[ISN] Encryption in Company Networks Foiled

From: InfoSec News (isnat_private)
Date: Wed Feb 27 2002 - 23:21:29 PST


    http://www.heise.de/english/newsticker/data/anw-26.02.02-007/
    
    Published 26.02.2002 
    Christiane Schulzki-Haddouti
    
    E-mail encryption in company networks is foiled if it is done in a
    Microsoft Exchange/Outlook 9x/200x environment. In a POP3/IMAP4
    environment this is not the case. In answer to a question by heise
    online, Microsoft confirmed that appended files encrypted with crypto
    plug-ins are transmitted in unencrypted form from client to server
    even when the encryption function of the plug-in has been activated.
    
    The problem lies in the fact that the appended file is transmitted
    immediately via the RPC protocol (Remote Procedure Call) to the server
    once the user has created a confidential e-mail and appended the file,
    regardless of whether the encryption plug-in has been activated or
    not. Nor does the "Save Drafts" option within the Outlook e-mail
    program have any effect on this procedure. Outlook does activate the
    desired plug-in, encrypting both mail and appended file, once the user
    has completed the e-mail and presses the send button; by then,
    however, the unencrypted appended file has already been sent. The
    problem can be detected with the aid of a network sniffer.
    
    Activating the RPC standard encoding procedure is the only means of
    protection available. In some versions, though, this amounts to an
    encoding of only 40 bits, a level widely considered unsafe. Microsoft
    confirmed that if the line to the server is not encrypted at this
    point the data are RPC-encoded only and not encrypted. A Microsoft
    employee told heise online that about half the manufacturers of
    crypto plug-ins were affected; PGP, for instance, and most of the
    Sphinx products were vulnerable.
    
    Experts suspect, however, that virtually all marketed crypto plug-ins
    are affected. The problem has been discussed since January at the
    Forum of Incident Response and Security Teams (FIRST), without a
    result so far. When queried Microsoft informed heise online that
    "after an analysis of the technical details" this operation could not
    be labeled a "security breach within the MS Exchange/Outlook 9x/200x
    environment." The "automatic MAPI-RPC-based potentially unencrypted
    transmission of e-mail data" was "a standard procedure undertaken for
    performance reasons within the domain of a protected network" by the
    Outlook program.
    
    In an Exchange/Outlook environment, the transmission of large amounts
    of data might impede the performance of client applications,
    Microsoft declared. This was why Outlook, for performance reasons,
    engaged in "pro-active background storage" of data already existing in
    the message memory in question. These "optimizations" had been
    introduced "at the request of a large number of Outlook users" so as
    to optimize the use of the program in an Exchange server environment.
    Microsoft pointed out that the Outlook object model intended to be
    used for programming plug-ins gave plug-in manufacturers the
    opportunity of suppressing the automatic background transmission, thus
    preventing data from leaving the local PC before being encrypted.
    
    A manufacturer affected had been informed of this by the Microsoft
    Service Department and was now discussing ways of redesigning his
    product. When approached by heise online the company in question,
    which did not want its name to be made public, denied this, however.  
    The company said that rather than demand an elaborate redesign of the
    plug-ins, it was up to Microsoft to modify the transmission routine.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    