Analysis of Microsoft Office password protection system, and survey of encryption holes in other MS Windows applications. Presented at Black Hat Windows 2001

by Andrey Malyshev,

Summary: While successfully creating password recovery software for most of the major applications on the market, including Microsoft Word, Microsoft Excel, Lotus, Paradox, NT, Quicken, and many more, ElcomSoft has become a leader in its field. This talk covers the password protection of Microsoft Office documents (created in Word, Excel, Outlook) and of VBA macros embedded in all MS Office and some other vendors' applications. Examples of low cryptographic strength, and some software tools that demonstrate it, will be shown (see also a paper on these issues here).
Andrey Malyshev has been Chief of Software Development since 1998. Before that he worked as a System Administrator at the Russian Military Academy of the General Staff.
Their Presentation! (PowerPoint 112k)
Deep Knowledge
Kevin McPeake - Senior Consultant, Trust Factory.
Wouter Aukema- Co-founder, Trust Factory.
Falling Domino's
Lotus Notes / Domino is considered one of the more secure mail/groupware platforms in the world. With an installed base of more than 50 million, mainly corporate and government, seats, the product is used by almost all financial institutions, Big 6 accounting firms, government secret agencies and defense organizations.
At Defcon 8, Trust Factory consultants Patrick Guenther, Kevin McPeake and Wouter Aukema presented several new vulnerabilities along with Chris 'BloodAxe' Goggans, of Security Design International, who validated their research. Topics included known vulnerabilities and new ones, such as bypassing the Execution Control List, modifying Notes design elements and identity theft. Using Notes Sesame, a tool written by Patrick Guenther, Trust Factory demonstrated weaknesses in the hashing algorithms for internet passwords as well as the validation of Notes ID-files obtained from remote networks and users.
At Black Hat Windows 2000, Patrick and Wouter will give in-depth information about the vulnerabilities they discovered. They will also give an update on the latest results of their ongoing research.
1. Execution Control List: The ECL was designed to prevent malicious code from running on a client. Several methods exist to bypass and/or reset the ECL.
2. Design element manipulations: How to re-enable Stored Forms, which is known to be a dangerous feature, and how to implement mechanisms for information operations.
3. Traditional hashing algorithms.
4. ID-file: The validation mechanism, bypassing it, and brute-forcing an ID-file.
5. Revealing the 'strong' password hash: The strong password hash was Lotus' answer to the vulnerabilities they discovered. Patrick will talk about the latest findings of his research regarding the "strong password hash".
Originally entering the world of computer security at the age of 11, armed with his TRS-80, Kevin McPeake has worked in many different facets of the computer industry. In the early 90's, after he began his formal career, he developed applications for various banks and institutions that were making the move to electronic funds transfers over X.25 networks. In 1993, his skills in protocols and programming were recognized by a Dutch firm, which relocated him to Germany and later to The Netherlands, where he worked on various protocol development for the BBS and telecom industry. After trying his hand at international sales (which he refers to as "paid social engineering") in 1994, Kevin returned to the IT market in the USA, where he worked as an X.25 network and Internet consultant. In 1996, Kevin was relocated to The Netherlands for his "2nd Tour of Duty" by another Dutch firm, where he served as an Infrastructure Consultant and later Chief of Network Security. Realizing that one could actually make money in security, he eventually returned to his roots and co-founded his own security company, Trust Factory BV, where he now serves actively as a senior consultant, as well as the CEO.
Wouter Aukema is the co-founder of Trust Factory. He has been in the security underground for about three years, and he concentrates mainly on Lotus Notes/Domino and other (client) application security issues. His interest in computers dates from 1980, when he bought himself an Acorn Atom computer. Since '86, Wouter has worked for several corporations, such as the Philips subsidiary Origin, AT&T and the Venezuelan state-owned oil company PDVSA, where he also specialized in telephone switches.
Patrick Guenther, a Swiss native and resident, previously worked at Arlan SA, where he personally oversaw the integration of Lotus Notes into the KLE-LINE electronic payment system and developed a Java-based licensing system for third-party Lotus Notes applications. Guenther also developed the first version of EQS (Electronic Quality System) for Lotus Notes, which went on to win the Lotus Beacon Award in 1996. Guenther joined Trust Factory in May 2000, where he heads up R&D of security vulnerabilities as well as new software products. Guenther was recently credited with the discovery of multiple password hashing problems within the Lotus Notes environment and presented these findings to the community at DEFCON-8.
Their Presentation! (PowerPoint 168k)