Re: [ISN] Experts play down flaw of encryption software
From: InfoSec News (isn@C4I.ORG)
Date: Sat Mar 24 2001 - 20:14:40 CST
Forwarded by: Aj Effin Reznor <aj@reznor.com>
> http://www.nandotimes.com/technology/story/0,1643,500466235-500712408-503931029-0,00.html
>
> By ANICK JESDANUN, Associated Press
>
> NEW YORK (March 21, 2001 11:45 p.m. EST http://www.nandotimes.com)
> - The gravity of a flaw in the most popular software for sending
> encrypted e-mail was questioned Wednesday by security experts.
>
> The vulnerability in Pretty Good Privacy, disclosed by two Czech
> cryptologists a day earlier, could allow a hacker to use someone
> else's electronic signature to send messages.
>
> That, in essence, could mean the forging of signatures
> increasingly used to authorize such things as financial
> transactions.
>
> Philip Zimmermann, the creator of PGP, confirmed the flaw exists,
> but questioned how useful it would be to attackers.
>
> A hacker would first have to bypass security firewalls and gain
> access to the recipient's hard drive. If a hacker can get that
> far, Zimmermann said, the user has greater worries, including the
> ability for someone to install software to monitor keystrokes like
> passwords.
>
"60-70% of all attacks come from the inside" blah blah blah. If we
are to believe these numbers, which many of us see as accurate,
plus-or-minus whatever percentage that happens to tailor it to our
experiences, then it should be obvious that an intruder doesn't need
to bypass a firewall, he needs to stay late and access a machine
possibly down the hall, or a few floors up.
-or-
A company rival may plant an after-hours maintenance worker in a
building... Where before only "encrypted data" may have been stolen,
now the same data, plus the keys to it and anything intercepted can be
had.
But this isn't serious, no...
-aj.
ISN is hosted by SecurityFocus.com