Security Forums

Warning to Steganos Encrypted safe users - NOT SO SECURE

Forum: Cryptographic Software and Hardware

FrankRizzo (Just Arrived)
Joined: 11 Apr 2007
Location: Vancouver, BC, Canada
Posted: Wed Apr 11, 2007 8:02 pm
Post subject: Warning to Steganos Encrypted safe users - NOT SO SECURE

I posted this in the exploits section but I want to make sure everyone can see this, because it is a serious security flaw in some not-so-secure encryption software.

This is an exploit involving an anti-piracy mechanism; I'm not condoning the use of any pirated serials. This information is for educational purposes only.

Steganos encrypted file drive software is probably the most widely used software for Windows-based users in the world. There is a serious security flaw with it, though, that appears to stem from their own greed.

When someone creates an encrypted drive, even with the most complicated passwords, it makes a .SLE file in your documents and user files, and this drive can be mounted when you install a copy of Steganos Encrypted Safe.

All you have to do is install a copy of Steganos Safe 8, use a generic serial number off any serials and cracks website, and turn off "update". This will allow you to mount as many drives as you like. From that point, you turn update back "on". After you force-update Steganos or restart the program, it will detect your generic serial and return to shareware mode. HOWEVER, in order to force you into registering the software, it RESETS the passwords for your encrypted drives to "123", giving you access to ANYONE'S encrypted drive. This means it is *NOT* true encryption and it stores it in clear text. This is a real eye opener for anyone that uses Steganos Encrypted File Safe to keep their sensitive information private.

Try it out for yourself if you don't believe me!
Mameluke (Just Arrived)
Joined: 16 Jun 2005
Posted: Sun Apr 15, 2007 10:09 am

This needs a bit more info.

How can it "reset" your password?

Are the passwords stored somewhere?
That is the only way I can think that it can reset the passwords to your containers.

Please clear this up.


Closed source encryption software is usually a bad bad idea to begin with. Truecrypt works great. It's free and open source.


Mame
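Mameluke's question (if the program can "reset" a container's password, where does the key come from?) is the right one to ask of any container format. The sketch below is an added example, not code from this thread, from Steganos or from TrueCrypt; it models the standard design in which a container's random master key is stored only wrapped under a key derived from the password, so nothing in the header yields the master key without that password, and the only legitimate "reset" is to unwrap with the old password and re-wrap with the new one. A product that can set a container's password to "123" without the old password must therefore hold the master key (or the password) somewhere outside a scheme like this. The XOR-pad-plus-HMAC wrapping here is a stdlib-only illustration of my own; real formats use AES key wrap or an AEAD, and the iteration count is an assumption kept low for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 cost. Demo assumption: low enough to keep the example
# quick; a real container format would choose a much higher count.
PBKDF2_ITERS = 100_000


def _derive_keys(password: str, salt: bytes) -> tuple:
    """Stretch the password into a 32-byte wrapping pad and a 32-byte MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERS, dklen=64)
    return material[:32], material[32:]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def create_header(password: str, master_key: Optional[bytes] = None) -> dict:
    """Build a container header; the master key appears only in wrapped form.

    Each header gets a fresh salt, so the pad derived from a password is never
    reused across two headers.
    """
    if master_key is None:
        master_key = os.urandom(32)      # the key that actually encrypts the data
    salt = os.urandom(16)
    pad, mac_key = _derive_keys(password, salt)
    wrapped = _xor(master_key, pad)      # one-time pad under the password-derived key
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped_key": wrapped, "tag": tag}


def unwrap_master_key(header: dict, password: str) -> Optional[bytes]:
    """Recover the master key, or None if the password is wrong.

    Checking the MAC first rejects a wrong password cleanly instead of
    returning 32 bytes of garbage that would fail to decrypt anything.
    """
    pad, mac_key = _derive_keys(password, header["salt"])
    expected = hmac.new(mac_key, header["salt"] + header["wrapped_key"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, header["tag"]):
        return None
    return _xor(header["wrapped_key"], pad)


def change_password(header: dict, old_password: str, new_password: str) -> dict:
    """The only 'reset' this design allows: unwrap with the old password, re-wrap with the new.

    Without the old password there is no path to the master key, so the data
    stays locked whatever password the application would like to impose.
    """
    master_key = unwrap_master_key(header, old_password)
    if master_key is None:
        raise ValueError("old password required to change the container password")
    return create_header(new_password, master_key)


if __name__ == "__main__":
    hdr = create_header("correct horse battery staple")
    print("unwrap with '123':", unwrap_master_key(hdr, "123"))
    rotated = change_password(hdr, "correct horse battery staple", "new passphrase")
    print("same master key after rotation:",
          unwrap_master_key(rotated, "new passphrase")
          == unwrap_master_key(hdr, "correct horse battery staple"))
```

The design point is that `change_password` is the only code path that touches the master key, and it starts by calling `unwrap_master_key` with the old password; an application that could skip that step would have to be reading the key from somewhere the header does not provide.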
americanhitler (Just Arrived)
Joined: 28 Apr 2007
Location: Bangalore
Posted: Sat Apr 28, 2007 5:52 am
Post subject: Don't believe this...

I tried it out a thousand times with all the available Steganos Safe 8 versions... 8.0.13, 8.0.14, 8.0.09, 8.0.04
Nothing told above is true...
When we enter some fake key... it returns saying the key entered is wrong... No way it'll save the generic ones...

Steganos Safe is 100 percent safe as of now...
This post is saying what I experienced...
I am not intending to blame anybody...
Waiting for reply..
Crush Them All (Just Arrived)
Joined: 05 Jun 2007
Posted: Tue Jun 05, 2007 11:42 am
Post subject: forget BSware

SECURE & FREE

http://TrueCrypt.org

No installation required.. run it in traveler mode.
Elderan (Just Arrived)
Joined: 08 Jun 2007
Posted: Sun Jun 10, 2007 5:28 pm
Post subject: Re: Don't believe this...

Hello,

americanhitler wrote:
> Steganos Safe is 100 percent safe

How can you be sure that Steganos Safe implements AES correctly and that there is no backdoor?
Steganos Safe is _not_ open source, so it's easy to integrate a backdoor, e.g. a backdoor in the function which derives the key from your password, so that there are just 10^12 different keys. You can test all these keys in around 3 hours, and to detect this backdoor is really, really hard / impossible.
Or maybe they hide the key in the header of such a container, and without a special key you can neither extract this key from the header nor prove that the key is hidden in the header.

Or maybe there is an unintended, little programming error in the implementation of AES.

Or maybe..... and so on.

With special techniques you can hide a secret message (e.g. the key) in an unsuspicious message, and without the key you cannot get this message, nor can you prove that there is a secret message. Read 'Applied Cryptography' by Bruce Schneier for more information on such an attack.

And who knows, maybe the management of Steganos had a meeting with Lew Giles. Read more about this

So without the source code, you cannot be sure that there is no backdoor in it (or maybe you're a programmer of the safe and you can tell us now that there is no backdoor).

So use TrueCrypt instead, it's free and open source.

Edit:
And 100% safe is just an OTP, by the way ;)
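Elderan's hypothetical, a key derivation function that quietly maps every password into a space of about 10^12 keys, is worth seeing in code, because it shows why such a backdoor is so hard to find from outside. The example below is added here and is not code from this thread or from any product; it puts a constructed, deliberately keyspace-limited KDF beside an honest one and runs the only black-box check that can catch it at all: derive keys for many random passwords and count repeated outputs (the birthday bound). With a few hundred thousand samples a 2^32 keyspace shows up immediately, a 2^40 keyspace (about 10^12, Elderan's figure) produces essentially no collisions, and anything larger is out of reach of a black-box test entirely, which is exactly why source access matters. The single PBKDF2 iteration in `honest_kdf` and the fixed audit salt are assumptions made to keep the sweep fast, not recommendations.

```python
import hashlib
import math
import random
from typing import Callable

Kdf = Callable[[bytes, bytes], bytes]


def honest_kdf(password: bytes, salt: bytes) -> bytes:
    """Full 256-bit output. One iteration only so the sample sweep stays fast (demo assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 1)


def make_limited_kdf(bits: int) -> Kdf:
    """Constructed keyspace-limited KDF for the audit demo.

    The output is a normal-looking 32-byte key, but only `bits` bits of the
    intermediate digest survive, so at most 2**bits distinct keys can ever be
    produced. Nothing about a single output reveals this.
    """
    if not 1 <= bits <= 64:
        raise ValueError("demo supports 1..64 bits")

    def kdf(password: bytes, salt: bytes) -> bytes:
        digest = hashlib.sha256(salt + password).digest()
        narrow = int.from_bytes(digest, "big") >> (256 - bits)      # keep top `bits` bits
        return hashlib.sha256(narrow.to_bytes(8, "big")).digest()    # re-expand to 32 bytes
    return kdf


def count_collisions(kdf: Kdf, samples: int, seed: int = 1) -> int:
    """Black-box audit: derive keys for `samples` random passwords under one salt
    and count repeated outputs. Distinct passwords should never collide on a
    256-bit KDF; repeats reveal a keyspace small enough for the birthday bound."""
    rng = random.Random(seed)            # fixed seed so the sweep is reproducible
    salt = b"constructed-audit-salt"     # constructed value for the demo
    seen = set()
    collisions = 0
    for _ in range(samples):
        password = rng.getrandbits(128).to_bytes(16, "big")   # effectively distinct passwords
        key = kdf(password, salt)
        if key in seen:
            collisions += 1
        else:
            seen.add(key)
    return collisions


def expected_collisions(samples: int, bits: int) -> float:
    """Birthday estimate: n(n-1)/2 pairs, each colliding with probability 2**-bits."""
    return samples * (samples - 1) / 2 / 2 ** bits


def samples_needed(bits: int) -> int:
    """Samples for roughly a 50% chance of at least one collision: sqrt(2 ln 2 * 2**bits)."""
    return int(math.sqrt(2 * math.log(2) * 2 ** bits))


if __name__ == "__main__":
    n = 300_000
    for label, kdf, bits in [("honest 256-bit", honest_kdf, 256),
                             ("limited 2^32", make_limited_kdf(32), 32),
                             ("limited 2^40", make_limited_kdf(40), 40)]:
        print(f"{label}: {count_collisions(kdf, n)} collisions seen, "
              f"{expected_collisions(n, bits):.2f} expected")
    print("samples for a 50% hit on a 2^40 keyspace:", samples_needed(40))
```

`samples_needed` makes the limit of this kind of audit concrete: about 1.2 million derivations for a 2^40 keyspace, and the requirement doubles for every two extra bits, so a backdoor that leaves 2^64 or more keys is invisible to collision counting even though it would still be far cheaper to brute-force than a real 256-bit key.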
Jago (Just Arrived)
Joined: 18 Jul 2007
Posted: Wed Jul 18, 2007 4:47 pm

Oh God,

I'm amazed at your conspiracy theories :D

First of all, FrankRizzo is WRONG! His "exploit" is not working at all; I tried it with different versions of Safe and I'm not able to reproduce the error.

But I'm glad that he made his observation while "accidentally" using illegal serials :?

So let me come up with another conspiracy theory: What can be the interest of FrankRizzo in spreading a lie about a software vendor and his product?!

And about the "Only Open Source is secure...", "NSA has infiltrated Steganos...", whatever BlahBlah...

Yes sure :)

That's the wonderful world of free markets:

- Hardcore techies with soooo many secret things can use TrueCrypt

- Normal mums and dads use Steganos Safe, because it's easy AND SECURE

:lol:

But who knows, maybe I had a meeting with Lew Giles >:)

Cheers,

Jago

P.S.: By the way, do you think a software vendor (who wants to make money with his product for legit reasons!) should publish his source code?
mxb (Trusted SF Member)
Joined: 30 Mar 2004
Posted: Wed Jul 18, 2007 6:57 pm

Jago wrote:
> But I'm glad that he made his observation while "accidentally" using illegal serials :?

This should be irrelevant; if it has this behavior to dissuade 'illegal serials', it should still be documented.

Jago wrote:
> And about the "Only Open Source is secure...", "NSA has infiltrated Steganos...", whatever BlahBlah...
>
> Yes sure :)

No one is saying only open source is secure, as both open source and closed source software can and will have bugs. However, open source software can have its implementation verified by independent parties. Without this, no-one is able to distinguish closed source software which can be 'trusted' from snake oil.

Jago wrote:
> That's the wonderful world of free markets:
>
> - Hardcore techies with soooo many secret things can use TrueCrypt
>
> - Normal mums and dads use Steganos Safe, because it's easy AND SECURE

Free markets are irrelevant and this argument is false. TrueCrypt is easy to use, is open source so its implementation can be (and has been) investigated by others, and also has the advantages of being cross-platform and free.

Quote:
> P.S.: By the way, do you think a software vendor (who wants to make money with his product for legit reasons!) should publish his source code?

That's a straw man argument, but the choice is ultimately up to the software vendor. People can and do make money from open source software (i.e. all the people making money from Linux). Open source software does not equal no money.

I nearly removed this post because, as it is your first post, you appear to come across as a shill for Steganos. However, rather than this I decided to explain why your points are false and to allow you to continue the discussion.

Martin
capi (SF Senior Mod)
Joined: 21 Sep 2003
Location: Portugal
Posted: Wed Jul 18, 2007 10:33 pm

Jago wrote:
> And about the "Only Open Source is secure...", "NSA has infiltrated Steganos...", whatever BlahBlah...

While trust is very much an essential concern - you cannot verify the trustworthiness of closed software, period - it is not the only problem. Poor design and implementations plague all sorts of man-made artifacts, and security software is no exception. Even if we assume good intent on the vendor's part (and that is already a very big assumption when it comes to securing data which could make or break your business, or throw you in jail, or get you exiled for disagreeing with the government, or simply because you want to protect your natural right to privacy), there is still the very big concern of whether the software is well designed and implemented.

Openness and peer review are basic and essential necessities in any scientific field, and the field of security - cryptography in particular - is no exception. You simply cannot establish the correctness (in this case, security) of a given solution if it is closed and proprietary. Only an open solution - and in the case of software, open source software - has the potential to be verifiably correct and secure.

Jago wrote:
> - Normal mums and dads use Steganos Safe, because it's easy AND SECURE

And you know this because... it says so on the box?

Jago wrote:
> P.S.: By the way, do you think a software vendor (who wants to make money with his product for legit reasons!) should publish his source code?

First of all, as mxb noted, that is a straw man argument. No one here ever spoke against earning money from your products. Second of all, you must not know free software very well. There are many making money out of free and/or open source software, either directly through selling it or indirectly through incorporating it in their products or providing associated services: entities ranging from large corporations such as IBM, Novell, Cisco, Red Hat, Nokia and so on to small businesses and individuals.
Jago (Just Arrived)
Joined: 18 Jul 2007
Posted: Thu Jul 19, 2007 11:17 am

Thank you for giving me the chance to resume, because it looks like I started quite a heavy discussion :D

mxb wrote:
> No one is saying only open source is secure, as both open source and closed source software can and will have bugs. However, open source software can have its implementation verified by independent parties. Without this, no-one is able to distinguish closed source software which can be 'trusted' from snake oil.

I totally agree, but what I don't like is the attitude that non-open-source software seems to be per se the devil. There is a conspiracy more often than someone thinks, but also not as often as someone wishes.

mxb wrote:
> Jago wrote:
> > That's the wonderful world of free markets:
> >
> > - Hardcore techies with soooo many secret things can use TrueCrypt
> >
> > - Normal mums and dads use Steganos Safe, because it's easy AND SECURE
>
> Free markets are irrelevant and this argument is false. TrueCrypt is easy to use, is open source so its implementation can be (and has been) investigated by others, and also has the advantages of being cross-platform and free.

It's not an argument, it's an assumption! Users sometimes just want to go into a retail store and buy boxed software. Install it from a CD, get phone support, write a mail to a helpdesk and not to a mailing list or a forum like the experienced user does.

And I don't want to come up with a second thing, but open source software is not able to provide "out of the box": legal liability. (And before this starts a new big discussion, I know that there are solutions for this problem, that's why I wrote "out of the box"!)

But the discussion has now totally lost track! This is not about discussing open source software. Your assumption is wrong, because I know how open source works and I know it very well. In fact I work for a company that is making its money with open source software, therefore I know

Quote:
> People can and do make money from open source software (i.e. all the people making money from Linux). Open source software does not equal no money.

because it pays my rent :D

But it should be legit for every company to not go open source without being blamed as part of a conspiracy.

Quote:
> I nearly removed this post because, as it is your first post, you appear to come across as a shill for Steganos. However, rather than this I decided to explain why your points are false and to allow you to continue the discussion.

To be honest I still don't see my points as false and I don't see myself as a shill for Steganos. I don't use their Safe software, I use something completely different (also open source, by the way :)). I don't even care if you buy software or use open source software, that's not the point, so please let us skip this whole discussion.

My point is: I don't like people who wrongly accuse others in a respected forum without being able to prove it! For his second posting in a forum it is a quite heavy accusation to claim that a security tool is not secure.

Software is not secure just because it's written on the box. But it's also not insecure because someone posts something. The whole story is not getting better by giving an explanation that is not able to reproduce it. Even if it looks plausible at first sight, it's not working.

That was my whole point, and if that caused so much disturbance I really feel kind of sorry.

Best regards,

Jago
mxb (Trusted SF Member)
Joined: 30 Mar 2004
Posted: Thu Jul 19, 2007 6:44 pm

Jago wrote:
> Thank you for giving me the chance to resume, because it looks like I started quite a heavy discussion :D

No problem, discussion is good :)

Jago wrote:
> Users sometimes just want to go into a retail store and buy boxed software. Install it from a CD, get phone support, write a mail to a helpdesk and not to a mailing list or a forum like the experienced user does.

Again, I don't want to get too off track here, but these things are not mutually exclusive with being open source.

Jago wrote:
> And I don't want to come up with a second thing, but open source software is not able to provide "out of the box": legal liability. (And before this starts a new big discussion, I know that there are solutions for this problem, that's why I wrote "out of the box"!)

Can you explain what legal liability you are referring to? The majority of closed-source software has an EULA (dubious ground here, but we'll leave that well alone). I don't think any software manufacturer provides liability for their encryption software.

Jago wrote:
> But it should be legit for every company to not go open source without being blamed as part of a conspiracy.

I'm not claiming all software should be open-source here. My views on that point are irrelevant to this discussion. What I'm claiming is that without independent verification of the encryption implementation and surrounding support code you cannot distinguish between a secure closed source piece of software and an insecure one.

Jago wrote:
> My point is: I don't like people who wrongly accuse others in a respected forum without being able to prove it! For his second posting in a forum it is a quite heavy accusation to claim that a security tool is not secure.

Indeed it is, but it has remained here for others to note. It is explained how it was performed, and thus anyone can try it out to verify whether it is false or not.

Jago wrote:
> Software is not secure just because it's written on the box. But it's also not insecure because someone posts something.

We agree here, see above. :)

Jago wrote:
> The whole story is not getting better by giving an explanation that is not able to reproduce it. Even if it looks plausible at first sight, it's not working.
>
> That was my whole point, and if that caused so much disturbance I really feel kind of sorry.

We get lots of spam posts here, and occasionally people come here to promote their products through deceptive means. I'm sorry I called you a shill, but for a first post I didn't have much to go on. :)

All the best,
Martin