Tony's Microsoft Access Blog : Security

Sites pulling sneaky Flash cookie-snoop

Tony — Thu, 08 Oct 2009 02:13:15 GMT

“What's far less well known is that Adobe Flash software also features cookies that can be used in much the same way as HTTP cookies. Flash cookies can be used for storing the volume level of a Flash video but the technology can also be used as "secondary, redundant unique identifiers that enable advertisers to circumvent user preferences and self-help", the academics warn.

A significant percentage of websites including federal government sites use this Flash-based technology to track users, the researchers discovered. The technology is sometimes used as a means to "undelete" the information in browser-based cookies that a user might have thought they had cleared from their system when they deleted their browsing history, the academics explain.”

http://www.theregister.co.uk/2009/08/19/flash_cookies/

More info and a script here Online Privacy Tips

Added - Jim Mack informed me of the CCleaner (apparently the first C is short for cr*p) that cleans those up. I cleaned my system using the above mentioned script an hour or two ago and since found three flash cookies from a website ytimg.com for which no web page exists but is apparently for YouTube. Which makes sense as I had indeed visited YouTube in there.

Key fobs for logging onto domains

Tony — Mon, 29 Jun 2009 02:22:38 GMT

A while back I read that Paypal were offering key fobs for logging onto their system. Also a while back fellow MVP Susan Bradley mentioned the AuthAnvil Tokens in her SBS Diva blog entry The "Later" Decision. This is looking like a very interesting solution for business environments.

What's a key fob? I'm not sure exactly what the official name, if any is. This is a device which is about the size of your little finger and generates a 4 to 8 digit random number every 30 or 60 seconds. You use it in addition to your userid and password to log into systems. So this is an extra authentication measure.

Now I'm no IT admin so I don't understand all the nuances here. But it would appear that you can, for example, force users who are remote to use the key fob and yet if they are on your physical LAN they can log in without it.

Looks like a very useful idea. And Dana Epp (good Mennonite last name there) is a fellow MVP.

(Jim, I have additional information if you're interested in it.)

Who is reading your email?

Tony — Fri, 19 Jun 2009 00:35:41 GMT

E-Mail Surveillance Renews Concerns in Congress What about your ISP or mail server hosting service? Or even Google, Yahoo or Hotmail.

For the record I've had discussions about privacy issues with employees of Microsoft. Not only do I doubt corporations snoop through your email on a regular basis I'm sure access is tightly restricted and logged. Therefore should an upset ex girl/boy friend/spouse/whatever start snooping around and you make a complaint then it's very likely their employer can go through the logs and fire them.

But then who knows what happens if your at the periphery of an investigation because of your brother-in-law who you've never liked. Yes, one of my job titles is paranoid pessimist.

Security experts state that you should think of email as a post card rather than a letter in an envelope.

I'd like to see greatly increased use of encryption in emails. Look up security, encryption, digital signatures, digital IDs or S/MIME in your email software help system. And you can get a personal certificate for free using Thawte's Web of Trust.

While you're at it see if you can use SSL authentication with your ISP or web hosting service as another security layer. I use OpenVPN between my laptop and my web/email server.

An older version of MSCOMM32.OCX has had the "kill bit" flag set.

Tony — Mon, 15 Jun 2009 00:28:56 GMT

The latest Windows Update has set the kill bit flag for an out of date but commonly used version of mscom32.ocx. Microsoft Security Advisory (969898)

Options

- roll back the update. Not recommended however instructions are in the above web page.

- locate the newest version of mscomm32.ocx and distribute to your users/customers. Not recommended as this will require the users to have admin privileges on their system to install the OCX or for the IT staff to do the update. In the meantime your app's serial port logic isn't working

- replace the mscomm32.ocx with API code. Perform Serial Port Communication - The sample code on this page consists of a VB module containing a collection of routines to perform serial port I/O without using the Microsoft Comm Control component. The module uses the Windows API to perform the overlapped I/O operations necessary for serial communications. Recommended

Symptoms

Errors such as

"<your application> doesn't support this ActiveX control".

"no inserted control" (or something like that)

"Object doesn't support this property or method"

When you open the form in design view you will get the following message "There is no Object in this control" and the control will no longer show the telephone icon.

DbUtilities - Transfer object permissions from a secured database to a new database container

Tony — Sat, 23 May 2009 23:57:46 GMT

The first item "is a fantastic re-write of DbUtilities which, as an Add-in, makes it easier to transfer the object permissions from a secured database to a new database container. " Author: Jeff Conrad (aka "Access Junkie"), former Access MVP and now a test for Microsoft.

Sandra Daigle's Microsoft Access Database Samples as well as other useful utilities. Including "a way to open and manage multiple instances of a single form using a collection class"

Encryption and developers

Tony — Tue, 18 Nov 2008 21:14:01 GMT

A newsgroup poster recently stated:

I found a freeware dll, md5lib.dll, on the web and am trying to use it in Access 2003.

My reply (which has been added to for the purposes of this posting)

I would strongly urge using the CryptoAPI as specified by Microsoft. Read the documentation thoroughly on MSDN. Although MSDN can be difficult to plow through.

See Security Alert: Debian & Ubuntu Linux Weak Encryption Keys which in turn has links to a number of articles such as DSA-1571-1 openssl -- predictable random number generator

My point is that rolling your own solution or using someone else's solution without you thoroughly understanding encryption and the code can cause problems. I trust Microsoft to do a good job with their code. I would've generally trusted open source systems as there are lots of folks reviewing the code. But that didn't work in this case. I certainly would not at all trust do it yourself code or dlls found on the web.

Security expert talks Russian gangs, botnets

Tony — Sat, 08 Nov 2008 20:01:14 GMT

Security expert talks Russian gangs, botnets

A very interesting story about a very low profile Botnet which has been around since 2002. "50 gigabytes of compressed data, searchable in a MySQL database. "

New type of phishing spam targeting domain owners

Tony — Tue, 28 Oct 2008 06:39:01 GMT

I get 300 to 500 spams per day and Mail Washer Pro does a darned good job of removing the crap. This last day or so I've been noticing a new type of spam targeting the owner of my domains. Text is below. The right most two domain chunks, in this case com72.biz, have varied substantially among the spams. Looks like that particular domain isn't working.

The text of the spams has varied slightly but this is the general theme. At least from what I could recall as it didn't dawn on me to think about how many of these spams I'd been receiving until just now.

Tony

Dear eNom Customer,

Starting at 1 AM PT on Saturday, November 1st, 2008 until 4 AM PT, we will be
conducting maintenance on our database and datacenter resulting in the following
sites and services being unavailable:

    * Main site
    * All web hosting services
    * Email services
    * Communication with the registry affecting new registrations, renewals, and
transfers

For access your account follow this link - http://www.enom.com.com72.biz

The following services will not be affected and will continue to be fully
operational:

* DNS will resolve normally - although operational through this downtime, any
changes to DNS settings may be delayed intermittently for a period of up to 24 hours
from the start of the maintenance period
* Email forwarding and site redirection will operate normally

We anticipate the maintenance will only last up to 3 hours. We apologize for any
inconvenience during this short maintenance and thank you for your patience.

Sincerely,
eNom Tech Support

How to secure your personal data on a removed hard disk drive.

Tony — Mon, 27 Oct 2008 17:39:45 GMT

How to secure your personal data on a removed hard disk drive. That works. A bit extreme mind you. I'd also ensure I was upwind.

Investigation confirms proper safeguards were in place for stolen laptop computer

Tony — Tue, 21 Oct 2008 23:14:05 GMT

So is employee information in your business encrypted? If not why not? (Note that just employee names isn't that big of a deal as they would mostly be in the phone book anyhow.)

Investigation confirms proper safeguards were in place for stolen laptop computer

"An investigation by the Office of the Information and Privacy Commissioner (of" Alberta) has determined that East Central Health had proper safeguards in place to protect health information contained on a laptop computer which had been stolen."

Let me add that Two Hills, Alberta is a village with a population of about 1,000 people. So it would be quite easy for the supervisor to notice a loitering individual and identify them to the RCMP. And the RCMP have a very good idea of who the unsavory individuals are in their towns and villages.

That said even if the laptop hadn't been recovered it would appear that East Central Health still followed proper procedures for encrypting the data.

I've forwarded the above to the The Risks Digest - Forum On Risks To The Public In Computers And Related Systems http://catless.ncl.ac.uk/risks as an example of what you are supposed to do. They have too many postings of the problems encountered and not enough good ones. <smile>

There are no statistics available on how many readers there are of that digest given the widely distributed nature of it's various communications methods. However I would suspect that it is in the millions of security conscious computer professionals around the world.

I also cc' d the folks at East Central Health and the local MLA, a provincially elected official.

Interesting WPA/WPA2 and docx, zip, etc. files cracking breakthrough

Tony — Sun, 12 Oct 2008 21:36:39 GMT

Slash dot reported Elcomsoft Claims WPA/WPA2 Cracking Breakthrough. There are some details there though so if this issue affects your corporate network, ensure you read the details.

Note the large number of file formats which it will brute force crack the password including Office 2007 documents and Zip files as well as Windows OS password files.

Now if you use a long pass phrase this may take so long as to be useless. Because each additional character in your pass word/phrase can lengthen the cracking time by 30 or 50 times. Note however that I am not a security expert so I don't know what I'm talking about.

Now imagine this as being part of a botnet with thousands of systems cracking away. There's quite a lot of money to be made if you are the bot herder.

Also do ensure you keep the passwords/phrases in a secure location, including offsite for both personal and business. If you die or become disabled due to illness your family wouldn't be able to open your personal accounting files to work on your estate. Yes, even if you're under the age of thirty. happens. Be prepared for the worst.

Stunningly weak Yahoo password security

Tony — Fri, 19 Sep 2008 02:24:56 GMT

I was wondering just how the hacker got into Palin's account so easily.

"Rubico claimed the actual intrusion into Palin's account was a relatively easy matter. It began after Rubico read news accounts claiming Palin used gov.palin@yahoo.com in her official capacity of governor of Alaska - which, if true, would skirt the state's open government laws. Rubico then hacked Yahoo's password recovery feature. In 45 minutes, he had her birth date, and two possible zip codes, and soon after that online research revealed Palin met her spouse, Todd, while they were students at Wasilla High School, in Alaska."

http://www.theregister.co.uk/2008/09/18/palin_email_investigation_continues/

What is the name of my favourite pet, mothers maiden name, etc, etc. Gotta love all those password recovery questions. I frequently put in words that some, including my mother, would consider offensive.

I was extremely upset when some genealogy buff put my full name and birth date on a web page a number of years ago. Along with my parents and siblings information. That page is gone now. And thankfully genealogy software doesn't do that by default any more.

Back in the days of bulletin board systems in the early '90s a friend found that many of the local BBS sysop's used the same password on their own BBS's as well as when logged into other BBS's. Duh! He was happy to see that that didn't work for me.

How many other website's use similar systems? Hopefully they're all having a massive "Oh sh*t" moment. Including the banks.

With Software, Till Tampering Is Hard to Find

Tony — Tue, 02 Sep 2008 03:15:45 GMT

A very interesting story on till tampering and cash in restaurants. With Software, Till Tampering Is Hard to Find Indeed any cash business. Thanks to Slashdot for the link

However that story concentrated on business owners and missed one area of attack. "Thieves put a zapping program onto a portable flash drive so it can be run and then removed from the machine, leaving no trace." What's to say employees who are working by themselves for a few minutes won't insert a USB memory key or CD Rom drive?

I recall a City of Edmonton police detective talking about a similar fraud at a rental business 25 years ago. The system operator deleted the occasional cash transaction from the tables for short term rentals of a day or less and pocketed the cash. The employee was only caught because a person doing the cash balancing at the end of the day realized he was missing a $100 bill he had put in the cash box earlier.

How is this Access related? If you're working on an application that handles cash think about how someone could poke about in the tables and start deleting transactions manually. Sure, there would likely be missing autonumbers but that doesn't mean much and certainly isn't proof of anything.

Anything that you could think about doing someone with a zapper program could figure out. See Sysinternals File and Disk Utilities. Ok, that's getting pretty complex for a mere waiter. Oh wait, a friend of mine has a degree and put himself through university as a waiter.

You're using a SQL Server database? The user could possibly be using some software running from the USB thumb drive to examine the tables directly. If security isn't setup properly. And I know next to nothing about SQL security.

Malicious Thumb Drives

Tony — Sat, 23 Aug 2008 02:41:52 GMT

"Please be advised that two USB thumb drives were discovered on the 9th Floor of the Bicentennial Building. One was discovered in the Men's restroom yesterday afternoon. Another was found this morning on a facsimile machine. The drives contain malicious code that automatically and silently executes when the drive is plugged into a system. The code captures certain system information and transmits it out of DOJ."

Malicious Thumb Drives in Justice

Thanks to Risk Factor Thumb Drive Security Peril at US Justice Department for pointing this out.

Note that I've been given thumb drives at trade shows and such. Including one that died four days later.

MS08-041 : The Microsoft Access Snapshot Viewer ActiveX control

Tony — Fri, 15 Aug 2008 04:46:18 GMT

MS08-041 fixes a vulnerability in the Microsoft Access Snapshot Viewer ActiveX control. It’s an interesting vulnerability so we wanted to go into more detail about platforms at reduced risk and also more about the servicing strategy for this vulnerability.

MS08-041 : The Microsoft Access Snapshot Viewer ActiveX control

Vulnerability in the Snapshot Viewer for Microsoft Access

Tony — Tue, 08 Jul 2008 06:12:49 GMT

Microsoft Security Advisory (955179) - Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution

(I've always wondered how they can come up with a FAQ section on a brand new vulnerability. But hey, what do I know.)

Note that the Multiple Microsoft Access Snapshot Files Printing Utility on my web site uses the default Snapshot Viewer control. However this vulnerability is of most concern if the user browses a web site which opens up a .snp file.

Stopping SQL Injection in its Tracks

Tony — Fri, 27 Jun 2008 23:49:28 GMT

Stopping SQL Injection in its Tracks Highly recommended if you are running ASP or IIS.

News Flash: Spaces are legal characters in both filenames and passwords!

Tony — Thu, 05 Jun 2008 00:35:26 GMT

News Flash: Spaces are legal characters in both filenames and passwords!

My comments to that posting:

I didn't know spaces were valid in a Windows password until I happened to be watching a Microsoft video a year or three ago. Oh I knew all about file names having spaces but not Windows passwords.

I'm a database developer specializing in MS Access for the last ten or fourteen years. I've been using Windows at least that long.

Many, many users don't know that either. I've asked around. I'd suggest adding some text to the Windows login screen.

Don't Forget To Lock Your Computer

Tony — Fri, 16 Nov 2007 20:53:30 GMT

Don't Forget To Lock Your Computer

Access 2000 security patches

Tony — Sat, 10 Nov 2007 01:43:00 GMT

Warning: Microsoft Update, which includes Windows and Office Updates, will not locate Office 2000 patches.

I was a bit startled recently when I managed to somehow get to an Office Update screen that informed me I was missing a number of Office 2000, and thus Access 2000, security patches. Yet I had visited Microsoft Update recently and there weren't any outstanding Office 2000 patches.

Some research and asking questions of Microsoft brought out the explanation that Office 2000 doesn't use a recent enough version of the MSI (Installer) package which the Microsoft Update requires. Office 2000 is in "the Extended Support portion of the Product Lifecycle." Given that the Office Update supports Office 2000 this was sufficient.

However my big problem was that I couldn't find that Office Update screen. Which I went to the Office Online page and clicked on "Check for Free Updates" on the upper right hand side this took me to Office Online Updates. The nice orange command button titled "Check for Microsoft Updates" wasn't the Office updates screen I had previously found.

Aha, a little while later I noticed the unobtrusive link just below that large bold font orange command button. Office Update: Get additional Office updates And now I was able to find the Office 2000 Updates.

I'm slightly irritated by the Office Update finding me some Word, PPT and Outlook 2000 patches. Those products were never installed on this laptop. Just Access 2000. However I'm not going to worry about that.

Thanks to the awesome MVP Leads Jamie and Sloan for digging up and having the explanation.