76 Replies. Latest reply on Dec 31, 2015 11:07 PM by CarstenLevin

    Hacking a FMP12 file

    maestrodevelopment

      How easy is it to hack an FMP12 file and find a master password?  Is any such hacking avoidable?

        • 1. Re: Hacking a FMP12 file
          JavierDura

          You can remove Admin access using FileMaker Pro Advanced:

          Removing Admin access to databases (FileMaker Pro Advanced)

          • 2. Re: Hacking a FMP12 file
            mikebeargie

            Upgrade to FM13 and use encryption at rest. This is the only way to overcome the cracker utility that exists out there, although said utility requires a standalone copy of the .fmp12 file. The cracker will not tell you the password; rather, it will overwrite the existing encrypted pass string with its own. But it's easy and readily available.

             

            While you're at it, follow the rest of the advice in the filemaker security guide.

            The FileMaker Security Guide | FileMaker

            • 3. Re: Hacking a FMP12 file
              coherentkris

              Only use FileMaker Server and don't let anyone get the .fmp12 files, plus both other recommendations already posted.

              Hacking is never 100% preventable.

              • 4. Re: Hacking a FMP12 file

                There are many methods of gaining passwords that don't entail hacking the file's password.

                 

                Sit next to someone using an iPhone and watch the letters pop up. Someone used iMovie to capture these.

                 

                Capture the wireless signals from the keystrokes.

                 

                Intercept the network signal.

                 

                Tell someone you forgot your password and need to get in.

                 

                Try Admin with no password. A lot of developers use this.

                 

                While the developer is out to lunch, use his computer to send a request for a new password to his password program and then wait for the return email.

                 

                When the developer has to use the bathroom and leaves FileMaker open, create a new Full Access account and password. He probably won't notice it.

                 

                Etc.

                • 5. Re: Hacking a FMP12 file
                  jormond

                  If SSL is on and you are accessing a remote file, the data is encrypted. So the danger for most files is direct access to the file itself. As Mike pointed out, FM 13's Encryption at Rest (EAR) also helps with that. But preventing physical access to the server and the file is extremely important...and that applies to the backup files as well.

                   

                  There are some good tips from your post:

                  1. Be mindful of who is around when you enter your password.

                  2. Lock your workstation when you walk away.

                  3. Never, never leave the default admin account, or any Full Access account, without a password.

                   

                  jackrodgers wrote:

                   

                  There are many methods of gaining passwords that don't entail hacking the file's password.

                   

                  Sit next to someone using an iPhone and watch the letters pop up. Someone used iMovie to capture these.

                   

                  Capture the wireless signals from the keystrokes.

                   

                  Intercept the network signal.

                   

                  Tell someone you forgot your password and need to get in.

                   

                  Try Admin with no password. A lot of developers use this.

                   

                  While the developer is out to lunch, use his computer to send a request for a new password to his password program and then wait for the return email.

                   

                  When the developer has to use the bathroom and leaves FileMaker open, create a new Full Access account and password. He probably won't notice it.

                   

                  Etc.

                  • 6. Re: Hacking a FMP12 file
                    richardcarlton

                    +1 to Mike.  Yep!

                    • 7. Re: Hacking a FMP12 file
                      JavierDura

                      >> There are many methods of gaining passwords that don't entail hacking the file's password.


                      Don't forget this one:


                      - Read that yellow sticky note the user has on his monitor that says: "FileMaker Password: 123456". Real!

                      • 8. Re: Hacking a FMP12 file
                        martinc

                        I am getting ready to release an iPhone file that will get remote access to our served files.  How can I work on the file as the admin and remove the admin account?

                         

                        If there is no admin account, can the cracker still create one?  If it can, at that point, the new admin still has no access to the served files... right?

                        • 9. Re: Hacking a FMP12 file
                          jormond

                          The "admin" account, specifically, is less important than a [Full Access] account.

                           

                          If you remove all [Full Access] accounts from the file, you can't later create one. In that case, the file is what it is. If that is the route you take, you need a secure and bullet-proof way to get the data out of the file and into a new one, in the case of upgrades and further development.

                           

                          Then you would simply keep the master file, that has a [Full Access] account. And continue development on that file.

                           

                          Also note: the problem isn't the "admin" account. The problem is when you leave the admin account with a blank password. That is the real security risk Jack was referencing.

                          • 10. Re: Hacking a FMP12 file
                            martinc

                            Right, I meant to say Full Access. I never use Admin.  My thought was to work with a master file and release copies that have the full access account removed.

                             

                            Along those lines, has anyone heard of a script that can delete the file running the script?  In this case, if the version is outdated, I'd prefer to have the file self-destruct since it holds no data.

                            • 11. Re: Hacking a FMP12 file

                              The simplest method would be to change account names with each version. Your users will complain, of course.

                               

                              You could change passwords but users would probably change them back if you allow them to change their passwords. There may be a legal problem with you knowing their passwords so you might have to force them to change it so you won't know.

                               

                               

                              Use Advanced and remove the Full Access password before distributing and only have one account name in the file. Test this on a sample file to see if you can enable it when you last close the file before removing full access:


                              If [ Get ( AccountPrivilegeSetName ) = "[Full Access]" ]
                                Close File [ Current File ]   <--- this of course should not be in your master file and only in the copy you will remove full access from
                              End If

                               

                               

                              Since you are distributing a GUI file, you can either script in or use a table to hold a version number. When that empty file opens your main file, it passes its ID number which the main file validates.

                               

                              Self-destructing is a good idea; however, that doesn't eliminate any copies that were made.

                               

                              OnFirstWindowOpen trigger (in the distributed GUI file):

                              Allow User Abort [ Off ]   <--- hopefully this avoids the esc issue
                              Perform Script [ "Validate" from file: "<main file>" ; Parameter: 12.777 ]
                              If [ Get ( ScriptResult ) = "OK" ]
                                # proceed normally
                              Else
                                Close File [ Current File ]   <--- verify that the OnLastWindowClose trigger doesn't interfere
                              End If

                               

                              In your hosted file, script "Validate":

                              If [ Get ( ScriptParameter ) > 2.55 ]
                                Exit Script [ Result: "OK" ]
                              Else
                                Exit Script [ Result: "Invalid" ]
                              End If

                               

                              This has the problem that there is a time delay due to the internet, and if there is no connection FileMaker will hang for a while. Using a timestamp has similar problems. Insert your login capture script before the If.

                               

                              So, that brings us to what I have been working on for years, off and on. An internal firewall for FileMaker files. I used one idea for hackers where I transferred them to a honey pot file and they thought they had the jewels...
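The version-gate exchange sketched in the post above (GUI file passes a version number, hosted file answers "OK" or "Invalid", GUI file closes itself otherwise), written out as an added Python illustration. This is not FileMaker code and not the poster's own; it simulates both script halves as functions so the exchange can be run offline, and it adds the one piece the post flags as a problem but does not show: a timeout, so that an unreachable host makes the GUI file close (fail closed) instead of hanging. The version numbers 12.777 and 2.55 are the post's; the timeout value, the `slow_host` stand-in and the "Unreachable" label are assumptions made here.

```python
"""Simulation of the post's version-gate exchange (added example, not FileMaker code).

Hosted-file side: validate() plays the "Validate" script.
GUI-file side:    on_first_window_open() plays the OnFirstWindowOpen trigger.
"""
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout
import time

MINIMUM_VERSION = 2.55  # threshold from the post's hosted "Validate" script


def validate(script_parameter, minimum=MINIMUM_VERSION):
    """Hosted-file side. Mirrors: If [ Get ( ScriptParameter ) > 2.55 ] -> "OK" else "Invalid"."""
    try:
        version = float(script_parameter)
    except (TypeError, ValueError):
        # Anything that is not a number is treated as an invalid client, not an error.
        return "Invalid"
    return "OK" if version > minimum else "Invalid"


def on_first_window_open(version, perform_script, timeout=5.0):
    """GUI-file side. perform_script stands in for 'Perform Script in main file'.

    Returns "stay open" only when the host answered "OK". Any other outcome
    (Invalid, no answer within `timeout`, exception) closes the file, so the
    gate fails closed when the host is slow or unreachable. The timeout is an
    assumption added here; the post only notes that FileMaker would hang.
    """
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(perform_script, version)
    try:
        result = future.result(timeout=timeout)
    except FutureTimeout:
        result = "Unreachable"  # assumed label for 'no connection'
    except Exception:
        result = "Error"
    finally:
        # Do not wait for a hung call to return before deciding.
        pool.shutdown(wait=False)
    if result == "OK":
        return "stay open"
    return f"close file ({result})"


def slow_host(version, delay=0.3):
    """Constructed stand-in for an unreachable host: answers correctly, but too late."""
    time.sleep(delay)
    return validate(version)


if __name__ == "__main__":
    print(on_first_window_open(12.777, validate))                 # current GUI file
    print(on_first_window_open(1.0, validate))                    # outdated GUI file
    print(on_first_window_open(12.777, slow_host, timeout=0.05))  # host not reachable
```

As the next reply in the thread points out, a check like this lives in a script that the client controls, so it is a versioning convenience, not a security boundary; access to the hosted data still has to be decided by the hosted file's accounts and privilege sets.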

                              • 12. Re: Hacking a FMP12 file
                                jormond

                                Just be very careful about trying to rely on Scripts ( OnFirstWindowOpen or whatever other timing ) for maintaining security. There are ways around scripts and preventing them from firing when you expect them to.

                                 

                                Use FileMaker's built-in security properly, EAR, and common sense.

                                • 13. Re: Hacking a FMP12 file
                                  maestrodevelopment

                                  The file that I have is in FM13 and the file type is fmp12.  At the moment our solution is single user through an FM Advanced runtime solution.  This, I believe, cannot be hacked.  However, we have had to include in it a [Full Access] user account since we want users to be able to add or change IDs and change passwords.  Stripping off the [Full Access] to that would be great but does not seem workable.  We are getting our system ready to run as multi-user on FM Server.  I am not sure whether a runtime file can be run on Server.  We will try that.  If it can, that is great.  But if not, we have to expose the fmp12 files to a 3rd party purchaser of our product.  And if that file is hackable, that is our concern.  So the questions we have are (1) whether a runtime solution can allow users to change passwords and add users WITHOUT a [Full Access] account, (2) if not to (1), then is the runtime file hackable to get at the [Full Access] account, and (3) is an fmp12 file hackable assuming that we need to leave a [Full Access] account for users to change passwords, add users, etc.

                                  • 14. Re: Hacking a FMP12 file
                                    richardcarlton

                                    If it has a FULL ACCESS account enabled...and EAR turned OFF.... then I can hack it.
