Posted on 07/11/2002 6:59:49 PM PDT by chance33_98
Flaw Found In Popular E-Mail Scrambling Program Hacker Could Take Control Of User's Computer
POSTED: 8:31 a.m. EDT July 11, 2002
WASHINGTON -- The world's most popular software for scrambling sensitive e-mails suffers from a programming flaw that could allow hackers to attack a user's computer and, in some circumstances, unscramble messages.
The software, called Pretty Good Privacy, or PGP, is the de facto standard for encrypting e-mails and is widely used by corporate and government offices, including some FBI agents and U.S. intelligence agencies. The scrambling technology is so powerful that until 1999 the federal government sought to restrict its sale out of fears that criminals, terrorists and foreign nations might use it.
The new vulnerability, discovered weeks ago by researchers at eEye Digital Security Inc., does not exploit any weakness in the complex encrypting formulas used to scramble messages into gibberish. Instead, hackers are able to attack a programming flaw in an important piece of companion software, called a plug-in, that helps users of Microsoft Corp.'s Outlook e-mail program encrypt messages with a few mouse clicks.
Outlook itself has emerged as the world's standard for e-mail software, with tens of millions of users inside many of the world's largest corporations and government offices. Smaller numbers use the Outlook plug-in to scramble their most sensitive messages so that only the recipient can read them.
"It's not the number of people using PGP but the fact that they're using it because they're trying to safeguard their data," said Marc Maiffret, the eEye executive and researcher who discovered the problem. "Whatever the percentage is, it's very important data."
Maiffret said there was no evidence anyone had successfully attacked users of the encryption software with this technique. He said the programming flaw was "not totally obvious," even to trained researchers examining the software blueprints.
Network Associates Inc. of Santa Clara, Calif., which until February distributed both commercial and free versions of PGP, made available on its Web site a free download to fix the software. The company announced earlier it was suspending new sales of the software, which hasn't been profitable, but moved within weeks to repair the problem in existing versions. The company's shares fell 50 cents to $17.70 in Tuesday trading on the New York Stock Exchange.
Free versions of PGP are widely available on the World Wide Web.
The flaw allows a hacker to send a specially coded e-mail - which would appear as a blank message followed by an error warning - and effectively seize control of the victim's computer. The hacker could then install spy software to record keystrokes, steal financial records or copy a person's secret unlocking keys to unscramble their sensitive e-mails. Other protective technology, such as corporate firewalls, could make this more difficult.
"You can do whatever you want - execute code, read e-mails, install a backdoor, steal their keys. You could intercept all that stuff," Maiffret said.
Experts said the convenience of the plug-ins for popular e-mail programs broadened the risk from this latest threat, since encryption software is famously cumbersome to use without them. Even the creator of PGP, Philip Zimmermann, relies on such a plug-in, although Zimmermann uses one that works with Eudora e-mail software and does not suffer the same vulnerability as Outlook's.
A plug-in for Microsoft's Outlook Express - a scaled-down version of Outlook - is not affected by the flaw.
Maiffret said his company immediately deactivated the vulnerable software on all its computers, which can be done with nine mouse-clicks using Outlook, until it could apply the repairs from Network Associates. The decision improved security but "makes it kind of a pain" to send encrypted e-mails, he said.
Zimmermann, in an interview, said PGP software is used "quite extensively" by U.S. agencies, based on sales when he formerly worked at Network Associates. He also said use of the vulnerable companion plug-in was widespread. Zimmermann declined to specify which U.S. agencies might be at risk, but other experts have described trading scrambled e-mails using PGP and Outlook with employees at the FBI, the Energy Department and even the super-secret National Security Agency.
In theory, only nonclassified U.S. information would be at risk from this flaw. Agencies impose strict rules against transmitting any classified messages - encrypted or not - over the Internet, using the government's own secret networks instead.
"The only time the government would use PGP is when it's dealing with sensitive but unclassified information and has a reasonable degree of assurance that both parties have PGP," said Mark Rasch, a former U.S. prosecutor and expert on computer security. "It's hardly used on a routine basis."
Maybe Network Associates fixed it. I doubt it.
--Boris
Cost of 9 mouse clicks: 50 cents
Knowing where to point the mouse for each click: $500.00
They make it sound like it's PGP's fault, however Outlook is the fault of most e-mail security breaches. I think Microsoft has a class-action lawsuit problem in its future.
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: 6.0.2ckt mQENAzwadLsBQgEIALqceJanQWnGrSRdVQH7KOU/ilP/63Aln4ueDRhjznDu1Gsi CemtA7sxV6xolLOZIc+zSOk9SBC3rDXUAftfQfgUaO/ULmWIcWaNFgU1QQMtOjY1 Cy3Vnt0ZcICR/aGfcB9EzNQODLFugddRXbH26Knz9x4hZj+t5xeA1LzBtDxeBO2i UgFpiGFkjJ7W+p8dcsD4fGm6BCQVHhTusO7zPTGD3gcHdTcv63AejgH18AIfXZxe H/a3wAadTAljL4gpbuhBpqNsCYpAfVCZgEtm5qsP16TKzQ5ZsC6nDcOXxIl3VFAx 5Gni1WAfEt+4lPxne6C0xDlyvnAanFzYiqH9rksABRG0I0JydWNlIEYuIFNsYXlt YW4gPHNsYXltYW5AYnZtbC5vcmc+iQEVAwUQPBp0u5xc2Iqh/a5LAQH+0Af/bwnv zZEDiddkdM4nPrn2YvzKMoleypK8ByQ29rZgf6hD6NmpqJzBa/Ymu0YxHM1HDHno XlTH0106pZ7T4Bs7ax9fTKpI5WrsnaHpGFpCUaG9Ljoq79JwmE/I7uHX/Pp8XwvI L0pQ07san7t/3gasqgQIqum0Kw3rjdbrWoZ1V1F7CpihGm8dvSwZlYM0BwCjMJnF jaJtzAX+NaaLIoBaq98EtrTkX9kv8NZtX1mQXRxsbz2y+orv1IDvTXjlkybYsVqn WMnCXulzm3uWUtS5IV79nxfTYgdiS4FloKjWsh6iAHU69FFbrZFvZenW9RvzEusr rUGwdvn0NoyoGc1uPokCFQMFEDwadRcaJ6byCLQOFwEBUlkQAJXUUa46wANxlTIs 2fD6bOg4KwC3uRmlJeUtkYYVTEk2RT+F6bfN2341NRyibuwcHYZQg29FfW3/bbq6 lnq8s9fiq/P6s7n8fSiar+b8hrAaVhFcFHOq0I7cCmrdGMkpXvcjbmahN8ezSMcN 4AfH5N3alJ6LlwOpC5Qb/yZq2l0UIxcfpnbQzbpj5RnjkHnvFuaNJBhGAIMVzqc+ y+lsTmxg5w65oGlI7ggve6DE5Dj4NEtMrbn9uNi9B6STDgc7qtG8Gc6kkjzMt4WW ysC7BcROgMXHxW6M5YDY1xuKUjfVZCldiKCPR6+GCqMTptYH4P5sdlNr3rG0Stl1 9SA7FpQANL5e4VYpnD5J0fSEPp/+Xs7pjfDN+MbJVuCkLkWw+AWje95tIykv40VQ ay6ar9hTVj11kutKddLpQ7N0HmnA85mycW7NWB7uysUNihJOYpanyOWsOfPi6MCi j2W9U2mnQ0PJioelWaCVZ3R3LlDXT6fWg5GQmA+f5Apf4O4rzm6K6qeO6L+wZO99 Q6F1sa8Ds38feB5HZ/aUbi4UsA3Fb0lUEiUIjMwlBsX1J8eJTyWpG0WME3vDTf/d 7wXHogoa8uYShR6kMU9uyAutNy9FGg6EHcsWpe4s1AiCtYWkaKNlVpr2371NbFnT i6rmc7LfPMsSIDBSKc1tv9x5FyRO =68jC -----END PGP PUBLIC KEY BLOCK----- KeyID: 0xA1FDAE4B Fingerprint: D534 2CD2 FC1B 0D2D 15C3 85B6 B881 43FB
Sounds like (another) security hole in Microsoft LookOut, not PGP per se.
Sounds like (another) security hole in Microsoft LookOut, not PGP per se.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.