July 11th, 2002, 11:32 PM
Taken from here
WASHINGTON, July 10 — The world’s most popular software for scrambling sensitive e-mails suffers from a programming flaw that could allow hackers to attack a user’s computer and, in some circumstances, unscramble messages.
THE SOFTWARE, called Pretty Good Privacy, or PGP, is the de facto standard for encrypting e-mails and is widely used by corporate and government offices, including some FBI agents and U.S. intelligence agencies. The scrambling technology is so powerful that until 1999 the federal government sought to restrict its sale out of fears that criminals, terrorists and foreign nations might use it.
The new vulnerability, discovered weeks ago by researchers at eEye Digital Security Inc., does not exploit any weakness in the complex encrypting formulas used to scramble messages into gibberish. Instead, hackers are able to attack a programming flaw in an important piece of companion software, called a plug-in, that helps users of Microsoft Corp.’s Outlook e-mail program encrypt messages with a few mouse clicks. (MSNBC is a Microsoft - NBC joint venture.)
Outlook itself has emerged as the world’s standard for e-mail software, with tens of millions of users inside many of the world’s largest corporations and government offices. Smaller numbers use the Outlook plug-in to scramble their most sensitive messages so that only the recipient can read them.
“It’s not the number of people using PGP but the fact that they’re using it because they’re trying to safeguard their data,” said Marc Maiffret, the eEye executive and researcher who discovered the problem. “Whatever the percentage is, it’s very important data.”
Maiffret said there was no evidence anyone had successfully attacked users of the encryption software with this technique. He said the programming flaw was “not totally obvious,” even to trained researchers examining the software blueprints.
Network Associates Inc. of Santa Clara, Calif., which until February distributed both commercial and free versions of PGP, made available on its Web site a free download to fix the software. The company announced earlier it was suspending new sales of the software, which hasn’t been profitable, but moved within weeks to repair the problem in existing versions. The company’s shares fell 50 cents to $17.70 in Tuesday trading on the New York Stock Exchange.
Free versions of PGP are widely available on the World Wide Web.
The flaw allows a hacker to send a specially coded e-mail — which would appear as a blank message followed by an error warning — and effectively seize control of the victim’s computer. The hacker could then install spy software to record keystrokes, steal financial records or copy a person’s secret unlocking keys to unscramble their sensitive e-mails. Other protective technology, such as corporate firewalls, could make this more difficult.
“You can do whatever you want — execute code, read e-mails, install a backdoor, steal their keys. You could intercept all that stuff,” Maiffret said.
Experts said the convenience of the plug-ins for popular e-mail programs broadened the risk from this latest threat, since encryption software is famously cumbersome to use without them. Even the creator of PGP, Philip Zimmermann, relies on such a plug-in, although Zimmermann uses one that works with Eudora e-mail software and does not suffer the same vulnerability as Outlook’s.
A plug-in for Microsoft’s Outlook Express — a scaled-down version of Outlook — is not affected by the flaw.
Maiffret said his company immediately deactivated the vulnerable software on all its computers, which can be done with nine mouse-clicks using Outlook, until it could apply the repairs from Network Associates. The decision improved security but “makes it kind of a pain” to send encrypted e-mails, he said.
Zimmermann, in an interview, said PGP software is used “quite extensively” by U.S. agencies, based on sales when he formerly worked at Network Associates. He also said use of the vulnerable companion plug-in was widespread. Zimmermann declined to specify which U.S. agencies might be at risk, but other experts have described trading scrambled e-mails using PGP and Outlook with employees at the FBI, the Energy Department and even the super-secret National Security Agency.
In theory, only nonclassified U.S. information would be at risk from this flaw. Agencies impose strict rules against transmitting any classified messages — encrypted or not — over the Internet, using the government’s own secret networks instead.
“The only time the government would use PGP is when it’s dealing with sensitive but unclassified information and has a reasonable degree of assurance that both parties have PGP,” said Mark Rasch, a former U.S. prosecutor and expert on computer security. “It’s hardly used on a routine basis.”
Heh,... leave it to a Microsoft product to screw things up [again]. Je-sus, you think the guys at Microsoft would get a clue... but they don't. Comments? Criticism? Down_right_flaming_of_MS? All welcome. Just remember that if you use PGP, eEye Digital Security Inc. said that it wasn't "too obvious". Whatever that means,...
...This Space For Rent.
July 11th, 2002, 11:41 PM
Another reason not to use Outlook. Hmmm. The reasons just keep coming and coming.....
I wonder what it's gonna take to make M$ wake up. I'm actually getting bored with all that's wrong with M$, it used to be amusing, got a little funny for a while, but now it's just downright pathetic.
They are not only screwing up their own stuff but they are messing with any software that's any good too......ugh.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
July 11th, 2002, 11:52 PM
As far as I remember, PGP was put into maintenance mode after they could not find a buyer for this product. I thought it was pretty good in that you could use the IPSEC client for environments that could not support IPSEC, like Mac OS.
Here is a letter that NetAss sent out to their PGP customers a while back...
freedom is a road seldom traveled by the multitude
freedom aint free
July 28th, 2002, 03:19 AM
Like the article said, Eudora is not affected by the plugin, nor is Outlook Express (not to be confused with Outlook). I have also configured Pegasus to function with PGP encryption; however, Pegasus will only exchange signed documents with other Pegasus users, ... At least that's the way I read their manual, and that's how it worked when I tried to send encrypted from my Pegasus client to another address I could download with my Outlook Express client. I really don't believe there is a lot of danger in this hole, nor in the one related by (Prof. from England?) last year where you end up changing or modifying the uploaded public keys of someone who is "the mark".
July 28th, 2002, 11:10 AM
Isn't this trying to say "Keylogger" or "Trojan"??? And the hole in Outlook.. isn't it similar to the one that allowed Klez to do its deeds?..
The flaw allows a hacker to send a specially coded e-mail — which would appear as a blank message followed by an error warning — and effectively seize control of the victim’s computer.
I agree with the comments regarding non-HTML email progs... but ppl insist on receiving "Pretty" HTML emails... anyone tried to convince someone to not use proggies like "Incredimail"? .. "My Nortons will protect me" .... F### and the pigs are all loaded and ready to fly..
"Consumer technology now exceeds the average person's ability to comprehend how to use it.. give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr