Slashdot Mirror


Microsoft Dynamics GP "Encrypted" Using Caesar Cipher

scribblej writes "Many large companies use Microsoft's Dynamics GP product for accounting, and many of these companies use it to store credit card numbers for billing customers. Turns out these numbers (and anything else in GP) are encrypted only by means of a simple substitution cipher. This includes the master system password, which can be easily selected and decrypted from the GP database by any user. Quoting: '[Y]ou DON'T HAVE TO GIVE ACCESS TO THE DYNAMICS DATABASE. What that means is if you create a base user in GP, that user can log into the SQL server and run a select statement on the table containing the "encrypted" GP System password. Not good.'" Update: 05/22 02:57 GMT by T : The original linked post has been revised in a few places; significantly, the following has been added as a correction: "By default, GP gives the user access to the DYNAMICS database but the user CANNOT login to the SQL server using SQL Enterprise Manager."

8 of 206 comments

  1. But... by the_one_wesp · · Score: 5, Funny

    Ohg vg'f jnl zber frpher gung jnl

  2. I have a fix for this. by 2names · · Score: 5, Funny

    They should hire some of them "too smart for their own good" Googlers.

    --
    "I'm just here to regulate funkiness."
  3. Most ERP systems do not have the data encrypted by Anonymous Coward · · Score: 5, Insightful

    I don't know if this is any news at all. Most ERP systems do not have the data in the database encrypted at all. You should never give any direct access to your ERP database to anybody. If absolutely necessary, just create a view in another DB schema and give read access to it only to selected users (so they could access, for example, the inventory information using Excel/Access).

    1. Re:Most ERP systems do not have the data encrypted by Sir_Lewk · · Score: 5, Insightful

      The news here is they were claiming to be using encryption, but really were not. Regardless of whether or not encryption is needed in the first place, you don't mislead your customers like that.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  4. My encryption method... by Eberlin · · Score: 5, Funny

    I figure that the variation of Caesar Cipher, ROT13, was easy to decipher so for maximum security, I always run it through the ROT13 encoder twice before I send it. Hell, I'm encoding this message in that method now so it will have to take a bit of cunning for you to read this comment. So if you've managed to read this, congratulations, you are qualified to work in Microsoft's security department.

  5. Full Article by Anonymous Coward · · Score: 5, Informative

    Sorry... I didn't expect /. to pick this up, and didn't really warn Chris Kois that I'd submitted it. My fault.

    Below is the original article:

    I use the term "encryption" loosely in this article. As you read on, you'll realize why...

    I've been doing some work on a plugin for Microsoft Dynamics GP, which is an accounting system aimed at medium-sized to large businesses. To give you an idea of what type of application this is: there are companies that pay somewhere around $10,000-$15,000 to consultants or VARs (Value Added Resellers) to implement a Microsoft Dynamics GP solution for their business. Many of the VARs have their own plugins and solutions for Microsoft Dynamics GP, usually written in .NET or Dexterity. The process of installing and maintaining GP is an industry all its own, and it's not cheap for a company to maintain this accounting system.

    I've been searching for the "encryption algorithm", or at least some other way to "encrypt" data in GP than within Dexterity code. I was really hoping that there would be some .NET library that would do this for me, but I was never able to find anything that would help me do this. So, I became interested in what type of "encryption" this is. Somewhere (I can't remember where) I found something that indicated that it's a symmetric key encryption algorithm. The message boards were not much help either. Anywhere I went, I basically saw the same type of statement: "the encryption algorithm is a closely guarded secret".

    Today, while doing some testing, I noticed something with data that we were saving to a field which utilizes the GP "encryption". The plugin I was testing puts data in an encrypted field (not that it needs to because it's not sensitive in nature), and I was testing with the same values each time. As I would expect, I saw the same data stored in the field in the database for each row in the table. However, I noticed that one of the entries was different, by 2 characters. That seemed very odd to me. After looking at it some more and conducting some more tests, it looks like I simply miskeyed my test data, but it prompted me to take another look at this.

    After trying a couple different combinations of test data, it became very obvious that changing only one character in the test data appeared to only alter 2 characters of the encrypted data. So I ran through a battery of tests, and came up with this:

    Yep, it's basically your run-of-the-mill substitution cipher. The worst part: there's evidence all over the place that this was a VERY weak encryption algorithm for a while, but nobody seemed to pay any attention to it when people were asking how they could reset passwords of users in the database (Post 1 - Post 2).

    I did some more searching, because there is ABSOLUTELY NO WAY THAT I AM THE ONLY ONE THAT SAW THIS... I found a good write up on the MSDN blogs that explains pretty well how the GP encryption was used (here).

    The article is evidence to support a theory that I have, which is that after GP moved to SQL Server authentication, the encryption method didn't seem to be needed any longer, so they never replaced it. I don't know if the word was released to developers and integrators that the "encryption algorithm" wasn't ideal for storage of sensitive information, but I don't know how many plugins or customizations use it either.

    EXCEPT.... Microsoft still uses it for their GP system password, which is the password needed to get to the Security Roles/Tasks and all the User Security related forms while in GP. What's even worse, if you create a new user, you have to give the user explicit rights to the company or companies you want the user to access, but you DON'T HAVE TO GIVE ACCESS TO THE DYNAMICS DATABASE. What that means is if you create a base user in GP, that user can log into the SQL server and run a select statement on the table containing the "encrypted" GP System password... Not good...

    I created a

    1. Re:Full Article by mpolino · · Score: 5, Interesting

      I'm a Microsoft MVP for Dynamics GP and this line "What that means is if you create a base user in GP, that user can log into the SQL server and run a select statement on the table containing the "encrypted" GP System password... " is completely false. GP users can't log in to SQL using their GP passwords. The article doesn't state a version being used. On some older versions it was possible to choose to allow a user to access SQL with their GP login. This is not possible on any of the supported versions of Dynamics GP. Additionally, the System password referred to has always been a second line of defense. Security has to be given to a particular window in the application before GP even asks for the System password. Relying on the System password alone for security has never been a best practice. There are a number of other areas where the writer confuses different types of passwords and security in Dynamics GP, making it clear that he's never actually used the application to understand how different passwords and settings interact to provide security.

      Mark
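The author's experiment above (change one plaintext character, see how many ciphertext characters move) can be turned into a repeatable check for any black-box "encryption" field. This is an added example, not code from the article or from Dynamics GP: the two-characters-per-input scheme is a constructed toy modelling what the author observed, not the real GP algorithm, and SHA-256 is used only as a reference point for what proper diffusion looks like.

```python
import codecs
import hashlib


def rot13(plaintext: str) -> str:
    """The ROT13 joked about in the thread: a one-to-one substitution."""
    return codecs.encode(plaintext, "rot_13")


def toy_two_char_substitution(plaintext: str) -> str:
    """Constructed stand-in for what the author observed in GP: every input
    character becomes a fixed pair of output characters, independent of
    position and of its neighbours. Not the real GP algorithm."""
    return "".join(f"{(ord(c) + 17) % 256:02X}" for c in plaintext)


def sha256_hex(plaintext: str) -> str:
    """Reference for real diffusion. A hash is not a cipher; it is used here
    only because a one-character change reshuffles most of the output."""
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def changed_positions(a: str, b: str) -> int:
    """Output positions that differ, counting any length difference as well."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def diffusion_report(transform, sample: str) -> dict:
    """Change one plaintext character at a time and measure how much of the
    output moves. A substitution cipher disturbs a small, fixed number of
    output positions per change; anything with real diffusion disturbs
    about half of them."""
    base = transform(sample)
    per_change = []
    for i, ch in enumerate(sample):
        replacement = "A" if ch != "A" else "B"
        flipped = sample[:i] + replacement + sample[i + 1:]
        per_change.append(changed_positions(base, transform(flipped)))
    max_changed = max(per_change)
    return {
        "deterministic": transform(sample) == base,  # same input, same output (no IV/salt)
        "expansion": len(base) / len(sample),         # output chars per input char
        "max_changed": max_changed,
        "mean_changed": sum(per_change) / len(per_change),
        # Heuristic: a few positions at most means each character is encoded
        # on its own, i.e. a substitution rather than a real cipher.
        "substitution_like": max_changed <= 4,
    }
```

Run `diffusion_report` against the stored-field transform of whatever product you are assessing; `substitution_like` together with `deterministic` is the pattern the article describes (identical rows for identical input, two characters moving per character changed).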

  6. Re:obligatory by Kilrah_il · · Score: 5, Funny

    And to make it clearer:

    [Brian is writing graffiti on the palace wall. The Centurion catches him in the act]
    Centurion: What's this, then? "Romanes eunt domus"? People called Romanes, they go, the house?
    Brian: It says, "Romans go home."
    Centurion: No it doesn't! What's the Latin for "Roman"? Come on, come on!
    Brian: Er, "Romanus"!
    Centurion: Vocative plural of "Romanus" is?
    Brian: Er, er, "Romani"!
    Centurion: [Writes "Romani" over Brian's graffiti] "Eunt"? What is "eunt"? Conjugate the verb, "to go"!
    Brian: Er, "Ire". Er, "eo", "is", "it", "imus", "itis", "eunt".
    Centurion: So, "eunt" is...?
    Brian: Third person plural present indicative, "they go".
    Centurion: But, "Romans, go home" is an order. So you must use...?
    [He twists Brian's ear]
    Brian: Aaagh! The imperative!
    Centurion: Which is...?
    Brian: Aaaagh! Er, er, "i"!
    Centurion: How many Romans?
    Brian: Aaaaagh! Plural, plural, er, "ite"!
    Centurion: [Writes "ite"] "Domus"? Nominative? "Go home" is motion towards, isn't it?
    Brian: Dative!
    [The Centurion holds a sword to his throat]
    Brian: Aaagh! Not the dative, not the dative! Er, er, accusative, "Domum"!
    Centurion: But "Domus" takes the locative, which is...?
    Brian: Er, "Domum"!
    Centurion: [Writes "Domum"] Understand? Now, write it out a hundred times.
    Brian: Yes sir. Thank you, sir. Hail Caesar, sir.
    Centurion: Hail Caesar! And if it's not done by sunrise, I'll cut your balls off.

    --
    Whenever in an argument, remember this.