Security issues with Sybase ODBC connections?

We have a Sybase ASE 12.5.0.2 database on Win2k.  We have approximately 50 Win2k/WinXP workstations running a Visual Basic front-end to retrieve data from this database.  Data access is via an ODBC connection using the Sybase ASE ODBC Driver.  The username/password combination is hidden in the VB application and is the same for all users.

The database server is in a secure environment and Windows Access Control is considered good.  The clients are in a non-secure environment and Access Control is poor.

We have disabled the application if it discovers that Tracing has been switched on.

What are other security issues we need to think about?  Do you have any recommended solutions?
ErichN Asked:

1 Solution

leonstryker Commented:
Does the application allow the users to create and pass through query strings?

Leon

leonstryker Commented:
Even though the user/password are hidden in the exe, it can be retrieved.  What kind of permission does this login id have?

It should be limited to executing stored procedures and/or running selects on views.

Leon

ErichN (Author) Commented:
Leon,

The application completely controls the creation of query strings. I am not concerned about anything the application does - this is well controlled.  I am concerned about the contents of one table, which the user needs read/write access to.  The application restricts access to certain rows in that table.  I am concerned that if the username/password combination became known, access to the whole table would be possible.

The password is stored in various variables in different modules of the application and only put together into one string before connecting to the database - I hoped this would make it difficult to retrieve.
leonstryker Commented:
>>the user needs read/write access to

Why?  Allow access only through stored procedures.  No table access should be given.

>>The password is stored in various variables in different modules of the application and only put together into one string before connecting to the database - I hoped this would make it difficult to retrieve.

Yes, this will make it more difficult to retrieve (but not impossible).

In general, I am surprised you do not track individual user access through their logon ids.

Leon

ErichN (Author) Commented:
>> Allow access only through stored procedures.  No table access should be given.

This would be a major rewrite - but yes I understand what you are saying and will check this out more.

>> In general, I am surprised you do not track individual user access through their logon ids.

Well, we do have an 'application login' which allows us to track their access. It is not based on Sybase users, but on a table with 'application user/password' combinations.

leonstryker Commented:
>>Well we do have 'application login' which allows us to track their access. It is not based on sybase users, but a table with 'application user/password' combination.

Have you checked this for dynamic SQL access?  Try this: start the application, and when the id and password screen comes up, type nothing for the id and for the password type this:

' OR 1=1

If this lets you in, you have a big security hole.

Leon

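A way to reproduce Leon's check offline, as an added example that is not from the thread: the application-login query written once with string concatenation and once with bound parameters, run against a constructed in-memory SQLite table standing in for the 'application user/password' table. The probe is a quote-balanced variant of the ' OR 1=1 string so the concatenated statement still parses; the ? placeholder and execute(sql, params) shape are the same ones pyodbc uses, so only the connection line would differ on the real Sybase ODBC DSN.

```python
import sqlite3

# Constructed stand-in for the thread's 'application user/password' table; an
# in-memory SQLite database replaces the Sybase ODBC connection. The '?'
# placeholder and execute(sql, params) are the same DB-API shape pyodbc uses,
# so the hardened query carries over to the ODBC driver unchanged.
APP_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_user (name TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO app_user VALUES (?, ?)", APP_USERS)
    return conn


def login_concat(conn, user, pwd):
    """Vulnerable form: credentials are concatenated into the SQL text, so
    whatever the user types becomes part of the statement."""
    sql = ("SELECT COUNT(*) FROM app_user WHERE name = '" + user
           + "' AND pwd = '" + pwd + "'")
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        return False  # a parse error shows the input reached the SQL parser


def login_param(conn, user, pwd):
    """Hardened form: the same query with bound parameters; values travel
    separately from the statement, so quotes in them cannot alter it."""
    sql = "SELECT COUNT(*) FROM app_user WHERE name = ? AND pwd = ?"
    return conn.execute(sql, (user, pwd)).fetchone()[0] > 0


def audit_login(login_fn):
    """Run the thread's check (blank id, injection string as the password)
    alongside a valid and an invalid credential; returns the outcomes."""
    conn = make_db()
    probe = "' OR '1'='1"  # quote-balanced variant of the thread's ' OR 1=1
    return {
        "valid": login_fn(conn, "alice", "s3cret"),
        "wrong_pwd": login_fn(conn, "alice", "nope"),
        "blank_id_probe": login_fn(conn, "", probe),  # True means a hole
    }


if __name__ == "__main__":
    print("concatenated:", audit_login(login_concat))
    print("parameterised:", audit_login(login_param))
```

With the concatenated query the blank-id probe logs in; with bound parameters it is rejected while the valid credential still passes.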

Jan Franek Commented:
You should also check whether you have set up password encryption - otherwise the login name and password can be retrieved from captured network communication. If you want to secure all the communication, use SSL.

ErichN (Author) Commented:
Leon,
I have tested and there is no problem with ' OR 1=1.
In addition, even if they managed to trick the login somehow, a user with an incorrect pseudo username does not have access to the data I want to protect (governed by the application).

Jan Franek,
Where and how do I set up password encryption?

How do I use SSL?


Jan Franek Commented:
On the client side you can set it in the ODBC DSN properties - I think it's on the Connection tab. However, it needs some changes on the server side too - check your Sybase manuals.