Preventing Password spy programs

[Charles Delfs]

Hey all, I have an application that I would like secure, but I know passware spy type programs will reveal the PW. I heard once, a way to defeat this with other special characters, what is the method to do that? and, is there still a less easy way to defeat it?

Charles

[Anatoli]

It was posted somewhere here, that even without password revealing program the FM password encryption is weak and was done probably by 8 year old son of cleaning lady at the FMI headquarters.

It was also described in the same thread, that FM is sending all passwords weakly encrypted to the connecting client.

The security FM Inc. achieved is at best called "security through obscurity".

Just my 2p

[CobaltSky]

Anatoli said:...at best called "security through obscurity"

Kinda like hiding the front door key under the doormat, eh Anatoli?

It's true that FileMaker (along with quite a few other commercial products) doesn't use adequate encryption to protect its passwords and, sadly, this has been the case up to and including the current version. I wait with interest to see what FMI may do in the future.

It's also true that there are a range of things that can be done to make it difficult for most users to use the currently available cracker tools and spyware to 'see' your passwords - but advanced users (and especially Dj ) are likely to be able to circumvent at least some of these techniques.

It's also true that if anyone were to list some of the techniques here or elsewhere, you can bet that within hours or days, new versions of the spyware would be available that would defeat them. For that reason, if anyone on this site or a site like it *does* tell you a technique, *don't use it* because by the time your solution hits the market that technique will already be a dead duck. Even if someone tells you a technique privately, don't use it - you can bet if they told you, they will tell others (and others will tell others) and it will be three weeks at the most before every hack tool publisher on the planet has it nailed.

In fact the best measures (the only ones you can place any reasonable hope in) are the ones that are least widely known and preferably, ones that you come up with yourself and tell no-one else about. An hour or two of experimentation on your part will likely translate into an at least equal number of hours of frustration on the part of would be hackers - many of whom will give up before that. So, in short, I can confirm that work-arounds exist (some more effective than others) and I encourage you to experiment.

All of that having been said, I'd also recommend that you use the Developer tool to permanently prevent modification of the database structure (whereupon everyone - except possibly Dj - will no longer be able to go into Layout Mode or Define Fields or ScriptMaker etc - even if they discover the master password).

You might also like to pay a visit to the NMCI web site and take a look at a product there called 'Password Administrator'. It has a number of uses, several of which can enhance password security.

No perfect solutions, I'm afraid, but several things which may be worth following up nevertheless...

[Anatoli]

CobaltSky said:

Kinda like hiding the front door key under the doormat, eh Anatoli?

[BobWeaver]

Charles,

Using special characters may have fooled some password crackers, but I would not make any assumptions about the enemy's capabilities now.

I mentioned the insecurity of FM passwords being delivered by FM Server in at least one or two threads a while back. In the thread below I posted a screen shot from an application I wrote to demonstrate how FM file passwords could be pulled off a server:

http://www.fmforums.com/threads/showflat.php?Cat=&Board=UBB27&Number=46880&page=3&view=collapsed&sb=5&o=all&fpart=all

It's about 6 messages from the tail end of the thread.

Without going into any explanations why you should do this (because as Ray says, as soon as it's explained someone will come up with a new attack), I will simply say that the safest system that I can envision is one where the files reside on a server, and they are protected with one of the New Millennium products which do what is known as password shielding (or use the developer tool to strip the design information). That will protect your design information (scripts, field definitions, etc.) but not necessarily the data. If you want to protect the data as well, then you need to very carefully control access to the data either by group access, scripts or a combination of both. And custom login systems can come into play here as well.

As developers, we are often only concerned that someone may be stealing our layouts, scripts and calculation formulae. But, you have to look at it from your client's point of view too. The client wants to know that his data is secure. He likely couldn't care less if someone steals your field definitions or scripts. But if someone steals his customer list or his annual sales figures he is going to be really pissed off. So, you have to consider your client's concerns as well as your own.

[Steven H. Blackwell]

Take a look at FileMaker, Inc. Tech Info Letter 108462.