ICANN/GNSO GNSO Email List Archives

[ga]



[ga] Bridging the gap: Why privacy and security are so important VIII - Microsoft Dynamics GP "Encrypted" Using Caesar Cipher

  • To: ga@xxxxxxxxxxxxxx, dansimon@xxxxxxxxxxxxx, robert.smith1@xxxxxxxxxxxxx, rod_beckstrom@xxxxxxxxx, monitor@xxxxxxxxxxxxx
  • Subject: [ga] Bridging the gap: Why privacy and security are so important VIII - Microsoft Dynamics GP "Encrypted" Using Caesar Cipher
  • From: "Jeffrey A. Williams" <jwkckid1@xxxxxxxxxxxxx>
  • Date: Sun, 23 May 2010 16:01:28 -0500 (GMT-05:00)

All,

  Very important information, if accurate, for those that participate
in any sort of ecommerce using their credit card online. Let's hope
that Dan Simon, a member of ICANN's SSAC, see: 
http://www.icann.org/en/committees/security/
can get this addressed in a strong corrective manner
and that NO ICANN registries or registrars are using or have been
using MS's Dynamics GP product for accounting or transactional
purposes to date and NO Registrants have been impacted or otherwise
affected.  If they have, let's hope that ICANN's SSAC will
immediately conduct a security audit as would be appropriate, accordingly.
See:
https://it.slashdot.org/story/10/05/21/1437227/Microsoft-Dynamics-GP-Encrypted-Using-Caesar

"Many large companies use Microsoft's Dynamics GP
product for accounting, and many of these companies use it to store
credit card numbers for billing customers. Turns out these numbers (and
anything else in GP) are encrypted only by means of a simple substitution
cipher (http://www.christopherkois.com/?p=448). This includes
the master system password, which can be easily selected and decrypted
from the GP database by any user. Quoting: '[Y]ou DON'T HAVE TO GIVE
ACCESS TO THE DYNAMICS DATABASE. What that means is if you create a
base user in GP, that user can log into the SQL server and run a select
statement on the table containing the "encrypted" GP System password.
Not good.'"

Update: 05/22 02:57 GMT by T (http://www.monkey.org/~timothy/): The
original linked post has been revised in a few places;
significantly, the following has been added as a correction: "By default,
GP gives the user access to the DYNAMICS database but the user CANNOT
login to the SQL server using SQL Enterprise Manager.


Regards,

Jeffrey A. Williams
Spokesman for INEGroup LLA. - (Over 294k members/stakeholders and growing, 
strong!)
"Obedience of the law is the greatest freedom" -
   Abraham Lincoln

"Credit should go with the performance of duty and not with what is very
often the accident of glory" - Theodore Roosevelt

"If the probability be called P; the injury, L; and the burden, B; liability
depends upon whether B is less than L multiplied by
P: i.e., whether B is less than PL."
United States v. Carroll Towing  (159 F.2d 169 [2d Cir. 1947])
===============================================================
Updated 1/26/04
CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of
Information Network Eng.  INEG. INC.
ABA member in good standing member ID 01257402 E-Mail jwkckid1@xxxxxxxxxxxxx
Phone: 214-244-4827




