UtterAccess.com
X   Site Message
(Message will auto close in 2 seconds)

Welcome to UtterAccess! Please ( Login   or   Register )

Custom Search
3 Pages V < 1 2 3  (Go to first unread post)
   Reply to this topicStart new topic
> Challege For Disable The Shift Bypass, Any Version    
 
   
fogline
post Feb 4 2020, 06:47 PM
Post#41



Posts: 198
Joined: 5-August 15
From: Ringgold, GA. USA


I see no Forms' queries 'tables or code

--------------------
Ray White - Fog Line Software LLC.
Email
Go to the top of the page
 
fogline
post Feb 4 2020, 07:19 PM
Post#42



Posts: 198
Joined: 5-August 15
From: Ringgold, GA. USA


Frank
You say
QUOTE
You would also have to use a server db backend like MySQL instead of an Access


Why should I not use a Access db for my back end with VB6.?
This post has been edited by fogline: Feb 4 2020, 07:20 PM

--------------------
Ray White - Fog Line Software LLC.
Email
Go to the top of the page
 
FrankRuperto
post Feb 4 2020, 08:59 PM
Post#43



Posts: 654
Joined: 21-September 14
From: (MilitaryBrat) Tampa Bay, Florida, USA


Ray,

Glad you held on to all the old vb6 stuff, comes in handy now.
If you use an ACE backend, then you would be defeating the whole purpose of securing everything in your app, including the table designs and data.
Server db backends are more secure, they require user ID's and passwords to connect to them, and you also have fine granularity for granting specific permissions to different users.
You can also use SQLite and several other free versions, Don't use SQL-Server, hackers recently exploited a backdoor to login in as 'sa', (system administrator) with full permissions.
https://www.bleepingcomputer.com/news/secur...ft-SQL-servers/

---

Colin,

I ran your ShiftBypassQuit32 that's compiled and password protected. After "Enabling ShiftBypass key" and re-launching with shift key held down the same popup form reappears.
Holding down the shift key when launching did not work even after enabling it with your app.
Is this the expected behavior?
Did you borrow anything from the prototype app I sent you a year ago to create this test app?


This post has been edited by FrankRuperto: Feb 4 2020, 09:02 PM
Attached File(s)
Attached File  ShiftBypassDecryptedDecompiled.PNG ( 63.26K )Number of downloads: 9
 

--------------------
Currently supporting pawnbrokers that use my store management system developed with Access 2010 on Windows7. Experienced with Informix and Oracle DB's.
Go to the top of the page
 
isladogs
post Feb 5 2020, 12:25 AM
Post#44


UtterAccess VIP
Posts: 2,185
Joined: 4-June 18
From: Somerset, UK


Hi Frank
What you saw was the expected behaviour.
If opened normally, the shift bypass is disabled again automatically.

If you get around that by using code externally, there are various other measures in place.
For example
a) the main form cannot be opened from the navigation pane.
b) the shift bypass state is checked and, if it is enabled, the app quits

Not sure what you are referring to but the utility is all my own work.
The main issue I have developing these types of app is not locking myself out whilst implementing the security!

However, as previously stated no Access app is ever 100% secure and I know at least one 'back door'.
Indeed, as the main form says, this is a cut down version of another more secure app I have created.

--------------------
Colin (Mendip Data Systems)
Website, email
Go to the top of the page
 
JonSmith
post Feb 5 2020, 05:12 AM
Post#45


UtterAccess VIP
Posts: 4,073
Joined: 19-October 10



To quickly weigh in on this.

Years ago when I had my bike stolen from outside my house the policeman said they best thing to stop it happening again is to spend abit more to get a better lock next time. The lock can definitely still be broken but you make it not worth it for a bike thief and they go for the bike next to yours.
Same is true of this, if you add some of the stuff Colin has demonstrated you can secure it adequately enough to deter all but the most determined person, and odds are, that most determined person isnt going to be a customer anyway nor try to resell it. They have their own skills high enough to focus their energy elsewhere.

JS
Go to the top of the page
 
fogline
post Feb 5 2020, 02:32 PM
Post#46



Posts: 198
Joined: 5-August 15
From: Ringgold, GA. USA


Frank
I talk about saving my old stuff look at this: Access 2.0
All original everything still in the box.

Attached File  Access_2.0.jpg ( 1.33MB )Number of downloads: 2

This post has been edited by fogline: Feb 5 2020, 02:40 PM

--------------------
Ray White - Fog Line Software LLC.
Email
Go to the top of the page
 
FrankRuperto
post Feb 5 2020, 02:39 PM
Post#47



Posts: 654
Joined: 21-September 14
From: (MilitaryBrat) Tampa Bay, Florida, USA


That's a collectible. It will be worth more when Microsoft kills Access. I think they're assuming everyone will migrate to PowerApps or DotNet. Let us know how your vb6 rewrite goes.
This post has been edited by FrankRuperto: Feb 5 2020, 02:43 PM

--------------------
Currently supporting pawnbrokers that use my store management system developed with Access 2010 on Windows7. Experienced with Informix and Oracle DB's.
Go to the top of the page
 
fogline
post Feb 5 2020, 02:44 PM
Post#48



Posts: 198
Joined: 5-August 15
From: Ringgold, GA. USA


QUOTE
That's a collectible. It will be worth more when Microsoft kills Access


Ya you right, I also have version 1.0 somewhere.
You ever get digging in your old developing stuff it's like a big toy box of new toys
after not seeing it for years.

--------------------
Ray White - Fog Line Software LLC.
Email
Go to the top of the page
 
isladogs
post Feb 5 2020, 05:48 PM
Post#49


UtterAccess VIP
Posts: 2,185
Joined: 4-June 18
From: Somerset, UK


See A Trip Down Memory Lane

--------------------
Colin (Mendip Data Systems)
Website, email
Go to the top of the page
 
fogline
post Feb 5 2020, 06:02 PM
Post#50



Posts: 198
Joined: 5-August 15
From: Ringgold, GA. USA


Colin you said
QUOTE
If anyone is interested, please email me for an explanation



--------------------
Ray White - Fog Line Software LLC.
Email
Go to the top of the page
 
FrankRuperto
post Feb 5 2020, 06:09 PM
Post#51



Posts: 654
Joined: 21-September 14
From: (MilitaryBrat) Tampa Bay, Florida, USA


Here's a youtube video of the MS-Access debut at Comdex 1992 in Las Vegas. The Access 1.0 demo begins at the 11:50 mark and there's a brief glimpse of a younger me seated in the crowd at the 12:50 mark. Chris Caposella, who is now Chief Marketing Officer at Microsoft is also in the video, he was the chief of all database development products back then. ChrisCap is another reason why Access is still around and getting a little love. When have you seen MS support a product for almost 30 years? It's been a good run!.. Enjoy!
https://www.youtube.com/watch?v=evMilwVBHAQ

P.S. I just found my copy of Microsoft Multiplan spreadsheet for 8-bit CP/M pompom.gif
This post has been edited by FrankRuperto: Feb 5 2020, 06:40 PM

--------------------
Currently supporting pawnbrokers that use my store management system developed with Access 2010 on Windows7. Experienced with Informix and Oracle DB's.
Go to the top of the page
 
fogline
post Feb 5 2020, 06:25 PM
Post#52



Posts: 198
Joined: 5-August 15
From: Ringgold, GA. USA


Wow that is an old video
That you in the white shirt Frank?

--------------------
Ray White - Fog Line Software LLC.
Email
Go to the top of the page
 
FrankRuperto
post Feb 5 2020, 06:34 PM
Post#53



Posts: 654
Joined: 21-September 14
From: (MilitaryBrat) Tampa Bay, Florida, USA


Bingo thumbup.gif

--------------------
Currently supporting pawnbrokers that use my store management system developed with Access 2010 on Windows7. Experienced with Informix and Oracle DB's.
Go to the top of the page
 
fogline
post Feb 5 2020, 06:45 PM
Post#54



Posts: 198
Joined: 5-August 15
From: Ringgold, GA. USA


Wow it's crazy how this thread got turned around 20 years.
I love seeing that old stuff, It makes you think how long you really been doing this..
We need to start a thread called " The Golden Years "

--------------------
Ray White - Fog Line Software LLC.
Email
Go to the top of the page
 
isladogs
post Feb 6 2020, 02:33 AM
Post#55


UtterAccess VIP
Posts: 2,185
Joined: 4-June 18
From: Somerset, UK


Got your emails. Will reply later today.
I did outline how it worked in post 44 but thought you were now focusing on using VB6.

--------------------
Colin (Mendip Data Systems)
Website, email
Go to the top of the page
 
fogline
post Feb 6 2020, 09:10 AM
Post#56



Posts: 198
Joined: 5-August 15
From: Ringgold, GA. USA


Hi Colin
No I will never stop using Access.
I am just trying to see what I can do with VB6
and even if I did rebuild my apps lord it would take me a year or longer..
Thanks for all your support and help thumbup.gif

--------------------
Ray White - Fog Line Software LLC.
Email
Go to the top of the page
 
fogline
post Feb 7 2020, 04:59 PM
Post#57



Posts: 198
Joined: 5-August 15
From: Ringgold, GA. USA


Hi Colin
I think I have 1 or 2 over your Security apps you made
which one of them would show me how to hide all
of the Forms, Queries, macros
like that last app you was show us I really liked that one.

--------------------
Ray White - Fog Line Software LLC.
Email
Go to the top of the page
 
isladogs
post Feb 7 2020, 05:14 PM
Post#58


UtterAccess VIP
Posts: 2,185
Joined: 4-June 18
From: Somerset, UK


Hi Ray
Sorry. I've been very busy for the past few days and so not had time to reply properly.
You can find a lot of my code in this app: Manage Application Interface

However, for info, the hidden objects can be made visible by ticking Show Hidden Objects in Navigation Options.
In the case of my example app, that won't help much as you can't open the main form frmStart from the navigation pane.

You can find lots of security related items elsewhere on my website

--------------------
Colin (Mendip Data Systems)
Website, email
Go to the top of the page
 
fogline
post Feb 7 2020, 05:15 PM
Post#59



Posts: 198
Joined: 5-August 15
From: Ringgold, GA. USA


Ok great Thanks Colin

--------------------
Ray White - Fog Line Software LLC.
Email
Go to the top of the page
 
isladogs
post Feb 8 2020, 01:43 PM
Post#60


UtterAccess VIP
Posts: 2,185
Joined: 4-June 18
From: Somerset, UK


OK finally I have a bit of time.

First of all back in post #2 Daniel Pineault wrote:
QUOTE
One way or another, if I want to look at your db, I won't be using the shift bypass anyways and I make backups before I start messing around. So all your hard work would be for nothing.


I agree totally with the first part of that. However as Jon Smith wrote:
QUOTE
if you add some of the stuff Colin has demonstrated you can secure it adequately enough to deter all but the most determined person, and odds are, that most determined person isnt going to be a customer anyway nor try to resell it. They have their own skills high enough to focus their energy elsewhere.


So disabling the shift bypass should be considered along with other security measures purely as a deterrent to make it harder for anyone to hack your app.

Anyway, to clarify (hopefully) what I wrote before
1. Enabling the shift bypass then opening the app 'normally' automatically disables the shift bypass again
2. It is IMPOSSIBLE to prevent anyone re-enabling the shift bypass externally.
I have code to do that myself and use it regularly.
However you can still mitigate the impact of that with code which will run as soon as you try to do anything.

If you do manage to open it using the shift bypass, you will indeed see the nav pane.
The objects are hidden but can be made visible. There are 2 forms: frmAutomation & frmStart and 5 modules - all except modSecurity are included in the app link from my previous post.

The code below is the entire module modSecurity

CODE
Option Compare Database
Option Explicit

Public Function CheckTrusted() As Boolean

'checks whether macros and VBA code have been enabled in the current project
CheckTrusted = CurrentProject.IsTrusted

End Function

Function CheckShiftBypassState() As Boolean

On Error GoTo Err_Handler

    CheckShiftBypassState = CurrentDb.Properties("AllowByPassKey")

    If CheckShiftBypassState = True Then
        If Environ("ComputerName") Like "COLIN*" And CurrentDBFileType = "accdb" Then
            'development machine
           If MsgBox("WARNING : " & vbCrLf & _
                "The Shift Bypass key is ENABLED" & vbCrLf & _
                    "Do you want to disable it now? (RECOMMENDED)", vbQuestion + vbYesNo, "WARNING") = vbYes Then
                        DisableShiftBypass
            Else
                MsgBox "ENSURE the Shift Bypass is disabled before this application is released", vbExclamation, "Critical Error"
            End If
     Else
        'ACCDE version or other workstations
             FormattedMsgBox "CRITICAL ERROR : " & vbCrLf & _
                      "The Shift Bypass key has been ENABLED    " & _
                      "@As the application has been modified, it will now be closed      @", vbCritical, "Critical Error"
            Application.Quit
        End If
    End If
    
Exit_Handler:
    Exit Function
          
Err_Handler:
      If Erl > 0 Then
          MsgBox "Error " & Err.Number & " in line " & Erl & " in CheckShiftBypassState procedure : " & _
                    Err.Description, vbOKOnly + vbCritical, "Critical Error"
       Else
           MsgBox "Error " & Err.Number & " in CheckShiftBypassState procedure : " & _
                    Err.Description, vbOKOnly + vbCritical, "Critical Error"
     End If

     Resume Exit_Handler
          
End Function

'the next 2 procedures are functions so these could be called from an autoexec macro
Function DisableShiftBypass()
    StartUpProps "AllowBypassKey", False, True
End Function

Function EnableShiftBypass()
    StartUpProps "AllowBypassKey", True, True
End Function

Function CheckUserControl() As Boolean

On Error GoTo Err_Handler

    CheckUserControl = Access.Application.UserControl
    
    If CheckUserControl = False Then
       If CurrentProject.AllForms("frmStart").IsLoaded Then
           DoCmd.Close acForm, "frmStart"
           DoCmd.OpenForm "frmAutomation"
        End If
        
        'application opened externally using automation
        MsgBox "CRITICAL ERROR : " & vbCrLf & _
                  "This application cannot be run externally using automation and will now be closed", vbCritical, "Critical Error"
        Application.Quit
   End If

Exit_Handler:
        Exit Function
          
Err_Handler:
    MsgBox "Error " & Err.Number & " in CheckUserControl procedure : " & _
                    Err.Description, vbOKOnly + vbCritical, "Critical Error"
    Resume Exit_Handler

End Function

Function ModifyStartUpProps()

On Error GoTo Err_Handler

    'Delete existing start up properties
    DeleteStartupProps "AllowFullMenus"
    DeleteStartupProps "StartUpShowStatusBar"
    DeleteStartupProps "AllowBuiltInToolbars"
    DeleteStartupProps "AllowShortcutMenus"
    DeleteStartupProps "AllowToolbarChanges"
    DeleteStartupProps "AllowSpecialKeys"
    DeleteStartupProps "StartUpShowDBWindow"
    DeleteStartupProps "AllowBypassKey"

    'By default, set all start up properties to False
    StartUpProps "AllowBypassKey", False, True
    StartUpProps "AllowFullMenus", False, True
    StartUpProps "StartUpShowStatusBar", False, True
    StartUpProps "AllowBuiltInToolbars", False, True
    StartUpProps "AllowShortcutMenus", False, True
    StartUpProps "AllowToolbarChanges", False, True
    StartUpProps "AllowSpecialKeys", False, True
    StartUpProps "StartUpShowDBWindow", False, True
    
    'for developer mode, enable props
    If Environ("ComputerName") = "COLIN-PC" And Environ("UserName") = "cridd" Then
        If CurrentDBFileType = "accdb" Then
            StartUpProps "AllowBypassKey", True, True
            StartUpProps "AllowFullMenus", True, True
            StartUpProps "StartUpShowStatusBar", True, True
            StartUpProps "AllowBuiltInToolbars", True, True
            StartUpProps "AllowShortcutMenus", True, True
            StartUpProps "AllowToolbarChanges", True, True
            StartUpProps "AllowSpecialKeys", True, True
            StartUpProps "StartUpShowDBWindow", True, True
        End If
   End If

Exit_Handler:
    Exit Function
    
Err_Handler:
    MsgBox "Error " & Err.Number & " in ModifyStartUpProps procedure : " & Err.Description, vbOKOnly + vbCritical
    Resume Exit_Handler

End Function

Function StartUpProps(strPropName As String, Optional varPropValue As Variant, _
        Optional ddlRequired As Boolean) As Variant
    ' This function requires a reference to DAO library.
    ' This function will both return and set the value of startup properties
    ' in your database. It can also be used for other database properties
    ' with some slight modification.
    
    Dim dbs As DAO.Database, prp As DAO.Property, varPropType As Variant
    Const conPropNotFoundError = 3270
    
    If IsMissing(ddlRequired) Then
    ddlRequired = False
    End If
    
    ' Because this code is specific to the startup properties, we assume that the
    ' data type of the property is Boolean unless stated otherwise.
    
    varPropType = dbBoolean
    Select Case strPropName
    Case "frmSplash"
    varPropType = dbText
    End Select
    Set dbs = CurrentDb
    
    ' This function will either set the value of the property or try to
    ' return it. It knows which mode it is in by the existence of the
    ' property value in the procedure that called the function.
    
    If Not IsMissing(varPropValue) Then
    
        ' As we change the value of the startup property, we will first try to
        ' assign that value. If the property does not exist, it will be
        ' added to the database object by using the following error handling code.
        On Error GoTo AddProps_Err
        dbs.Properties(strPropName) = varPropValue
        StartUpProps = True
    Else
        ' If we find out the value of the startup property, we first see if
        ' that value exists. If the property does not exist, we will return a null string.
        On Error GoTo NotFound_Err
        StartUpProps = dbs.Properties(strPropName)
    End If
    
StartupProps_End:
    On Error Resume Next
    Set dbs = Nothing
    Set prp = Nothing
    Exit Function
    
    'When a property doesn't exist in the database, you must use the CreateProperty method to add the property
    'to the database. The error handling section of the sub-routine handles this method as follows:
    
AddProps_Err:
    
    If Err = conPropNotFoundError Then
        ' Property not found when adding a property value.
        Set prp = dbs.CreateProperty(strPropName, varPropType, varPropValue, ddlRequired)
        dbs.Properties.Append prp
        Resume Next
    Else
        ' Unknown error.
        StartUpProps = False
        Resume StartupProps_End
    End If
    
NotFound_Err:
    If Err = conPropNotFoundError Then
        ' Property not found when returning a property value.
        StartUpProps = Null
        Resume Next
    Else
        ' Unknown error.
        StartUpProps = False
        Resume StartupProps_End
    End If

End Function

Function DeleteStartupProps(strPropName As String) As Boolean
' Function requires a reference to DAO library.

Dim dbs As DAO.Database, prp As DAO.Property
Const conPropNotFoundError = 3270

DeleteStartupProps = False

On Error GoTo DeleteStartupProps_Err

    CurrentDb.Properties.Delete (strPropName)
    DeleteStartupProps = True

DeleteStartupProps_End:
   On Error Resume Next
   Set dbs = Nothing
   Set prp = Nothing
   Exit Function

DeleteStartupProps_Err:
   If Err = conPropNotFoundError Then
      ' Property not found.
      DeleteStartupProps = False
      Resume Next
   Else
      ' Unknown error.
      Resume DeleteStartupProps_End
   End If

End Function


OK - lets assume you have opened it with the shift bypass & can see the database objects in the nav pane

Try opening frmStart from the navigation pane. You shouldn't be able to do so.
That action is blocked with one line of code in Form_Open:
CODE
   'block opening item from nav pane
    If Application.CurrentObjectName = Me.Name Then Cancel = True


You can open the (normally hidden) form frmAutomation but it immediately closes and runs code to disable the shift bypass before opening frmStart normally with its code running
Also try opening the app from a non trusted location and note what happens.

In summary, I can't prevent you re-enabling the shift bypass but if you do so, other code is in place to (hopefully) prevent you getting anywhere 'useful'.
Am I making sense?

Obviously using an ACCDE file is added protection but the example app is also fairly secure as an ACCDB (see attached)
You still need the password isladogs to run the app.
I've added a different password to the VBA project so you still can't see the code though you now have access to most of it.
As its now ACCDB, you can now open the forms in design view but I believe you still cannot run the forms without letting the code run which will disable the shift bypass again.

NOTE: I'm aware it is possible to circumvent the VBA password. Another security flaw in Access itself.

In summary:
In the end, no Access app can ever be made 100% secure against a hacker with sufficient skill, determination and time on their hands. Basically what all security measures including disabling the shift bypass actually do is to erect a series of hurdles to make it harder for anyone to get in and not worth the time and effort required.

For info, in the next week or so I hope to upload a new version of my Encrypted Split No Strings example app.
I've added several additional layers of security to the earlier version posted here
Its a fully functioning split database but its been designed so that the data cannot be exported.
I'll let you know when its ready. Hopefully you (and others) will be interested enough to try it out and see if you can break it
Attached File(s)
Attached File  ShiftBypassQuit.zip ( 769.03K )Number of downloads: 4
 

--------------------
Colin (Mendip Data Systems)
Website, email
Go to the top of the page
 
3 Pages V < 1 2 3


Custom Search


RSSSearch   Top   Lo-Fi    23rd February 2020 - 11:12 AM