Forwarded from: JohnE37179at_private

In a message dated 9/5/01 1:40:08 AM, isnat_private writes:

<< A vulnerability in PGP's display of key validity has been discovered that could allow an attacker to fool users into thinking that a valid signature was created by what is actually an invalid user ID. >>

It is far simpler than this to fool any of the PKI security systems. In a recent test it was discovered that 3.4% of those applying for new checking accounts at over 26,000 branch banks in the U.S. were intentionally using altered or false identities. This is up from 2.2% in 1996. Obtaining a key in a false identity is no more difficult than asking for it. Reliance on PKI security infrastructure is very risky indeed. This is true of all certification systems. Assuming a false identity and obtaining a key through social engineering is child's play. PKI strategies offer the keys to the kingdom to the crooks. All the crooks have to do is ask.

It is not technical frontal assaults that are the primary risk, but the simple human weaknesses that are the primary vulnerability to all security systems.

John Ellingson
CEO
Edentification, Inc.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 01:15:00 PDT