Message-ID: <20070414002842.GA18419@acs.uni-duesseldorf.de>
Date: Sat, 14 Apr 2007 02:28:42 +0200
From: Andreas Beck <becka-list-bugtraq@...atec.de>
To: bugtraq@...urityfocus.com
Subject: Re: Steganos Encrypted Safe NOT so safe

frankrizzo604@...il.com wrote:
> They boast how excellent their encryption and how uncrackable they are. 

If your findings are true, it is utterly insecure. Worse than what you
found.

Can someone confirm this vulnerability?

> Simply mount anyone's .SLE file encrypted drive into the software and it 
> will ask you for their password but won't let you in because it's 
> encrypted.

If your findings are true, it is not encrypted, but merely
access-controlled by the Steganos Software.

If it were encrypted - in the sense of "encrypted with the passphrase, so
unusable without that" - the program would simply be unable to do something 
like:

> [update detects fake key and]
> after the update and it will now PUNISH you by resetting your
> encrypted drives passwords to "123" until you buy a registered copy.

This should be impossible if the passphrase played a role in the
encryption.

> Stores passwords in clear text. 

Yes - the key must be retrievable in some way, if the password can be
changed without knowledge of the prior password.


Kind regards,

Andreas Beck

-- 
Andreas Beck
http://www.bedatec.de/
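
The distinction drawn in the message above, as an added example that is not part of the original post and does not reproduce the Steganos format: design A wraps the data key under a passphrase-derived key, design B only gates a stored key behind a passphrase check. All names, the header layout and the work factor are assumptions, and the XOR masking is a standard-library stand-in for a real key-wrap or AEAD.

```python
import hashlib, hmac, os

ITER = 100_000  # constructed work factor for this demo

def _derive(passphrase: str, salt: bytes) -> bytes:
    """64 bytes from the passphrase: 32 to mask the data key, 32 to authenticate."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITER, dklen=64)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Design A: the data key exists on disk only wrapped under the passphrase.
def wrap(passphrase: str, data_key: bytes) -> dict:
    salt = os.urandom(16)            # fresh salt, so the mask is never reused
    k = _derive(passphrase, salt)
    ct = _xor(data_key, k[:32])
    tag = hmac.new(k[32:], salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}

def unwrap(passphrase: str, hdr: dict) -> bytes:
    k = _derive(passphrase, hdr["salt"])
    tag = hmac.new(k[32:], hdr["salt"] + hdr["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, hdr["tag"]):
        raise ValueError("wrong passphrase")
    return _xor(hdr["ct"], k[:32])

def change_passphrase(old: str, new: str, hdr: dict) -> dict:
    # Re-wrapping requires unwrapping first, so the old passphrase is mandatory.
    return wrap(new, unwrap(old, hdr))

# Design B: access control only. The key is stored independently of the passphrase.
def gate(passphrase: str, data_key: bytes) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "check": _derive(passphrase, salt), "key": data_key}

def gate_open(passphrase: str, hdr: dict) -> bytes:
    if not hmac.compare_digest(_derive(passphrase, hdr["salt"]), hdr["check"]):
        raise ValueError("wrong passphrase")
    return hdr["key"]

def gate_reset(new: str, hdr: dict) -> dict:
    # No old passphrase needed: the software can always re-gate the stored key.
    return gate(new, hdr["key"])
```

A reset that works without the old passphrase and still leaves the data readable is only possible in design B, which is the audit check the message applies to the reported behaviour.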
