Welcome to Telelogic Product Support
  Home Downloads Knowledgebase Case Tracking Licensing Help Telelogic Passport
Telelogic DOORS (steve huntington)
Decrease font size
Increase font size
Topic Title: DOORS Security Question
Topic Summary:
Created On: 25-Nov-2008 21:12
Status: Post and Reply
Linear : Threading : Single : Branch
Search Topic Search Topic
Topic Tools Topic Tools
Quick Reply Quick Reply
Subscribe to this topic Subscribe to this topic
E-mail this topic to someone. E-mail this topic
Bookmark this topic Bookmark this topic
View similar topics View similar topics
View topic in raw text format. Print this topic.
 25-Nov-2008 21:12
User is offline View Users Profile Print this message


Omair Ahmed

Posts: 8
Joined: 16-Feb-2006

All,

I have the following situation.

In our DOORS db, a fictitious user account was created. This user account was given full database administrator rights.

Two previously disabled user accounts were re-activated. One of those previously dis-abled accounts was also given higher privileges than what it previously had before.

All three accounts were modified on the same date.

The login history file shows that a particular user's PC (a user who is internal to the company) was used to login from as each two of the previosly dis-abled accounts. The fake super user account was not used to login.

The login history file shows logins by the internal user, followed by successive logins by the two previously dis-abled user ids.

It seems unlikely that the admin password was compromised as there were no logins using the admin account.

Anyone have any inkling what might have happened here?
Report this to a Moderator Report this to a Moderator
 1-Dec-2008 15:14
User is offline View Users Profile Print this message


Louie Landale

Posts: 2070
Joined: 12-Sep-2002

How do you know when the user accounts were changed?

It appears that the user whose machine was used to login the previously disabled accounts, was the one that granted the access. In any case, that user would know what happened since she/he used the accounts to login, and no doubt knows who enabled them.

- Louie
Report this to a Moderator Report this to a Moderator
 1-Dec-2008 17:38
User is offline View Users Profile Print this message


Omair Ahmed

Posts: 8
Joined: 16-Feb-2006

The date stamp on the "Last Changed" field is the same for the 3 three accounts - the two re-enabled accounts as well as the fictitious account.

The user whose machine was used claims no involvement or knowledge of what happened.
Report this to a Moderator Report this to a Moderator
 1-Dec-2008 20:49
User is offline View Users Profile Print this message


Louie Landale

Posts: 2070
Joined: 12-Sep-2002

I'm obviously missing something, but I see no such 'Last Changed' field for Users nor Groups. Please provide a little more info.

Does the user in question have rights ..err.. 'power' to manipulate the User database?

Maybe someone used that client.

You can use Triggers to get other folks to execute stuff for you. Clever hostile triggers will do their dirty work then delete themselves. But its possible such a trigger remains in the database. Look for 'DxlFind.dxl' on these forums that may perhaps find such hidden hostile triggers.

- Louie
Report this to a Moderator Report this to a Moderator
 3-Dec-2008 22:40
User is offline View Users Profile Print this message


Omair Ahmed

Posts: 8
Joined: 16-Feb-2006

The "Last Changed" field I am referring to is the last field on the Security tab when editing a user's account.

The user in question is a Standard user (did not have ability to update user accounts).

I did not find any info on hostile triggers in forum.

Omair
Report this to a Moderator Report this to a Moderator
Statistics
20925 users are registered to the Telelogic DOORS forum.
There are currently 1 users logged in.
The most users ever online was 15 on 15-Jan-2009 at 16:36.
There are currently 0 guests browsing this forum, which makes a total of 1 users using this forum.
You have posted 0 messages to this forum. 0 overall.

FuseTalk Standard Edition v3.2 - © 1999-2009 FuseTalk Inc. All rights reserved.