[ news_security_news ]
Holey Open Source Encryption
John Stith
Staff Writer
2006-03-13
 Insider Reports RSS Feed
In the realm of cyber security idiocy, many companies fail to encrypt their huge swathes of consumer data. Normally encrypting is a good thing. However, an open source encryption software program appears to have a problem. There's a security hole in it.
Gnu Privacy Guard (GnuPG) is an open source encryption program based on the Pretty Good Privacy (PGP) software, designed to encrypt data and create digital signatures. The program normally makes the rounds with various Linux versions including FreeBSD and OpenBSD.
Computerworld quoted Thomas Kristensen, CTO at Secunia, saying, "Someone who's able to intercept the message as it's transmitted could inject some data, and then the person who verifies the signature would be told it's a valid, unaltered message."
The whole thing started back in February when a false positive signature verification bug crept in. GnuPG started intensive testing and found another vulnerability. The new problems affect the use of this software for verification of signatures, which are not detached. It also affects signatures embedded in encrypted messages. This is what this program is supposed to do.
Signature verification of non-detached signatures may give a positive result but when extracting the signed data, this data may be prepended or appended with extra data not covered by the signature. Thus it is possible for an attacker to take any signed message and inject extra arbitrary data.
Updates are available for version 1.4.2.2. No fixes are available for anything before that. They advise users to get the updates as quickly as possible. More information is available at their site.
Get all the updates - click this link: 
Add to | DiggThis| Yahoo My Web
About the Author:
John is a staff writer for SecurityProNews covering cyber security.
More news_security_news Articles
Insider Reports RSS Feed
|
|
iEntry 10th Anniversary
RSS
Archive
