How secure is .fp7 format?


This topic is 5993 days old. Please don't post here. Open a new topic instead.

For the purposes of e-mailing the contents of individual records (usually text information) is the .fp7 file format considered fairly secure? In other words, if someone obtained a .fp7 file and they did not have the corresponding FMP runtime application, do hacking tools exist that could enable that someone to "read it like a book"?


In fp5, data is stored in plaintext, so all you have to do is open it in a text editor and you can see all sorts of info. I'm pretty sure this is the case in the fp7/8 file format.

In other words, it is completely INSECURE.


OK, a few points here. K1200 asks about emailing the contents. I don't know whether to take that literally or whether K1200 actually means to email a FileMaker Pro file as an attachment.

There are hacker tools that can replace the stored hash of the credentials. There are ways to defeat those tools. And ultimately, the creators of the tools will find ways to defeat the defeating mechanisms.

Second, the contents of the file are reasonably well protected from text editors, although they are not strongly encrypted.

You may want to use a commercial tool to encrypt the attachment (the FileMaker Pro file) before emailing it.

Steven


The answer is as an e-mail attachment. Here's a more complete explanation from a related post:

My situation is that I'm building a runtime application that will be running at many different sites. Users will occasionally need to e-mail the contents of specific records to another user. I wanted to use FMP's native file format (1) to provide some measure of security against someone literally reading the information and (2) to ensure that the information imports correctly if and when future changes are made to the table structures.

To use an analogy, I'm considering this situation as the difference between an unlocked door (.txt) or a locked door (.fp7) on a home versus a bank vault (encryption). As a barrier against casual viewing, it seems that the locked door (.fp7) will do the job. I only wanted to make sure everyone in the world doesn't already have a key!

Thanks for your response.

Edited by Guest
corrected a couple of key words

To clarify: I'm e-mailing a Records.fp7 file as an attached file. The record contents will be behind the "locked door" of the .fp7 format. As you stated, only someone with FileMaker AND a hacker tool to replace the stored hash of the credentials could get to the contents. The purpose of my initial question was to confirm that a Records.fp7 approach can, indeed, provide a measure of security -- or, in your words, be "reasonably well protected".

Thanks for your responses.


... Or zip the file with an additional password... also crackable, but if you make it 5 numbers and 10 characters, it takes people like 8 months to crack running industry-leading software.


To clarify: I'm e-mailing a Records.fp7 file as an attached file. The record contents will be behind the "locked door" of the .fp7 format. As you stated, only someone with FileMaker AND a hacker tool to replace the stored hash of the credentials could get to the contents. The purpose of my initial question was to confirm that a Records.fp7 approach can, indeed, provide a measure of security -- or, in your words, be "reasonably well protected".

Reasonably well protected does not mean strongly protected. You must assess the risks and the damage that would occur if a breach occurs. The hacker tools are easily obtained, as are trial copies of FileMaker Pro.

Steven


What exactly do the hacker tools do? Do they try and brute force their way in by entering passwords repeatedly, or is the FM security really pretty weak in reality? Even if they do, I've done something really, really weird (with my front end anyway). Even if you attempt to bypass the opening script, or manage to log in as anything -- it seems to spit you back out into a low privilege access account anyway. I can't even bypass it (not necessarily a good thing but hey).

But then again, I'm not exactly sure how it works sooo....


Steven said:

There are hacker tools that can replace the stored hash of the credentials.

I suppose any approach is possible. Personally, I was thinking more along the line of a file parse utility that would simply display "recognized" text fields directly out of an fp7 file.


  • 2 weeks later...

My experience has been different. I haven't been able to see any text other than "AM, PM, Yes, No" and a strange description of my printer! I've even tried some variations of UTF settings.

My guess is that the .fp7 file format uses compression on strings longer than some minimum length (4 characters?), which is why you'd only see short strings in plaintext. However, compression is NOT encryption, so probably a hacker could figure out what the rest of the strings are compressed using (some zip variant probably) and un-zip them to plaintext w/o needing the password.

This is just my best guess, I may be wrong.

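The distinction drawn in the post above, that compression is not encryption, as an added example that is not part of the original thread: a pre-send check showing that data can look opaque in a text editor yet be fully recoverable with no password. The sample records are constructed, and zlib is an assumed stand-in; the actual .fp7 layout is not modelled.

```python
import bz2
import lzma
import re
import zlib

# Constructed sample export (not real data, and not the actual .fp7 layout).
RECORDS = b"".join(
    b"id=%d;name=Jane Doe;account=ACCT-000%d;note=follow-up call booked\n" % (i, i)
    for i in range(1, 6)
)
# zlib stands in for whatever compression a file format might apply (assumption).
PACKED = zlib.compress(RECORDS)

# Stock decompressors that anyone has; none of them takes a password or key.
CODECS = (("zlib", zlib.decompress), ("bz2", bz2.decompress), ("lzma", lzma.decompress))


def printable_runs(blob, min_len=4):
    """Return the ASCII runs a text editor or `strings` would show."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def recover_without_key(blob):
    """Try each stock codec; return (codec_name, plaintext) or None."""
    for name, decompress in CODECS:
        try:
            return name, decompress(blob)
        except (zlib.error, lzma.LZMAError, OSError, ValueError, EOFError):
            continue
    return None


def exposure(blob, secret):
    """Say how `secret` is exposed in `blob`, or None if this check finds nothing."""
    if any(secret in run for run in printable_runs(blob)):
        return "plaintext"
    recovered = recover_without_key(blob)
    if recovered and secret in recovered[1]:
        return "compressed:" + recovered[0]
    return None  # not proof of confidentiality, only that these checks failed


if __name__ == "__main__":
    print("editor view hides the name:", b"Jane Doe" not in PACKED)
    print("raw export:", exposure(RECORDS, b"Jane Doe"))
    print("compressed export:", exposure(PACKED, b"Jane Doe"))
```

A `None` result only means these three codecs and a plain-text scan found nothing; it does not show that the data is encrypted.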

  • 2 weeks later...

An additional level of security can be added with the Troi Encryptor Plug-in.

Original Product description:

Secure your FileMaker data by encryption, export or email your data without risk and import safely back into FileMaker. Also helps you to verify data integrity, create text signatures, convert binary numbers and compress data. You need this plug-in if you want data to be safe! Now 8.5 Compatible!

Troi Encryptor page


  • 1 year later...

This is an old thread, so one Q I have is how/if FM9 server has changed some of the issues mentioned above.

(Also, if this is the proper approach, rather than starting a new thread?)

More specifically, I am concerned about the vulnerability of personal data in files hosted on an OSX box running FMS9 to physical breach of the HW, e.g. theft of the computer hosting the file.

How wide open is the FM.fp7 file to hacking in such a circumstance?

I've read that the passwords etc are no longer stored in the DB, and I assume the file is some kind of binary format that can't simply be read with a text editor, given FM's "proprietary compression algorithms"...

On the other hand, Steven often refers to Troi's encryption plugin, suggesting that the .fp7 format is too open?

How would that help in the case of a running server file?

Does the plugin encrypt the data continuously, or is it meant to be used for transferring data e.g. by email etc?

Any comments appreciated.
