Microsoft Dynamics GP "Encrypted" Using Caesar Cipher
scribblej writes "Many large companies use Microsoft's Dynamics GP product for accounting, and many of these companies use it to store credit card numbers for billing customers. Turns out these numbers (and anything else in GP) are encrypted only by means of a simple substitution cipher. This includes the master system password, which can be easily selected and decrypted from the GP database by any user. Quoting: '[Y]ou DON'T HAVE TO GIVE ACCESS TO THE DYNAMICS DATABASE. What that means is if you create a base user in GP, that user can log into the SQL server and run a select statement on the table containing the "encrypted" GP System password. Not good.'"
Update: 05/22 02:57 GMT by T : The original linked post has been revised in a few places; significantly, the following has been added as a correction: "By default, GP gives the user access to the DYNAMICS database but the user CANNOT login to the SQL server using SQL Enterprise Manager."
Great Plains (Score:1, Interesting)
I wonder how long this security issue has been in Great Plains?
However long it has been, Microsoft really dropped the ball here because that acquisition was nearly ten years ago at this point.
Re:But... (Score:3, Interesting)
Re:But... (Score:4, Interesting)
I guess the question is, how many people even know what rot13 is these days?
I mean, really, my rot13 script's nearly 20 years old and I'll bet I use it less than once a year these days...
% ls -l bin/script/rot13
-rwx------ 1 jgreco user 64 Nov 11 1991 bin/script/rot13*
%
Re:Great Plains (Score:1, Interesting)
GP has encryption? Well that beats SL (Solomon), where social security numbers are stored in cleartext.
In fact I'm pretty sure the "recommended" Windows authentication method (vs. the Master60SP method) gives basic users full read/write access to the database by default.
Re:Most ERP systems do not have the data encrypted (Score:1, Interesting)
Re:obligatory (Score:5, Interesting)
"You need to use the vocative case there, not the nominative."
i.e. "Brute." (pronounced "Brut-AY")
Getting back to the main story, let me add "Doh!" That's a major back door. And Microsoft, wanting to be our gatekeepers in so many ways and even with this big security initiative they've been trying to get everyone to believe they are on, is just sort of sloughing it off with their usual sheepish "Well, it's not likely to actually happen." nonsense.
Re:Full Article (Score:5, Interesting)
Re:Most ERP systems do not have the data encrypted (Score:3, Interesting)
To be honest, it sounds like neither anonymous nor you have dealt with ERP systems at a database level. I'll give you a brief overview of why none of that works. First, there are six companies in my database and they do over 100 million in transactions every year. That database is 60,000 tables and there are only six users of the system. The database is only accessible from an accounting or management VLAN for obvious reasons. Going through and figuring out tens of thousands of tables, triggers, procedures, and functions and granting permissions accordingly is just not going to happen.
I have yet to find an ERP setup that was in my mind sensible. They evolved from flat files and basically just use the database as a filesystem rather than employing the majority of functionality found in most RDBMS. In my current case it's even worse as you can't enable multi-master replication of the data since the application does column position math. That means if you add any column for a GUID then the app will break. Fortunately MS developed mirroring which solved a critical high-availability dilemma for me. Now I have two live servers and do an encrypted backup every night. ERP systems are a pain in the ass!
MS isn't at fault for this BS setup, Navision and GP were both terrible even before MS bought them and there is a lot of work to do still before they start behaving like most Microsoft server apps.
Re:obligatory (Score:1, Interesting)
And in any case, the sentence, as taught in Latin courses, is "tu quoque fili". However, we have some reasons to believe that if Caesar even uttered anything like that, it was rather something like "kai su teknon". Educated Roman people of the time spoke Greek in private. Some traces of Greek can even be found in Cicero's Latin writings (e.g. "lectica octophoro").
Re:Full Article (Score:3, Interesting)
Ok, What the FUCK. I was going to say this wasn't even a story and that the poster had no clue on .NET, then I read THIS:
http://blogs.msdn.com/developingfordynamicsgp/archive/2008/10/02/why-does-microsoft-dynamics-gp-encrypt-passwords.aspx [msdn.com]
THIS is your argument? What version it is? All you're talking about is application security.
Look, the poster isn't the greatest .NET programmer out there (plenty of built-in stuff for encryption in .NET), but come on. A two-byte substitution cipher? All you have to do is put down a packet analyzer, have the application "retrieve" the system password and there you go. It's just kept in the freaking tables and I doubt businesses use SSL on their LAN.
But that's not the biggest pet peeve. WHY AREN'T YOU USING AD? You know, the 20+ years of authentication system that just works?
I sound angry because on one hand I like how you can program your own authentication provider in IIS and start to warm up to Microsoft, but then I read something like this where you don't even bother to use the BUILT-IN string encryption in .NET.
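An added worked example, not from the original post, from Slashdot or from Microsoft: the rot13 comment above and the "two-byte substitution cipher" comment both rest on the same point, that a fixed substitution table is the entire key, so one attacker-controlled plaintext (an account whose password you set yourself) recovers it. The cipher below is a constructed toy byte-substitution table standing in for "any fixed substitution"; it is NOT Dynamics GP's actual algorithm, which the thread does not document, and the user names, passwords and seed are made up.

```python
import codecs
import random

# Constructed example. The toy table below stands in for "any fixed
# substitution"; it is NOT Dynamics GP's real scheme. All names/passwords
# are invented for illustration.

def make_table(seed: int) -> bytes:
    """A fixed 256-entry permutation of byte values: this table IS the key."""
    rng = random.Random(seed)
    table = list(range(256))
    rng.shuffle(table)
    return bytes(table)

def substitute(data: bytes, table: bytes) -> bytes:
    """'Encrypt' by mapping each byte through the table; the same function
    decrypts when given the inverse table."""
    return bytes(table[b] for b in data)

def invert(table: bytes) -> bytes:
    """Inverse permutation: cipher byte -> plain byte."""
    inv = bytearray(256)
    for plain, cipher in enumerate(table):
        inv[cipher] = plain
    return bytes(inv)

def rot13(text: str) -> str:
    """The same idea over letters only: a 26-entry table that is its own inverse."""
    return codecs.encode(text, "rot13")

# ---- attacker side --------------------------------------------------------

def recover_from_known_pair(plain: bytes, cipher: bytes) -> dict:
    """Known-plaintext attack: one (plaintext, ciphertext) pair gives the
    mapping for every byte value that occurs in it. A substitution leaks
    byte-for-byte, with no key schedule or IV to get in the way."""
    if len(plain) != len(cipher):
        raise ValueError("a substitution preserves length; this is not one")
    mapping = {}
    for p, c in zip(plain, cipher):
        if mapping.setdefault(c, p) != p:
            raise ValueError("one ciphertext byte maps to two plaintexts")
    return mapping

def recover_full_table(encrypt_oracle) -> bytes:
    """Chosen-plaintext attack: submit all 256 byte values once (e.g. as a
    password you are allowed to set) and the stored result is the whole key."""
    return encrypt_oracle(bytes(range(256)))

def decrypt_with(mapping: dict, cipher: bytes) -> str:
    """Decrypt with recovered cipher->plain pairs; unknown bytes become '?'."""
    return "".join(chr(mapping[c]) if c in mapping else "?" for c in cipher)

def demo() -> dict:
    """Constructed scenario: the attacker has one low-privilege account whose
    password they chose, can SELECT the column of 'encrypted' values, and
    wants the high-privilege password stored in the same column."""
    table = make_table(seed=2008)
    stored = {                                   # what the DB column holds
        "system": substitute(b"Sup3rSecretSystemPw!", table),
        "lowpriv": substitute(b"attackerchosen", table),
    }
    # 1. Known plaintext: the attacker's own password gives a partial table.
    partial = recover_from_known_pair(b"attackerchosen", stored["lowpriv"])
    partial_guess = decrypt_with(partial, stored["system"])
    # 2. Chosen plaintext: a probe covering every byte yields the full table.
    inverse = invert(recover_full_table(lambda p: substitute(p, table)))
    full = substitute(stored["system"], inverse).decode()
    return {
        "partial": partial_guess,
        "full": full,
        "rot13_roundtrip": rot13(rot13("Et tu, Brute?")),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Step 1 alone already exposes every character of the system password that also appears in the attacker's own password; step 2 needs no cryptanalysis at all, because the "encryption" of the probe is literally the key. Neither step depends on how the table was generated, which is why the choice between rot13, a random 256-byte permutation, or a "two-byte" variant changes nothing about the outcome.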
Re:Microsoft engineers (Score:2, Interesting)
This is actually NOT a piece of Microsoft software.
Microsoft Dynamics is what used to be known as "Navision Financials", and before that "Fjölnir". It's a piece of extremely crappy software written in Denmark and is based on a Pascal engine where everything is loosely glued together.
Fjölnir was I think the first financial system Denmark exported. Much to the horror of a neighbour country - Iceland, where Fjölnir became mainstream on HPUX and DOS.
http://www.snerta.is/images/stories/products/fjolnir.gif [snerta.is]
Navision (the Windows version) was not a rewrite or redesign of Fjölnir as much as it was placing an abhorrent GUI on top of a ghastly DOS program.
Microsoft however got interested when they realised that all of the nordic countries were using Navision.
So in effect, I think this vulnerability may be traced all the way back to Fjölnir in the mid-90s, and as such, blame the security on a sixpack of Carlsberg and one lazy Dane who didn't take security classes at school...
I mean... really... Caesar cipher ?
Can I laugh out loud now ?
Oh... I know how to spell i-d-1-0-t. Wonder if the original authors do...