Message-ID: <4D471CD8.8040503@csuohio.edu>
Date: Mon, 31 Jan 2011 15:34:32 -0500
From: Michael Holstein <michael.holstein@...ohio.edu>
To: "Thor (Hammer of God)" <thor@...merofgod.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Vulnerability discloses PIN used in Microsoft Excel secure printing


> I assume it is embedded so that cancelled or queued jobs can still require PIN.  You can't have one job pause all other jobs in the queue, so it would need some way of continuing from bypass.  The whole "vulnerability" angle is pretty lame.
>   

How it works on our Xerox printers is you hit a button to pull up the
jobs and the secure ones are held (in memory, on the printer) until the
user enters the same code embedded in the job. The primary purpose is to
target the resistance against departmental printers under the "privacy"
angle. Jobs that don't have this tag print FIFO ("secure" jobs are a
separate queue internally).

The PIN is just an attribute sent by the PostScript driver and embedded in
the job. I have seen print drivers and hardware that do operate in a
"secure" manner (we have ID printers that do this), but IMHO that's more
for license compliance than actual security of the information.

The fact that Excel stores it as a printing default is interesting, but
hardly a vulnerability. If you have access to the document to see the
printing PIN in metadata, you obviously can read the document itself ..
It'd be like saying "OMG! Excel remembers what size paper I like to use".

One could argue the whole "creatures of habit" aspect around the PIN
(dammit, now I need to change my luggage), but the whole "secure print"
thing is sort of a misnomer and more of a marketing trick (internally
and externally) than anything else.

Cheers,

Michael Holstein
Cleveland State University
