[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Sat, 15 Mar 2003 19:13:02 +0100
From: Andreas Marx <amarx@...a-it.de>
To: Andreas Beck <becka@...atec.de>, bugtraq@...urityfocus.com
Subject: Re: response to tax software not encrypting tax info
Hello!
The problem with the unencrypted files is not new. In 2000 we made a test
of common financial office programs, including MS Money, Quicken, Lexware,
Quickbooks etc. -- in most cases, we were able to disable a password
protection by just changing one byte in the (mostly unencrypted) files, or
you were able to recover the passwords in no time (with a calculator and a
simple hex editor). To make it short - no program has reliable protected
your data. We were always able to open the (possible confidential) files!
The feedback we got from the developers of the programs was quite
interesting: Most tried to increase the pressure that we remove the test
from our website ("to avoid legal problems"). Cool, isn't it? Actually, all
wanted to fix the problems we found ASAP, but after checking some of the
new versions after seeing the PivX posting I think, almost NOTHING has
changed in the above programs. Again: All wanted to fix the problems we've
found (in 2000) ASAP, but now, three years later, all products are still
wide-open.
Here's the original German review (from the German edition of PC World,
called PC-WELT -- we had to remove some details "to avoid legal problems"):
Sicherheitslöcher in Finanzsoftware
http://www.pcwelt.de/ratgeber/online/15806/
cheers,
Andreas
--
Andreas Marx <amarx@...a-it.de>, http://www.av-test.org
GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
Phone: +49 (0)391 6075466, Fax: +49 (0)391 6075469
Powered by blists - more mailing lists