Computer Security Weekly, Aug. 27, 2000
If you don't use Outlook, and correspond regularly with those who do, you will likely have noticed that you occasionally receive an attached file called winmail.dat. Winmail.dat contains information about RTF (Rich Text Format) fonts and other settings. Unfortunately, it contains a lot more information than that. It is a fairly simple matter to obtain, from the file, details of the user's default system directory, NT username, and domain name, among other things. Users of Outlook should be aware of how much information they are giving away about themselves.
Just as an aside to that, Outlook sometimes buries multiple file attachments actually made by the user in the winmail.dat file. This renders them unreachable by other mail systems.
The big security news this week is that the venerable PGP (Pretty Good Privacy) encryption software has been found to be insecure. Only not quite.
This story is a little more detailed that. The only version affected is the commercial version from Network Associates. The fault lies not with the base program, or even the key management system overall, but with a "recovery" feature called "Additional Decryption Keys" (ADK). Even at that, the ADKs themselves are not at fault, but rather the certificates that NAI produces. The ADK field is not, itself, protected by encryption or a digital signature. Therefore, it is possible for an attacker to replace the ADK on the certificate with his own ADK, and then publicize the modified certificate.
The international versions of PGP, or keys generated without the ADK option, should still be secure.
http://www.pcworld.com/cgi-bin/pcwtoday?...
mailto:rslade@sprint.ca
mailto:robertslade@usa.net
mailto:p1@canada.com
-
Find virus, book info http://victoria.tc.ca/techrev/rms.htm
Mirrored at http://sun.soci.niu.edu/~rslade/rms.htm
Linked to bookstore at http://www97.pair.com/robslade/
Go To Page: 1
Articles in this Topic Discussions in this Topic
Latest Articles