In 15 years with my last job, I know of 3 times when bored users found their way into parts of the system that should not have been accessable, but were left open through a philosophy of security by obscurity on the part of the developer. In 2 of those cases the user reported the problem, and in the third, significant damage was done (by accident, on the part of a user who had gotten their hands on a manual and was trying to select vustomers by install date, but instead ran an install program). I also know of 2 attempts by disgruntled former employees to do damage, one successful, again because of security by obscurity. So it does happen.
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Les Hewkin Sent: Tuesday, May 31, 2005 8:29 AM To: [email protected] Subject: RE: [U2] Uniobjects hack Can we have a quick show of hands of those who have had there U2 system hacked? I am not saying that it's not an issue, I am just curious. I do not know of it happening. Les -----Original Message----- From: Ian Renfrew [mailto:[EMAIL PROTECTED] Sent: 31 May 2005 13:33 To: [email protected] Subject: Re: [U2] Uniobjects hack Even scarrier, if a person has telnet (almost definitely since its a OS supported application), a valid user id, password and knows how U2 works then they may be able to access data. No need to install UniObjects or purchase Excel. Depending on the version of UniData or network access, the user may be able to go as far as utilizing Windows Explorer to access / view UniData data. The user could use a file browser to view report information contained within the HOLD (_PH_ / &PH&) file. ... Ian ----- Original Message ----- From: "Les Hewkin" <[EMAIL PROTECTED]> To: <[email protected]> Sent: Tuesday, May 31, 2005 6:09 AM Subject: RE: [U2] Uniobjects hack >I have been following this thread with great intrest. The issues seems to >be that if someone has Excel, UniObjects and knows how U2 works that they >can gain access to the data. > > Where are these people? Are they working for the IT department? > > Is this a real life scenario? or an exercise in theory of what might > happen? > > Les > -----Original Message----- > From: Piers Angliss [mailto:[EMAIL PROTECTED] > Sent: 31 May 2005 10:07 > To: [email protected] > Subject: RE: [U2] Uniobjects hack > > > JayJay, > > Reading between the lines I think you're saying a firewall could be a good > idea.... > > I'm not sure that the other methods will work though. As I understand the > problem, it is that you can have a secure VB App using UniObjects on a > secure PC but if I have access to Excel on that PC, together with a valid > server login id and password (with update rights) and basic knowledge of > the > directory structure on the server then techniques 2, 5, 6 & 7 won't > trouble > me at all. Ok, I need to understand UniObjects and U2. > > I'm not even sure that a firewall would help because the PC I'm trying to > hack the database from has a valid IP address to run the VB App > > As somebody looking to implement UniObjects alongside traditional > server-based applications that's a big hole. I can plug it by taking David > Jordan's advice and using AUTHORIZE, but that's a lot of work for me at > this > stage. > > It sounds like UOLOGIN is a step in the right direction, but it is only > available on UniData and if Ian's experience is any guide may have some > "implementation issues". > > I've been impressed with how easy it is to use UniObjects, I'm less > impressed now. The functionality is great but in too many cases it's just > a > hugely inviting route to hack the database, it needs better server-side > authentication > > Piers > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] Behalf Of John Jenkins > Sent: 30 May 2005 01:56 > To: [email protected] > Subject: RE: [U2] Uniobjects hack > > > Other techniques posted on the group will work as well - but to list a > few: > > 1. firewall with nominated IP address interconnectivity ONLY > 2. Restricted accounts with purged VOCs > 3. O.S level permissions (or Tivoli Access Manager) > 4. Triggers > 5. Account level controls (remote verbs etc) > 6. UO application-level authentication (suggest public key and > one-time-pad > for the serious - stops network sniffing) > 7. Restrict access to Windows client PCs - stop anyone from doing anything > untoward as they don't have permission to load or use that sort of > software. > 8. firewall > 9. firewall > ------- > u2-users mailing list > [email protected] > To unsubscribe please visit http://listserver.u2ug.org/ > > This message has been comprehensively scanned for viruses, > please visit http://virus.e2e-filter.com/ for details. > > This e-mail and any attachments are confidential and intended solely for > the use of the addressee only. If you have received this message in error, > you must not copy, distribute or disclose the contents; please notify the > sender immediately and delete the message. > This message is attributed to the sender and may not necessarily reflect > the view of Travis Perkins plc or its subsidiaries (Travis Perkins). > Agreements binding Travis Perkins may not be concluded by means of e-mail > communication. > E-mail transmissions are not secure and Travis Perkins accepts no > responsibility for changes made to this message after it was sent. Whilst > steps have been taken to ensure that this message is virus free, Travis > Perkins accepts no liability for infection and recommends that you scan > this e-mail and any attachments. > Part of Travis Perkins plc. Registered Office: Lodge Way House, Lodge Way, > Harlestone Road, Northampton, NN5 7UG. > ------- > u2-users mailing list > [email protected] > To unsubscribe please visit http://listserver.u2ug.org/ ------- u2-users mailing list [email protected] To unsubscribe please visit http://listserver.u2ug.org/ This message has been comprehensively scanned for viruses, please visit http://virus.e2e-filter.com/ for details. ------- u2-users mailing list [email protected] To unsubscribe please visit http://listserver.u2ug.org/ ------- u2-users mailing list [email protected] To unsubscribe please visit http://listserver.u2ug.org/
