Open Source and information security mailing list archives
 
Message-ID: <200308051613.h75GDcjN062629@mailserver3.hushmail.com>
From: lorenzofaggot at hushmail.com (Lorenzo Figueroa-Acuna-Gonzales-Garcia-Ortiz-Trujillo)
Subject: ¿Bruce Schneir no intelligente?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

¡Bueno!

Reading this information, I don't think Bruce Schneier is smart.  This is an
error made by kids.  Is Matt Murphy right?

- -------------
Program description:

- ---
Password Safe is a tool that allows you to have a different password
for all the different programs and websites that you deal with,
without actually having to remember all those usernames and passwords.

Originally created by Bruce Schneier's Counterpane Labs, Password Safe
is now opening its source, and development and maintenance have been
handed off to Jim Russell. Currently, the PasswordSafe Open Source
project is being administered by Rony Shapiro.
- ---

Versions affected: 1.92b (latest) - tested both with win2k and XP.

Description: about two years ago I reported here

http://www.securityfocus.com/archive/1/213931

about some rare circumstances in which Password Safe will leave
cleartext in memory even when used in the safest configuration.

However, with the current version the situation is even worse - the
option "Clear the clipboard when minimized" is not helping at all -
you can still recover the last password used from the memory.

How to reproduce: run password safe as usual, be sure to have the
options "Clear the clipboard when minimized", "Lock password database
on minimize" selected. Copy a password into clipboard (right click ->
copy password to clipboard) and minimize Password Safe. Now the
password should be erased, but it's not! You can find the password
very easily - for example run winhex (the attacker can have winhex on a
floppy, it doesn't have to be installed), open the virtual memory
associated to the process Pwsafe, look into it (or dump to a file and
then use strings on that file). The password is there; one thing worth
mentioning - without the first character. But this is not a problem,
even if the first character is hard to guess (random password) most
systems can be brute-forced without any problem even with "bare
hands".

Solution: not much to say ... just don't trust Password Safe when
minimized ... use the win2k/xp lock feature, keep your computer in a
safe, things like that.

That's all, have a nice day,
Valentin (Vali) Butanescu
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAj8v17IACgkQaXuo1rXWHGd1ewCcCMv2VEPWqcBXUrv0YiqGtHTUJNoA
njJ6dABQSAPZ7adKWGLtjVOKuOBQ
=5qmB
-----END PGP SIGNATURE-----
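
A developer-side regression check for the behaviour reported above, as an added example that is not part of the original post or of the Password Safe project: plant a known test password, repeat the copy-and-minimize steps, dump the process memory, then scan the dump for the test password or any tail of it. The function names, the canary value and the sample dump are assumptions constructed for illustration.

```python
# Added example (not from the original post): scan a memory dump for a planted
# test password. The canary value and the dump below are constructed samples.
from typing import Dict, List

ENCODINGS = ("ascii", "utf-16-le")  # narrow and wide string forms on Windows


def find_canary_residue(dump: bytes, canary: str, min_len: int = 6) -> List[Dict]:
    """Return where the canary, or a tail of it, survives in the dump.

    Tails are searched because the report describes the password remaining
    without its first character. Only the longest match ending at a given
    offset is reported; tails shorter than min_len are ignored as noise.
    """
    hits = []
    for enc in ENCODINGS:
        seen_ends = set()
        for skip in range(0, len(canary) - min_len + 1):  # longest needle first
            needle = canary[skip:].encode(enc)
            pos = dump.find(needle)
            while pos != -1:
                end = pos + len(needle)
                if end not in seen_ends:
                    seen_ends.add(end)
                    hits.append({"encoding": enc, "offset": pos,
                                 "length": len(needle), "missing_prefix": skip})
                pos = dump.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def constructed_dump(canary: str) -> bytes:
    """Fake dump: one ASCII copy with its first byte zeroed, one intact wide copy."""
    partly_wiped = b"\x00" + canary[1:].encode("ascii")
    return (b"\x90" * 32 + partly_wiped + b"\x00" * 16
            + canary.encode("utf-16-le") + b"\xff" * 8)


CANARY = "Zx9!canary-Pw#42"  # constructed test password, never a real one

if __name__ == "__main__":
    for hit in find_canary_residue(constructed_dump(CANARY), CANARY):
        print(hit)
    # An empty result on a dump taken after minimizing means the wipe held.
```

A hit with missing_prefix of 1 corresponds to the case in the report, where everything but the first character was still readable.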



