CRIME FW: [ISN] File-name flaw threatens PGP users]

From: George Heuston (GeorgeH@private)
Date: Sun Sep 08 2002 - 12:49:46 PDT

  • Next message: George Heuston: "CRIME meeting - 10 September @ 10Am @ Verizon"

    Thanks John!
    
    -----Original Message-----
    From: John E Jewkes-AAA0OR-AAA0ID [mailto:aar0mi@private] 
    Sent: Sunday, September 08, 2002 12:44 AM
    To: George Heuston
    Subject: Fw: [ISN] File-name flaw threatens PGP users]
    
    Hi George, this was forwarded to me by one of my MARS
    members who is the IT Guru for SW Oregon Coastal Comm. Coll.
    It would warrant a look for those with regular doses of PGP that
    they accept .
    
    John Jewkes, SMD US ARMY MARS
    Oregon/Idaho State Director
    AAA0OR OR/AAA0ID ID/AAR0MI OR
    W6HNC
    
    --------- Forwarded message ----------
    From: Phil Barker <pbarker@private>
    To: John E Jewkes-AAA0OR-AAA0ID <aar0mi@private>
    Date: Fri, 06 Sep 2002 08:28:02 -0700
    Subject: [Fwd: [ISN] File-name flaw threatens PGP users]
    Hello John,
    
    I have no idea if you may still work with some form of classified
    data -- and if you do, you may want to be aware of this issue.
    
    73,
    Phil
    
    -------- Original Message --------
    Subject: [ISN] File-name flaw threatens PGP users
    Date: Fri, 6 Sep 2002 01:29:30 -0500 (CDT)
    From: InfoSec News <isn@private>
    Reply-To: InfoSec News <isn@private>
    To: isn@private
    
    http://news.com.com/2100-1001-956815.html?tag=fd_top
    
    By Robert Lemos 
    Staff Writer, CNET News.com
    September 5, 2002, 5:07 PM PT
    
    For more than a decade, the United States government classified
    encryption technology as a weapon. Now that label might actually
    apply.
    
    Security-consulting firm Foundstone said Thursday that e-mail messages
    encrypted with the Pretty Good Privacy program can be used as digital
    bullets to attack and take control of a victim's computer.
    
    Because of a flaw in the way PGP handles long file names in an
    encrypted archive, an attacker could "take control of the recipient's
    computer, elevating his or her privileges on the organization's
    network," Foundstone said in an advisory.
    
    The company classified the vulnerability as a high risk "due to the
    trusting nature of encrypted attachments in e-mail, its relative ease
    of exploitation and the large amount of corporations and military and
    government agencies that rely on PGP encryption for secure
    communication."
    
    The flaw affects PGP Corporate Edition 7.1.0 and 7.1.1. Software maker
    Network Associates has posted a patch on its site. The company
    recently sold all PGP assets to a start-up, PGP Corp., but appears to
    still be providing support for the program. Neither company could be
    reached for comment.
    
    The flaw occurs in the way PGP handles long file names in encrypted
    archives, Network Associates said on its site. PGP runs into problems
    when it tries to encrypt or decrypt files that have names longer than
    200 characters. When PGP attempts to decrypt the files, a buffer
    overflow causes it to crash.
    
    The long file names aren't readily apparent to a recipient of such an
    e-mail, said Foundstone CEO George Kurtz.
    
    "It is just like a ZIP file," Kurtz said. "You can name a file with
    eight characters, but archived in the file are several other (files)  
    with long file names."
    
    The danger, Kurtz said, is that the flaw could be used to attack users
    who have the most to protect. "Most users of PGP have some level of
    security sophistication. It makes it that much more of a high-level
    attack," Kurtz said. An attacker could "obtain that very valuable
    information that was meant to be protected by encryption."
    
    The flaw is unrelated to another theoretical vulnerability discussed
    by security experts last month. Exploiting that flaw, someone could
    fool the sender of a PGP-encrypted e-mail into decoding their own
    message. Unlike the current flaw, that vulnerability wouldn't give the
    attacker control of a computer.
    
    The current vulnerability resembles another flaw in the PGP plug-in
    for Outlook, found in early July.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    
    ________________________________________________________________
    GET INTERNET ACCESS FROM JUNO!
    Juno offers FREE or PREMIUM Internet access for less!
    Join Juno today!  For your FREE software, visit:
    http://dl.www.juno.com/get/web/...
    



    This archive was generated by hypermail 2b30 : Sun Sep 08 2002 - 13:56:16 PDT