EFCoins
post Jun 6 2007, 05:44 AM
Post#1


VIP Emeritus
Posts: 2,421
Joined: 6-May 02
From: UK


This is an updated version of my earlier FAQ, incorporating newly discovered weaknesses of MDE files. I do not want to publicise Access hacking tools, but I can no longer watch as people deploy applications believing them to be secure when they are not.
The built-in Access security provides very little protection.
http://www.lostpassword.com/access.htm
sells a tool for $45 which can reveal user and database passwords in a few seconds, after which your db is completely exposed. It also sells tools for revealing Windows administrator passwords, so an OS-based security system will not work either.
dmtelf posted a link to
http://accesstools.narod.ru/
which has a password revealer for free (Access 2000 and 97).
I have tested this tool and it works.
Many people appear to believe that these password revealers are new; they are not. I have known of lostpassword.com for many years, and narod.ru does not have an Access 2002 version, which suggests that the hacker who made it lost interest many years ago.
So how can a db be secured? That depends upon what you are trying to protect and how secure you need it to be, but my thoughts are below.
VBA Code
Your original VBA can be recovered in a few seconds with the right tools. I have tested this and posted the results:
http://www.utteraccess.com/forums/showflat...1418890&Zp=
A tool which helps protect against this is available:
http://www.everythingaccess.com/mdeprotector.htm
I have not used it, but I am confident that it works as described.
Forms and Reports Design
If someone can use your db then they can see the Form / Report layout, so there is nothing worth protecting.
Queries
Put SQL into the VBA instead of using stored queries. Queries help someone understand your table design and relationships, so they are important.
Table design
Tricky. You can use Speed Ferret or
http://www.rickworld.com/products.html
to give everything meaningless names, which makes an attacker's job harder, but other than that I cannot help. (Hiding tables can easily be overcome.)
Table Data
The data within a table can be encrypted; I use Polar CryptoLight (see below for a quick explanation).
Normally encrypting just a few fields within a table is sufficient, and faster than encrypting everything.
Part of an Application
Sometimes you want to have several levels of user.
Create a form in which passwords can be entered; then, when a restricted feature is requested, pop up an enter-password form. Passwords themselves can be safely stored in a table as long as the table is encrypted. This allows everyone to have their own password(s) and to change them when they want to.
I support three passwords: one for reading data in the db (optional), another for adding/editing data (optional) and a third for sending emails (compulsory). Each organisation decides which passwords they want to use.
The Whole of an Application – Making the User Pay
(All encryption is done with Polar CryptoLight see below)
This is a bit more involved, but what I do is this.
I distribute the application for free, limiting the number of records in the main table to 1000 and disabling all delete buttons. If someone wants to remove these restrictions then they have to pay as follows.
They enter their name and address on a form, then press a Buy button. This encrypts their details and sends them to my web site, where they enter a credit card number. Once the credit card company has verified everything, the web site encrypts their details using a second encryption key and sends them back to the db. The db verifies the response from the web site and thus knows that it has been paid for, and works without restriction.
My db generates emails (encrypted) and includes the name and address used above to identify the sender. Hence if someone allows a friend to copy their paid-for software, the friend will then be able to send emails and buy things using the identity of the original purchaser. This deters people from making illegal copies of my application, but may not be applicable to your application. When someone changes address they have to make a small payment and the above process is repeated.
Polar CryptoLight
http://www.polarsoftware.com/products/cryptolight/index.asp
This is an ActiveX control which can be distributed with an application, and is now free.
It implements the AES encryption algorithm. AES is used by banks for transactions up to $10 million, so if someone manages to break it they will probably transfer $10 million to a bank account of their choice rather than attack your database.
This post is "as is" with no warranty of any sort. I am not a security expert, and the above does not represent the opinion of my company or that of UtterAccess.
As it is not possible to reply to FAQs, I have opened a post which can be used to comment on the above:
http://www.utteraccess.com/forums/showflat...;o=&fpart=1
Mark
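The buy/activate exchange described in "The Whole of an Application" above, worked through as an added Python example. This is not the post's own VBA or Polar CryptoLight code: where the post AES-encrypts the request and the reply, this example uses keyed HMAC-SHA256 tags, because the property the db actually relies on at step 3 is that the reply was produced by the web site and has not been altered, which a MAC demonstrates directly. The two keys, the purchaser details and the `licence` field are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo keys (assumption; the post does not publish its keys).
# KEY_A travels inside the shipped application and is known to the web site;
# KEY_B is the post's "second encryption key", used by the site for its reply.
KEY_A = b"demo-key-A-shipped-inside-the-application"
KEY_B = b"demo-key-B-used-by-the-web-site-reply"
TAG_LEN = 32  # length of an HMAC-SHA256 tag in bytes


def seal(key, fields):
    """Serialise fields deterministically and append an HMAC tag under key."""
    body = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def open_sealed(key, token):
    """Return the fields inside token, or None if it is malformed or the tag fails."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (ValueError, TypeError):
        return None
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


# Step 1: the application seals the purchaser's name and address for the web site.
def client_buy_request(name, address):
    return seal(KEY_A, {"name": name, "address": address})


# Step 2: the web site checks that the request came from a copy of the
# application, takes payment (card_approved stands in for the card company's
# answer), and returns the details sealed under the second key.
def site_activation_reply(request, card_approved):
    details = open_sealed(KEY_A, request)
    if details is None:
        raise ValueError("request was not produced by the application")
    if not card_approved:
        raise ValueError("payment was not verified")
    return seal(KEY_B, {"name": details["name"],
                        "address": details["address"],
                        "licence": "full"})


# Step 3: the application verifies the reply. The identity inside it is the one
# the post says gets stamped on every e-mail the application sends, so a copied
# reply still names the original purchaser.
def licensed_identity(reply):
    fields = open_sealed(KEY_B, reply)
    if fields is None or fields.get("licence") != "full":
        return None
    return fields["name"], fields["address"]


def record_limit(reply):
    """The 1000-record cap stays in force until a valid reply is present."""
    return None if licensed_identity(reply) else 1000


if __name__ == "__main__":
    req = client_buy_request("A. Purchaser", "1 High Street, Anytown")
    reply = site_activation_reply(req, card_approved=True)
    print(licensed_identity(reply))
    print(record_limit(None), record_limit(reply))
```

One design point worth noting: because the db must hold KEY_B to verify the reply, anyone who recovers that key from the distributed file (the "VBA Code" section above explains how realistic that is) can mint a reply of their own. A scheme where the web site signs the reply with a private key and the db holds only the public key removes that exposure; the check the db performs is otherwise the same.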