There were a few times that I've seen people exploit the fact that they
knew how to cause the program to error out to get them to the prompt
level.  Then it was open season for them since we were just working off
menu-based security.
They were just trying to be more efficient in how they worked.  Using
the program took too long.  It was faster just to edit the records, was
the reasoning.
They couldn't get to the payroll account but they could have if they
knew how to make a pointer to the files in that account.  Things could
have been worse.  A few bills of materials and some pricing needed to be
fixed but nothing major.


Jeffrey Lettau
ERP Systems Manager
polkaudio

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Les Hewkin
Sent: Tuesday, May 31, 2005 9:29 AM
To: [email protected]
Subject: RE: [U2] Uniobjects hack

Can we have a quick show of hands of those who have had their U2 system
hacked?

I am not saying that it's not an issue, I am just curious. I do not know
of it happening.

Les

-----Original Message-----
From: Ian Renfrew [mailto:[EMAIL PROTECTED]
Sent: 31 May 2005 13:33
To: [email protected]
Subject: Re: [U2] Uniobjects hack


Even scarier, if a person has telnet (almost definitely, since it's an
OS-supported application), a valid user id, password and knows how U2
works, then they may be able to access data. No need to install
UniObjects or purchase Excel.

Depending on the version of UniData or network access, the user may be
able to go as far as utilizing Windows Explorer to access / view UniData
data. The user could use a file browser to view report information
contained within the HOLD (_PH_ / &PH&) file.

... Ian

----- Original Message ----- 
From: "Les Hewkin" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, May 31, 2005 6:09 AM
Subject: RE: [U2] Uniobjects hack


>I have been following this thread with great interest. The issue seems to
>be that if someone has Excel, UniObjects and knows how U2 works that they
>can gain access to the data.
>
> Where are these people? Are they working for the IT department?
>
> Is this a real life scenario? or an exercise in theory of what might 
> happen?
>
> Les
> -----Original Message-----
> From: Piers Angliss [mailto:[EMAIL PROTECTED]
> Sent: 31 May 2005 10:07
> To: [email protected]
> Subject: RE: [U2] Uniobjects hack
>
>
> JayJay,
>
> Reading between the lines I think you're saying a firewall could be a good
> idea....
>
> I'm not sure that the other methods will work though. As I understand the
> problem, it is that you can have a secure VB App using UniObjects on a
> secure PC but if I have access to Excel on that PC, together with a valid
> server login id and password (with update rights) and basic knowledge of
> the directory structure on the server then techniques 2, 5, 6 & 7 won't
> trouble me at all. Ok, I need to understand UniObjects and U2.
>
> I'm not even sure that a firewall would help because the PC I'm trying to
> hack the database from has a valid IP address to run the VB App
>
> As somebody looking to implement UniObjects alongside traditional
> server-based applications that's a big hole. I can plug it by taking David
> Jordan's advice and using AUTHORIZE, but that's a lot of work for me at
> this stage.
>
> It sounds like UOLOGIN is a step in the right direction, but it is only
> available on UniData and if Ian's experience is any guide may have some
> "implementation issues".
>
> I've been impressed with how easy it is to use UniObjects, I'm less
> impressed now. The functionality is great but in too many cases it's just
> a hugely inviting route to hack the database, it needs better server-side
> authentication
>
> Piers
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of John Jenkins
> Sent: 30 May 2005 01:56
> To: [email protected]
> Subject: RE: [U2] Uniobjects hack
>
>
> Other techniques posted on the group will work as well - but to list a
> few:
>
> 1. firewall with nominated IP address interconnectivity ONLY
> 2. Restricted accounts with purged VOCs
> 3. O.S level permissions (or Tivoli Access Manager)
> 4. Triggers
> 5. Account level controls (remote verbs etc)
> 6. UO application-level authentication (suggest public key and
>    one-time-pad for the serious - stops network sniffing)
> 7. Restrict access to Windows client PCs - stop anyone from doing anything
>    untoward as they don't have permission to load or use that sort of
>    software.
> 8. firewall
> 9. firewall
> -------
> u2-users mailing list
> [email protected]
> To unsubscribe please visit http://listserver.u2ug.org/