Information Security News mailing list archives

Re: PGPsdk Key Validity Vulnerability


From: InfoSec News <isn () c4i org>
Date: Thu, 6 Sep 2001 01:10:47 -0500 (CDT)

Forwarded from: JohnE37179 () aol com

In a message dated 9/5/01 1:40:08 AM, isn () c4i org writes:

<< A vulnerability in PGP's display of key validity has been discovered
that could allow an attacker to fool users into thinking that a valid
signature was created by what is actually an invalid user ID.  >>

It is far simpler than this to fool any of the PKI security systems.
In a recent test it was discovered that 3.4% of those applying for new
checking accounts at over 26,000 branch banks in the U.S. were
intentionally using altered or false identities. This is up from 2.2%
in 1996. Obtaining a key in a false identity is no more difficult than
asking for it. Reliance on PKI security infrastructure is very risky
indeed. This is true of all certification systems. Assuming a false
identity and obtaining a key through social engineering is child's
play. PKI strategies offer the keys to the kingdom to the crooks. All
the crooks have to do is ask.

It is not technical frontal assaults that are the primary risk, but
the simple human weaknesses that are the primary vulnerability to all
security systems.

John Ellingson
CEO
Edentification, Inc.



-
ISN is currently hosted by Attrition.org