Re: [ISN] PGPsdk Key Validity Vulnerability

From: InfoSec News (isnat_private)
Date: Wed Sep 05 2001 - 23:10:47 PDT

  • Next message: InfoSec News: "[ISN] Angry Drunken Dwarf Dies"

    Forwarded from: JohnE37179at_private
    In a message dated 9/5/01 1:40:08 AM, isnat_private writes:
    << A vulnerability in PGP's display of key validity has been discovered
    that could allow an attacker to fool users into thinking that a valid
    signature was created by what is actually an invalid user ID.  >>
    It is far simpler than this to fool any of the PKI security systems.
    In a recent test it was discovered that 3.4% of those applying for new
    checking accounts at over 26,000 branch banks in the U.S. were
    intentionally using altered or false identities. This is up from 2.2%
    in 1996. Obtaining a key in a false identity is no more difficult than
    asking for it. Reliance on PKI security infrastructure is very risky
    indeed. This is true of all certification systems. Assuming a false
    identity and obtaining a key through social engineering is child's
    play. PKI strategies offer the keys to the kingdom to the crooks. All
    the crooks have to do is ask.
    It is not technical frontal assaults that are the primary risk, but
    the simple human weaknesses that are the primary vulnerability to all
    security systems.
    John Ellingson
    Edentification, Inc.
    ISN is currently hosted by
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Thu Sep 06 2001 - 01:15:00 PDT