Date: Sat, 15 Mar 2003 19:13:02 +0100
From: Andreas Marx <amarx@...a-it.de>
To: Andreas Beck <becka@...atec.de>, bugtraq@...urityfocus.com
Subject: Re: response to tax software not encrypting tax info


Hello!

The problem with the unencrypted files is not new. In 2000 we ran a test 
of common financial office programs, including MS Money, Quicken, Lexware, 
Quickbooks etc. -- in most cases, we were able to disable the password 
protection by just changing one byte in the (mostly unencrypted) files, or 
you were able to recover the passwords in no time (with a calculator and a 
simple hex editor). To make it short - no program has reliably protected 
your data. We were always able to open the (possibly confidential) files!

The feedback we got from the developers of the programs was quite 
interesting: Most tried to increase the pressure on us to remove the test 
from our website ("to avoid legal problems"). Cool, isn't it? Actually, all 
wanted to fix the problems we found ASAP, but after checking some of the 
new versions after seeing the PivX posting, I think almost NOTHING has 
changed in the above programs. Again: All wanted to fix the problems we 
found (in 2000) ASAP, but now, three years later, all products are still 
wide open.

Here's the original German review (from the German edition of PC World, 
called PC-WELT -- we had to remove some details "to avoid legal problems"):

Sicherheitslöcher in Finanzsoftware
http://www.pcwelt.de/ratgeber/online/15806/

cheers,
Andreas

-- 
Andreas Marx <amarx@...a-it.de>, http://www.av-test.org
GEGA IT-Solutions GbR, Klewitzstr. 7, 39112 Magdeburg, Germany
Phone: +49 (0)391 6075466, Fax: +49 (0)391 6075469


