Information Security News mailing list archives

Re: Experts play down flaw of encryption software


From: InfoSec News <isn () C4I ORG>
Date: Sat, 24 Mar 2001 20:14:40 -0600

Forwarded by: Aj Effin Reznor <aj () reznor com>

http://www.nandotimes.com/technology/story/0,1643,500466235-500712408-503931029-0,00.html

By ANICK JESDANUN, Associated Press

NEW YORK (March 21, 2001 11:45 p.m. EST http://www.nandotimes.com)
- The gravity of a flaw in the most popular software for sending
encrypted e-mail was questioned Wednesday by security experts.

The vulnerability in Pretty Good Privacy, disclosed by two Czech
cryptologists a day earlier, could allow a hacker to use someone
else's electronic signature to send messages.

That, in essence, could mean the forging of signatures
increasingly used to authorize such things as financial
transactions.

Philip Zimmermann, the creator of PGP, confirmed the flaw exists,
but questioned how useful it would be to attackers.

A hacker would first have to bypass security firewalls and gain
access to the recipient's hard drive. If a hacker can get that
far, Zimmermann said, the user has greater worries, including the
ability for someone to install software to monitor keystrokes like
passwords.


"60-70% of all attacks come from the inside" blah blah blah.  If we
are to believe these numbers, which many of us see as accurate,
plus-or-minus whatever percentage that happens to tailor it to our
experiences, then it should be obvious that an intruder doesn't need
to bypass a firewall, he needs to stay late and access a machine
possibly down the hall, or a few floors up.

-or-

A company rival may plant an after-hours maintenance worker in a
building... Where before only "encrypted data"  may have been stolen,
now the same data, plus the keys to it and anything intercepted can be
had.

But this isn't serious, no...

-aj.

ISN is hosted by SecurityFocus.com