13.08.2002, 21:27
zu Gast
#1 Flaw discovered in encryption software

PGP hole could let unauthorized people decode e-mail

NEW YORK (AP) -- Snoopers on the Internet could decode sensitive e- mail messages simply by tricking recipients into hitting the reply button, computer security researchers warned Monday.

The flaw affects software using Pretty Good Privacy, the most popular tool for scrambling e-mail.

Researchers at Columbia University and Counterpane Internet Security Inc. found that someone intercepting an encrypted message could descramble it by repackaging the message and passing it on to the recipient.

The message would appear as gibberish, possibly prompting the recipient to request a resend.

If the recipient includes the original text with that request -- as many people have their configured their software to do automatically when they reply -- the interceptor could then read the original message.

Bruce Schneier, Counterpane's chief technology officer, said most people would never dream that security can be compromised simply by returning gibberish.

Intercepting a message is trivial using software known as sniffers, and companies may use such programs to monitor employees on its network. An oppressive government may snoop on its citizens if it also controls service providers or other access points.

Thus, human rights workers, some FBI agents and even the son of a jailed mobster have used PGP to encrypt messages sent over the Internet and data stored on computers.

So powerful is the technology that the United States government until 1999 sought to restrict its sale out of fears that criminals, terrorists and foreign nations might use it.

Serious, but tough to exploit

Jon Callas, principal author of the OpenPGP standard at the Internet Engineering Task Force, said the vulnerability is serious but very difficult to exploit.

And, he said, many PGP software packages compress messages before sending. Researchers found that such compression can sometimes thwart the unauthorized decoding.

Nonetheless, an update to the OpenPGP standard was to be released Monday to coincide with the announcement of the flaw. Many developers already have begun to write software fixes, Callas said.

In the meantime, Schneier and Callas urged recipients of PGP e-mail to avoid including full text of messages when replying.

Schneier and co-researchers Kahil Jallad and Jonathan Katz, who were at Columbia University when they discovered the flaw, identified its possibility about a year ago. The latest paper offered a demonstration of the flaw in practice.

The findings come weeks after researchers at eEye Digital Security Inc. discovered that hackers could exploit a programming flaw in companion software -- a plug-in for Microsoft Corp.'s Outlook program -- to attack a user's computer and in some cases, unscramble messages.

In neither case does the flaw affect the actual encrypting formulas used to scramble messages.

Seitenanfang Seitenende
13.08.2002, 21:37
zu Gast
#2 @Ajax
Danke für die News ;)

ich hab mal bei Heise nachgesehen; hier also nochmal ein kurze deutschsprachige Notiz dazu ;)


Sicherheitsloch im Outlook-Plugin von PGP

Das Outlook-Plugin des E-Mail-Verschlüsselungsprogramm PGP enthält einen Buffer-Overflow, der sich via E-Mail zu einem Angriff auf den Rechner des Anwenders ausnutzen lässt. Dazu genügt es, dass der Anwender in Outlook eine speziell präparierte E-Mail auswählt. Betroffen sind die Freeware- und Desktop-Security-Version, nicht aber die Version PGP Corporate Desktop.

Die Entdecker von der Firma eEye Digital Security haben den Hersteller benachrichtigt, sodass Network Associates parallel zu dem Security Advisory auch gleich einen Patch bereitstellen konnte, der das Problem beseitigt. Diese prompte Reaktion dürfte einige Skeptiker beruhigen, die schon befürchtet haben, dass sich nun, nachdem NAI das Produkt offiziell nicht mehr verkauft, niemand mehr für die Beseitigung von Sicherheitslücken zuständig fühlen würde.
Seitenanfang Seitenende
13.08.2002, 21:40
zu Gast
#3 nicht zu vergessen die Quelle:

Übrigens Lukas, Wie sieht es eigentlich mit einer englischen Sektion im Board aus?
Seitenanfang Seitenende
14.08.2002, 08:55
Avatar sh4rk

Beiträge: 1148
#4 Nein ich kann kein englisch ;)

Aber mit Hebräisch wäre ich einverstanden *lol*
So wird mein Post von allen gelesen..
Seitenanfang Seitenende
19.08.2002, 21:02
zu Gast

#5 Newly Formed PGP Announces New Products for Windows and Macintosh

Windows Support for XP, Notes, Novell; Macintosh version for OS X

Palo Alto, Calif. (Aug 19, 2002) – PGP Corporation, the recognized worldwide leader in secure messaging and data storage, today announced major product line upgrades to their industry-leading PGP encryption product families. The products, PGP 8.0 for Windows and PGP 8.0 for Macintosh, will ship in November of 2002.

PGP 8.0 is a new product and significant upgrade to current PGP offerings, including substantial new features on both platforms.

PGP 8.0 for Windows: PGP Mail and PGP Disk. Adds full Windows XP support, server-side Lotus Notes plug-in, support for Novell GroupWise 5.5 and 6.0 clients, as well as supporting all current operating systems and messaging clients, significantly enhanced Unicode internationalization support, and PGP Admin 8.0 automatic configuration of PGP Disk.

PGP 8.0 for Macintosh OS X: PGP Mail and PGP Disk. This new product brings full Mac OS X support to the PGP product line. An all-new version of PGP Disk allows compatibility with PGP disks created on Windows, AES algorithm support, and compatibility with older Mac OS 9 PGP disks. PGP Mail for Mac OS X directly integrates with Apple’s mail application as well as providing support for Microsoft’s Entourage.

New customers may purchase a license for PGP 8.0 for Windows immediately. Orders for the Macintosh version will be accepted in Q4 2002. Under the current purchase program, new customers will receive the 7.1.1 version now plus a full year license of PGP 8.0 when it ships.

A limited time promotional program has been created to simplify this process. Existing customers may purchase a license and upgrade to PGP 8.0 for existing or new seats. The program is also available to new customers. Pricing is set from 20% to 40% off! of standard pricing. Details are available at promo.

und ein Brief von Jon Callas

Seitenanfang Seitenende
19.08.2002, 21:14
zu Gast

#6 Hi,

jetzt sehe ich daß bei Heise die Meldung auch draußen ist.
Seitenanfang Seitenende
11.10.2002, 10:21
zu Gast
#7 has this hole been fixed. if so where can the fix be downloaded?
Seitenanfang Seitenende
Um auf dieses Thema zu ANTWORTEN
bitte erst » hier kostenlos registrieren!!

Folgende Themen könnten Dich auch interessieren: