RE: [U2] Uniobjects hack

2005-06-01 Thread Bjorn Behr
SNIP It's funny. D3 has the capability to assign a macro to any user who gets to tcl (or the debug prompt). Often this macro is either a login (again) or a logoff. Works great. U2 doesn't seem to have addressed this issue because their client base has never required it. Hopefully, now they

RE: [U2] Uniobjects hack

2005-06-01 Thread John Jenkins
ON.ERROR ON.ABORT (and remote verbs) JayJay snip It's funny. D3 has the capability to assign a macro to any user who gets to tcl (or the debug prompt). Often this macro is either a login (again) or a logoff. Works great. U2 doesn't seem to have addressed this issue because their client base

RE: [U2] Uniobjects hack (diverging into Outages I have known and loved)

2005-06-01 Thread John Jenkins
Frost, Bodo wrote (01 June 2005 04:45): JayJay, This combination just misses Level -1 (Minus One, or DefCon Dark Red): Pull the plug... :-D Cheers BJ

RE: [U2] Uniobjects hack

2005-06-01 Thread Piers Angliss
open with a sign telling people not to go in. Piers. John Jenkins wrote (31 May 2005 23:42): So what does this combination miss?

RE: [U2] Uniobjects hack

2005-06-01 Thread Bill Haskett
this information will always help. Thanks. :-) Bill. John Jenkins wrote (Wednesday, June 01, 2005 1:01 AM): ON.ERROR ON.ABORT (and remote

RE: [U2] Uniobjects hack

2005-05-31 Thread Piers Angliss
a hugely inviting route to hack the database, it needs better server-side authentication. Piers. John Jenkins wrote (30 May 2005 01:56): Other

RE: [U2] Uniobjects hack

2005-05-31 Thread Les Hewkin
in theory of what might happen? Les. Piers Angliss wrote (31 May 2005 10:07): JayJay, Reading between the lines I think you're saying a firewall could be a good idea. I'm

RE: [U2] Uniobjects hack

2005-05-31 Thread Piers Angliss
Quoted from an earlier message (11:09): I have been following this thread with great interest. The issue seems to be that if someone has Excel, UniObjects and knows how U2 works that they can gain access to the data. Where are these people? Are they working

RE: [U2] Uniobjects hack

2005-05-31 Thread David Jordan
Piers Angliss wrote (Tuesday, 31 May 2005 9:35 PM): I agree it's unlikely, but it's something that needs to be considered. I can't remember whether your branches

Re: [U2] Uniobjects hack

2005-05-31 Thread Ian Renfrew
Quoted from an earlier message (Tuesday, May 31, 2005 6:09 AM): I have been following this thread with great interest. The issue seems to be that if someone has Excel, UniObjects and knows how U2 works that they can gain access to the data. Where are these people? Are they working

RE: [U2] Uniobjects hack Solution

2005-05-31 Thread David Jordan
An alternative method is looking at Single Sign On technologies. Single sign on technology would enable you to hide the username and password to UniVerse either through telnet, uniobjects or ODBC, and all the user would know is the single logon, which may be tied to Windows. Thus if someone tries

RE: [U2] Uniobjects hack

2005-05-31 Thread Les Hewkin
Quoted from an earlier reply: Even scarier, if a person has telnet (almost definitely, since it's an OS-supported application), a valid user id, password and knows how U2 works then they may be able to access data. No need to install UniObjects or purchase Excel. Depending

Re: [U2] Uniobjects hack

2005-05-31 Thread Don Kibbey
Bingo! Ian. If your users are good enough to hack together an application out of notepad, excel and uniobjects, then you've hired the wrong guy for that sales / counter job. Move him/her into the development group. Be careful of over protecting your systems to the point they become more

RE: [U2] Uniobjects hack

2005-05-31 Thread David Jordan
to auditors when these questions are broached. Regards David Jordan. Don Kibbey wrote (Tuesday, 31 May 2005 11:36 PM): Bingo! Ian. If your users

RE: [U2] Uniobjects hack

2005-05-31 Thread Ed Clark
because of security by obscurity. So it does happen. Les Hewkin wrote (Tuesday, May 31, 2005 8:29 AM): Can we have a quick show of hands of those who

RE: **POSSIBLE SPAM**::RE: [U2] Uniobjects hack

2005-05-31 Thread Stevenson, Charles
Les Hewkin wrote: Can we have a quick show of hands of those who have had their U2 system hacked? I was accused of it once by a system administrator because I pointed out the security hole that I was then accused of wriggling through. This was the same system administrator who once ended up as

RE: [U2] Uniobjects hack

2005-05-31 Thread Piers Angliss
Les Hewkin wrote (31 May 2005 14:29): Can we have a quick show of hands of those who have had their U2 system hacked? I am not saying that it's not an issue, I am just curious. I do not know of it happening

Re: [U2] Uniobjects hack

2005-05-31 Thread Key Ally
Les, All the hacking I've seen has come through the front door - it has always been authorized people using the system in the way in which they were authorized. I've had senior executives who have sabotaged their own systems. - Chuck Les Hewkin wrote: Can we have a quick show of

RE: [U2] Uniobjects hack

2005-05-31 Thread Lettau, Jeff
needed to be fixed but nothing major. Jeffrey Lettau, ERP Systems Manager, polkaudio. Les Hewkin wrote (Tuesday, May 31, 2005 9:29 AM): Can we

RE: [U2] Uniobjects hack

2005-05-31 Thread John Jenkins
So what does this combination miss? Level 1 --- 1. Use a firewall with a DMZ and reverse lookup so only designated client PCs can access specific systems (and audit) 2. Use Public Key based application level authentication between VALID client applications and the server to permit valid

Re: [U2] Uniobjects hack

2005-05-31 Thread John Kent
enough to think they can get the information they require by doing it themselves, without going through the official menus. jak. Replying to Les Hewkin (Tuesday, May 31, 2005 7:39 PM).

RE: [U2] Uniobjects hack

2005-05-31 Thread David Jordan
. Should discourage the casual player. Regards David Jordan. John Kent wrote (Wednesday, 1 June 2005 8:43 AM): Les, this is a situation I have

RE: [U2] Uniobjects hack

2005-05-29 Thread John Jenkins
Of course you could just stop anyone loading or using any development tools unless they are authorised to do so. Making it a sackable offence usually works (I think that's a pink sheet for those on the western side of the Pond). Otherwise set the firewall to only accept connections on the

RE: [U2] Uniobjects hack

2005-05-29 Thread Stuart . Boydell
Did you mean to say carhacked? Mind you, having a finger dangling from your key-ring instead of a rabbit's foot would sure be a tip-off at key-parties. S. Quoted: What about the thieves who carjacked a Merc? Because it was biometrically started, they chopped off the driver's finger so they

Re: [U2] Uniobjects hack]

2005-05-28 Thread Steve Johnson
According to the IBM website, UOLOGIN must be a globally cataloged subroutine with two arguments. First argument is a return value. If set to zero, login is rejected and error code 80011 is returned. Second argument is input to the subroutine and contains the application name. Example:

Re: [U2] Uniobjects hack]

2005-05-28 Thread Ian Renfrew
Quoted from the earlier message (Saturday, May 28, 2005 3:27 AM): According to the IBM website, UOLOGIN must be a globally cataloged subroutine with two arguments. First argument is a return value. If set to zero, login is rejected and error code 80011 is returned. Second argument is input

RE: [U2] Uniobjects hack

2005-05-27 Thread David Jordan
You might want to look at the article in the U2UG newsletter on security. http://u2ug.org/docs/20040919_U2UG_Newsletter.pdf that deals with this issue. With UniVerse a program can have higher access rights than the user. If a user gets to tcl they may not have access rights to update, enquire

RE: [U2] Uniobjects hack

2005-05-27 Thread Marc Harbeson
John Kent wrote (Friday, May 27, 2005 2:03 AM): Steve, thanks for that. jak. Steve Johnson wrote (Friday

Re: [U2] Uniobjects hack

2005-05-27 Thread robwills_u2list
The ability to bypass application security using UniObjects has really got me thinking. In the absence of any suitable remedies and perhaps as a stop gap solution whilst a better solution is written, I would recommend the following: 1. As Martin said, make sure that you do not let UniObjects

Re: [U2] Uniobjects hack

2005-05-27 Thread Martin Phillips
How about using file level security, and common area in your subroutines. The problem remains that a user who can validly use the application must have access to these files and hence can open them and tinker in his own VB program. It all comes down to the fact that UV/Udt cannot tell the

RE: [U2] Uniobjects hack

2005-05-27 Thread David Jordan
The same issue applies for SQL access to UniVerse as it does for UniObjects. It is a problem for RDBMS. They get around it by restricting access and only allowing updates through Stored Procedures, which can have a different access level. UniVerse can do the same thing. Regards David Jordan

RE: [U2] Uniobjects hack

2005-05-27 Thread Glen B
Quoted from an earlier message (Friday, May 27, 2005 10:56 AM): The ability to bypass application security using UniObjects has really got me

Re: [U2] Uniobjects hack {Unclassified}

2005-05-27 Thread Anthony W. Youngman
HENDERSON MIKE, MR writes: Things will get better? No, things will get much, MUCH worse! When someone finds out my password, then to repair the security breach, I have to change my password. When someone finds out the magic number which is the

RE: [U2] Uniobjects hack

2005-05-27 Thread Bill Haskett
. :-) Bill. Richard Taylor wrote (Friday, May 27, 2005 8:09 AM): [snipped] 2) Convert the account to an SQL schema. You can then attach file level

Re: [U2] Uniobjects hack

2005-05-27 Thread Key Ally
All, The BetterBetter committee (got an idea for an improvement or fix? email [EMAIL PROTECTED]) has been listening in and kicking this around. Here's what we've come up with so far: UniData *has* a UOlogin functionality which will allow you to vet the user and decide if they can

RE: [U2] Uniobjects hack

2005-05-27 Thread Richard Taylor
Richard Taylor wrote (Friday, May 27, 2005 8:09 AM): [snipped] 2) Convert the account to an SQL schema. You can then attach file level security via the SQL user. Just remember to create a security

Re: [U2] Uniobjects hack

2005-05-27 Thread Martin Phillips
UniData *has* a UOlogin functionality which will allow you to vet the user and decide if they can connect as a UO connection. You could build most of what you want in there. We haven't tested it on UniVerse, but I have the PE and UO set up, so if no one gets to it by Monday, I'll test it

Re: [U2] Uniobjects hack

2005-05-27 Thread Key Ally
Martin, Not true. Using UOlogin, I could run a filter and only allow a subset of the valid user list access. That would stop people from using telnet ids as UO ids. If you expand this to lock out some accounts to ALL UO logins, you can draw a box around the UO user. Now, if you said

RE: [U2] Uniobjects hack

2005-05-27 Thread James Canale, Jr.
I have looked at all of the documentation that I have and can't find ANY reference to UOLOGIN, UOlogin, ... Is this documented anywhere? I tried to create a simple PROC (UniData 6.1PE) and it doesn't execute on login. The interesting thing is that if I create and direct catalog a program

RE: [U2] Uniobjects hack

2005-05-27 Thread James Canale, Jr.
Chuck, Thanks! Regards, Jim. Key Ally wrote (Friday, May 27, 2005 7:08 PM): James, Here's a link on the IBM site. http

RE: [U2] Uniobjects hack

2005-05-27 Thread Ken Wallis
because I'm a consultant not a VAR/End User is frustrating! :-( Cheers, Ken. Key Ally wrote (Saturday, 28 May 2005 9:08 AM): James, Here's

RE: [U2] Uniobjects hack

2005-05-27 Thread Dave S
is frustrating! :-( Cheers, Ken. Key Ally wrote (Saturday, 28 May 2005 9:08 AM): James, Here's a link on the IBM site.

RE: [U2] Uniobjects hack

2005-05-26 Thread colin.alfke
The most secure way would be to turn off the service. :) Of course, there are a couple of different ways a determined, advanced user could use to get access. Colin Alfke, Calgary, Canada. John Kent wrote: Does anyone have any suggestions on how to contain an advanced

Re: [U2] Uniobjects hack

2005-05-26 Thread Don Kibbey
Twiddle the PAM config file if you're on unix so that services don't go through the user login process. Send them off to something else... I don't know of any way to keep them out of a Windows system though.

RE: [U2] Uniobjects hack

2005-05-26 Thread David Wolverton
Don Kibbey wrote (Thursday, May 26, 2005 8:36 AM): Twiddle the PAM config file if you're on unix so that services don't go through the user login process. Send them off to something else... I don't

Re: [U2] Uniobjects hack

2005-05-26 Thread Martin Phillips
This is a hole in the Uniobjects security. A user who has a valid username and password to access a Uniobjects application can write his own VB program to do almost anything; modify files, write VOC entries, upload, compile and run programs. Using o/s security is fine but the user will have

RE: [U2] Uniobjects hack

2005-05-26 Thread Tony Gravagno
Well, let's not put this all on UO. Almost all of the connectivity tools in our market were written without any thought of security. It's generally assumed that if you have a valid password to the system that you are authorized to use whatever means available to get in. What I don't like is

RE: [U2] Uniobjects hack

2005-05-26 Thread gerry-u2ug
Tony Gravagno wrote (Thursday, May 26, 2005 02:14 PM): Well, let's not put this all on UO. Almost all of the connectivity tools in our market were written without any thought of security. It's generally assumed that if you have

RE: [U2] Uniobjects hack

2005-05-26 Thread Brian Leach
Just because this is a wider problem doesn't mean that UO shouldn't be called on it. So how would you go about it? UO is a tool for developers. As such, its strength is that it is able to do anything a developer needs it to do. It is clean client/server middleware and so it can't launch a

Re: [U2] Uniobjects hack

2005-05-26 Thread Martin Phillips
So how can it tell the difference between a legitimate connection from a controlled application, and an illegitimate connection from e.g. a piece of VBScript hacked into notepad? The easy answer is that it cannot. We had to think very hard about this when we designed the equivalent of

Re: [U2] Uniobjects hack

2005-05-26 Thread fft2001
Quoted from an earlier message (Thu, 26 May 2005 11:13:48 -0700): Well, let's not put this all on UO. Almost all of the connectivity tools in our market were written without any thought of security. It's generally assumed that if you have a valid

RE: [U2] Uniobjects hack

2005-05-26 Thread Tony Gravagno
To answer both questions about unauthorized client access and then about encryption: Brian wrote: The only way is to add a new security layer to the server. I think the way to do this on the client side (wherever the UO DLL is kept and a connection initiated) is to have a separate DLL which

RE: [U2] Uniobjects hack {Unclassified}

2005-05-26 Thread HENDERSON MIKE, MR
Tony Gravagno wrote (Friday, 27 May 2005 12:15): [snip] Gerry wrote: If you're not worried about every shmoe with a password

Re: [U2] Uniobjects hack

2005-05-26 Thread Steve Johnson
How about running a monitor program constantly in the background. It monitors all new logins to U2. The new login process must send a sleeping pill to the monitor within a short time after login -- short being relative to your system performance. If the monitor doesn't receive this sleeping pill