
FileMaker Platform Security Update


This topic is 3545 days old. Please don't post here. Open a new topic instead.


August 4th 2014

 

 

Today, August 4th, marks fourteen years since my first post regarding FileMaker security items that appeared on the old FSA Tech Talk.  It now seems as if “…everything old is new again…”, as the song goes.

 

Two events at the just-concluded FileMaker Developer Conference bring this into sharp focus.  First, FileMaker, Inc. Senior Consulting Engineer Rosemary Tietge’s excellent presentation on the Threat Landscape should have been a trumpeting wake-up call to any who might still believe the FileMaker community is immune to present-day security issues.

 

Second, Mark Richman of FBA Platinum Member Skeleton Key posted to Twitter (https://twitter.com/mark_richman) a screen shot of many exposed files at the Conference and a subsequent warning that many of the files lacked credentials challenges. Not good, colleagues; this is not good at all. But we all owe Mark a vote of thanks for reminding us of the need to be vigilant.

 

On July 15th I posted a FileMaker Security BLOG entry with a summary and a link to a new White Paper that discusses six common exploits (or attacks) that can take advantage of one or more of seven vulnerabilities.  And I explained how to close those vulnerabilities. You can see that here:

http://fmforums.com/forum/blog/13/entry-830-an-exploit-based-approach-to-providing-filemaker-platform-security/

 

Any of these vulnerable files could have been attacked by anyone with access to the Conference wireless network or wired network.  And that includes just about anybody in or near the hotel, whether part of the Conference or not.

Failures in FileMaker security usually come from one or more of four sources:

  1. Flaws in any of the products in the FileMaker Platform.  FileMaker, Inc. reviews and fixes these from time to time and reports on them at http://thefmkb.com/13585.
  2. Exploitation of design choices related to features in the products that may have unintended or unforeseen security implications.
  3. Failure by developers and/or server administrators to use the considerable and powerful range of security features found across the FileMaker Platform. This especially includes strong passwords and rigorous application of Privilege Set options as Rosemary Tietge so well pointed out in her session.
  4. Creation, by developers, of artificial or ersatz “security” systems that almost always, without exception, introduce many avenues of attack and compromise not present otherwise. This is a target-rich environment.

I do not want to see developer reputations damaged by security lapses that are fully preventable. Likewise, I do not want to see the FileMaker Platform’s reputation damaged by these same lapses. I do not want to hear about breaches of client/customer data. I do not want to hear about lawsuits, liabilities, and so forth.

 

Please determine what assets need protecting.  What would be the impact on the asset of a breach?  What vulnerabilities could a Threat Agent exploit to cause the breach?  Then close those vulnerabilities to the maximum extent possible.

 

In coming days, I may have a good deal more to say about these items.

 

Many thanks.

 

Steven
