
Backdoor found in Quicken


A recent statement released by ElcomSoft, a Russian maker of password-recovery tools, claims that Quicken versions since 2003 have a backdoor that unlocks the strong encryption in the product with a secret 512-bit RSA key controlled by Intuit.

ElcomSoft accused Intuit of hiding this backdoor to give itself -- and perhaps government agencies -- access to users' data. Though Intuit does not deny the presence of the backdoor, it is adamant that this ability was only meant to be used by the company's support team to help customers who have forgotten their passwords.

This seems to be in order, as a quick search of Quicken's support site revealed what Intuit bills as its "password removal service," which recovers forgotten or misplaced passwords for the user at $9.95 per file.

Even ElcomSoft admits that it is unlikely this backdoor could be taken advantage of by malicious third parties, according to the Computer World article, Russians say Quicken back door could give feds access to finance data:

"It is very unlikely that a casual hacker could have broken into Quicken's password protection regimen," Vladimir Katalov, ElcomSoft's CEO, said in the statement. "[We] needed to use advanced decryption technology to uncover Intuit's undocumented and well-hidden backdoor, and to successfully perform a factorization of their 512-bit RSA key."

It is very probable that ElcomSoft made its allegations as part of a marketing ploy to draw attention to its suite of password-recovery products.

Still, the fact remains that a very well-known and popular product has a built-in backdoor that allows circumvention of its own encryption safeguards. Would you knowingly recommend and purchase such a product, whether it be for personal or corporate use?

Any rants or insights to share? Join the discussion.

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

19 comments
stewartav

Is there really anyone here who believes Windows is secure? There's enough back-doors in Windows to supply a hundred and twenty floor high-rise! Privacy? You've got to be kidding. That's why I have both "on-line" and "off-line" computers and a CD chipper. I have nothing to hide from anyone but I like making them wonder. I go to some of the most subversive sites I can find just to add to their interest. I've been a gun dealer, a gunsmith and survivalist for a number of years. I'm 66 now and don't do much of anything but play on my computers. Still, if they're watching, here's to 'em, God bless 'em.

CuMorrigu

I think it's another slip down the slippery slope of personal privacy. We are slowly giving up small bits of our personal privacy in the name of 'security,' be it against terrorists or criminals. The problem is once you start down this slope it's hard to stop and it's almost impossible to get back the rights that we gave up.

lchill

I agree with RobP, but on the other hand this is the 2nd time a little secret has slipped out about Intuit! Back in 2002 there was the auto-update checker/spyware that was found in 2000/2001 versions of Quickbooks Pro that was not only checking for updates, but also sending unrelated info about what was in the user's PC to Intuit. Not a company that seems trustworthy.

paulmah

Any rants or insights to share?

Kurse

Well said. Reminds me of a quote from Ben Franklin: "The man who trades freedom for security does not deserve nor will he ever receive either."

RobPatten

That sounds sneaky, and not something I would like to think was happening on any software I installed unless it was necessary. For example, Windows Update scans your machine to see which updates you need. I remember years ago the outrage when people discovered that the Windows 95 registration wizard submitted a summary of the PC hardware and software installed as part of the registration process. It may only be to collect usage statistics, but nobody likes the idea of such things going on without their knowledge. I still think the Quicken "back door" has been overplayed a bit, and stick by my original comment. But assuming what you say is true about the "phone home feature" in earlier versions, my estimations of the company would go downhill and I would be inclined to be less trusting.

RobPatten

I have no problem with this at all. I am sure without this "back door" many small businesses using Quicken would have been left high and dry when their bookkeeper or accountant disappeared without disclosing the password. As IT professionals it is sometimes easy to forget that not all computer users understand the importance of passwords. How many admins have to reset user passwords because they have forgotten them? Yet as an admin have you ever forgotten a server password? Or at least not written it down somewhere safe in case you did forget? That is the difference. Non-IT staff always think there is somebody who knows more than them who can bail them out if they forget their password or mess something up. Good on Quicken for building this useful feature in and probably saving the bacon of many small businesses. At least they have had the good sense and responsibility to use a high level of encryption. How many Sage users do we all know who never change the MANAGER password...?

apotheon

1. Intuit is a publicly traded corporate business entity. 2. Quicken is closed-source software. Point 1 means that you cannot trust the company to act in your best interest. Even if the people in charge this year are trustworthy (which you really have no way of knowing), the people in charge two years from now may be completely different people, and completely untrustworthy. That's the nature of corporations, and there's nothing to be done about it unless you find some way to get your software from non-corporate vendors/developers whose nature is not so mercurial from one year to the next due to executive turnover and reshuffling the board of directors. Point 2 is relevant to the fact that, with closed-source software, it's exceedingly difficult (if not effectively impossible) to be sure that you're not getting lied to by the software vendor. Open source software, among other benefits, ensures that any reasonably popular software has enough eyes on it that the vendor/developer can't expect to get away with back doors, rootkits, and other reprehensible "features" to their software -- the way vendors like Sony and Intuit can. Consider this: for each piece of closed source software in which we (the public) find back doors, rootkits, and other built-in security vulnerabilities, we don't know how many exist that we [b]don't[/b] find. We do, however, have a pretty good idea how many are in open source software -- none.

apotheon

1. This gives unauthorized people -- at Intuit and in the federal government, for instance -- access to your confidential financial data.

2. It's an [b]intentionally[/b] built-in security vulnerability. If the backdoor exists, someone outside of Intuit can find it and use it -- someone other than people you'd trust with that information, such as a malicious security cracker looking to make money with your financial data.

3. Intuit has been deceiving its customers for at least four years now. The intent was obviously not to provide password recovery for its customers, because while they do provide a password removal service, they don't tell anyone that the backdoor allows them far more access to the software's functionality than simple password removal.

(edited for clarity)

TechExec2

[b][i]"...If you didn't like the idea of the "back door" I don't suppose you'd be too keen on voluntarily sending them your data files either!..."[/i][/b]

Intuit made the mistake of putting a "back door" in their file encryption scheme. That makes them foolish and untrustworthy. I can see the value of an online backup service. But, the encryption would have to be done on my computers only, the keys would be completely under my control, and there must be no back doors whatsoever. Intuit is completely disqualified from providing the encryption, or the online backup service. I would never trust a company that is so foolish and just plain dumb.

RobPatten

I got to this point in your reply: "I know the main point of discussion here is Quickbooks, but when you made it about open source vs. closed source, you stepped well outside the realm of being able to actually support your points with statements like those." And stopped reading. I have no interest in an open source vs closed source debate, and if you think I was trying to start one you are sadly mistaken. As soon as a thread like this turns into a Windows vs Linux, Open Source vs Closed Source, AMD vs Intel, or any of the other cliche "debates" we see over and over again I lose interest because I've seen it all before and there is no right or wrong choice. I am not saying that people are right or wrong to use "mainstream" software. What I was trying to point out was that a lot of people running a small business do not have the time or inclination to look at all the options.

RobPatten

To quote again: "Protect your Enterprise Solutions data and any other business data with up to 10 GB of free online backup storage." I think it is safe to assume that they are inviting you to store your QuickBooks Enterprise data online, along with any other data you see fit. That would certainly add an interesting opportunity for malicious crackers. Why bother trying to get through one company's network security when they know there will be a whole host of financial data stored online if they can break into the Online Backup area?

apotheon

Some data is fine for online storage. Other data is not. Personal financial information, for example, is [b]not[/b] fine for online storage.

apotheon

"[i]The 'problem' with open source software is that the majority of small businesses are too busy getting on with running their business to look into or learn a new package.[/i]"

Translation: They're too busy buying anything with a butterfly or wavy multicolored grid logo to bother actually determining the best solutions for their problems.

"[i]They want something easy to use and mainstream[/i]"

Translation: They can't be bothered to find out whether something is easy to use if it isn't featured on the cover of Computer World.

"[i]something they can get instant telephone support for.[/i]"

There's no translation for that, because it's not applicable. Instant telephone support for MS Windows and friends? No such thing. Meanwhile, I love being able to actually speak to the lead developer for a piece of software when I have a problem with it. That's much better than waiting on hold for three hours while they find someone who knows something more than "restart the computer and see if that works" that doesn't have too much seniority to touch a telephone.

"[i]a lot of people prefer the 'tried and tested' option.[/i]"

Why, then, are they using software that is new, untested, and prone to failure, rather than a rock-solid system based on the Unix architecture -- which has been around since the '60s? Even Linux, a relatively recent incarnation of the Unix ideal, is about fifteen years old -- and, thus, built on a system architecture whose current implementation is about thirteen years older than, say, Vista's. I know the main point of discussion here is Quickbooks, but when you made it about open source vs. closed source, you stepped well outside the realm of being able to actually support your points with statements like those.

"[i]How many businesses do you know that could use OpenOffice, but don't, simply because Microsoft Office is the 'comfortable' standard?[/i]"

Many. I also know of many that use OpenOffice.org instead. OO.o is the "right" choice, if those are the only two you'll consider, for maximum portability and price. The fact that MS Office is more popular in no way proves it's any good for a particular purpose. Of course, in general, if you can find a way to do without either MS Office or OO.o, you should. There are much better ways to achieve the same functionality with software than either office suite. Unfortunately, most of them do not support MS Office file formats, so in cases where you deal with obstinately MS-oriented businesses you kinda need something like MS Office or OpenOffice.org at least sometimes. I, personally, need OO.o for something like four or five days at a time, once every six months -- give or take. For most purposes, most organizations will take PDFs, and there are a great many (better) ways to generate PDFs without having to use a bloated, cantankerous, unstable office suite that does more to suck up productive time than to contribute to it.

"[i]Nobody likes the idea of a cracker stealing their personal finance details, but if he wants to sell this data on, it is not going to be as valuable as if he has financial records for a big corporate outfit.[/i]"

How does that at all change how absolutely atrocious an idea it is to use software that makes it easier for someone to steal my private financial data? Anyway, the whole point of computers is automation and convenience. If you think a malicious security cracker couldn't figure out a way to automate and distribute the process of harvesting financial data from hundreds of Quicken users at a time (given a means to exploit a Quicken vulnerability), leveraging the power of his botnet for the task, you probably don't know much about computer network security.

"[i]That's not to say that the personal or small business user is not at risk, there may be enough information obtained for a cracker to commit some kind of fraud. But details of a Quicken user's monthly incomings and outgoings is not going to be as valuable to sell on.[/i]"

On the other hand, account numbers, social security numbers, and other data related to financial operations can be used much more directly than mere information about income and expenses.

RobPatten

"Online Backup Service: Protect your Enterprise Solutions data and any other business data with up to 10 GB of free online backup storage. Your data is stored in a private, secure and encrypted format at two separate locations. Online backup is a new benefit of the Full Service Plan."

Taken from the QuickBooks Enterprise solutions product overview web site: http://quickbooksenterprise.intuit.com/features/new_version.jhtml

If you didn't like the idea of the "back door" I don't suppose you'd be too keen on voluntarily sending them your data files either!

RobPatten

I don't expect to, and have no desire to change your opinion or anybody else's. The initial post asked for people's thoughts, so I offered mine. Simple as that. The "problem" with open source software is that the majority of small businesses are too busy getting on with running their business to look into or learn a new package. They want something easy to use and mainstream, something they can get instant telephone support for. I'm not saying there is no support for open source software, but a lot of people prefer the "tried and tested" option. How many businesses do you know that could use OpenOffice, but don't, simply because Microsoft Office is the "comfortable" standard? The point I was trying to make is that Quicken is not aimed at big business. Nobody likes the idea of a cracker stealing their personal finance details, but if he wants to sell this data on, it is not going to be as valuable as if he has financial records for a big corporate outfit. That's not to say that the personal or small business user is not at risk, there may be enough information obtained for a cracker to commit some kind of fraud. But details of a Quicken user's monthly incomings and outgoings is not going to be as valuable to sell on. If QuickBooks is also affected then perhaps that is less appropriate, as QuickBooks Enterprise is aimed at a different market completely. I was not trying to be flippant about security, and your argument about leaving valuables on the kitchen table is perfectly valid. But this would be more of an opportunist crime, whereas a cracker would have to know that the company used Quicken before he even started.

apotheon

"[i]However unless you are prepared to develop your own package or use open source software, you will always be relying on something that is out of your control.[/i]"

So . . . use open source software. What's the problem?

"[i]That said, Quicken is not aimed at the corporate market, it produces personal finance and small business software.[/i]"

As TechExec2 pointed out, the problem appears to apply to more than just Quicken. In any case, many small businesses [b]are[/b] corporations, and they need secure financial records as much as any enterprise (if not more so, since they'd have a harder time recovering from compromise of that security), so I don't get how your point is relevant.

"[i]You can spend forever worrying about security, but financial information stolen from an individual or small business is not likely to be of much interest to a cracker hoping to sell it on.[/i]"

That sounds suspiciously like the argument of a guy who won't install antivirus software on his computer because he thinks he doesn't have any information on the computer that anyone would want.

"[i]These crackers would also need to get hold of a copy of your Quicken data file before they can access it, and if they can get that far there are issues with physical or network security within the organisation concerned.[/i]"

True. That doesn't mean your financial records applications should be any less secure, though. Otherwise, you may as well leave your front door unlocked because if burglars can get to your front door there's something wrong with community security anyway, or you may as well leave all your firearms and jewelry out on the kitchen table instead of putting it in a safe because if a burglar gets that far your front door security has problems anyway.

TechExec2

[b][i]"...That said, Quicken is not aimed at the corporate market, it produces personal finance and small business software..."[/i][/b]

It appears that QuickBooks has it too (1)(2).

[b][i]"...You can spend forever worrying about security, but financial information stolen from an individual or small business is not likely to be of much interest to a cracker hoping to sell it on..."[/i][/b]

Sure it is! A QuickBooks file has information about both customers and vendors including methods of payment.

[b][i]"...These crackers would also need to get hold of a copy of your Quicken data file before they can access it, and if they can get that far there are issues with physical or network security within the organisation concerned..."[/i][/b]

True. All a remote hacker would need to do is install a rootkit on the computer running one of these products. Encryption is supposed to be the last line of defense. Encryption with a backdoor is stupid. Can you say "Clipper Chip"?

-----------------------------------------------
(1) QuickBooks Password Removal Tool https://dataservices.intuit.com/qbpassrm2/qb_automation.htm
(2) QuickBooks Password Reset Tool https://dataservices.intuit.com/QBPassRm/PasswordReset.aspx

RobPatten

I'm not denying there are implications. However unless you are prepared to develop your own package or use open source software, you will always be relying on something that is out of your control. That said, Quicken is not aimed at the corporate market, it produces personal finance and small business software. You can spend forever worrying about security, but financial information stolen from an individual or small business is not likely to be of much interest to a cracker hoping to sell it on. These crackers would also need to get hold of a copy of your Quicken data file before they can access it, and if they can get that far there are issues with physical or network security within the organisation concerned.