Topics: Bug, Microsoft, Security, IT

Microsoft Dynamics GP "Encrypted" Using Caesar Cipher

Posted by kdawson
from the no-safety-in-numbers dept.
scribblej writes "Many large companies use Microsoft's Dynamics GP product for accounting, and many of these companies use it to store credit card numbers for billing customers. Turns out these numbers (and anything else in GP) are encrypted only by means of a simple substitution cipher. This includes the master system password, which can be easily selected and decrypted from the GP database by any user. Quoting: '[Y]ou DON'T HAVE TO GIVE ACCESS TO THE DYNAMICS DATABASE. What that means is if you create a base user in GP, that user can log into the SQL server and run a select statement on the table containing the "encrypted" GP System password. Not good.'" Update: 05/22 02:57 GMT by T : The original linked post has been revised in a few places; significantly, the following has been added as a correction: "By default, GP gives the user access to the DYNAMICS database but the user CANNOT login to the SQL server using SQL Enterprise Manager."
  • Re:::gasp:: (Score:5, Insightful)

    by DavidR1991 (1047748) on Friday May 21 2010, @11:46AM (#32294122) Homepage

    Yeah, but this isn't a security flaw due to an oversight or simple mistake. This is a massive downright idiotic flaw! How the HELL did this make it into a product?

  • by Anonymous Coward on Friday May 21 2010, @11:48AM (#32294142)

    I don't know if this is any news at all. Most ERP systems do not have the data in the database encrypted at all. You should never give any direct access to your ERP database to anybody. If absolutely necessary, just create a view in another DB schema and give read access to it only to selected users (so they could access for example the inventory information using Excel/Access).

  • by SanityInAnarchy (655584) <ninja@slaphack.com> on Friday May 21 2010, @11:52AM (#32294202) Journal

    From TFS:

    Many large companies use Microsoft's Dynamics GP product for accounting, and many of these companies use it to store credit card numbers for billing customers.

    Sorry, if you're actually going to say that a lot of consumer credit cards aren't valuable or important, you're going to have to provide just a teensy bit more justification.

  • by jd (1658) <imipak&yahoo,com> on Friday May 21 2010, @11:56AM (#32294242) Homepage Journal

    I think the GP means the cards are all probably maxed out, blocked/revoked, or both.

  • It's true (Score:1, Insightful)

    by Anonymous Coward on Friday May 21 2010, @11:56AM (#32294246)

    The old saying: "Anyone can create a security system that they cannot break"

  • The news here is they were claiming to be using encryption, but really were not. Regardless of whether or not encryption is needed in the first place, you don't mislead your customers like that.

  • Re:Incredible. (Score:1, Insightful)

    by Anonymous Coward on Friday May 21 2010, @12:03PM (#32294356)

    pserver was never intended to hold secure information or be a secured server.

    There are CVS servers that use SSL encryption, kinda like blaming HTTP for being insecure, despite anything which involves your credit card number being done over HTTPS.

  • Re:Incredible. (Score:4, Insightful)

    by gorzek (647352) <gorzek@[ ]il.com ['gma' in gap]> on Friday May 21 2010, @12:07PM (#32294390) Homepage Journal

    Well, that's what I mean. pserver is insecure and never pretends to be anything more than it is--a barebones security mechanism that won't thwart anyone with a genuine interest in stealing passwords. All it would do is keep someone from *accidentally* seeing somebody else's password if they were monitoring network traffic. That's about it.

    That Microsoft is using basically the same thing to secure a corporate accounting system that holds genuinely sensitive data is both terrifying and laughable.

  • by jd (1658) <imipak&yahoo,com> on Friday May 21 2010, @12:09PM (#32294416) Homepage Journal

    Not that long ago, competent security was a criminal offense to export. It still is, unless the code is Open Source (and we all know how Microsoft loves Open Source). The practical difference between a Caesar cipher and DES is that the Caesar cipher is faster so more transactions can be performed. You could do more leaving things in plain-text, but regulations usually require encryption of some sort for this kind of data. However, those same regulations don't usually stipulate any particular strength of encryption, so Caesar becomes ideal. The high throughput will sell better and the absence of security means it evades export controls. You end up with the largest possible market.

    If there was a recognized, official (or even semi-official) standard API and ABI for cryptography libraries, ITAR would be less of an issue. You could swap out any crypto library in any product and swap in an alternative. You could then use any crypto library (and therefore any crypto algorithm) you liked.

    If standards better-mandated what level of security was required, weak algorithms would never be used. No corporation would dare risk the penalties and so no vendor would dare supply soft crypto.

    The market's preference for high throughput is perfectly reasonable, but it is often unwilling to invest in security - which is why there are so many issues of this kind. If corporations were more willing to invest in securing their systems, say by using hardware crypto engines to get the high throughput they needed, they would be able to use essentially bullet-proof algorithms without harming the amount of data they could manage.

  • by ooshna (1654125) on Friday May 21 2010, @12:40PM (#32294846)

    You're right, so to stand by your point please post any and all credit card numbers with expiration dates and the little 3 digit code on the back. Oh, also your full name. Thank you.
  • by Paradise Pete (33184) on Friday May 21 2010, @01:10PM (#32295250) Journal

    The news here is they were claiming to be using encryption, but really were not.

    They are. Just not very strong encryption.

    • Man: I came here for some good encryption.
    • Microsoft: No you didn't. You came here for encryption.
    • Man: Encryption isn't just substitution.
    • Microsoft: It can be.
    • Man: Encryption is a connected series of mathematical operations intending to establish obfuscation.
    • Microsoft: Look, if I encrypt for you I must substitute for the original text.
    • Man: Yes, but it isn't just a simple one-to-one mapping.
    • Microsoft: Yes it is.
    • Man: No it isn't.
    • Microsoft: Yes it is.
    • Man: No it isn't.
    • Microsoft: Yes it is.
    • Man: Look, I've had enough of you.
    • Microsoft: No you haven't.
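
Added example (my own code, not from the story, the linked post, or any commenter): the "simple substitution cipher" of the summary and the "one-to-one mapping" of the exchange above, modelled in Python. A Caesar shift is the special case where the mapping is a fixed rotation, but both properties shown here hold for any monoalphabetic substitution table: the ciphertext keeps the repeat structure of the plaintext, and one known plaintext/ciphertext pair reveals the mapping for every other field stored with the same table. The sample string "SYSTEM PASSWORD" and the shift of 3 are constructed for the demonstration and are not values from the page.

```python
"""Why a fixed one-to-one letter mapping is obfuscation, not encryption.

Constructed example; the strings and the shift below are made up.
"""
import string

ALPHABET = string.ascii_uppercase  # 26 letters, so a Caesar key space of 26 shifts


def caesar_table(shift: int) -> dict:
    """Substitution table for a Caesar cipher: every letter moves by `shift`."""
    return {ch: ALPHABET[(i + shift) % 26] for i, ch in enumerate(ALPHABET)}


def substitute(text: str, table: dict) -> str:
    """Apply a one-to-one letter mapping; characters not in the table pass through."""
    return "".join(table.get(ch, ch) for ch in text.upper())


def invert(table: dict) -> dict:
    """Decryption is the same operation with the table reversed."""
    return {cipher: plain for plain, cipher in table.items()}


def repeat_pattern(text: str) -> list:
    """Index of first occurrence for each symbol, e.g. 'LETTER' -> [0, 1, 2, 2, 1, 3].

    A substitution cipher leaves this pattern unchanged, so ciphertexts leak
    which positions hold the same symbol.
    """
    seen = {}
    return [seen.setdefault(ch, len(seen)) for ch in text]


def recover_table(known_plain: str, known_cipher: str) -> dict:
    """One known (plaintext, ciphertext) pair pins down the mapping for every
    letter it contains; the same partial table then decrypts other fields."""
    return {
        p: c
        for p, c in zip(known_plain.upper(), known_cipher.upper())
        if p in ALPHABET
    }


if __name__ == "__main__":
    table = caesar_table(3)
    secret = "SYSTEM PASSWORD"  # constructed sample value
    ct = substitute(secret, table)
    print("ciphertext:", ct)
    print("round trip:", substitute(ct, invert(table)))
    print("pattern preserved:", repeat_pattern(secret) == repeat_pattern(ct))
    partial = recover_table("SYSTEM", substitute("SYSTEM", table))
    print("another field decrypted with the recovered mapping:",
          substitute(substitute("TEST", table), invert(partial)))
```

The point the exchange makes is visible in `repeat_pattern`: because each letter always maps to the same letter, equal plaintext characters produce equal ciphertext characters, so the stored value discloses its own structure; and `recover_table` shows that learning one field's plaintext is enough to read every other field stored with the same table, which is why a scheme like this does not meet the confidentiality expectation the word "encrypted" carries.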
  • Re:::gasp:: (Score:5, Insightful)

    by Jason Earl (1894) on Friday May 21 2010, @01:14PM (#32295312) Homepage Journal

    Whether the folks at Microsoft wrote this themselves, or whether they instead paid $1.1 billion for this software 9 years ago it is still pretty much the same thing. Either way this makes the folks at Microsoft look like amateurs. This is precisely the sort of thing that only closed source proprietary software can get away with.

  • by jd (1658) <imipak&yahoo,com> on Friday May 21 2010, @02:10PM (#32296164) Homepage Journal

    DES is sufficiently weak that it is possible to build a home-grown cluster that can break a DES key in minutes. Yes, DES is "strong" in the sense that the algorithm itself has no significant flaws that anyone can detect, but when dealing with a credit card system where it's quite plausible that each card could have a thousand dollars available on it on average, obtaining 500 cards would cover the cost of the EFF's DES-breaking machine and therefore cover the costs. Everything else would be sheer profit for the crook(s). Given that news stories on credit card theft usually talk about hundreds of thousands of cards being stolen, the cost of smashing DES would be 0.1% of the money the criminals could walk off with. In short, as close to nothing as to make no odds.

    If the cost of smashing 40-bit or even 56-bit encryption is insignificant, then there is no practical difference between DES and ROT13 at the kind of level of sophistication you'd require to even steal from that many cards without being caught or detected. This leaves you two options - spend less money and superficially meet requirements (and then hope like hell), or spend more money to invest in doing security correctly. Hands up all who know IT managers who enjoy spending money on things that don't (in themselves) offer any return because it is Doing The Job Right. Ok, now hands up all those who know IT managers who take shortcuts to meet business requirements or upper-level management demands even though they know it's probably risky and/or bloody stupid to take those shortcuts?

    My guess is that the vast, overwhelming majority raised your hands on the second question and that maybe a few dozen (at most) did so on the first. I also suspect that anyone who questioned my original post would actually agree that IT managers aren't known for Doing The Right Thing when it comes to IT security, that cost and the performance needs of everyone else take first and second place (order depending on where you work). In short, outside threats are likely to be considered rare and more likely to affect underlings than the manager, whereas office politics is a constant and immediate danger with backstabbing and dirty infighting being the norm. You may well be in a place that isn't like that, but if so, I defy you to seriously claim (and prove) that your situation is remotely close to typical.

    Even ignoring the treachery that makes up the modern workplace, you still have the Peter Principle to contend with. If you have an IT manager who is experienced at being an IT manager, the principle dictates that this means he has risen to his level of incompetence. Again, there will likely be exceptions, but I'm talking the typical case here.

    So, if the typical IT manager is stingy and/or incompetent, thus defining this to be the primary business market for Microsoft, this will be the sort of person Microsoft products will be aimed at. Microsoft is lots of things, but stupid about their customers they are not. If they ship a flaky product, it is because they know the customer won't care and/or won't notice, but will buy it anyway. Hell, Vista for the desktop probably still made a sizable profit despite the complaints and the effective abandonment.

  • by dave562 (969951) on Friday May 21 2010, @03:05PM (#32297058) Journal

    Whoever coded the "encryption" routine really dropped the ball. SQL Server supports AES encryption on individual fields. The first result of a Google search for "sql server field encryption" points to an MSDN article with code examples of how to use AES-256 encryption.

    How do these things keep happening? There have to be mistakes on so many levels. Whoever developed the spec obviously was clueless. The person who coded the spec was probably clueless, and/or didn't have the authority to do things the right way. The tools to make these applications secure are available. You'd think that a Microsoft coder using a Microsoft database could use the Microsoft solution properly.

    The more I deal with corporate America and the people who find themselves in charge of projects, the more I believe that competence really is a Bell curve with the center of the curve being INCOMPETENT, the far left is DISABLED. How do these people sleep at night? The only thing that I can figure is that they really are ignorant. If I do something half-assed, it bugs me. It keeps me up at night. So either these people just don't give a rat's ass and are working in a culture that lacks accountability, or they are completely ignorant and are working in a culture that lacks accountability. A friend of mine once told me, "Most people don't do the right thing because it is the right thing. They do the right thing because they fear the consequences of getting caught doing the wrong thing." Everywhere I look in society, there are fewer and fewer consequences.
