Information Security News mailing list archives
Re: PGPsdk Key Validity Vulnerability
From: InfoSec News <isn () c4i org>
Date: Thu, 6 Sep 2001 01:10:47 -0500 (CDT)
Forwarded from: JohnE37179 () aol com

In a message dated 9/5/01 1:40:08 AM, isn () c4i org writes:

<< A vulnerability in PGP's display of key validity has been discovered that could allow an attacker to fool users into thinking that a valid signature was created by what is actually an invalid user ID. >>

It is far simpler than this to fool any of the PKI security systems. In a recent test it was discovered that 3.4% of those applying for new checking accounts at over 26,000 branch banks in the U.S. were intentionally using altered or false identities. This is up from 2.2% in 1996. Obtaining a key in a false identity is no more difficult than asking for it.

Reliance on PKI security infrastructure is very risky indeed. This is true of all certification systems. Assuming a false identity and obtaining a key through social engineering is child's play. PKI strategies offer the keys to the kingdom to the crooks. All the crooks have to do is ask.

It is not technical frontal assaults that are the primary risk, but the simple human weaknesses that are the primary vulnerability to all security systems.

John Ellingson
CEO
Edentification, Inc.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY of the mail.