Re: Utimaco Safeguard Easy vulnerability

[Juha-Matti Laurio <juha-matti.laurio () netti fi>]

The following vendor statement (English language) including workarounds has been released recently:

Statement on SafeGuard(R) Easy Articles regarding Configuration File Vulnerability:
http://www.utimaco.fi/servlets/ActionDispatcher?action:ws3_content_get_binary=true&scope=domain&domain_id=www.utimaco.fi&page_id=/templates/ajankohtaisteksti.jsp?ws3_page_id=tiedoteartikkeli_103&form_id=&component_id=linkin_dokumentti_104

- Juha-Matti


boomboom999 () yahoo com wrote: 
> Hello guys,
>
> At this moment our company looks for a software to encrypt the whole disk drives on laptops.
>
> I see that many companies and government  institutions use Utimaco Safeguard Easy.
>
> First, we looked at this software as well.
>
> However, it seems that the tool that is supposed to make laptops more secure has some serious problems related to 
> password and key distribution.
>
> For deployement in big companies, Utimaco recommend to implement centralized management. 
> The management is done via CFG-files that are pushed via SMS, Active Directory or otherwise.
>
> These CFG files contain encryption keys for hard disks and floppy, as well as user passwords and backup passwords for recovery. 
>
> The content of the file is supposedly "encrypted" as Utimaco's manual says. However, it seems that the encryption keys 
> are hardcoded directly in the EXE file. So, they are easily recoverable and all these CFG files can be easily compromised.
>
> I am just wondering whether it has been discussed here and someone else has seen this problem before?
>
> I know that many government and bank institutions use this product, am I the only person to see this security whole?
>
> Thank you
>
> boom