[ISN] PGP flaw could let unauthorized people decode sensitive e-mail

From: InfoSec News (isnat_private)
Date: Mon Aug 12 2002 - 00:50:06 PDT

  • Next message: InfoSec News: "[ISN] Stakes are higher for hackers since Sept. 11, experts say"

    Sun, Aug. 11, 2002
    NEW YORK (AP) - Snoopers on the Internet could decode sensitive e-mail
    messages simply by tricking recipients into hitting the reply button,
    computer security researchers warned Monday.
    The flaw affects software using Pretty Good Privacy, the most popular
    tool for scrambling e-mail.
    Researchers at Columbia University and Counterpane Internet Security
    Inc. found that someone intercepting an encrypted message could
    descramble it by repackaging the message and passing it on to the
    The message would appear as gibberish, possibly prompting the
    recipient to request a resend.
    If the recipient includes the original text with that request -- as
    many people have their configured their software to do automatically
    when they reply -- the interceptor could then read the original
    Bruce Schneier, Counterpane's chief technology officer, said most
    people would never dream that security can be compromised simply by
    returning gibberish.
    Intercepting a message is trivial using software known as sniffers,
    and companies may use such programs to monitor employees on its
    network. An oppressive government may snoop on its citizens if it also
    controls service providers or other access points.
    Thus, human rights workers, some FBI agents and even the son of a
    jailed mobster have used PGP to encrypt messages sent over the
    Internet and data stored on computers.
    So powerful is the technology that the U.S. government until 1999
    sought to restrict its sale out of fears that criminals, terrorists
    and foreign nations might use it.
    Jon Callas, principal author of the OpenPGP standard at the Internet
    Engineering Task Force, said the vulnerability is serious but very
    difficult to exploit.
    And, he said, many PGP software packages compress messages before
    sending. Researchers found that such compression can sometimes thwart
    the unauthorized decoding.
    Nonetheless, an update to the OpenPGP standard was to be released
    Monday to coincide with the announcement of the flaw. Many developers
    already have begun to write software fixes, Callas said.
    In the meantime, Schneier and Callas urged recipients of PGP e-mail to
    avoid including full text of messages when replying.
    Schneier and co-researchers Kahil Jallad and Jonathan Katz, who were
    at Columbia University when they discovered the flaw, identified its
    possibility about a year ago. The latest paper offered a demonstration
    of the flaw in practice.
    The findings come weeks after researchers at eEye Digital Security
    Inc. discovered that hackers could exploit a programming flaw in
    companion software -- a plug-in for Microsoft Corp.'s Outlook program
    -- to attack a user's computer and in some cases, unscramble messages.
    In neither case does the flaw affect the actual encrypting formulas
    used to scramble messages.
    On the Net:
    Research paper: http://www.counterpane.com/pgp-attack.html PGP site:
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Aug 12 2002 - 02:56:29 PDT