Home Community Discussion Forums Special Interest Boards Lookout Topic

Lookout

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Major Security Issue

Major Security Issue

‎08-17-2005 02:49 PM

Platforms: Lookout 5.0, 5.1, 6.0

Category: Security / Users

Details:  User passwords longer than 8 characters are NOT verified completely.  Incorrectly typed passwords are accepted. Passwords consisting of Alpha and/or Numeric characters are vulnerable.

Replicate: 
    Create user 'MyUser'
    Enter password 'MyPassword2'

    Login to Lookout with 'MyUser' and the above password. (Successful login)
    Login to Lookout with 'MyUser' with the password 'MyPass'. (Failed login)
    Login to Lookout with 'MyUser', password 'MyPasswo'. (Successful login)
    Login to Lookout with 'MyUser', password 'MyPasswo23'. (Successful login)
   
Suggestions: 
    Require length checking as well as binary comparisions (Case sensitive)
    Create checksums/hash of password
   
Comments:
    This is a very bad thing to have in the software.  Brute force password hacking could easily be used to bypass passwords.
    This flaw was found when testing case-sensitive passwords.
   
Contact me for more information if needed.
Mike Crabtree - Lead Developer
Destek of Nevada, Inc. / Digital Telemetry Systems, Inc.
(866) 964-6948 / (760) 247-9512
0 Kudos
Message 1 of 13
(5,556 Views)
Reply

Re: Major Security Issue

‎08-18-2005 11:05 AM

Very Interesting Mike!

I don't really see this as a security concern however.  There are many layers available to tighten up before even exposing the lookout process authentication.  Additionally, I believe the lookout.sec file would need to be made available to the remote client to properly authenticate in the first place.  Also, you can enable object specific security if needed.

Nice to know for sure!!

Ed

0 Kudos
Message 2 of 13
(5,536 Views)
Reply

Re: Major Security Issue

‎08-18-2005 11:17 AM

Im going based on a local client, as that is what most of what we have currently.  Setting levels wouldnt matter as, using a common tool (created in Visual Basic even!), brute forcing the login for Administrator woulnt leave the whole system open...

The lookout.sec file would not even come into the effect of this. 

It may not be something that most, even 99% of the systems need to worry about, but is still a rather obvious thing that needs cleaned.  If my applications included security like that, id probably be finding a new job... 
Mike Crabtree - Lead Developer
Destek of Nevada, Inc. / Digital Telemetry Systems, Inc.
(866) 964-6948 / (760) 247-9512
0 Kudos
Message 3 of 13
(5,533 Views)
Reply

Re: Major Security Issue

‎08-18-2005 11:46 AM

Point taken, and I'm not suggesting it shouldn't be corrected by NI.

You can lock down the local machines to prevent running anything like that, and of course you should have some physical security in place to prevent installation of root kits etc.  If you can't trust the people with physical access to the machine, and you don't have other measures in place to prevent corruption, you have bigger problems than lookout only using the first 8 characters!!

Cheers,

Ed

0 Kudos
Message 4 of 13
(5,532 Views)
Reply

Re: Major Security Issue

‎08-18-2005 12:20 PM - edited ‎08-18-2005 12:20 PM

We're on the same level 🙂

With some of the smaller companies out there dont usually "think" about these things thats all.
Systems we create have a highly limited user account to begin with, and installing such tools would take some work. 

Thanks for listening 😉
Mike

Message Edited by Mike@DTSI on 08-18-2005 12:23 PM

Mike Crabtree - Lead Developer
Destek of Nevada, Inc. / Digital Telemetry Systems, Inc.
(866) 964-6948 / (760) 247-9512
0 Kudos
Message 5 of 13
(5,526 Views)
Reply

Re: Major Security Issue

‎08-18-2005 02:38 PM

Thank you Mike, for reporting this issue along with the steps to reproduce.  After following your outline, I was able to observe this for myself firsthand.  I have already submitted this (just this afternoon) to our Lookout R&D team in order to address the problem.

Regards,

Jeff M.

Applications Engineering, National Instruments

0 Kudos
Message 6 of 13
(5,519 Views)
Reply

Re: Major Security Issue

‎08-18-2005 03:04 PM

Not a problem, any idea when Lookout 6 will be worth upgrading too? 😉  (Just ribbing ya)

Mike
Mike Crabtree - Lead Developer
Destek of Nevada, Inc. / Digital Telemetry Systems, Inc.
(866) 964-6948 / (760) 247-9512
0 Kudos
Message 7 of 13
(5,516 Views)
Reply

Re: Major Security Issue

‎08-18-2005 04:07 PM

Mike@DTSI wrote:
"any idea when Lookout 6 will be worth upgrading too?" 😉  (Just ribbing ya)

Mike

DITTO....but NOT just ribbin' Ya!  Smiley Mad
0 Kudos
Message 8 of 13
(5,507 Views)
Reply

Re: Major Security Issue

‎08-18-2005 11:32 PM - last edited on ‎12-12-2024 08:49 AM by Member

With Citadel5 turning out the way it did, you will want to upgrade to Lookout 6 if you want new icons or a new getting-started video... hmmm....
 
-Khalid  Smiley Wink
0 Kudos
Message 9 of 13
(5,499 Views)
Reply

Re: Major Security Issue

‎08-19-2005 09:55 AM

Mike,

Thank you for your feedback regarding Lookout security.  I understand your concerns with password checking beyond 8 characters.  Lookout passwords are not designed to be the only line of defense against intrusion.  As erblock mentioned there are many other layers available to increase system security.

The lookout.sec file should be protected against remote intrusion by enabling appropriate Windows permissions on that file.  Make sure unauthorized users cannot access the User Account Manager or copy over the lookout.sec file with their own version of the file.  Do this by making sure Lookout is the only application in the Windows startup folder, and selecting "User cannot switch to another program" in the Lookout System Options.  You must install the NT keyboard driver filter to enable this option in Windows NT.  This prevents an operator from toggling out of the Lookout and modifying lookout.sec or deleting process related security files of the form "processname.lka".  This also prevents users from running other applications, such as brute force cracking tools, on the same machine.  In cases where security is of extremely high concern the PC can be placed in a locked cabinet or room with only the keyboard and mouse accessible through a small window.


I don’t mean to trivialize your concerns about system security.  Ensuring that our customers are able to adequately secure their systems is always a consideration in our product development process.

One of the greatest benefits of Lookout 6 is, as Khalid mentioned, is the Citadel 5 database.  Lookout 6.0 also offers improved driver compatibility support, including improvements to the Modbus and Modbus Slave driver objects.  The Lookout user interface was also updated to simplify the development process.

 

Regards,

Nick Folse
Product Support Engineer – Lookout R&D
National Instruments

~~
0 Kudos
Message 10 of 13
(5,489 Views)
Reply