Brian Madden TV #11 - Citrix Synergy Preview, Pano Logic's zero client, and a phone call with Nivio

Hi guys,

You mention in every video that if you wish to purchase advertising space on your videos, you should visit www.brianmadden.com/tv and click on advertising. Hmm, where ? There is no advertising link...

NIVIO - Review

The Guy who is in video claims that Nivio is the secured software build by his company, it took me only 3 minutes after i logged on to one of the server called Tanaya2 and i was able to access there homedirectory stored in one of the non-secured clusterd environment which these guys build.

Was able to access there code...

Here is an example of that:

File Name : Nivioapi

-

-

STR_T_RejectedUsers_Select_Where_UName_Pass_Query

SELECT N_RUserId, S_UserName, S_Password, S_RejectionMode FROM iRWS_M_RejectedUsers WHERE (S_UserName LIKE '?') AND (S_Password LIKE '?') AND (S_RejectionMode = 'W')

-

-

STR_User_Logon_TS_details

select UsrLog.n_eventid, isnull(UsrLog.S_MachineName,0) as MacName, isnull(TSMap.ExternalIP,0) as ExtIP, isnull(TSMap.InternalIP,0) as IntIP, isnull(TSMap.Port,0) as Port from irws_m_userlogaudit as UsrLog left outer join NivioTSMapping as TSMap on UsrLog.S_MachineName = TSMap.MachineName where n_logauditid =?

-

STR_User_Logon_TS_SessionState

select isnull(max(n_logauditid),0) from irws_m_userlogaudit where S_UserName = '?' and B_Isvalid = 1

-

-

-

-

-

STR_GetCountry_Select_Query

SELECT Region.RegionId AS RegionId,iRWS_M_CountryMapping.Country AS Country FROM Region INNER JOIN RegionDetail ON Region.RegionId = RegionDetail.RegionId INNER JOIN iRWS_M_CountryMapping ON RegionDetail.CountryCode=iRWS_M_CountryMapping.ISO_Code

-

-

STR_GetStoragePath_Select_Query

select paramname,paramvalue from region where parentid in (select parentId from region where RegionId = '?')

-

-

STR_GetRegionID_Select_Query_UserName

SELECT RegionDetail.RegionId,Region.ParamName,Region.ParamValue FROM Region INNER JOIN RegionDetail ON Region.ParentId = RegionDetail.RegionId INNER JOIN iRWS_M_Users ON RegionDetail.CountryCode = iRWS_M_Users.S_ISO_CODE WHERE iRWS_M_Users.S_UserName = '?' or iRWS_M_Users.N_UserId = '?'

-

-

STR_UpDate_AdTable_Query_UserId

UPDATE AD_USER_MASTER SET IsProfileCreated =0,IsUserLogin =0 WHERE User_ID = ?

-

-

STR_Select_Ad_User_Master_UserId

Select IsProfileCreated AS Profile,IsUserLogin as Login from AD_USER_MASTER where User_ID =? and IsProfileCreated = ? and IsUserLogin = ?

-

-

STR_Insert_InTo_NivioRoam

Insert into nivioroam(?)values(?)

-

-

-

-

STR_Select_From_UserDetail

SELECT users.N_UserId, users.S_UserName, users.S_Password, users.S_ISO_CODE,users.dt_createddate, userdetail.S_Title, userdetail.S_FName, userdetail.S_LName, isnull(userdetail.B_Gender,0) as B_Gender, isnull(userdetail.DT_DateOfBirth,'1/1/1900') as DT_DateOfBirth, userdetail.S_Occupation, email.S_EMail, Isnull(telephone.N_TelephoneCountryCode,0) AS N_TelephoneCountryCode, Isnull(telephone.N_TelephoneCityCode,0) As N_TelephoneCityCode, Isnull(telephone.N_TelephoneNumber,0) As N_TelephoneNumber, countrymapping.Country, countrymapping.Region, countrymapping.Capital, countrymapping.Currency, countrymapping.S_CurrencyCode, isnull(countrymapping.F_USDConversionFactor,0) as F_USDConversionFactor, countrymapping.S_Symbol, isnull(countrymapping.B_IsBaseCountry,0) as B_IsBaseCountry, isnull(countrymapping.N_TelCode,0) as N_Discount, users.S_FirstTimeLogin, users.s_Flag, users.N_OrgId, isnull(MailConfirm.dt_confirmdate,getdate())as dt_confirmdate FROM iRWS_M_Users users LEFT OUTER JOIN iRWS_M_UserDetails userdetail ON users.N_UserId = userdetail.N_UserId LEFT OUTER JOIN iRWS_T_UserEMail email ON userdetail.N_UserId = email.N_UserId LEFT OUTER JOIN iRWS_T_UserTelephone telephone ON email.N_UserId = telephone.N_Userid LEFT OUTER JOIN iRWS_M_CountryMapping countrymapping ON users.S_ISO_CODE = countrymapping.ISO_Code left outer join niviouseremailconfirm MailConfirm on users.N_userId =MailConfirm.N_userId WHERE ((users.S_UserName LIKE '?') or (users.N_UserId = '?'))

-

-

STR_Select_From_NivioRoam

select N_DestinationId as DestinationId,N_SourceId as SourceId, S_Password from nivioroam where N_UserId = ? and I_RoamStatus = '?' and B_IsValid = ?

-

-

STR_Update_NivioRoam_Dynamically

update nivioroam set ? where ?

-

-

STR_ReturnUserId_Irws_M_Users

select N_userId, b_isvalid as Isvalid from irws_M_users where S_userName='?'and S_Password ='?'

-

-

STR_Insert_InTo_NivioMessage

insert into NivioMessage(S_UserName,S_Mode,N_MessageStatus,S_Message,DT_NextMessageTime,N_OrgId,B_IsValid,S_Remarks,N_CreatedBy,DT_CreatedDate,N_ModifiedBy,DT_ModifiedDate)values('?','?','?','?','?','?','?','?','?','?','?','?')

If you want i can copy paste the data from

1) MyGlobalServer.dll

2) SMXutilities.dll

First learn how to secure your servers then sell and claim your product "SECURE"

Best Wishes

GSmith

Thank you for pointing this out.

What  you have accessed are the SQL queries that are part of the upcoming

public APIs which we are releasing to facilitate other providers to

integrate with Nivio. Since the schema of the database could theoretically

be inferred from parts of it, before going live, this will be encrypted; our

team is already in the pipe for doing this.

Thank you for bringing up the actual access of this which we now realise is

due to the fact the machine was brought online to the Grid after a reboot

before GPO had been fully applied so you got in under the Group Policy

Blanket - we have now made sure each machine is security tested after a

reboot.

Please note that all user data is encrypted and no access to either users'

confidential data nor to the Nivio Grid is possible using this information.

We encrypt all passwords using hashing and we do file-system level security

to user level data.

Best regards,

Raghav Kapur, Senior Technical Officer, Nivio SA

You can email me on rkapur@nivio.com if you have any more questions.