Security flaw afflicts popular technology for sending scrambled e-mails
Wednesday, July 10th 2002, 12:00 am
By: News On 6
WASHINGTON (AP) _ The world's most popular software for scrambling sensitive e-mails suffers from a programming flaw that could allow hackers to attack a user's computer and, in some circumstances, unscramble messages.
The software, called Pretty Good Privacy, or PGP, is the de facto standard for encrypting e-mails and is widely used by corporate and government offices, including some FBI agents and U.S. intelligence agencies. The scrambling technology is so powerful that until 1999 the federal government sought to restrict its sale out of fears that criminals, terrorists and foreign nations might use it.
The new vulnerability, discovered weeks ago by researchers at eEye Digital Security Inc., does not exploit any weakness in the complex encrypting formulas used to scramble messages into gibberish. Instead, hackers are able to attack a programming flaw in an important piece of companion software, called a plug-in, that helps users of Microsoft Corp.'s Outlook e-mail program encrypt messages with a few mouse clicks.
Outlook itself has emerged as the world's standard for e-mail software, with tens of millions of users inside many of the world's largest corporations and government offices. Smaller numbers use the Outlook plug-in to scramble their most sensitive messages so that only the recipient can read them.
``It's not the number of people using PGP but the fact that they're using it because they're trying to safeguard their data,'' said Marc Maiffret, the eEye executive and researcher who discovered the problem. ``Whatever the percentage is, it's very important data.''
Maiffret said there was no evidence anyone had successfully attacked users of the encryption software with this technique. He said the programming flaw was ``not totally obvious,'' even to trained researchers examining the software blueprints.
Network Associates Inc. of Santa Clara, Calif., which until February distributed both commercial and free versions of PGP, made available on its Web site a free download to fix the software. The company announced earlier it was suspending new sales of the software, which hasn't been profitable, but moved within weeks to repair the problem in existing versions. The company's shares fell 50 cents to $17.70 in Tuesday trading on the New York Stock Exchange.
Free versions of PGP are widely available on the World Wide Web.
The flaw allows a hacker to send a specially coded e-mail _ which would appear as a blank message followed by an error warning _ and effectively seize control of the victim's computer. The hacker could then install spy software to record keystrokes, steal financial records or copy a person's secret unlocking keys to unscramble their sensitive e-mails. Other protective technology, such as corporate firewalls, could make this more difficult.
``You can do whatever you want _ execute code, read e-mails, install a backdoor, steal their keys. You could intercept all that stuff,'' Maiffret said.
Experts said the convenience of the plug-ins for popular e-mail programs broadened the risk from this latest threat, since encryption software is famously cumbersome to use without them. Even the creator of PGP, Philip Zimmermann, relies on such a plug-in, although Zimmermann uses one that works with Eudora e-mail software and does not suffer the same vulnerability as Outlook's.
A plug-in for Microsoft's Outlook Express _ a scaled-down version of Outlook _ is not affected by the flaw.
Maiffret said his company immediately deactivated the vulnerable software on all its computers, which can be done with nine mouse-clicks using Outlook, until it could apply the repairs from Network Associates. The decision improved security but ``makes it kind of a pain'' to send encrypted e-mails, he said.
Zimmermann, in an interview, said PGP software is used ``quite extensively'' by U.S. agencies, based on sales when he formerly worked at Network Associates. He also said use of the vulnerable companion plug-in was widespread. Zimmermann declined to specify which U.S. agencies might be at risk, but other experts have described trading scrambled e-mails using PGP and Outlook with employees at the FBI, the Energy Department and even the super-secret National Security Agency.
In theory, only nonclassified U.S. information would be at risk from this flaw. Agencies impose strict rules against transmitting any classified messages _ encrypted or not _ over the Internet, using the government's own secret networks instead.
``The only time the government would use PGP is when it's dealing with sensitive but unclassified information and has a reasonable degree of assurance that both parties have PGP,'' said Mark Rasch, a former U.S. prosecutor and expert on computer security. ``It's hardly used on a routine basis.''