Gentoo Forums :: Off the Wall
RANT: Dumb Windows application security
delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL
PostPosted: Wed Jul 17, 2002 3:05 am    Post subject: RANT: Dumb Windows application security

Standard rant disclaimer applies.

So, I have been given a task -- I have to install some software (which we will refer to as "That Thing") onto a lot of computers. That Thing is for a school, and they want That Thing to be installed on every computer for purposes of tracking attendance electronically. They figure since they have a network, That Thing tracks attendance, and it's supposed to run over a network, they shouldn't have to run green slips of paper back and forth... right?

So, I looked at it, and I called up That Company just to talk to a support rep.

Quote:
Me: The docs say I have to run around to each computer with a "key floppy" to install That Thing. There's 80 workstations, and a lot of them don't have floppy drives. What am I supposed to do?
Them: Oh, since version 5.0 you don't need to use a key floppy.
Me: These are the version 5.0 docs...?
Them: Yeah, we know.
Me: ...okay...? Anyway, we want to make it talk over a network. How can we do that?
Them: Well, once it's installed onto each machine, just edit the ThatThing.ini to point to F:\...\
Me: I don't want to map network drives; does it understand UNC paths?
Them: Uhhh... I think so. You'll probably want to check that.
Me: ...right. Okay, so once I get the paths set, then what?
Them: Then make sure each user has Full Control over the data directory.
Me: <slaps forehead> ...okay, we'll come back to that. I already did all that, and it seems to be creating a lock file in the program directory, which is failing. Can I disable that?
Them: No, you need to give them Full Control over the program directory too.
Me: <slaps forehead louder> Back to the data directory thing. So, you want me to give all the users read, write, and delete access to all of the data files, even if I don't want them to?
Them: Well, you can try it, but I don't think it'll work. Full Control.
Me: So... any user, then, can go in and delete everything if they feel like it or if someone uses the workstation to "type a paper".
Them: Well, no, they have to get a user ID and password first.
Me: You're referring to the built-in user tracking system?
Them: Yeah. Without that, they can't do anything.
Me: But they can still delete the files, because you told me to give them Full Control.
Them: Well, yeah, if they're smart enough to go to Network Neighborhood, right click, and hit Delete, then yeah. But that's why we included the backup feature, just save it to a floppy every day.
Me: You mean that menu option that pops up PKZIP?
Them: Yeah.
Me: Huh. Okay, so let's just say I had full control, and I didn't want to delete anything. Could I, say, start changing numbers in the billing tables?
Them: Well, yeah, but you would need Access 97 and there's a lot of tables to look through...
Me: Access is deployed on all of our workstations anyway, and anyone that has taken the freshman-year applications class knows how to use it. So, I can just go and double-click the TTBILL.MDB file and start fiddling with stuff?
Them: Well, yeah, but there's lots of records to update...
Me: Okay, let's just say I wanted to add another username to That Thing's user database, even though we already have our own authentication system. Could I do that?
Them: Yeah, but you'd have to know where to look.
Me: Hold on... <double-clicks TTSYS.MDB> Ah, a "Users" table.
Them: You'll never get the passwords, they're encrypted.
Me: <looks at table> The encryption appears to be an XOR cipher.
Them: :?:
Me: Never mind. Hey, I just created a new user! Also, I flipped ADMIN_USER to "No" for the sysadmin account and flipped it to "Yes" for my new account.
Them: So you just got system administrator permissions?
Me: <double-clicks That Thing icon> Logging in... I got a Billing button, a Transcript button, and... look, an Add/Remove Users dialog. I just removed the sysadmin.
Them: <silence>
Me: And you're telling me I have to give all the users Full Control to those files? I just compromised your entire security system in 45 seconds with standard desktop tools and no prior knowledge of how your software works.
Them: Well...
Me: I know you use ODBC internally. Is there any way I can point it to a DSN so I can secure it on a per-table basis?
Them: We're working on making it work with SQL Server.
Me: Can I expect that by August 5th, our freeze date?
Them: No. I wouldn't count on hearing anything about it until December of next year.


Further digging revealed that That Thing refuses to start up if it does not have read/write access to the security database. Looks like I'll have to either modify That Thing's database directly or code an entirely new system to replace That Thing -- by August 5th.

Maybe I missed something...?
_________________
I don't believe in witty sigs.
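The escalation delta407 walks the support rep through above (recover the XOR "encryption", add a user, flip ADMIN_USER) and the fix he asks for (per-table access control behind ODBC) are worth seeing side by side. What follows is an added example, not code from the original post or from That Company. It assumes an in-memory sqlite3 table standing in for the Users table in TTSYS.MDB (the real file is Access 97 and cannot be opened offline here), made-up column names, accounts and a made-up two-byte repeating XOR key, and it uses a sqlite3 authorizer to model the per-table grants a database server would enforce. The attacker needs nothing but write access to the file and his own non-admin login.

```python
"""Added example, not from the thread: why "Full Control" over the file that
holds the application's own user table makes the application's login
meaningless, and what per-table grants on a real database server change.

Assumptions: an in-memory sqlite3 table stands in for the "Users" table of
TTSYS.MDB (Access 97 cannot be opened offline here); the column names, the
"Yes"/"No" ADMIN_USER values, the accounts and the repeating XOR key are
all made up for the demo."""
import sqlite3

KEY = b"\x5a\x13"  # assumed: the application's fixed, repeating XOR key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_users_table(key: bytes = KEY) -> sqlite3.Connection:
    """Constructed stand-in for the Users table in the security database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (USER_ID TEXT PRIMARY KEY, "
                 "PASSWORD BLOB NOT NULL, ADMIN_USER TEXT NOT NULL)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", [
        ("sysadmin", xor_bytes(b"S3cret!Pass", key), "Yes"),
        ("student1", xor_bytes(b"hunter2", key), "No"),  # attacker's own legitimate login
    ])
    conn.commit()
    return conn


def app_login(conn, user_id: str, password: bytes, key: bytes = KEY):
    """Model of the application's login check. Returns (accepted, is_admin)."""
    row = conn.execute("SELECT PASSWORD, ADMIN_USER FROM Users WHERE USER_ID = ?",
                       (user_id,)).fetchone()
    if row is None:
        return (False, False)
    stored, admin_flag = row
    accepted = xor_bytes(bytes(stored), key) == password
    return (accepted, accepted and admin_flag == "Yes")


def recover_key(known_plaintext: bytes, stored: bytes) -> bytes:
    """plaintext XOR ciphertext is the keystream; a repeating key shows up as
    the keystream's period. The known plaintext must be at least as long as
    the key, otherwise only a prefix of the key comes back."""
    keystream = xor_bytes(stored, known_plaintext)
    for period in range(1, len(keystream) + 1):
        if all(keystream[i] == keystream[i - period]
               for i in range(period, len(keystream))):
            return keystream[:period]
    return keystream


def escalate(conn, my_user: str, my_password: bytes,
             new_user: str, new_password: bytes) -> bytes:
    """What any user with write access to the file can do with only their own
    non-admin credentials: recover the key from their own row, add an admin
    account the application will accept, and demote sysadmin."""
    stored = bytes(conn.execute("SELECT PASSWORD FROM Users WHERE USER_ID = ?",
                                (my_user,)).fetchone()[0])
    key = recover_key(my_password, stored)
    conn.execute("INSERT INTO Users VALUES (?, ?, 'Yes')",
                 (new_user, xor_bytes(new_password, key)))
    conn.execute("UPDATE Users SET ADMIN_USER = 'No' WHERE USER_ID = 'sysadmin'")
    conn.commit()
    return key


def users_table_read_only(action, table, column, db_name, trigger_or_view):
    """sqlite3 authorizer standing in for a database server's per-table grants
    (the ODBC/SQL Server route asked for in the call): this connection may read
    Users, but every INSERT/UPDATE/DELETE against it is refused."""
    if table == "Users" and action in (sqlite3.SQLITE_INSERT,
                                       sqlite3.SQLITE_UPDATE,
                                       sqlite3.SQLITE_DELETE):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def demo():
    """Run the escalation against a writable file, then against the same table
    behind per-table grants. Returns (results_when_writable, blocked)."""
    conn = build_users_table()
    key = escalate(conn, "student1", b"hunter2", "notbob", b"letmein")
    when_writable = {
        "recovered_key": key,
        "new_account_login": app_login(conn, "notbob", b"letmein"),     # (True, True)
        "sysadmin_login": app_login(conn, "sysadmin", b"S3cret!Pass"),  # (True, False)
    }
    conn = build_users_table()
    conn.set_authorizer(users_table_read_only)
    try:
        escalate(conn, "student1", b"hunter2", "notbob", b"letmein")
        blocked = False
    except sqlite3.DatabaseError:  # sqlite reports "not authorized"
        blocked = True
    return when_writable, blocked


if __name__ == "__main__":
    print(demo())
```

The point of the second half is that nothing about the application changes: the same "Users" table, the same weak password encoding, the same login routine. Moving the table behind a server that grants the workstation login SELECT but not INSERT/UPDATE/DELETE is what stops the escalation, and a hidden share or a longer key would not.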
rac
Bodhisattva
Joined: 30 May 2002
Posts: 6553
Location: Japanifornia
PostPosted: Wed Jul 17, 2002 3:48 am

Disclaimer: everything I know about Windows would fit on a blade of grass. I have never used it, to speak of. So apologies in advance if none of this makes any sense.

Could you make a copy of the ThatThing data directory and/or program directory in a central location, mount it read-only on each workstation, have a cron job (or whatever the windows equivalent is) compare checksums of files that are not supposed to change (i.e. everything except the attendance tracking table) and automatically revert files modified on the workstation?

This would require actually installing ThatThing locally on all the workstations, and manually managing the integration of the data, I suppose, which might be prohibitive with 80 workstations. And the whole house of cards falls down if the tables that are supposed to be modified are co-mingled with the tables that are not. And users could fake the attendance data anyway, rendering the whole point of the system rather unreliable. But at least it might prevent hax0ring of other more sensitive data and reduce collateral damage.

Actually, I thought of a better suggestion, if you're located in the USA. Just follow ThatThingCo's instructions to the letter, ask them for permission to record the telephone calls to tech support, carry out the correspondence in writing if they refuse, sit back and wait for the inevitable, and then when it happens, sue the pants off of ThatThingCo, and use the settlement proceeds to pay yourself to do it right.
_________________
For every higher wall, there is a taller ladder
delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL
PostPosted: Wed Jul 17, 2002 3:54 am

rac wrote:
Could you make a copy of the ThatThing data directory and/or program directory in a central location, mount it read-only on each workstation, have a cron job (or whatever the windows equivalent is) compare checksums of files that are not supposed to change (i.e. everything except the attendance tracking table) and automatically revert files modified on the workstation?

We can get That Thing to use UNC paths, which take the form \\Server\Share\Directory, so getting them to use remote data isn't a problem. The problems arise with two things. One: even though it uses separate databases for somewhat different things, transcripts and attendance are in the same file, so someone could screw around with credits and GPAs and so forth. (That's why they have PKZIP!) Two: as I said, the stupid thing won't even fire up unless it can write to TTSYS.MDB, which happens to contain the program's security system and a number of other important items. It also does read/write/exclusive opens on lots of other files, so it doesn't want to share nor does it want to become secure.

rac wrote:
This would require actually installing ThatThing locally on all the workstations, and manually managing the integration of the data, I suppose, which might be prohibitive with 80 workstations.

That's not a big deal. I can whip up a Windows Installer (.MSI) file that I can deploy onto every workstation with four clicks on the server. (Oh, BTW, it's a Visual Basic 5.0 app [ick! :evil:] that requires a hundred megs of local storage space for all its dependencies. And they decided to change the executable so it lacks a standard stub and is not technically in win32/pe format. Oh, and it's still backwards-compatible with a DOS version.)

rac wrote:
And the whole house of cards falls down if the tables that are supposed to be modified are co-mingled with the tables that are not.

As in this instance.

rac wrote:
sue the pants off of ThatThingCo, and use the settlement proceeds to pay yourself to do it right.

Such legal fees aren't in the budget, and this has to be done by August 5, so I don't think that'll work too well.
_________________
I don't believe in witty sigs.
craftyc
Guru
Joined: 23 May 2002
Posts: 443
Location: Behind You.
PostPosted: Wed Jul 17, 2002 4:17 pm    Post subject: Re: RANT: Dumb Windows application security

delta407 wrote:

Me: And you're telling me I have to give all the users Full Control to those files? I just compromised your entire security system in 45 seconds with standard desktop tools and no prior knowledge of how your software works.


Well done !!!!
_________________
Postcount ++
klieber
Administrator
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA
PostPosted: Wed Jul 17, 2002 4:36 pm

OK, two thoughts spring to mind:

  1. The program is designed very poorly. I'm not sure that's indicative of a problem with Windows so much as it is indicative of a moron developer (or development team)
  2. The tech support person you talked to was a moron. I'd advise calling back and making enough of a stink to get one of the developers on the phone. They'll (hopefully!!!!) know more about the program and its security requirements than the front-line grunt you originally spoke to

Also, this is NOT a substitute for good security, but you can at least make it a little more difficult by using a hidden share (append a $ sign to the end of the sharename). Yes, I know this isn't worth much, but when you have zip to start with, "not much" is better than a sharp poke in the eye.

--kurt
_________________
The problem with political jokes is that they get elected
delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL
PostPosted: Wed Jul 17, 2002 5:12 pm

1. Agreed. It was re-written in Visual Basic to supersede their DOS version (which I, thankfully, have never used). It's really dumb.

2. Yeah, I'm going to. I think the developer who "handles the data access" will be getting in touch with me; if not, I've sent off an e-mail describing what will happen if they can't get this resolved.
_________________
I don't believe in witty sigs.
delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL
PostPosted: Thu Jul 18, 2002 2:33 am

My e-mail exchange, with names changed to protect the guilty.

I wrote:
To whom it may concern:

This is [First] [Last] of [School Name]. I have spoken with one of your technical support representatives on Tuesday, July 16th, regarding deploying [That Thing] onto workstations such that each workstation can update attendance information in a secure manner. I was told -- and later verified -- that [That Thing] requires full read/write access to all of the data files in order to function properly.

This behavior is not desirable, since Windows provides strong security mechanisms that we are already using, which would be undermined. Furthermore, the solution offered has significant security problems. Since [That Thing] requires read/write access to the data files -- particularly smsys.mdb -- anyone that can run [That Thing] can use Microsoft Access to change the ADMIN_USER flag on his or her account, providing unlimited access to and control of all our school's records. This situation affects our mission-critical application, and we cannot afford to deploy such an insecure product.

We are asking for something that should already be in place. Currently, any user may arbitrarily modify any information, including but not limited to transcript details, user permissions, and billing data. A little intuition and Microsoft Access are all that is necessary to compromise the integrity of the data that our school relies on. This is unacceptable.

The technical support representative earlier today offered to get me in contact with one of the developers for [That Thing], but I have not yet received a call. This is understandable, as developers have busy schedules; however, we need to get attendance tracking available to every workstation by Monday, August 5th. If [That Company] is unable to provide adequate security mechanisms by Friday, July 26th, we will be forced to develop our own in-house solution for attendance tracking that functions in a secure manner. If that becomes necessary, our relations with [That Company] will be re-evaluated and would likely face termination.

Please take this into consideration.

[First] [Last]


They wrote:
Mr [Last]-

I am writing in response to your email (noted below) stating your concern about the security in [That Thing]. We do realize that there needs to be tighter security with [That Thing], but at this point in the development cycle, are unable to make any changes to that area. Changing the security within the program is a massive undertaking, one that will not be addressed until we port [That Thing] over into a database such as SQL. There currently is not a completion date for this move, however, I would speculate that it will be completed within the next two years. I realize that this does not help solve your present dilemma, but I wanted to give you a heads up as to the direction for where [That Thing] is heading.

If you have any other questions, please let me know.

[That Guy]
Director, Client Services


The best part is a toss-up between "a database such as SQL" and the estimated completion date of two years. First, "SQL" isn't a database, it's a standard for interacting with a database engine. Again, they use ODBC, so changing one line of code could make it talk to M$ SQL Server or mySQL or whatever. (Of course, you'd have to undo stupid things like the lockfile creation...) Second, it's a Visual Basic app, and any VB programmer worth his salt could rewrite the whole freaking thing in a month.

Suggestions? I'm thinking a standard PHP/mySQL, though I might end up with MSVC.

BTW, if I write a comparable system, I plan on starting a Sourceforge project and raising a big stink about it. I can probably make them lose business, too... darn! ;)
_________________
I don't believe in witty sigs.


Last edited by delta407 on Thu Jul 18, 2002 2:51 am; edited 1 time in total
fghellar
Bodhisattva
Joined: 10 Apr 2002
Posts: 856
Location: Porto Alegre, BR
PostPosted: Thu Jul 18, 2002 2:51 am

delta407 wrote:
BTW, if I write a comparable system, I plan on starting a Sourceforge project and raising a big stink about it. I can probably make them lose business, too... darn! ;)

If this were a poll, I'd vote yes! :twisted:
_________________
| www.gentoo.org | www.tldp.org | www.google.com |
delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL
PostPosted: Thu Jul 18, 2002 3:22 am

I wrote:
They wrote:
I realize that this does not help solve your present dilemma, but I wanted to give you a heads up as to the direction for where [That Thing] is heading.


Do you have any suggestions as to what we can do to provide some semblance of security in the mean time? The direction [That Thing] is headed does us little good, because as-is anyone can change any information stored in [That Thing] quickly and easily.

We could use a hidden share (i.e. \\server\thatthing$\), though if the program directory is set to Full Control (which is necessary since [That Thing] creates a lock file in the program directory), then it would take another 20 seconds to figure out by examining the paths in the INI file. This "security measure" would be wafer-thin at best; and, though better than nothing, would pose no problem to anyone interested in messing up or spying on our information.

In any event, if [That Company] is unable to rectify this situation, we will examine our alternatives and likely develop our own solution to replace [That Thing] entirely. This would be time consuming, somewhat costly, and prone to error -- however, action needs to be taken quickly. If we cannot entrust our most critical data to [That Thing], we will have to look for other options.

--[First] [Last]


So: PHP or MSVC? Hmm....
_________________
I don't believe in witty sigs.
Fester
n00b
Joined: 04 Jul 2002
Posts: 41
Location: Los Angeles, CA (USC)
PostPosted: Sun Jul 21, 2002 8:47 pm

In my opinion, PHP would be faster to write, and easier to deploy.
jthj
Apprentice
Joined: 04 Jun 2002
Posts: 176
Location: The Matrix Has Me....
PostPosted: Mon Jul 22, 2002 5:50 am

Makes me wonder what the heck their developers do all day!
delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL
PostPosted: Mon Jul 22, 2002 1:58 pm

Fester wrote:
In my opinion, PHP would be faster to write, and easier to deploy.


I would agree with that, though MSVC would provide easier integration with the already-deployed Windows authentication system.

Oh well, I'll probably end up with PHP anyway.
_________________
I don't believe in witty sigs.
jay
l33t
Joined: 08 May 2002
Posts: 980
PostPosted: Mon Jul 22, 2002 2:37 pm

I have to admit that I don't know anything about MSVC, so I'd rather set it up with PHP. I think one month is more than enough to set up a fairly proper working draft on mySQL - cosmetics and gimmicks can come later....
_________________
Do you want your possessions identified? [ynq] (n)
delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL
PostPosted: Mon Jul 22, 2002 2:52 pm

Actually, now that I think about it, I could install PHP onto an IIS box (icky :neutral:), tell IIS to use "Integrated Windows authentication" (IIS+IE do their little gig and forward Windows logon credentials), and suck the username out of the HTTP header... hmm...
_________________
I don't believe in witty sigs.
jay
l33t
Joined: 08 May 2002
Posts: 980
PostPosted: Mon Jul 22, 2002 3:06 pm

PHP and IIS work fairly well together, but don't expect the stability of a LAMPS setup. Authentication for an admin could also be done on a combined IP / userid login basis, thus preventing administrative access to the database from all other networked PCs except one particular machine.
_________________
Do you want your possessions identified? [ynq] (n)
delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL
PostPosted: Mon Jul 22, 2002 7:27 pm

The idea behind IIS+PHP is that the school's PCs will automatically send the hashed logon credentials to the web server. It's actually not that insecure and it provides reasonably seamless integration with the rest of the system; they will use the username and password combo they already have without even knowing it. Though, I would like to run Apache... :neutral:

Anyway, I opened up the master database file, ran some silly tool, and printed 142 pages detailing the structure of and relationships between all of the tables. I then got a three-ring binder, some multi-color sticky page marker thingies, three different colors of pens and a comfy chair and stared at it for a while. The data structures aren't all that bad, really, and I think life would be better for everyone if I re-used it. So, it'd be a matter of representing the current data as SQL, importing it into a real database backend (yes, I am dissing Access), and making a new frontend.

I broke that database down into twelve groups based on function. Attendance, Billing, Discipline, Faculty, Grading, Guidance, Infrastructure, Medical, Miscellaneous, Students, Scheduling, and Transcripts. Oh, and there are five tables in "Unknown" (AGCodes, BRoutes, CGLevels, Location, and PDEqual), though I think I can figure it out. To meet the requirements -- attendance tracking by August 5th -- I'll have to implement most of Faculty, some of Students, most of Scheduling, and (of course) Attendance.

I think I'll open a SourceForge project, too. (Oh, and I'll make a "Migration tool" to automate the transition from That Thing to That New Thing.)

Come to think of it, said New Thing needs a name. Any suggestions?
_________________
I don't believe in witty sigs.
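The IIS + Integrated Windows authentication idea delta407 floats two posts up, and jay's suggestion of tying admin access to one userid on one IP, both come down to the same rule for the web front end: the username must come from the variable the web server sets after it has finished the Windows authentication exchange, never from a header the browser sent, because any client can add a header. The following is an added example, not code from the original posts or from any project named in them. It assumes the server exposes the authenticated account as REMOTE_USER and the scheme as AUTH_TYPE (the CGI convention IIS follows; "Negotiate" and "NTLM" are assumed to be the values it reports for Windows authentication), and the domain, account names and admin workstation address are made up.

```python
"""Added example, not from the thread: a small WSGI front end for the
attendance app that takes "who is this" only from the variable the web
server sets after Integrated Windows authentication completes, and that
restricts admin functions to one known workstation.

Assumptions: REMOTE_USER / AUTH_TYPE are server-set (CGI convention, as
IIS does it; "Negotiate"/"NTLM" assumed for Windows authentication); the
SCHOOL domain, the accounts and the admin PC address are invented."""

WINDOWS_AUTH_TYPES = {"negotiate", "ntlm"}
ADMIN_USERS = {"SCHOOL\\sysadmin"}   # assumed admin account
ADMIN_HOSTS = {"10.0.5.17"}          # assumed address of the one admin PC


def trusted_identity(environ: dict):
    """Identity the server vouched for, or None.

    REMOTE_USER is set by the server and cannot be supplied by the client.
    Anything the browser puts in a header arrives as HTTP_<NAME>, so a
    request carrying "X-Remote-User: SCHOOL\\sysadmin" shows up as
    HTTP_X_REMOTE_USER and is never consulted here."""
    user = environ.get("REMOTE_USER", "")
    scheme = environ.get("AUTH_TYPE", "").lower()
    if not user or scheme not in WINDOWS_AUTH_TYPES:
        return None
    return user


def role_for(environ: dict):
    """'admin' only for an admin account coming from the admin workstation
    (REMOTE_ADDR is the TCP peer; X-Forwarded-For is client-controlled and
    ignored); 'user' for any other authenticated account; None otherwise."""
    user = trusted_identity(environ)
    if user is None:
        return None
    if user in ADMIN_USERS and environ.get("REMOTE_ADDR") in ADMIN_HOSTS:
        return "admin"
    return "user"


def attendance_app(environ, start_response):
    """WSGI entry point: /admin/... needs the admin role, everything else
    needs an authenticated Windows user."""
    role = role_for(environ)
    headers = [("Content-Type", "text/plain")]
    if role is None:
        start_response("401 Unauthorized",
                       headers + [("WWW-Authenticate", "Negotiate")])
        return [b"Windows logon required\n"]
    if environ.get("PATH_INFO", "").startswith("/admin") and role != "admin":
        start_response("403 Forbidden", headers)
        return [b"admin functions are only available from the admin workstation\n"]
    start_response("200 OK", headers)
    return [f"{trusted_identity(environ)} ({role})\n".encode()]


def call(environ: dict):
    """Drive the app without a server; returns (status, body) for testing."""
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status

    body = b"".join(attendance_app(environ, start_response))
    return captured["status"], body.decode()


# Constructed requests: a teacher, a header-spoofing attempt with no real
# Windows logon, and the admin account from its desk and from a lab PC.
TEACHER = {"REMOTE_USER": "SCHOOL\\jsmith", "AUTH_TYPE": "Negotiate",
           "REMOTE_ADDR": "10.0.7.33", "PATH_INFO": "/attendance"}
SPOOF = {"HTTP_X_REMOTE_USER": "SCHOOL\\sysadmin",
         "HTTP_X_FORWARDED_FOR": "10.0.5.17",
         "REMOTE_ADDR": "10.0.7.33", "PATH_INFO": "/admin/users"}
ADMIN_AT_DESK = {"REMOTE_USER": "SCHOOL\\sysadmin", "AUTH_TYPE": "NTLM",
                 "REMOTE_ADDR": "10.0.5.17", "PATH_INFO": "/admin/users"}
ADMIN_IN_LAB = dict(ADMIN_AT_DESK, REMOTE_ADDR="10.0.7.40")

if __name__ == "__main__":
    for name, env in [("teacher", TEACHER), ("spoof", SPOOF),
                      ("admin at desk", ADMIN_AT_DESK), ("admin in lab", ADMIN_IN_LAB)]:
        print(name, call(env))
```

The same split applies to PHP under IIS: read the server variable (REMOTE_USER / AUTH_USER), not a request header, and check the scheme so an anonymous request is not mistaken for a logged-on user.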
UnderScore
n00b
Joined: 14 Jul 2002
Posts: 25
Location: Long Island, NY, USA
PostPosted: Mon Jul 22, 2002 7:48 pm

Not That Thing
TEACH - Track(ed) Educational Attendance Computer Helper
Blaze
n00b
Joined: 16 Apr 2002
Posts: 24
PostPosted: Wed Jul 24, 2002 5:14 am

Have you checked out www.seul.org

It may interest you even if they dont have that application
delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL
PostPosted: Wed Jul 24, 2002 1:59 pm

No dice; there aren't any comparable applications. And I'm already familiar with Sourceforge's services, so I think I'll stick with them. Thanks anyway, though.

I'm continuing my reverse-engineering and plan to start forward re-engineering soon. I will, of course, run into countless problems on my way... oh well.

Still need a name... the staff was thinking either "School Tracker" or "Bob". (Bob is the invisible office guy that does everything they don't have time to do; hence, it fits.) Recursive acronyms are always welcome. :D
_________________
I don't believe in witty sigs.
UnderScore
n00b
Joined: 14 Jul 2002
Posts: 25
Location: Long Island, NY, USA
PostPosted: Wed Jul 24, 2002 3:11 pm

STARPA
Starpa Tracks And Records Pupil Attendance

STARS
Stars Tracks Attendance Records of Students

PARK
Pupil Attendance Record Keeper

Booyah! 8)
delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL
PostPosted: Wed Jul 24, 2002 4:15 pm

Hmm... STARS would be good as the school's mascot is a star, except that it will (eventually) take over almost all of the above functions (transcripts, grading, medical, etc.) as well as others that are on the wish list (library). So, it's not just attendance.

I've started running with the Bob idea (bob is the internal name; the database name, the table prefix, etc.), and I thought of something. How about Bob Sims? (Best of Bob's School Internet Management Software... or something. :D)
_________________
I don't believe in witty sigs.
Swishy
Guru
Joined: 06 Jun 2002
Posts: 491
Location: NZ
PostPosted: Wed Jul 24, 2002 5:28 pm

how bout >

FASTMIGG-BMD takes in all of the 12 groups listed in the previous post


:D

Quote:
I broke that database down into twelve groups based on function. Attendance, Billing, Discipline, Faculty, Grading, Guidance, Infrastructure, Medical, Miscellaneous, Students, Scheduling, and Transcripts


Cheers
Dale.
_________________
There's no substitute for C.I.
delta407
Bodhisattva
Joined: 23 Apr 2002
Posts: 2876
Location: Chicago, IL
PostPosted: Wed Jul 24, 2002 5:50 pm

Swishy wrote:
FASTMIGG-BMD takes in all of the 12 groups listed in the previous post


Well, a few of those won't be implemented (a billing system is already in place, etc.) -- otherwise, it's... uhh...

Uhh...

:D
_________________
I don't believe in witty sigs.
Swishy
Guru
Joined: 06 Jun 2002
Posts: 491
Location: NZ
PostPosted: Wed Jul 24, 2002 5:57 pm

uh??????lolololololol

:D well it was an idea at least, I'm sure someone could have come up with some fantastic graphics for the GUI (I could do the logo but GUI'ing isn't my forte) lololololol yeah I know, bit lame

Dale.
_________________
There's no substitute for C.I.
Page 1 of 3