lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <29881719.2230701161181804718.JavaMail.juha-matti.laurio@netti.fi>
Date: Wed, 18 Oct 2006 17:30:03 +0300 (EEST)
From: Juha-Matti Laurio <juha-matti.laurio@...ti.fi>
To: boomboom999@...oo.com, bugtraq@...urityfocus.com
Subject: Re: Utimaco Safeguard Easy vulnerability

The following vendor statement (English language) including workarounds has been released recently:

Statement on SafeGuard(R) Easy Articles regarding Configuration File Vulnerability:
http://www.utimaco.fi/servlets/ActionDispatcher?action:ws3_content_get_binary=true&scope=domain&domain_id=www.utimaco.fi&page_id=/templates/ajankohtaisteksti.jsp?ws3_page_id=tiedoteartikkeli_103&form_id=&component_id=linkin_dokumentti_104

- Juha-Matti


boomboom999@...oo.com wrote: 
> 
> Hello guys,
> 
> At this moment our company looks for a software to encrypt the whole disk drives on laptops.
> 
> I see that many companies and government  institutions use Utimaco Safeguard Easy.
> 
> First, we looked at this software as well.
> 
> However, it seems that the tool that is supposed to make laptops more secure has some serious problems related to password and key distribution.
> 
> For deployement in big companies, Utimaco recommend to implement centralized management. 
> The management is done via CFG-files that are pushed via SMS, Active Directory or otherwise.
> 
> These CFG files contain encryption keys for hard disks and floppy, as well as user passwords and backup passwords for recovery. 
> 
> The content of the file is supposedly "encrypted" as Utimaco's manual says. However, it seems that the encryption keys are hardcoded directly in the EXE file. So, they are easily recoverable and all these CFG files can be easily compromised.
> 
> I am just wondering whether it has been discussed here and someone else has seen this problem before?
> 
> I know that many government and bank institutions use this product, am I the only person to see this security whole?
> 
> Thank you
> 
> boom

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ