RE: Password Hiding

From: Calderon, Juan C (EM, DDEMESIS) (Juan.Calderon_at_ge.com)
Date: 07/30/03 

Date: Wed, 30 Jul 2003 11:51:56 -0400
To: "pablo gietz" <pablo.gietz@nuevobersa.com.ar>, "secprog" <secprog@securityfocus.com>

My approach to this is trying to hide the password using steganographyc
techniques over disguised files.

e.g. store the password in a .dll file in System32 folder (where many of
windows and third party dlls are stored) using a steganographyc method.

Since DLL files are several KB long files, you have to fill your file
with dump data, besides this allows you to store your "treated" password
at an arbitrary intermediate position in the file (not the begining nor
the end).

Of course this is not infallible but a harder to discover method.

cheers :)

Juan C Calderon
Application Security Auditor

-----Original Message-----
From: pablo gietz [mailto:pablo.gietz@nuevobersa.com.ar]
Sent: Tuesday, July 29, 2003 1:14 PM
To: secprog
Subject: Password Hiding

Hi all
This is my first post,
What can I do to hide a password that is used to encrypt-decrypt a
config.file? .
Where to save the password?. The program must run without user
intervention and use this password to access that file.

Language: Delphi

Platform: windows

Thanks 

--
Pablo A. C. Gietz
Jefe de Seguridad Informática
Nuevo Banco de Entre Ríos S.A.
Te.: 0343 - 4201351
La información y archivos contenidos en este mensaje son confidenciales
y para utilización exclusiva de los destinatarios consignados. Si Usted
no reviste ese carácter, no se encuentra autorizado para divulgar,
copiar,distribuir o retener todo o parte de la informacion y archivos, y
deberá notificarlo de inmediato al remitente y eliminarlo de su sistema.
Muchas gracias.