Microsoft Dynamics GP "Encrypted" Using Caesar Cipher 206

scribblej writes "Many large companies use Microsoft's Dynamics GP product for accounting, and many of these companies use it to store credit card numbers for billing customers. Turns out these numbers (and anything else in GP) are encrypted only by means of a simple substitution cipher. This includes the master system password, which can be easily selected and decrypted from the GP database by any user. Quoting: '[Y]ou DON'T HAVE TO GIVE ACCESS TO THE DYNAMICS DATABASE. What that means is if you create a base user in GP, that user can log into the SQL server and run a select statement on the table containing the "encrypted" GP System password. Not good.'" Update: 05/22 02:57 GMT by T : The original linked post has been revised in a few places; significantly, the following has been added as a correction: "By default, GP gives the user access to the DYNAMICS database but the user CANNOT login to the SQL server using SQL Enterprise Manager."
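Added example (not Slashdot's, the submitter's or Microsoft's code): a toy fixed-shift byte cipher standing in for the "Caesar cipher" the summary describes, an audit check showing why one known plaintext/ciphertext pair exposes every value stored under such a cipher, and the salted PBKDF2 store that a system password should use instead. The algorithm, the shift value and all function names are assumptions; the page gives no details of GP's actual routine.

```python
import hashlib
import hmac
import os

# Assumed toy model of a fixed-shift byte cipher. This is NOT Dynamics GP's
# actual routine (the page says only "Caesar cipher"); it reproduces the one
# property that matters: a constant key applied symbol by symbol.
SHIFT = 13  # assumed key; any single fixed shift behaves the same way


def shift_cipher(data: bytes, shift: int = SHIFT) -> bytes:
    """'Encrypt' by adding a constant to every byte mod 256.
    Decryption is the same call with -shift."""
    return bytes((b + shift) % 256 for b in data)


def recover_shift(known_plain: bytes, known_cipher: bytes):
    """Audit check for a stored column: if a single known pair (for example
    a user's own password and its stored form) is explained by one constant
    shift, every other value in that column is readable with the same shift.
    Returns the shift, or None when the data is not a fixed-shift cipher."""
    if not known_plain or len(known_plain) != len(known_cipher):
        return None
    shifts = {(c - p) % 256 for p, c in zip(known_plain, known_cipher)}
    return shifts.pop() if len(shifts) == 1 else None


def store_secret(secret: bytes):
    """What a stored system password should look like instead: a random salt
    plus a slow salted hash. A SELECT on this table yields nothing reversible,
    and two users with the same password get different stored values."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, 200_000)
    return salt, digest


def verify_secret(secret: bytes, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", secret, salt, 200_000)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    stored = shift_cipher(b"S3cret!")          # constructed sample value
    print("shift recovered from one known pair:",
          recover_shift(b"S3cret!", stored))   # 13
    salt, digest = store_secret(b"S3cret!")
    print("hashed store verifies:", verify_secret(b"S3cret!", salt, digest))
```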

  • Great Plains (Score:1, Interesting)

    by Anonymous Coward on Friday May 21, 2010 @11:45AM (#32294112)

    I wonder how long this security issue has been in Great Plains?

    However long it has been, Microsoft really dropped the ball here because that acquisition was nearly ten years ago at this point.

  • Re:But... (Score:3, Interesting)

    by the_one_wesp ( 1785252 ) on Friday May 21, 2010 @11:47AM (#32294130)
    I disagree with this being off topic. Perhaps, though, if /.ers are too hasty to recognize a quick rot13, that justifies why MS thinks they can do the same with their products... o.O
  • Re:But... (Score:4, Interesting)

    by jgreco ( 1542031 ) on Friday May 21, 2010 @11:52AM (#32294200)

    I guess the question is, how many people even know what rot13 is these days?

    I mean, really, my rot13 script's nearly 20 years old and I'll bet I use it less than once a year these days...

    % ls -l bin/script/rot13
    -rwx------ 1 jgreco user 64 Nov 11 1991 bin/script/rot13*
    %

  • Re:Great Plains (Score:1, Interesting)

    by Anonymous Coward on Friday May 21, 2010 @12:14PM (#32294498)

    GP has encryption? Well that beats SL (Solomon), where social security numbers are stored in cleartext.

    In fact I'm pretty sure the "recommended" Windows authentication method (vs. the Master60SP method) gives basic users full read/write access to the database by default.

  • by Anonymous Coward on Friday May 21, 2010 @12:27PM (#32294666)
    That's a very good point. I have all kinds of access to my company's ERP tables through SAP (though we don't store credit cards). The advantage here to using a cipher AT ALL is that those people who should have access can work with these tables as necessary without seeing private information. Makes sense to me. However, the article claims that all tables are available to any user created in GP? I find that hard to believe. The article says that the user does not need to be granted DB access and therefore it has DB access. As the parent mentions, NO USER has DB access in an ERP system. Only the ERP system itself has access and then the ERP system manages all table and transaction access. Can anyone verify this for GP? Also, even if the system password is available to any user created in GP I don't think that matters. I don't know MS Dynamics in specific, but in SAP the "root" user (SAP*) has a well-known default password (PASS). Now, there's a LOT of background for doing this and for a long time now it is recommended to change the default password, disable automatic SAP*, lock the user, change the validity date and remove all profiles from this account. In other words, there should be NO POSSIBLE way to EVER use this account in a production environment. I hope that is the same for the MS GP system user... Can anyone verify?
  • Re:obligatory (Score:5, Interesting)

    by interval1066 ( 668936 ) on Friday May 21, 2010 @12:36PM (#32294788) Journal

    "You need to use the vocative case there, not the nominative."

    i.e. "Brute." (pronounced "Brut-AY")

    Getting back to the main story, let me add "Doh!" That's a major back door. And Microsoft, wanting to be our gatekeepers in so many ways and even with this big security initiative they've been trying to get everyone to believe they are on, is just sort of sluffing it off with their usual sheepish "Well, it's not likely to actually happen." nonsense.

  • Re:Full Article (Score:5, Interesting)

    by mpolino ( 1816870 ) on Friday May 21, 2010 @01:11PM (#32295252)
    I'm a Microsoft MVP for Dynamics GP and this line "What that means is if you create a base user in GP, that user can log into the SQL server and run a select statement on the table containing the "encrypted" GP System password... " is completely false. GP users can't log in to SQL using their GP passwords. The article doesn't state a version being used. On some older versions it was possible to choose to allow a user to access SQL with their GP login. This is not possible on any of the supported versions of Dynamics GP. Additionally, the System password referred to has always been a second line of defense. Security has to be given to a particular window in the application before GP even asks for the System password. Relying on the System password alone for security has never been a best practice. There are a number of other areas where the writer confuses different types of passwords and security in Dynamics GP making it clear that he's never actually used the application to understand how different passwords and settings interact to provide security.

    Mark
  • by Vancorps ( 746090 ) on Friday May 21, 2010 @01:25PM (#32295440)

    To be honest, it sounds like neither anonymous nor yourself have dealt with ERP systems at a database level. I'll give you a brief overview of why none of that works. First, there are six companies in my database and they do over 100 million in transactions every year. That database is 60,000 tables and there are only six users of the system. The database is only accessible from an accounting or management VLAN for obvious reasons. Going through and figuring out tens of thousands of tables, triggers, procedures, and functions and granting permissions accordingly is just not going to happen.

    I have yet to find an ERP setup that was in my mind sensible. They evolved from flat files and basically just use the database as a filesystem rather than employing the majority of functionality found in most RDBMS. In my current case it's even worse as you can't enable multi-master replication of the data since the application does column position math. That means if you add any column for a GUID then the app will break. Fortunately MS developed mirroring which solved a critical high-availability dilemma for me. Now I have two live servers and do an encrypted backup every night. ERP systems are a pain in the ass!

    MS isn't at fault for this BS setup, Navision and GP were both terrible even before MS bought them and there is a lot of work to do still before they start behaving like most Microsoft server apps.

  • Re:obligatory (Score:1, Interesting)

    by Anonymous Coward on Friday May 21, 2010 @01:29PM (#32295492)

    And in any case, the sentence, as taught in Latin courses, is "tu quoque fili". However, we have some reasons to believe that if Caesar even uttered anything like that, it was rather something like "kai su teknon". Educated Roman people of the time spoke Greek in private. Some traces of Greek can even be found in Cicero's Latin writings (e.g. "lectica octophoro").

  • Re:Full Article (Score:3, Interesting)

    by WarlockD ( 623872 ) on Friday May 21, 2010 @05:07PM (#32298998)

    Ok, What the FUCK. I was going to say this wasn't even a story and that the poster had no clue on .NET, then I read THIS:

    http://blogs.msdn.com/developingfordynamicsgp/archive/2008/10/02/why-does-microsoft-dynamics-gp-encrypt-passwords.aspx [msdn.com]

    THIS is your argument? What version it is? All you're talking about is application security.

    Look, the poster isn't the greatest .NET programmer out there (plenty of built-in stuff for encryption in .NET), but come on. A two byte substitution cipher? All you have to do is put down a packet analyzer, have the application "retrieve" the system password and there you go. It's just kept in the freaking tables and I doubt businesses use SSL on their LAN.

    But that's not the biggest pet peeve. WHY AREN'T YOU USING AD? You know, the 20+ years of authentication system that just works?

    I sound angry because on one hand I like how you can program your own authentication provider in IIS and start to warm up to Microsoft, but then I read something like this where you don't even bother to use the BUILT IN string encrypting in .NET.

  • by Der PC ( 1026194 ) on Friday May 21, 2010 @10:25PM (#32301964)

    This is actually NOT a piece of Microsoft software.

    Microsoft Dynamics is what used to be known as "Navision Financials", and before that "Fjölnir". It's a piece of extremely crappy software written in Denmark and is based on a Pascal engine where everything is loosely glued together.

    Fjölnir was I think the first financial system Denmark exported. Much to the horror of a neighbour country - Iceland, where Fjölnir became mainstream on HPUX and DOS.

    http://www.snerta.is/images/stories/products/fjolnir.gif [snerta.is]

    Navision (the Windows version) was not a rewrite or redesign of Fjölnir as much as it was placing an abhorrent GUI on top of a ghastly DOS program.

    Microsoft however got interested when they realised that all of the nordic countries were using Navision.

    So in effect, I think this vulnerability may be traced all the way back to Fjölnir in the mid-90s, and as such, blame the security on a sixpack of Carlsberg and one lazy Dane who didn't take security classes at school...

    I mean... really... Caesar cipher?

    Can I laugh out loud now?

    Oh... I know how to spell i-d-1-0-t. Wonder if the original authors do...
