Pointer Corporation

The Information Technology Architects

Project Management and Database Solutions ...
From the Desktop to the World

How Secure is "Secure?"- Part 1

I was recently working on a database debugging task for a client in a remote location and the only direction I was given was to find out what's wrong with that database application.

Actually, I'm fine with the ambiguity of the direction; I don't always get a clear-cut definition of the problem first time around (mainly because the client may not know how to ask for help, and I'm quite fine with helping them define the problem).  But that's not why I'm writing these notes.

The main reason is that in the process of defining the problem and finding a solution, I ran into something interesting which I'd like to share with my readers.  Here's what happened:

1. They told me about a problem with application X.

2. I asked them where on the network it was and they were able to find that out, using the shortcut properties;  So far so good!

3. Next, I tried to connect myself to the application, but I didn't have access authority to that particular server;  That's not uncommon either, so I went through the network data security process and got access to the server.

4. The I looked for the application and found an EXE which looked like the one I needed;  I double clicked on it and got a login screen.  I called the client, trying to ask for a valid ID and password, but the client was gone for the day (so I left a message and waited for a callback).

5. Then I thought that while I'm waiting for an ID and password, let's see if I can figure it out myself, so here's what I did next:

  • I found out which database was behind the application; it was right there under the main application folder.
  • I opened the database.
  • Then I looked for a table named "passwords" or "security" or "users" or something like that;  and there it was the "users" table!
  • I opened the "users" table and found all the IDs and passwords, but the passwords were encrypted.
  • So I said to myself: "See if you can add a record to the users table and enter any ID and password."  To my amazement, I was able to do so: I added a record with ID=BEN and NO PASSWORD at all.  I then opened the application one more time and on the login screen, simply entered BEN and no password and clicked OK.  I then got full access to the entire application.

Wow!

Ben Aminnia, president of Pointer Corporation is a database architect with over 20 years of experience.  He's also the president of Los Angeles SQL Server Professionals Group www.sql.la and a board member of Los Angeles .NET Developers Group www.ladotnet.org.     

 

Copyright © 2008 Pointer Corporation