Utimaco Safeguard Easy vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Utimaco Safeguard Easy vulnerability
From: boomboom999@xxxxxxxxx
Date: 13 Oct 2006 02:49:19 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hello guys,

At this moment our company looks for a software to encrypt the whole disk 
drives on laptops.

I see that many companies and government  institutions use Utimaco Safeguard 
Easy.

First, we looked at this software as well.

However, it seems that the tool that is supposed to make laptops more secure 
has some serious problems related to password and key distribution.

For deployement in big companies, Utimaco recommend to implement centralized 
management. 
The management is done via CFG-files that are pushed via SMS, Active Directory 
or otherwise.

These CFG files contain encryption keys for hard disks and floppy, as well as 
user passwords and backup passwords for recovery. 

The content of the file is supposedly "encrypted" as Utimaco's manual says. 
However, it seems that the encryption keys are hardcoded directly in the EXE 
file. So, they are easily recoverable and all these CFG files can be easily 
compromised.

I am just wondering whether it has been discussed here and someone else has 
seen this problem before?

I know that many government and bank institutions use this product, am I the 
only person to see this security whole?

Thank you

boom

Prev by Date: PHP Cards <= 1.3 Remote File Inclue Vulnerability
Next by Date: Bloq 0.5.4 Remote File İnclude
Previous by thread: PHP Cards <= 1.3 Remote File Inclue Vulnerability
Next by thread: Re: Utimaco Safeguard Easy vulnerability
Index(es):
- Date
- Thread