From: Chris Claborne <Chris.Claborne@SanDiegoCA.ATTGIS.COM>
To: cypherpunks@toad.com
Message Hash: 1e6a1b8fb0aec607854c8ee09c05e5d3944912fa8ee7d1decb05c34d3f7ac3cb
Message ID: <9509190017.aa08714@ncrhub1.ATTGIS.COM>
Reply To: N/A
UTC Datetime: 1995-09-19 04:17:59 UTC
Raw Date: Mon, 18 Sep 95 21:17:59 PDT
Subject: Bidzos takes advantage of Netscape hole!
The following article has a quote from Bidzos claiming that they offered to
review the code but that Netscape declined. Of course the good student is
going to have them review it...
How about having Goldberg and Wagner review it for some bucks!!!
2
-- C --
----------------------------------------------------------
Netscape's Internet Software Contains
Flaw That Jeopardizes Security of Data
By JARED SANDBERG
Staff Reporter of The Wall Street Journal
A serious security flaw has been found in Netscape Communications
Corp.'s Internet software, jeopardizing sensitive financial data such as
credit-card numbers that users pass over the global computer network.
The company acknowledged the flaw and said it's issuing a software fix. But
as is often the case with Internet security, it may take time for users to
adopt the fix, leaving them vulnerable meanwhile.
"It's a very big trapdoor," said Dietrich Kappe, a partner with Red Planet
L.L.C., a Chicago Internet consulting firm. "You can drive a truck through
it. Somebody goofed" at Netscape, he added.
The breach presents a problem for Netscape, which produces the most
popular software for browsing the World Wide Web, the multimedia portion
of the Internet where businesses are setting up electronic storefronts to sell
goods and services. Netscape has captured roughly 75% of the "browser"
market, reaching roughly eight million people, who use the Netscape
product to browse the Web and make credit-card purchases. The breach
also underscores the persistent security problems that have plagued the
Internet and forestalled electronic commerce.
Netscape uses so-called symmetric key cryptography to scramble sensitive
data so that they are unreadable by hackers snooping on the network. That
key is essentially a mathematical formula so long that it makes it impractical
for hackers to crack, even with powerful computers. The formula is
generated by a random number that may be determined by the number of
electronic-mail messages, for example. Netscape's software chooses a
number between one and two-to-the-30th-power -- or roughly one billion.
But on Sunday night, two graduate students at the University of California at
Berkeley posted a message to the Internet's "Cypherpunks" mailing list, a
group of mathematicians and programmers who discuss the science of
cryptography. In the electronic missive, they said that the random number
that generates the mathematical key was "fairly trivial to guess" and that the
key "usually takes less than one minute to find."
Rather than try to break the encryption "key," the two graduate students
examined the so-called "random number generator" and discovered that the
number isn't so random, allowing them to guess the encryption key. It took
the two students, Ian Goldberg and David Wagner, two days to identify the
vulnerability and write a software program that could guess the encryption
key in less than one minute.
Netscape's software, said Mr. Goldberg, 22 years old, "is not as good as
people thought, which is probably worse than no security" since people have
a false sense of security as they enter payment details.
"The information we were using to create the key is now a known set of
information," said Jeffrey Treuhaft, security product manager for Netscape.
"We feel it's important to let our consumers know," he said, adding that the
company will post a warning on its own Web site.
"It's a serious hole, but it can easily be corrected," said James Bidzos,
president of RSA Data Security Inc., which licenses security technology that
Netscape incorporates in its system. Netscape said it plans to have a
software fix to resolve the problem available for downloading over the
Internet by the end of this week.
RSA's Mr. Bidzos said his company offered to review Netscape's security
when it first introduced its browser, but Netscape declined. "They're asking
us to review it this time," he said.
A month ago, a student at France's Ecole Polytechnique cracked the same
weaker encryption system that U.S. government policy forces Netscape to
use in a foreign version of its Navigator software. To break the code, the
student used 120 computer workstations and two supercomputers working
for eight days to break the so-called 40-bit encryption system, a number
that refers to the length of the encoding "key," which is used to scramble data.
Netscape sells a far stronger version of its software that includes 128-bit
key length, but is prevented by the government from distributing it on the
Internet. The government fears that such strong encryption could fall into the
hands of terrorists who might use it to communicate without fear of being
tapped by U.S. security agencies. Security experts, however, noted that the
same problem exists with the stronger software.
... __o
.. -\<,
Chris.Claborne@SanDiegoCA.ATTGIS.Com ...(*)/(*). CI$: 76340.2422
http://bordeaux.sandiegoca.attgis.com/
PGP Pub Key fingerprint = A8 FA 55 92 23 20 72 69 52 AB 64 CC C7 D9 4F CA
Avail on Pub Key server.
PGP-encrypted e-mail welcome!
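
The article's point that a key is only as strong as the seed behind it, and that the 128-bit version has "the same problem", shown as an added example (not part of the original message, the article, or Netscape's code). The derivation function, the check value and the 16-bit seed space are assumptions, the last one shrunk from the article's roughly 2^30 so the run finishes at once.

```python
import hashlib
import hmac
import os

SEED_BITS = 16  # assumption: the article cites ~2**30; reduced so the demo is instant


def weak_session_key(seed: int) -> bytes:
    """128-bit key that is a pure function of a small seed (the flawed design)."""
    # Assumed derivation: truncated SHA-256 of the seed. Any deterministic
    # function of the seed has the same weakness.
    return hashlib.sha256(seed.to_bytes(4, "big")).digest()[:16]


def strong_session_key() -> bytes:
    """128-bit key taken directly from the operating system's CSPRNG."""
    return os.urandom(16)


def key_check_value(key: bytes) -> bytes:
    """Stand-in for any observable value that depends on the key."""
    return hmac.new(key, b"constructed handshake transcript", hashlib.sha256).digest()


def recover_seed(observed: bytes, seed_bits: int = SEED_BITS):
    """Audit check: is the observed value explained by any seed in the space?"""
    for seed in range(2 ** seed_bits):
        candidate = key_check_value(weak_session_key(seed))
        if hmac.compare_digest(candidate, observed):
            return seed
    return None


def effective_key_bits(seed_bits: int, key_bits: int = 128) -> int:
    """Work factor is bounded by the smaller of seed entropy and key length."""
    return min(seed_bits, key_bits)


if __name__ == "__main__":
    secret_seed = 48879  # constructed sample value inside the 16-bit space
    observed = key_check_value(weak_session_key(secret_seed))
    print("weak key, seed recovered:", recover_seed(observed))
    print("CSPRNG key, seed recovered:",
          recover_seed(key_check_value(strong_session_key())))
    for key_bits in (40, 128):
        print(f"{key_bits}-bit key from a 30-bit seed ->",
              effective_key_bits(30, key_bits), "effective bits")
```
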