[ISN] Boy of 12 exposes Whitehall email flaw

From: InfoSec News (isnat_private)
Date: Wed Dec 18 2002 - 01:43:00 PST

  • Next message: InfoSec News: "[ISN] Elcomsoft not guilty - DoJ retreats from Moscow"

    By Robert Uhlig, 
    Technology Correspondent
    A boy of 12 yesterday revealed the ease with which confidential
    Government emails could be intercepted because ministers and officials
    are unaware of computer security procedures.
    Using software freely available on the internet, the boy, known only
    as Tommy, exposed a loophole in the Government's email system that
    could compromise national security.
    All email sent within the Government's intranet system, called gsi, is
    automatically encrypted to prevent it being read by anyone other than
    the recipient.
    But security experts said yesterday that the encryption system,
    introduced in 1996, was now vulnerable to breaches because it was
    outdated and had been designed to make the sender unaware their
    messages were being encrypted.
    The boy demonstrated on BBC Radio 4's Today how to make an email
    appear as if it came from within the secure gsi network. If a minister
    or official replied, they would be unwittingly sending unencrypted and
    potentially sensitive information outside the Government.
    Paran Chandrasekaran, the head of the internet security firm Indicii
    Salus, said: "The danger is that users believe all their
    communications are secure and do not think twice before sending
    confidential documents outside the encrypted gsi network."
    The boy showed how, by using a hacker's technique called email
    spoofing, he could make an email appear as if it came from
    Mr Chandrasekaran said there was nothing to stop anyone using the same
    technique to make it appear that the message had come from within the
    gsi network.
    He added that the biggest danger was that the messages were not
    encrypted on ministers' and officials' computers but only when they
    were being sent within the network. He said: "Anyone could read them
    on the desktop."
    A Cabinet office spokesman said there was "no question that Government
    information security has been compromised".
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 11:37:48 PST