Cryptocard database

From: John Madden (chiwawa999_at_yahoo.com)
Date: 02/16/05

Next message: Dario Ciccarone: "RE: Advice for a spread*** macro that calls home?"

Previous message: Andres Molinetti: "SQLInjecting DB2"
Next in thread: Kurt Seifried: "Re: Cryptocard database"
Reply: Kurt Seifried: "Re: Cryptocard database"
Reply: Noel Rosenberg: "Re: Cryptocard database"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 16 Feb 2005 12:19:26 -0800 (PST)
To: pen-test@securityfocus.com

Hi,

Doing an internal pen-test for a company i came across
a mysql db that contains the Cryptocard tokens
database (root with no password)

The most interesting table (duh !!!) is the
"EncryptedKey". Obviously this is not good. I made the
usual recommandation to secure the db but i was
curious to know if any one had experience with
Cryptocard tokens and what is uses to encrypt that
field. I presume they use the PIN of each user...???

The size of the field is 48 characters (3DES ?)

I would appreciate any info

Thank you

John

__________________________________
Do you Yahoo!?
Take Yahoo! Mail with you! Get it on your mobile phone.
http://mobile.yahoo.com/maildemo

Next message: Dario Ciccarone: "RE: Advice for a spread*** macro that calls home?"

Previous message: Andres Molinetti: "SQLInjecting DB2"
Next in thread: Kurt Seifried: "Re: Cryptocard database"
Reply: Kurt Seifried: "Re: Cryptocard database"
Reply: Noel Rosenberg: "Re: Cryptocard database"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]