Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

Boy of 12 exposes Whitehall email flaw

From: InfoSec News <isn () c4i org>
Date: Wed, 18 Dec 2002 03:43:00 -0600 (CST)
http://www.opinion.telegraph.co.uk/news/main.jhtml?xml=/news/2002/12/17/nflaw17.xml

By Robert Uhlig, 
Technology Correspondent
17/12/2002

A boy of 12 yesterday revealed the ease with which confidential
Government emails could be intercepted because ministers and officials
are unaware of computer security procedures.

Using software freely available on the internet, the boy, known only
as Tommy, exposed a loophole in the Government's email system that
could compromise national security.

All email sent within the Government's intranet system, called gsi, is
automatically encrypted to prevent it being read by anyone other than
the recipient.

But security experts said yesterday that the encryption system,
introduced in 1996, was now vulnerable to breaches because it was
outdated and had been designed to make the sender unaware their
messages were being encrypted.

The boy demonstrated on BBC Radio 4's Today how to make an email
appear as if it came from within the secure gsi network. If a minister
or official replied, they would be unwittingly sending unencrypted and
potentially sensitive information outside the Government.

Paran Chandrasekaran, the head of the internet security firm Indicii
Salus, said: "The danger is that users believe all their
communications are secure and do not think twice before sending
confidential documents outside the encrypted gsi network."

The boy showed how, by using a hacker's technique called email
spoofing, he could make an email appear as if it came from
TonyBlair () Labour gov uk.

Mr Chandrasekaran said there was nothing to stop anyone using the same
technique to make it appear that the message had come from within the
gsi network.

He added that the biggest danger was that the messages were not
encrypted on ministers' and officials' computers but only when they
were being sent within the network. He said: "Anyone could read them
on the desktop."

A Cabinet office spokesman said there was "no question that Government
information security has been compromised".



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
Previous By Date Next
Previous By Thread Next

Current thread: