Hacking Your Own FileMaker Platform Solutions
Should FileMaker Platform developers mount hacking attacks on their own solutions? At first glance, this may seem an odd question. But I believe that the answer is “Yes, we should.”
Consider this. As developers we see our solutions from a totally different perspective than Threat Agents see them. Without practicing our own hacking skills, we can become blind to the vulnerabilities a Threat Agent can exploit to compromise the Confidentiality, Integrity, Availability, and Resilience (CIAR) of our deployed solutions.
I have previously observed that we need to “Think as the Attacker thinks, not as the Developer thinks.” It will be the strength of the Defender, much more so than the strength of the Attacker, that determines the outcome of a breach of any of our systems.
What are some of the vulnerabilities a Threat Agent (i.e. an Attacker) might exploit to compromise our systems? What have we done to close those vulnerabilities and to mitigate the level of severity of impact of CIAR compromises when a breach occurs? There are a number of attack vectors to consider:
If the File Access Protection option is off, then an attacker with even lower-level privileges in the targeted file may be able to print, export, view, edit, and otherwise manipulate data in the hosted solution totally outside many of the constraints that the developer has utilized. The attacker may also be able to run scripts in the file, even if they are not attached to User Interface elements or present in the Scripts menu. The attacker may also me able to navigate to layouts in an unexpected and unauthorized fashion. And the Attacker can extract a significant amount of metadata from the file.
Are the files open to access by other, rogue FileMaker Pro files? The File Access Protection feature found in the Manage Security area of the file is designed to inhibit this behavior. But the developer must explicitly invoke that option. When it is in force, an Attacker must know a [Full Access] level password in order to define External Data Source references to our file.
What about the External API’s that work in the FileMaker Platform? Have you, as the developer, considered how these might provide unauthorized and unexpected access to your files? Some of these can be disabled via the Privilege Set bits. Examples of these include XML, PHP, ODBC, and JDBC. A Threat Agent could manipulate these and others to gain access to data and to view or to change them. An Attacker could also possibly use these to trigger scripts in an unexpected fashion.
Other API’s are harder to control, and an attacker can use them to gain access to data, to gain access to metadata, to trigger scripts, and to manipulate the User Interface and traverse among various layouts. These, to varying degrees, include Apple Events, ActiveX, FMPURL, and ExecuteSQL. Developers can control much of this behavior through the use of very finely-grained Privilege Sets. And here is where the self-hacking aspect can play a particularly important role. Try attacking your own files so you can spot the vulnerabilities a Threat Agent could employ using these API’s. I will have more to say about API’s in a future FileMaker Security BLOG post.
If a Threat Agent can gain access to a physical copy of your file, then the Agent can mount additional attacks against it. Have you tested for this? Use of Encryption At Rest (EAR) and removal of the [Full Access] Privilege Set and Accounts with the Developer Tool can help mitigate these type attacks. EAR is particularly effective, since even lower-level access can furnish multiple opportunities for compromise of CIAR.
How easy is it for a Threat Agent to discover your FileMaker Server? In many instances, organizations need to make their servers available for access via the public Internet. The presumption should be that an Attacker can discover all such servers. Sometimes this is as easy and as direct as entering the organization’s domain name into the hosts directory of Open Remote. For example, www.somebody.com will frequently resolve to the public IP address of the server. If administrators have not enabled File Access Filtering, then FileMaker Pro will display a list of available files. If, in turn, a Threat Agent can access any of these, mischief can ensue.
Alternatively, through a process known as “Google-Dorking” attackers may discover enough information about a server to be able to attempt access. So, the question is whether you, as the developer or administrator, have investigated how easy it might be to locate your server in any of these ways. It may be necessary to require authentication to access the Local Area Network by use of some process such as a VPN or two-factor authentication to protect these servers from outside access.
- Finally, be sure that you and the FileMaker Server Administrator have implemented a vigorous and robust back-up regimen for your FileMaker Platform deployment. Test that you can fully restore your system from these backups; otherwise, they are not worth too much at all. Given the rise and increasing frequency of ransom-ware attacks, this is particularly important.
Speaking recently about the MedStar Hospital ransom-ware attack (http://wtop.com/local/2016/03/medstar-paralyzed-as-hackers-take-aim-at-another-us-hospital/) one of the Editors of the SANS Bulletin (a well-known information security news letter) noted:
This case again highlights the need for good disaster recovery plans. Organizations should be planning today for how they will deal with ransom-ware and other destructive attacks - these are no longer black swan events.
These type activities have also prompted warnings by the US and Canadian governments about ransom-ware and the need to maintain continuity of business operations in light of the threats such attacks pose. (http://www.computerweekly.com/news/450280335/US-and-Canada-issue-joint-alert-on-ransomware)
So, Yes, do hack your own FileMaker Platform deployments.
Steven H. Blackwell