[1188] in cryptography@c2.net mail archive
Re: MS Access 'known database attack'
daemon@ATHENA.MIT.EDU (Matthew James Gering)
Wed Jul 9 18:24:51 1997
From: "Matthew James Gering" <mgering@ricochet.net>
To: "'cryptography@c2.net'" <cryptography@c2.net>
Date: Wed, 9 Jul 1997 12:26:45 -0700
MS Access has security turned off by default. If you can open a database
w/o a password, and have full access to all the objects, then security was
not implemented.

You can implement security in Access by proper use of the system.mda. If
the hacker does not have access to the original system.mda that the
database was developed with, that is not to be distributed with the
database, nor stored on a network -- then the hacker will not be able to
gain such simple access.

That is not to say that Access is very secure, only that some of your
premises may be false. I suspect that much of it is not bad implementation
by MS, but misused and unused security by the developer.

That said, what kind of idiot would store sensitive information in Access
anyway and/or store sensitive information in any application w/o using
their own encryption algorithm on top of what limited security the
application gives.

Matt

> Unless I'm missing something, why not just determine both the hard-coded
> key and the function using a debugger? If Access can decrypt a database
> starting from scratch with no human input (e.g., password) this has to
> work... in fact, you could probably snip the actual decryption code
> right out of the Access binaries and wrap a cracker mainline around it.