Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Dynamics GP "Encrypted" Using Caesar Cipher

Posted by kdawson on from the no-safety-in-numbers dept.

scribblej writes "Many large companies use Microsoft's Dynamics GP product for accounting, and many of these companies use it to store credit card numbers for billing customers. Turns out these numbers (and anything else in GP) are encrypted only by means of a simple substitution cipher. This includes the master system password, which can be easily selected and decrypted from the GP database by any user. Quoting: '[Y]ou DON'T HAVE TO GIVE ACCESS TO THE DYNAMICS DATABASE. What that means is if you create a base user in GP, that user can log into the SQL server and run a select statement on the table containing the "encrypted" GP System password. Not good.'" Update: 05/22 02:57 GMT by T : The original linked post has been revised in a few places; significantly, the following has been added as a correction: "By default, GP gives the user access to the DYNAMICS database but the user CANNOT login to the SQL server using SQL Enterprise Manager."

1 of 206 comments (clear)

  1. Re:My guess is ITAR, the market and standards by TerranFury · · Score: 0, Flamebait

    DES is sufficiently weak that it is possible to build a home-grown cluster that can break a DES key in minutes. Yes, DES is "strong" in the sense that the algorithm itself has no significant flaws that anyone can detect, but [...] the cost of smashing DES would be 0.1% of the money the criminals could walk off with. In short, as close to nothing as to make no odds.

    I think your "consider the cost in dollars" point of view is very insightful, and DES is indeed not very strong, but I still don't think it's fair to compare it to a substitution cipher. It takes ~$200k of hardware and 24 hours to crack DES. It takes a retiree five minutes and the back of a napkin (or a laptop less than a second) to break a substitution cipher. Organized criminals can break DES, but Joe Average can't without taking out a mortgage just to buy the hardware (or having access to a pretty extensive botnet).

    If the keyspace can be reduced further, though, then things get easier. E.g., one program I investigated that sent DES-encrypted passwords over the network ignored the least significant bit of every character in a password, only allowed 7 or 8 character passwords, and was IIRC case-insensitive; if you additionally assumed that most passwords would be alphanumeric you ended up with a keyspace that could be bruteforced in a few days by no more than half a dozen workstations in a university computer lab.