Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Dynamics GP "Encrypted" Using Caesar Cipher

Posted by kdawson on from the no-safety-in-numbers dept.

scribblej writes "Many large companies use Microsoft's Dynamics GP product for accounting, and many of these companies use it to store credit card numbers for billing customers. Turns out these numbers (and anything else in GP) are encrypted only by means of a simple substitution cipher. This includes the master system password, which can be easily selected and decrypted from the GP database by any user. Quoting: '[Y]ou DON'T HAVE TO GIVE ACCESS TO THE DYNAMICS DATABASE. What that means is if you create a base user in GP, that user can log into the SQL server and run a select statement on the table containing the "encrypted" GP System password. Not good.'" Update: 05/22 02:57 GMT by T : The original linked post has been revised in a few places; significantly, the following has been added as a correction: "By default, GP gives the user access to the DYNAMICS database but the user CANNOT login to the SQL server using SQL Enterprise Manager."

4 of 206 comments (clear)

  1. Re:But... by the_one_wesp · · Score: 3, Interesting

    I disagree with this being off topic. Perhaps, though, if /.ers are too hasty to recognize a quick rot13, that justifies why MS thinks they can do the same with their products... o.O

  2. Re:But... by jgreco · · Score: 3, Interesting

    I guess the question is, how many people even know what rot13 is these days?

    I mean, really, my rot13 script's nearly 20 years old and I'll bet I use it less than once a year these days...

    % ls -l bin/script/rot13
    -rwx------ 1 jgreco user 64 Nov 11 1991 bin/script/rot13*
    %

  3. Re:obligatory by interval1066 · · Score: 4, Interesting

    "You need to use the vocative case there, not the nominative."

    ie; "Brute." (pronounced "Brut-AY"
    Getting back to the main story, let me add "Doh!" That's a major back door. And Microsoft, wanting to be our gatekeepers in so many ways and even with this big security initiative they've been trying to get everyone to believe they are on, is just sort of sluffing it off with their usual sheepish "Well, its not likely to actually happen." nonsense.

    --
    Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
  4. Re:Full Article by mpolino · · Score: 5, Interesting

    I'm a Microsoft MVP for Dynamics GP and this line "What that means is if you create a base user in GP, that user can log into the SQL server and run a select statement on the table containing the "encrypted" GP System password... " is completely false. GP users can't log in to SQL using their GP passwords. The article doesn't state a version being used. On some older versions it was possible to chose to allow a user to access SQL with their GP login. This is not possible on any of the supported versions of Dynamics GP. Additionally, the System password referred to has always been a second line of defense. Security has to be given to a particular window in the application before GP even asks for the System password. Relying on the System password alone for security has never been a best practice. There are a number of other areas where the writer confuses different types of passwords and security in Dynamics GP making it clear that he's never actually used the application to understand how differnt passwords and settings interact to provide security. Mark