Sysadmin cracked military PC’s security by reading the manual

JimboSmith Silver badge

At a previous employer's a good few years ago they used an industry standard DOS program. It was still a DOS version despite XP now being the latest Windows version. Each brand had a mission critical database on the system that you needed to be authorised for before you could read or edit the data. The security was such that giving a user a level of access for each database was possible. The program needed at least one administrator to be set to assign other users their access level. There was read only/read and write only/administrator (with ability to dump data out). They also required you to license each database each month by manually inputting a code they gave you every 30 days.

However I spotted a flaw with this because after entering the code it just left a licensed database on the server. If you had a copy of the program you could simply copy the database file/files to your computer and use that to access the data. You just used your own login on your version of the program and bingo you had access until the code needed to be re-entered. So you could have a month of access doing that to a competitor's data. Once you did though it was easy as admin on your version to dump the data out. Of course you had to get access first but a disgruntled employee or a hacker could do that. I pointed this out to both my employers and the firm concerned. The employers were quite concerned and took measures to restrict access to where the databases were stored on the system. The software company didn't think it was a major problem and it would doubtless be fixed in the Windows version when it arrived shortly. The problem with that was the Windows version had been "arriving shortly" for some time.

