Message-ID: <20070411183013.9287.qmail@securityfocus.com>
Date: 11 Apr 2007 18:30:13 -0000
From: frankrizzo604@...il.com
To: bugtraq@...urityfocus.com
Subject: Steganos Encrypted Safe NOT so safe

Sometimes greed can be the downfall of the greatest people and nations, but in this case it's software. Steganos Encrypted File Safe for Windows is one of the most commonly used file security systems in the world. They boast how excellent their encryption is and how uncrackable they are. This is probably the easiest way to get past encryption I have ever seen. When you make an encrypted drive with Steganos, it creates a .SLE file which is stored in your Documents and User Files.

This next part is where the greed comes in, and since this exploit involves an anti-piracy mechanism I don't recommend using serial codes that you didn't pay for, but I will need to mention it for this example.

You simply install a copy of Steganos Safe 8 (but not the new security suite), and when doing this you turn "OFF" the update feature temporarily and use a fake serial code you get off the net. Simply mount anyone's .SLE file encrypted drive into the software, and it will ask you for their password but won't let you in because it's encrypted.

From this point you want to turn the "update" feature back on and force Steganos to update by right-clicking it in your system tray or restarting the software. From this point it will detect that you had used a fake or known serial after the update, and it will now PUNISH you by resetting your encrypted drives' passwords to "123" until you buy a registered copy.

Some encrypted drive software, huh? Stores passwords in clear text. Why didn't they just disable the software instead of punishing everyone and leaving anyone's safe files vulnerable to a faulty serial used on the copy of Steganos being used to view your sensitive data?

This was a real eye-opener for me as to how good Steganos Encrypted Safe is. Greed will get you every time!
