Title: DEC ODBC Driver
Notice: DEC ODBC Driver V2.0 Now Available
Moderator: SQLSRV::MAVRIS
Created: Tue Dec 29 1992
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 1357
Total number of notes: 4864
[http://www5.zdnet.com/zdnn/content/zdnn/0417/zdnn0013.html]
ODBC SECURITY QUESTIONED
By Juan Carlos Perez
April 17, 1997 5:29 PM PDT
ZDNN
ODBC 3.0, which allows Windows apps to access databases on a
network, may have a "massive security hole."
Dan Morgan, a developer at a large manufacturer in the Pacific
Northwest, claims he has found an easy way to uncover passwords
and user IDs using the tracing function in ODBC 3.0. "This is a
massive, monstrous security hole," said Morgan, who didn't want
his company identified.
Morgan and his team discovered the ODBC 3.0 flaw while testing
Microsoft Office 97, which comes with the protocol. Users only
need to hit the "start" button, choose "settings," go to the
control panel, click on the ODBC icon and then check the "trace"
radio button. A log is then created that lists all the passwords
and user IDs used by that client machine to log on to ODBC
compliant systems, Morgan said.
So if a machine is left unattended, someone could quickly go
through these steps and find out this information, Morgan said.
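The check an administrator would want after learning that tracing had been switched on for a shared client is whether the trace file already holds credentials, and a way to scrub it before it is kept or forwarded. The script below is an added example, not part of the ZDNet article and not code from Microsoft's ODBC Driver Manager or DEC's driver: it scans trace text for connection strings carrying UID=/PWD= tokens, reports the line of every plaintext password, and writes a copy with the password values replaced. The trace excerpt is constructed to resemble Driver Manager output around an SQLDriverConnect call; the exact layout of the real trace file, and the assumption that UID/PWD are the only credential keywords in play, are assumptions of the example.

```python
import re

# Constructed sample of ODBC trace output (not a real capture). The trace
# records the connection string handed to SQLDriverConnect, which is where
# a DSN-less or partial-DSN connection carries the user ID and password.
SAMPLE_TRACE = """\
msaccess         a3c-b1e ENTER SQLDriverConnectW
        HDBC                0x00A51F28
        HWND                0x00000000
        WCHAR *             0x1F7E3C4C [      -3] "DSN=Sales;UID=jdoe;PWD=Winter97"
        SWORD                       -3
        WCHAR *             0x1F7E3C4C
        SWORD                       -3
        SWORD *             0x00000000
        UWORD                        0 <SQL_DRIVER_NOPROMPT>
msaccess         a3c-b1e EXIT  SQLDriverConnectW  with return code 0 (SQL_SUCCESS)
msaccess         a3c-b1e ENTER SQLDriverConnectW
        WCHAR *             0x1F7E3D10 [      -3] "DSN=Reports;Trusted_Connection=Yes"
"""

# Credential keywords assumed for this example: the ODBC connection-string
# tokens UID and PWD. Values run until a ';', a closing quote or whitespace.
CRED_RE = re.compile(r'\b(UID|PWD)\s*=\s*([^;"\s]*)', re.IGNORECASE)
REDACTED = "***"


def find_credentials(trace_text):
    """Return (line_no, KEY, value) for every UID/PWD token in the trace."""
    hits = []
    for line_no, line in enumerate(trace_text.splitlines(), start=1):
        for m in CRED_RE.finditer(line):
            hits.append((line_no, m.group(1).upper(), m.group(2)))
    return hits


def leaked_passwords(trace_text):
    """Only the PWD values that are still plain text (non-empty, not redacted)."""
    return [(line_no, value) for line_no, key, value in find_credentials(trace_text)
            if key == "PWD" and value and value != REDACTED]


def redact_trace(trace_text):
    """Replace every PWD value with a marker.

    UID is left in place: knowing which account a call belonged to is what
    makes the trace useful for diagnosis, and it is not a secret on its own.
    """
    def _sub(m):
        key = m.group(1)
        if key.upper() == "PWD":
            return f"{key}={REDACTED}"
        return m.group(0)
    return CRED_RE.sub(_sub, trace_text)


if __name__ == "__main__":
    # Audit the constructed sample, then show that the redacted copy is clean.
    for line_no, value in leaked_passwords(SAMPLE_TRACE):
        print(f"line {line_no}: plaintext password written to trace ({len(value)} chars)")
    cleaned = redact_trace(SAMPLE_TRACE)
    print("passwords left after redaction:", len(leaked_passwords(cleaned)))
```

On a real workstation the same functions would be pointed at the trace file named in the ODBC Data Source Administrator's tracing tab; the point of keeping `leaked_passwords` separate from `find_credentials` is that an audit job can alert on the former while a retention job stores only the output of `redact_trace`.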
But a Microsoft official said something doesn't add up in
Morgan's account. To nab a password using the ODBC 3.0 tracing
feature, someone would have to enable "trace" and then log off
and log on again. But to do that, you need to know the password
in the first place, said Tom Kreyche, Microsoft's SQL Server
product manager. But Kreyche admits that there could, in fact, be
a flaw.
The easiest way to avoid such a problem is to never leave your
machine unattended. If you do, you should log off, Kreyche said.
"ODBC is not and was never intended to be a secure protocol by
itself. It's a communications mechanism. To implement security
when using ODBC, you need a combination of administration
policies and other security components" like encryption, said
Kreyche.
If there is a problem, Microsoft will tackle it and try to solve
it as soon as possible, he said.
But this is little consolation for Morgan, who can't understand
why ODBC 3.0 has a trace function that opens up such a gaping
hole. And someone doesn't have to physically sit down at your
machine to run the trace function; it can be done remotely, he
said.
"I don't understand why they think they're adding value by
exposing passwords. You should be able to do all the ODBC tracing
you want without having passwords displayed."