[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060526220100.11281.qmail@securityfocus.com>
Date: 26 May 2006 22:01:00 -0000
From: thesinoda@...mail.com
To: bugtraq@...urityfocus.com
Subject: RE: A Nasty Security Bug that affect PGP Virtual Disks & PGP SDA
, PGP 8.x & 9.x and Truecrypt.
Firstly, we appricate truecrypt team comments but on the other hand we do not agree on some.
--Adonis Comment--
I do not agree with some of truecrypt comments specially the quoted text below.
What if you had created a virtual disk and give that to someone. That someone
use it as his/her own disk and decided to change the password because they own
the disk now (You give them to them with the pass). So they did change the
passowrd, but the originator can still access that disk if he/she replace the
passphrase bytes in the binary file. So I consider this an attack on data
INTEGRITY and data AVAILABILITY since the legitimate user will be denied access
to the disk after replacing the passphrase bytes.
-- End Comment--
====================================================================
"In conclusion, this is not a "security bug", but design/feature. Also,
to exploit the design, the adversary would have to know your password
first (or have your keyfiles). That means, for example, that he would
capture it using a keystroke logger. If that was the case, then all
security would be practically lost on that machine."
====================================================================
Peace
Powered by blists - more mailing lists