Information Security News mailing list archives
Re: Experts play down flaw of encryption software
From: InfoSec News <isn () C4I ORG>
Date: Sat, 24 Mar 2001 20:14:40 -0600
Forwarded by: Aj Effin Reznor <aj () reznor com>
http://www.nandotimes.com/technology/story/0,1643,500466235-500712408-503931029-0,00.html

By ANICK JESDANUN, Associated Press

NEW YORK (March 21, 2001 11:45 p.m. EST http://www.nandotimes.com) - The gravity of a flaw in the most popular software for sending encrypted e-mail was questioned Wednesday by security experts.

The vulnerability in Pretty Good Privacy, disclosed by two Czech cryptologists a day earlier, could allow a hacker to use someone else's electronic signature to send messages. That, in essence, could mean the forging of signatures increasingly used to authorize such things as financial transactions.

Philip Zimmermann, the creator of PGP, confirmed the flaw exists, but questioned how useful it would be to attackers. A hacker would first have to bypass security firewalls and gain access to the recipient's hard drive.

If a hacker can get that far, Zimmermann said, the user has greater worries, including the ability for someone to install software to monitor keystrokes like passwords.
"60-70% of all attacks come from the inside" blah blah blah. If we are to believe these numbers, which many of us see as accurate, plus-or-minus whatever percentage that happens to tailor it to our experiences, then it should be obvious that an intruder doesn't need to bypass a firewall, he needs to stay late and access a machine possibly down the hall, or a few floors up.

-or-

A company rival may plant an after-hours maintenance worker in a building...

Where before only "encrypted data" may have been stolen, now the same data, plus the keys to it and anything intercepted can be had.

But this isn't serious, no...

-aj.