You are here: silicon.com > Software > Security Strategy

Security Strategy

PGP flaw turns emails into 'digital bullets'

Threatens those with the most to lose

Printer Friendly Email Story RSS

By Robert Lemos

Published: 6 September 2002 17:20 GMT

Email messages encrypted with the Pretty Good Privacy (PGP) program can be used as 'digital bullets' to attack and take control of a victim's computer, according to security consulting firm Foundstone.

Because of a flaw in the way PGP handles long file names in an encrypted archive, an attacker could "take control of the recipient's computer, elevating his or her privileges on the organisation's network," Foundstone said in an advisory note.

The company classified the vulnerability as a high risk "due to the trusting nature of encrypted attachments in email, its relative ease of exploitation and the large amount of corporations and military and government agencies that rely on PGP encryption for secure communication."

The flaw occurs in the way PGP handles long file names in encrypted archives, Network Associates said on its site. PGP runs into problems when it tries to encrypt or decrypt files that have names longer than 200 characters. When PGP attempts to decrypt the files, a buffer overflow causes it to crash.

The long file names aren't readily apparent to a recipient of such an email, said Foundstone CEO George Kurtz.

"It is just like a ZIP file," Kurtz said. "You can name a file with eight characters, but archived in the file are several other (files) with long file names."

The danger, Kurtz said, is that the flaw could be used to attack users who have the most to protect. "Most users of PGP have some level of security sophistication. It makes it that much more of a high-level attack," Kurtz said. An attacker could "obtain that very valuable information that was meant to be protected by encryption".

The flaw affects PGP Corporate Edition 7.1.0 and 7.1.1. Software maker Network Associates has posted a patch on its site (http://www.nai.com). The company recently sold all PGP assets to a start-up, PGP Corp., but appears to still be providing support for the program. Neither company could be reached for comment.

The current vulnerability resembles another flaw in the PGP plug-in for Outlook, found in early July.

Robert Lemos writes for News.com

Add Comment Add comment  Printer Friendly Print story with   Email Story Email story  
In
Applications

Operating Systems

SOA/Web Services

Malware

Security Strategy


Related Links

Zimmermann hits back at 'terrorist aid' accusations

Pretty Good Privacy pretty much dead

PGP defect reveals encrypted messages

Microsoft finds malicious attack flaw

Renegade program stealing passwords at banking sites

  1. Zones
  2. Management
  3. Networks
  4. Software
  5. IT Services
  6. Hardware
  1. Verticals
  2. Public Sector
  3. Financial Services
  4. Retail & Leisure

Bob Tarzey Why you must rein in your power users When they do damage, it can be catastrophic to your business

Jon Collins Is losing a mobile device really such a big deal? How to minimise the damage to your business

UK ID cards rollout hit by delay as launch date revealed

Bletchley Park's World War Two codebreakers in their own words

'You're responsible for your own wi-fi security' say ISPs

'UK must up privacy safeguards following Phorm'

The top 10 technologies you need to plan for next year


  • Jobs
CharacterAnimator

Requirements: Obviously, we are looking for specific qualities in you to fulfil the role of therefore, if possible, we'd like your CVs to include ...

Mechanical Engineer

By sending us your CV, you are explicitly consenting to our processing of your personal data on a computer database and/or in manual files for the ...

Security Operations Centre Manager (SOC Manager), SC Security Cleared

Basic awareness of computer based vulnerability analysis testing. Moderate awareness of computer based vulnerability analysis testing. Basic ...

Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.

JD Edwards Spotlight Video

CEO Dashboard Management: Why Creating Visual Reports You Can't Hide From Will Help...

Virtual Private Servers (VPS)

Looking for a fast payback? 10 Minutes with Free Tool Can Save Thousands

Martin Brokers cashes in on back-up swap

VocaLink makes virtualisation pay

Sony Pictures sets sights on best IT Oscar

Co-op Group kicks "server sprawl" into touch

Arts Council gets tech troubleshooting boost

Torex tech treats Thorntons to quicker sales

Stories from the web...


eBay app lets users bid from a BlackBerry

ID card database: 500 names added in first month

Women in IT: Tech has an image problem

Tesco Mobile to get a taste of Apple's iPhone

Marketing chiefs: Are you spamming your customers?

IT skills shortage squashed by recession?




Quick Sitemap Links: