Steven H. Blackwell

Everything posted by Steven H. Blackwell

  1. For a further discussion on issues related to insecure default settings, please see this article: Steven
  2. Security Vulnerabilities of FileMaker Platform API’s: An Update

    January 9th 2017

    In an April 2016 entry on this BLOG titled The FileMaker Platform API’s Are Your Friends, Right? [’s-are-your-friends-right/] I discussed a number of FileMaker Platform security issues centered on the uncontrolled use of a number of external Application Program Interfaces (API’s). There are at least nine of these API, possibly more, if ExecuteSQL is included. The central thesis of that article was that these API’s provide unexpected attack vectors to compromise FileMaker Platform files. As noted at the time:

      Many FileMaker developers are not aware, however, that these API’s have the capability to access customer or client solutions in unexpected ways and to extract or insert data, to manipulate business processes developers embedded into these solutions, and to compromise the integrity of these solutions.

    Unfortunately, in the intervening nine-month time span, we continue to see cases where several of these API have been used for malicious purposes to compromise FileMaker Platform files’ business process integrity, to manipulate data, and to extract data. And many in the developer community remain unaware of this problem.

    In this BLOG entry, I will describe two of these API’s in greater specificity and detail, including describing a variety of attacks they can facilitate. This article will not discuss the ActiveX API that is available on Windows OS; however, developers should give similar attention to that approach. Developers need to be aware of these items in order to protect their files and those of their clients.

    The two API at the center of this focus are Apple Events and the FMPURL process. In the earlier article, I noted several elements about these that bear repeating here:

      [These API] cause particular concern because of their breadth and relative ease of use…. The Apple Events Suite has an extensive set of commands that can read and write data, read metadata, manipulate the UI, and trigger scripts. In addition, they can work outside the normal constraints found on layouts in a file. The FMPURL…can open a file and run a script in it. If the file is already open, then the script will still run.

    A few general comments about both of these API’s:

    · They are not platform-specific, in the sense that a client organization running an all-Windows OS environment is not immune from an Apple Event attack. It’s the OS of the attacker that controls whether the API can be used.
    · There are some ways within Privilege Sets to constrain the behavior of these API commands when they are applied to a file. The Export privilege bit can control the ability of Apple Events to extract data from a file. The Layout Access privilege bits can also constrain the ability to see the contents of a layout. Likewise, Script Access privilege bits can control the availability of a script to either of these API.
    · These API often perform actions in unexpected fashions that fall outside the normal, traditional, and familiar FileMaker Pro User Interface behavior. This is part of what catches developers by surprise.

    —Apple Events—

    When a file is open, whether standalone or hosted by FileMaker Server, an attacker can send Apple Event commands to it causing it to perform a variety of actions, including:

    · Run any script to which the user has access, irrespective of whether that script is in the list of Scripts or whether it is attached to some UI element, such as a button.
    · Navigate to any Layout irrespective of whether that Layout’s name is in the list of Layouts or not. If the user’s Privilege Set has access to see that Layout, then its contents are visible whether the developer ever intended for the user to view the Layout or not.
    · Return various metadata about the file, including such items as Script Names, Value List Items, Layout Names, Field Names, etc. If a user’s Privilege Set does not allow access to the item, its name does not appear in the list returned.
    · Put data into any field in the database or extract data from any field, irrespective of whether that field is on the active Layout or is on any Layout for that matter.

    Here are several examples of these scripts, all working on a file named Our_Secret_Information.fmp12.

      tell application "FileMaker Pro Advanced"
        activate
        go to first layout
      end tell

      tell application "FileMaker Pro Advanced"
        activate
        do script FileMaker script "Relog_as_Admin"
      end tell

      tell application "FileMaker Pro Advanced"
        activate
        set somevar to name of every layout
      end tell

      tell application "FileMaker Pro Advanced"
        activate
        set somevar to name of every field
      end tell

      tell application "FileMaker Pro Advanced"
        activate
        set somevar to get data field "CreditCardNumber"
      end tell

    —FMPURL—

    The FMPURL command’s principal attack vector is that it can be used to run any Script in a file to which a user’s privileges have access. Similar to Apple Events, this occurs irrespective of whether that script is in the list of Scripts or whether it is attached to some UI element, such as a button. If the file is closed, the command first opens the file with the supplied credentials, then runs any OnFirstWindowOpen script, and then runs the designated script from the FMPURL command. As a result of this behavior, a Halt Script step at the end of the opening script has the effect of blocking the running of the FMPURL-designated script. Some developers have utilized this technique to block FMPURL calls to scripts in a file. However, if the file is already opened or if there is no opening script, then the designated script does run.

    Here is an example of calling a script, again in our file Our_Secret_Information.fmp12 being hosted at a server at IP address

      fmp:// Relog_as_Admin

    —What Is the Significance Of This and How Do We Address This?—

    One of the many reasons we caution developers against embedding security elements such as Identity and Access Management controls into the data layer of FileMaker Pro databases is precisely because such elements are vulnerable to these API attacks. Think for a minute about that Relog_as_Admin script that presumably relogs into the file with a [Full Access] Account. If an Attacker can trigger that script and cause it to run, irrespective of what the developer might have intended, then the Attacker has full access to the file. This has actually happened.

    Or, suppose that a developer has made a “Developer_Only” layout in the file, removed it from the list of layouts, and left sensitive information on it. If the Attacker can navigate to that layout, and if it is not protected by settings in the Privilege Set, then the Attacker can learn the contents of the information on it. This has actually happened in numerous instances, including, unbelievably, the appearance of [Full Access] level credentials left exposed on the layout!

    Likewise, suppose that a developer has made a so-called “Privileges Table” with various fields that purport to control whether a user can do such things as create records. Using the Apple Event Set Data command, an Attacker could likely change the values in these fields if they do not enjoy additional protection. More likely even, the Attacker could simply issue a Make New Record command and create the record. That is a process frequently used to thwart developer-imposed limitations on the number of records in a demonstration version of a vertical market solution.

    So, what can be done to manage this situation and to prevent these types of attacks? In FileMaker® Pro 15, FileMaker, Inc. added a new Extended Privilege option in the Privilege Set called fmscriptdisabled. Developers must explicitly invoke this option; it is not a default option. What it does is to prevent Apple Events (Macintosh OS) and ActiveX commands (Windows OS) from activating scripts, just as the name implies. It has no impact on FMPURL or on other Apple Event commands that do not involve triggering of scripts.

    Some of the other items in a Privilege Set, notably Export and data layer modification elements, can control Get Data and Set Data Apple Events. If Export is disabled, then Get Data will not return data from the selected field. In tables where the editing privileges are restricted, likewise, Set Data will not add data to a field. Creation and deletion privileges behave in similar fashion. Remember, we are talking here only about Apple Events. Other processes may behave differently.

    Controlling API behavior is important; however, it is not the only security feature that developers must invoke to assure Confidentiality, Availability, and Integrity of their database systems. So, clearly what we need here is a way to block these API from interacting with FileMaker Pro files. FileMaker, Inc. is aware of these issues and has been working on new ways to address them. In the Product Road Map Webinar presented on November 30th 2016, FileMaker, Inc. noted that the next version of the FileMaker Platform will contain a number of additional security enhancements. I am authorized to say that one of those enhancements will be a new process for more closely and granularly controlling several of these API’s. At such time as there is any new version of the FileMaker Platform, I will have additional comments and analyses of the issues related to these API’s.
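    A defender-side complement to the FMPURL discussion above, added here as an example and not code from the post or from FileMaker, Inc.: it scans text (a forwarded e-mail, a wiki page, a ticket) for fmp:// links and flags those that embed credentials or name a script such as Relog_as_Admin. It assumes the FMPURL layout fmp://[account:password@]host/file[?script=Name[&param=...]]; the sample text, the 192.0.2.10 address and the sensitive-script list are constructed for the example.

```python
"""Audit text for FMPURL links that would open a hosted file and run a script."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed FMPURL layout: fmp://[account:password@]host/file[?script=Name[&param=...]]
FMP_URL_RE = re.compile(r"fmp://[^\s<>\"']+", re.IGNORECASE)

# Scripts a defender never wants reachable from a link; the post's
# Relog_as_Admin is the canonical case. Constructed list for this example.
SENSITIVE_SCRIPTS = {"Relog_as_Admin"}


@dataclass
class FMPLink:
    url: str
    host: str
    filename: str
    account: Optional[str]
    has_password: bool
    script: Optional[str]
    param: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_fmp_url(url: str) -> FMPLink:
    """Split one fmp:// link into its parts and attach risk findings."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "fmp":
        raise ValueError(f"not an FMPURL: {url}")
    query = parse_qs(parts.query)
    link = FMPLink(
        url=url,
        host=parts.hostname or "",
        filename=unquote(parts.path.lstrip("/")),
        account=parts.username,
        has_password=parts.password is not None,
        script=query.get("script", [None])[0],
        param=query.get("param", [None])[0],
    )
    if link.account is not None:
        link.findings.append("account name embedded in link")
    if link.has_password:
        link.findings.append("password embedded in link")
    if link.script is not None:
        # Any script the account may run is reachable this way, whether or
        # not it is in the Scripts menu or attached to a button.
        link.findings.append(f"runs script {link.script!r} on open")
    if link.script in SENSITIVE_SCRIPTS:
        link.findings.append("script re-logs in with elevated privileges")
    return link


def audit_text(text: str) -> List[FMPLink]:
    """Return every fmp:// link in text that carries at least one finding."""
    links = [parse_fmp_url(m.group(0)) for m in FMP_URL_RE.finditer(text)]
    return [link for link in links if link.findings]


# Constructed sample: two links as they might appear in a forwarded e-mail.
SAMPLE_TEXT = """\
Monthly report is here: fmp://192.0.2.10/Our_Secret_Information.fmp12
Quick fix, just click: fmp://admin:s3cret@192.0.2.10/Our_Secret_Information.fmp12?script=Relog_as_Admin&param=1
"""

if __name__ == "__main__":
    for link in audit_text(SAMPLE_TEXT):
        print(link.url)
        for finding in link.findings:
            print("  -", finding)
```

    The first sample link opens the file but carries no findings; the second is reported with all four, which is the case a server administrator would want surfaced.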
  3. The deadline for submitting Program Proposals for the 2017 DevCon is fast approaching: just a little over a week left. There is a new format for this year. There is more information here: Steven H. Blackwell
  4. These may prove useful: Steven H. Blackwell
  5. This is not expected behavior, especially in the absence of either a copy or a clone of the file. A snapshot link (FMPSL) may produce better results. Steven
  6. FileMaker, Inc. has released the 15.0v2 updater for FileMaker Server.
  7. This is probably due to a VLA install configuration. What does the function Get(AccountName) return? It should return the Account Name, in this instance the Account Name from Active Directory. User Name is not part of the process. Steven
  8. Recommended reading about FileMaker Cloud: by Wim Decorte. Steven
  9. Please remember this is a 1.0 version. There is, I believe, a high likelihood that future versions will have added features and functionalities: Steven
  10. Short video on FileMaker Cloud: Steven
  11. FileMaker Cloud

    I am very excited about the advent today of FileMaker Cloud. It is an excellent addition to the overall FileMaker Platform. Even in Version 1.0 we can see major benefits and uses for FileMaker Cloud. Over time and in succeeding versions, I believe these will get even better.

    It is scalable, both up and down. It can meet rapidly changing needs for infrastructure to support FileMaker-based business management systems.

    It is secure. Your files are encrypted. And data in transit are also encrypted. This is important to preserve the Confidentiality, Integrity, Availability, and Resilience of your FileMaker business management systems.

    It is part of the FileMaker Platform. Users can connect to its hosted files with FileMaker Pro, FileMaker GO, and WebDirect™ clients.

    It requires minimal administrative attention once established. And while no system can ever be a fire-and-forget structure, FileMaker Cloud offers ease of management. Amazon Web Services handles the heavy lifting.

    FileMaker Cloud introduces the industry-standard OAuth2 process to the FileMaker Platform. That process allows new options for Identity and Access Management. In Version 1.0 that is confined to credentials for managing the newly revamped FileMaker Server Admin Console. This will work with an administrator’s regular Amazon Account. Such federated identity management support might possibly in the future allow developers to utilize other authentication platforms to validate user credentials. Then those other platforms could pass that validation to FileMaker Server and admit the user to specific files. And with correct file privileges to boot!

    I want to congratulate FileMaker, Inc. and its Engineering, SQA, and Product Management Teams on this initial foray into the Cloud. I look forward to future enhancements to FileMaker Cloud. Steven H. Blackwell
  12. Some familiar FileMaker faces in this video:
  13. It's a waste of money for features that a database server does not need to get the Macintosh Pro "trash can" machine. 16 GB of RAM is pretty minimal for most deployments, particularly if you are deploying WebDirect™ connectivity. How many files, how many users, etc. are you contemplating? Steven
  14. Protecting FileMaker Platform Business Solutions

    FileMaker Platform developers and FileMaker Server Administrators, as well as business data owners, need to take a variety of steps to protect the Confidentiality, Integrity, Availability, and Resilience (CIAR) of their FileMaker Platform Business Solutions. Threat Agents of many varieties seek to exploit vulnerabilities that might exist in those solutions to compromise them, to steal data, to alter data, or to destroy data. This FileMaker Security BLOG article will describe four key steps that developers and administrators can take to protect their files.

    Before listing those, however, I want to describe an important caveat about such an approach to FileMaker platform security. Security is never a case of “One and Done.” It is not a check list of things to do to files, after which they are and will remain secure. Business circumstances change. We discover new vulnerabilities. Threat Agents perfect new attacks, some possibly exploiting so-called Zero Day vulnerabilities. Security is an on-going process in a constant state of flux. Maintaining security for business solutions requires constant monitoring and evaluation.

    All that said, however, here are four important considerations. All employ tools that the FileMaker platform already gives us to help protect our files.

    First. Use Granular Access Privileges. The FileMaker security schema allows for very specific privileges as well as for very broad ones. For best protection and control, set the privileges and permissions for each Privilege Set very carefully. For each business role, give the users in that role all the privileges they need for them to accomplish their business requirements. But do not give them any added privileges. This is called the Rule of Least Privileges, and it is fundamental to having correct security for your files.

    This process may take a bit of work, and it requires you to know and to understand what users are supposed to be doing—and not doing—in the file. To do this you also need to know which permissions are on and which are off by default in each Privilege Set. When a developer creates a new Privilege Set in a file, most privilege bits are off or at their most restrictive settings by default. This is correct and is consistent behavior with the Rule of Least Privileges. One of the things a developer wants to achieve in working with the security schema is to prevent an otherwise authorized user from escalating his or her privileges and gaining a level of access above the prescribed one. To that end, developers should most likely avoid in almost all situations the use of the two default subordinate level Privilege Sets: [Data Entry Only] and [Read-Only Access]. Both these contain privileges in excess of what their names suggest. If you plan to use them, carefully review the actual privileges they grant to see if those are consistent with your security model.

    Second. Invoke Encryption at Rest (EAR) on your files. This is a particularly important step; likewise, EAR offers particularly good protection, provided you use a strong encryption password. FileMaker Pro will tell you the strength of the password: Weak, Moderate, or Strong. If someone gains access to a copy of your files by any of several attack vectors, EAR prevents their forcing the file open or employing any of the so-called “password crackers” on them. Unauthorized possession of copies of files, including backup copies, is a particularly strong attack vector. It is also an attack vector that Threat Agents frequently employ.

    Third. Use File Access Protection to block manipulation of your files by other FileMaker Pro files you do not control. File Access Protection prevents unauthorized persons from pointing their files at yours and extracting, viewing, or manipulating information. An important part of effective file protection is understanding how external Application Program Interfaces (API’s) can access your FileMaker Pro business solutions and then how to control that access. This includes layout access, file metadata, and the business logic found in scripts. [You can read more about this topic here:’s-are-your-friends-right/] Some of these elements respond to fine-grain permission controls in the Privilege Set. Others do not; hence, developers should utilize File Access Protection. Additionally, it can assist in preventing users who are otherwise authorized a particular level of permissions from escalating those permissions and privileges in the file. Escalation of privileges is a key vulnerability we must try to prevent in all instances.

    Fourth. Utilize Encryption in Transit to protect your data while they are in motion between FileMaker Server and a variety of FileMaker Platform clients such as WebDirect™, FileMaker GO, and FileMaker Pro. This is particularly important when users are accessing FileMaker Platform Business Solutions by public Wi-Fi networks such as those found in coffee shops, hotels, conference centers, malls, airports, and similar venues. For that matter, it is also important when the only access is across a Local Area Network (LAN) behind a closed firewall. Just one single rogue wireless access point on that LAN can compromise it. Additionally, anyone with access to the LAN could also intercept data in transit. Encryption in Transit also helps verify the identity of the FileMaker Server and helps prevent man-in-the-middle attacks where a Threat Agent could impersonate your FileMaker Server.

    I have described four FileMaker Platform security tools that developers and administrators can use to protect FileMaker Platform business solutions:

    · Granular Access Privileges
    · Encryption at Rest
    · File Access Protection
    · Encryption in Transit

    I have attached a schematic that can serve as a reminder about these features. Remember when using these that security is dynamic and on-going. It is never a “One and Done” scenario. The FileMaker Platform provides these tools. A number of people have done a very considerable amount of work over the years to add these to the FileMaker Platform. I strongly recommend their use.
  15. Phishing Attacks on FileMaker Platform Files

    Recently I made reference in several venues to an article that described a sophisticated and interesting exploit to steal iOS credentials from a stolen Apple iPhone. You can read the full article here: The core element of the article was that when the owner discovered the theft, he activated “…all the ‘send me email when the phone returns online’ checkboxes….” Some eleven days later, the owner received an email and an SMS that the phone had been found. All the owner needed to do was to log in to iCloud to see the location where the phone was. The only problem was that the message was a spoof of iCloud. It was a classic phishing attack designed to capture the owner’s credentials.

    This episode brought back to mind an example of a similar style ruse that an attacker could possibly perpetrate against a FileMaker Pro file. I showed a brief example of this during my presentation at the 2015 DevCon. In such an attack a Threat Agent might trick a user into believing that he or she had entered credentials incorrectly, most likely due to a mistyping. Such so-called “fat-finger” errors occur all the time. FileMaker Pro presents the user with a dialog box advising of the error, and it asks the user to please try again. The user then clicks the OK button and enters the credentials again. This time, the credentials work, and the user proceeds to go about his or her business in the file.

    But there was no credentials failure the first time around. The user had entered the correct credentials. One of these dialogs is real; the other is not, and it is the beginning of a phishing attack. The purpose is to trick the user into entering the credentials a second time, so that they may be captured in clear text and later used for nefarious purposes. That subsequent credentials entry box as shown below is a bit harder to spoof than is the error message. But when an Attacker can do that, this exploit likely will trick many users and possibly even some developers. Remember, it does not have to be perfect. It only has to be good enough to trick the user.

    This is but another reason developers and FileMaker Server Administrators must carefully review their systems to be sure that no vectors are open that could facilitate such an attack. Here are some such vectors:

    · Guest Account enabled and attached to the [Full Access] Privilege Set
    · A [Full Access] Account with no password
    · A [Full Access] Account with the password stored using the File Options “Log In Using” feature.

    By default, FileMaker® Server 15 will not open such files for hosting. Administrators can authorize the hosting of such files by unchecking an option in the Server Admin Console. I strongly recommend that they not do so. Additionally, earlier versions of FileMaker Server will host such files automatically. Carefully audit those servers for the presence of such files. Steven H. Blackwell
  16. If the file is also encrypted and no one knows the encryption password, the answer is No. If the developer removed the [Full Access] accounts with the Developer Tool, the answer is No. Absent either of the foregoing, the file likely can be opened to [Full Access] but it likely will be damaged in the process. When you say: do you mean by employed that the person was a regular full-time or part-time employee, subject to withholding taxes, FICA, UI, etc? Not a contract worker and certainly not a consultant?? This makes a difference in establishing ownership rights to the file. Steven
  17. This is by no means a straightforward situation. If the person was an employee acting within the scope of his or her employment, then the most likely answer is yes the company is the owner. The further you move from that basis, the less certain the situation becomes. Plus, this will vary jurisdiction by jurisdiction. Is there no company policy regarding requiring employees acting within the scope of their employment to provide credentials at the outset? Steven
  18. As Wim noted, the Admin Console is not intended to be left open for long periods of time. What are you trying to monitor? There may be another way to do it. Steven
  19. Use of RAID 1 did not help your configuration's performance. If you want to use RAID, use RAID 10 instead. Steven
  20. I would strongly recommend that all FileMaker Platform developers and FileMaker Server Admins audit all their servers for any hosted files with any of the following credentials:

    · Guest Account enabled and attached to the [Full Access] Privilege Set
    · A [Full Access] Account with no password
    · A [Full Access] Account with the password stored and using the File Options “Log In Using” feature.

    Files with these credentials options are very vulnerable to attack and compromise. They can be used as attack vectors to mount exploits against the server that hosts them as well as against other servers and those servers’ files. Steven -- Steven H. Blackwell Platinum Member Emeritus, FileMaker Business Alliance
  21. Take a look at tech Info. It might have some clues for your situation. Steven
  22. I would not expect this to work. As a general rule the subadmins in the various Groups would not have direct access to the server itself. The CLI does not work remotely, IIRC, and has not done so in the modern Server era. The Groups can be authenticated by External Accounts, however, if that helps you any. Steven
  23. Check on the MacBook Air that credentials are not accidentally stored in the Keychain. That possibly can cause issues. Steven
  24. It is not clear exactly what you are saying here about FileMaker Server. But FileMaker Server's machine should never be set to sleep at all. Steven
  25. Have you looked at Custom Web Publishing? Steven