Interesting People mailing list archives

IP: Security flaw afflicts popular technology for encrypting e-mail


From: Dave Farber <dave () farber net>
Date: Sat, 13 Jul 2002 17:40:54 -0400


http://www.siliconvalley.com/mld/siliconvalley/news/editorial/3638319.htm

Posted on Wed, Jul. 10, 2002

Security flaw afflicts popular technology for encrypting e-mail

WASHINGTON (AP) - The world's most popular software for scrambling sensitive e-mails suffers from a programming flaw that could allow hackers to attack a user's computer and, in some circumstances, unscramble messages.

The software, called Pretty Good Privacy, or PGP, is the de facto standard for encrypting e-mails and is widely used by corporate and government offices, including some FBI agents and U.S. intelligence agencies. The scrambling technology is so powerful that until 1999 the federal government sought to restrict its sale out of fears that criminals, terrorists and foreign nations might use it.

The new vulnerability, discovered weeks ago by researchers at eEye Digital Security Inc., does not exploit any weakness in the complex encrypting formulas used to scramble messages into gibberish. Instead, hackers are able to attack a programming flaw in an important piece of companion software, called a plug-in, that helps users of Microsoft Corp.'s Outlook e-mail program encrypt messages with a few mouse clicks.

Outlook itself has emerged as the world's standard for e-mail software, with tens of millions of users inside many of the world's largest corporations and government offices. Smaller numbers use the Outlook plug-in to scramble their most sensitive messages so that only the recipient can read them.

"It's not the number of people using PGP but the fact that they're using it because they're trying to safeguard their data," said Marc Maiffret, the eEye executive and researcher who discovered the problem. "Whatever the percentage is, it's very important data."

Maiffret said there was no evidence anyone had successfully attacked users of the encryption software with this technique. He said the programming flaw was "not totally obvious," even to trained researchers examining the software blueprints.

Network Associates Inc. of Santa Clara, Calif., which until February distributed both commercial and free versions of PGP, made available on its Web site a free download to fix the software. The company announced earlier it was suspending new sales of the software, which hasn't been profitable, but moved within weeks to repair the problem in existing versions. The company's shares fell 50 cents to $17.70 in Tuesday trading on the New York Stock Exchange.

Free versions of PGP are widely available on the World Wide Web.

The flaw allows a hacker to send a specially coded e-mail -- which would appear as a blank message followed by an error warning -- and effectively seize control of the victim's computer. The hacker could then install spy software to record keystrokes, steal financial records or copy a person's secret unlocking keys to unscramble their sensitive e-mails. Other protective technology, such as corporate firewalls, could make this more difficult.

"You can do whatever you want -- execute code, read e-mails, install a backdoor, steal their keys. You could intercept all that stuff," Maiffret said.

Experts said the convenience of the plug-ins for popular e-mail programs broadened the risk from this latest threat, since encryption software is famously cumbersome to use without them. Even the creator of PGP, Philip Zimmermann, relies on such a plug-in, although Zimmermann uses one that works with Eudora e-mail software and does not suffer the same vulnerability as Outlook's.

A plug-in for Microsoft's Outlook Express -- a scaled-down version of Outlook -- is not affected by the flaw.

Maiffret said his company immediately deactivated the vulnerable software on all its computers, which can be done with nine mouse-clicks using Outlook, until it could apply the repairs from Network Associates. The decision improved security but "makes it kind of a pain" to send encrypted e-mails, he said.

Zimmermann, in an interview, said PGP software is used "quite extensively" by U.S. agencies, based on sales when he formerly worked at Network Associates. He also said use of the vulnerable companion plug-in was widespread. Zimmermann declined to specify which U.S. agencies might be at risk, but other experts have described trading scrambled e-mails using PGP and Outlook with employees at the FBI, the Energy Department and even the super-secret National Security Agency.

In theory, only nonclassified U.S. information would be at risk from this flaw. Agencies impose strict rules against transmitting any classified messages -- encrypted or not -- over the Internet, using the government's own secret networks instead.

"The only time the government would use PGP is when it's dealing with sensitive but unclassified information and has a reasonable degree of assurance that both parties have PGP," said Mark Rasch, a former U.S. prosecutor and expert on computer security. "It's hardly used on a routine basis."

----

On the Net:

eEye Digital Security: http://www.eeye.com/

Network Associates: http://www.nai.com/

MIT's PGP site: http://web.mit.edu/network/pgp.html



------ End of Forwarded Message

For archives see:
http://www.interesting-people.org/archives/interesting-people/
