| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: lorenzofaggot at hushmail.com (Lorenzo Figueroa-Acuna-Gonzales-Garcia-Ortiz-Trujillo) Subject: ¿Bruce Schneir no intelligente? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ¡Bueno! I reading these informacions, I no think Bruce Schneir smart. This error made by kids. ¿Matt Murphy right? - ------------- Program description: - --- Password Safe is a tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords. Originally created by Bruce Schneier's Counterpane Labs, Password Safe is now opening it's source, and development and maintenance has been handed off to Jim Russell. Currently, the PasswordSafe Open Source project is being administered by Rony Shapiro. - --- Versions affected: 1.92b (latest) - tested both with win2k and XP. Description: about two years ago I was reporting here http://www.securityfocus.com/archive/1/213931 about some rare circumstances in which Password Safe will leave cleartext in memory even when used in the most safest configuration. However, with the current version the situation is even worse - the option "Clear the clipboard when minimized" is not helping at all - you can still recover the last password used from the memory. How to reproduce: run password safe as usual, be sure to have the options "Clear the clipboard when minimized", "Lock password database on minimize" selected. Copy a password into clipboard (right click -> copy password to clipboard) and minimize Password Safe. Now the password should be erased, but it's not ! You can find the password very easy - for example run winhex (the attacker can have winhex on a floppy, it doesn't have to be installed), open the virtual memory associated to the process Pwsafe, look into it (or dump to a file and then use strings on that file). The password is there; one thing worth mentioning - without the first character. But this is not a problem, even if the first character is hard to guess (random password) most systems can be brute-forced without any problem even with "bare hands". Solution: not much to say ... just don't trust Password Safe when minimized ... use the win2k/xp lock feature, keep your computer in a safe, things like that. That's all, have a nice day, Valentin (Vali) Butanescu -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.3 wkYEARECAAYFAj8v17IACgkQaXuo1rXWHGd1ewCcCMv2VEPWqcBXUrv0YiqGtHTUJNoA njJ6dABQSAPZ7adKWGLtjVOKuOBQ =5qmB -----END PGP SIGNATURE----- Concerned about your privacy? Follow this link to get FREE encrypted email: https://www.hushmail.com/?l=2 Free, ultra-private instant messaging with Hush Messenger https://www.hushmail.com/services.php?subloc=messenger&l=434 Promote security and make money with the Hushmail Affiliate Program: https://www.hushmail.com/about.php?subloc=affiliate&l=427
Powered by blists - more mailing lists