, right?
>> <g>),[/color]
> then[color=green]
>> they can get in. And its a lot easier than you are willing to
>> accept. It[/color]
> is[color=green]
>> your refusal to believe this than bothers me.[/color]
>
> It may well bother you. I think that there is clearly a huge
> difference between, lets say, a data file stored on an unsecured
> Windows 95 machine with an obvious name in an obviously named
> directory, perhaps with a desktop shortcut to it, and a FE/BE split
> with the BE on a server running under windows 2000+ with strong
> passwords enforced, Jet security, some of the ideas suggested for DIY
> 'security' etc. etc. It's harder to get unauthorised access to the
> latter than the former. That is obvious. And it's all I'm saying. IT
> IS POSSIBLE TO MAKE IT PROGRESSIVELY HARDER TO GAIN UNAUTHORISED
> ACCESS TO AN ACCESS DATABASE. I don't know why you and Peter seem
> unable to accept what is to me a clear truth. You can make it harder.
> That's all. And that's all I'm discussing here. All I can conclude is
> we aren't talking about the same thing.
>[color=green]
>> Remember that King Canute *knew* he could not sweep back the tide;
>> he was just trying to show his advisors that they were not thinking
>> clearly enough....[/color]
>
> Yes, most people get that wrong don't they?
>[/color]

While I'm enjoying this thread might I interject with this question - should
programmers, be they Access people or whatever, embrace DRM (digital rights
management) and Microsoft's Palladium idea and suchlike, with the view that
it offers developers and publishers *potentially* greater control of who
owns and uses their software?
I reckon most folk would think that DRM is a bad thing if it's forced onto
them but would programmers be seduced if it saved them the grief of trying
to ensure authorised use of their work?
And maybe DRM might be employed to make apps harder to hack into? I have no
idea, just putting the idea out there.

Apparently Microsoft want to make DRM a *core* part of the next version of
Windows. This article on the subject is quite interesting

Re: How often is Access security breached?

"Mike MacSween" wrote[color=blue]
> Further to 'Security - more complex than I thought'
>
> Has anybody ever seen any studies? Or anecdotal evidence? Done any studies
> themselves? Done any lab testing - you know - 10 users asked to get past
> Access (or other) security?
>
> It'd be interesting to know. And no, I don't have any prejudices.
>
> Yours, Mike MacSween[/color]

I haven't read the other monster thread on this. But I will pipe in
to give my own perspective.


Access security will fool most of your users into believing it is 100%
secure. Which is fine. Access security will, in many cases, foil
users' attempts to bypass it. However, you should always be wary
about the remainder: those who are NOT fooled, and those who ARE
willing to go to some lengths to bypass your security. It IS possible
to do so, 100% of the time, with any amount of (Access/JET-based)
security.

So, you then ask, should I use Access/JET security or store my data in
a server-based DBMS? Let's go on an example-by-example basis, and
build our rules from the examples:

Contains names and SSN's--probably not. Your users can copy the file
and crack it, gaining all the names/SSNs. Will it profit your users?
Very unlikely. How many SSNs are you storing? A million? A hundred?
Ten? How many users do you have to trust? Two? Fifty? Four
thousand (okay, not with an Access backend, but you get the idea)?

Contains employee salary information--no. Users have too much to gain
by cracking security.

Storing information that can be externally verified , such as
timesheet info (may be verified by looking at the signed, paper
timesheets)--yes, I don't see what a user can gain by changing their
time, or someone else's time.


Thus the rule: The cost of breaching security SHOULD AT ALL TIMES be
more than the potential benefit of breaching security. If a user can
possibly profit with $1000 (rough guesstimate) worth of information,
don't store the information in Access/JET tables, which can be
breached with the crack program and the cracker's time, let's estimate
$150. If it costs several bajillion dollars' worth of your employee
time to rebuild the backend MDB from a backup after an employee
deletes the backend file, you should consider that a severe (though
unlikely) security risk. Apply this rule to the following (risks) of
using Access/JET security for your backend data:

--Deletion of any necessary file to use the program, specifically:
-The backend MDB file
-The workgroup MDW file

--Unauthorized access to data, such as SSNs or payroll or medical
chart info
-Individual 'targeted' accesses
-Wholesale information stealing

--Unauthorized modifying of production data, e.g. "Computer, give me a
MILLION DOLLARS"

--Disruption of database service for a period of time (calculate the
cost of several employees not being able to complete their tasks, in
employee time and in customer loss/quality of service issues)

Re: How often is Access security breached?

deanma66999@hot mail.com (Deano) wrote in
<4Zsub.9996$lm1 .70453@wards.fo rce9.net>:
[color=blue]
>should
>programmers, be they Access people or whatever, embrace DRM
>(digital rights management) and Microsoft's Palladium idea and
>suchlike, with the view that it offers developers and publishers
>*potentially * greater control of who owns and uses their software?[/color]

I would say NO. If it were not for the way the Digital Millenium
Copyright Act is written, then I would see it differently. The
problem with the DMCA is that it makes too many things criminal
which should not be -- anything that even smells like circumvention
is heavily penalized.

And that's where the problem is, from my point of view. It's not
with digital rights management per se, it's with the way the law
works with DRM to penalize far more acts than should be restricted.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc

Re: How often is Access security breached?

pshappyman@zomb ieworld.com (Pete) wrote in
<988f1cfc.03111 81246.4cfe17c7@ posting.google. com>:
[color=blue]
>--Deletion of any necessary file to use the program, specifically:
> -The backend MDB file
> -The workgroup MDW file[/color]

Um, this is never a risk if they are stored in an NT folder with no
delete permission for the users.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc

Re: How often is Access security breached?


On Tue, 18 Nov 2003 21:51:19 GMT, dXXXfenton@bway .net.invalid (David
W. Fenton) wrote in comp.databases. ms-access:
[color=blue][color=green]
>>--Deletion of any necessary file to use the program, specifically:
>> -The backend MDB file
>> -The workgroup MDW file[/color]
>
>Um, this is never a risk if they are stored in an NT folder with no
>delete permission for the users.[/color]

I took 'deletion' to mean 'loss of' and not just a file delete
operation.

Two comments to that extent:

1) file loss is limited to loss of data/activity since the last
backup. Any non-trivial database should be backed up at least
nightly, so workgroup loss is a non-issue, and database-loss is very
limited (although still a possibly significant loss - many call
centers use Access/Jet, and even an hours loss is a very significant
amount of irretrievable business lost).

2) file loss can take many forms, of course, including media failure
and the like, but cracker-triggered file loss usually comes from the
file space being trashed. NT permissions do nothing to prevent this.
A user who uses an Access database for normal data entry requires
write permission to the database back-end, and if these permissions
are allowed, it is trivial to overwrite the file with garbage. In
other words, file loss is indeed an important consideration when
discussing potential cracker mischief.

Peter Miller
_______________ _______________ _______________ _______________
PK Solutions -- Data Recovery for Microsoft Access/Jet/SQL
Free quotes, Guaranteed lowest prices and best results
www.pksolutions.com 1.866.FILE.FIX 1.760.476.9051

Re: How often is Access security breached?

I think you should start another thread.

"Deano" <deanma66999@ho tmail.com> wrote in message
news:4Zsub.9996 $lm1.70453@ward s.force9.net...[color=blue]
> Mike MacSween wrote:[color=green]
> > "Michael (michka) Kaplan [MS]" <michkap@online .microsoft.com> wrote in
> > message news:3fba3046$1 @news.microsoft .com...[color=darkred]
> >> "Mike MacSween" <mike.macsween. nospam@btintern et.com> wrote...
> >>
> >>>> Using Access/Jet security is a LOT like leaving your fly unzipped.
> >>>> It might be good to think about that a bit before you keep coming
> >>>> here and waving your "privates" err..... "private solutions"
> >>>> around.
> >>>
> >>> Wouldn't be the first time! Are you saying I'm making a fool of
> >>> myself? Because I'm naive enough to ask a straightforward question
> >>> and make it clear that I am unsure of some of the issues here? Or
> >>> is it just an unwillingness to go along with the 'accepted widsom'
> >>> without question that is[/color]
> > considered[color=darkred]
> >>> such a gaff.
> >>
> >> No, not at all. It is more the disdain for the people who point out
> >> the flaws in the nature of the approach, or the "well tell me whats
> >> wrong with it, then" type of response.[/color]
> >
> > I hope that I haven't treated posters with greater knowledge than I
> > with disdain. However I find blunt 'all I can tell you is you're
> > wrong' responses unhelpful. If I come up with an idea I DOwant to be
> > told what's wrong with it.
> >[color=darkred]
> >> If they can get to it at all (which they must, to use it, right?
> >> <g>),[/color]
> > then[color=darkred]
> >> they can get in. And its a lot easier than you are willing to
> >> accept. It[/color]
> > is[color=darkred]
> >> your refusal to believe this than bothers me.[/color]
> >
> > It may well bother you. I think that there is clearly a huge
> > difference between, lets say, a data file stored on an unsecured
> > Windows 95 machine with an obvious name in an obviously named
> > directory, perhaps with a desktop shortcut to it, and a FE/BE split
> > with the BE on a server running under windows 2000+ with strong
> > passwords enforced, Jet security, some of the ideas suggested for DIY
> > 'security' etc. etc. It's harder to get unauthorised access to the
> > latter than the former. That is obvious. And it's all I'm saying. IT
> > IS POSSIBLE TO MAKE IT PROGRESSIVELY HARDER TO GAIN UNAUTHORISED
> > ACCESS TO AN ACCESS DATABASE. I don't know why you and Peter seem
> > unable to accept what is to me a clear truth. You can make it harder.
> > That's all. And that's all I'm discussing here. All I can conclude is
> > we aren't talking about the same thing.
> >[color=darkred]
> >> Remember that King Canute *knew* he could not sweep back the tide;
> >> he was just trying to show his advisors that they were not thinking
> >> clearly enough....[/color]
> >
> > Yes, most people get that wrong don't they?
> >[/color]
>
> While I'm enjoying this thread might I interject with this question -[/color]
should[color=blue]
> programmers, be they Access people or whatever, embrace DRM (digital[/color]
rights[color=blue]
> management) and Microsoft's Palladium idea and suchlike, with the view[/color]
that[color=blue]
> it offers developers and publishers *potentially* greater control of who
> owns and uses their software?
> I reckon most folk would think that DRM is a bad thing if it's forced onto
> them but would programmers be seduced if it saved them the grief of trying
> to ensure authorised use of their work?
> And maybe DRM might be employed to make apps harder to hack into? I have[/color]
no[color=blue]
> idea, just putting the idea out there.
>
> Apparently Microsoft want to make DRM a *core* part of the next version of
> Windows. This article on the subject is quite interesting
> http://www.theregister.co.uk/content/55/33958.html
>
>
>
>
>
>
>
>
>[/color]

Re: How often is Access security breached?

This is not a reply to any one poster, so I have cleared all previous
messages.

Today, at the request of one of my users, I have found out some information
that was held in an Access 2000/2002 database (don't know which as it was
password protected).

How did I do this? I opened the MDB file with (or all things!) WordPad. I
used its Find command to find some information that I knew was in the DB,
then Find again, until I had the instance that I wanted. I then read the
information (in plain language!) from the screen.

Obviously if it had been encrypted, then I would not have been able to read
the data (at least, I hope not!)

Security? What security!

Nick