1995-09-19 - Bidzos takes advantage of Netscape hole!

Header Data

From: Chris Claborne <Chris.Claborne@SanDiegoCA.ATTGIS.COM>
To: cypherpunks@toad.com
Message Hash: 1e6a1b8fb0aec607854c8ee09c05e5d3944912fa8ee7d1decb05c34d3f7ac3cb
Message ID: <9509190017.aa08714@ncrhub1.ATTGIS.COM>
Reply To: N/A
UTC Datetime: 1995-09-19 04:17:59 UTC
Raw Date: Mon, 18 Sep 95 21:17:59 PDT

Raw message

From: Chris Claborne <Chris.Claborne@SanDiegoCA.ATTGIS.COM>
Date: Mon, 18 Sep 95 21:17:59 PDT
To: cypherpunks@toad.com
Subject: Bidzos takes advantage of Netscape hole!
Message-ID: <9509190017.aa08714@ncrhub1.ATTGIS.COM>
MIME-Version: 1.0
Content-Type: text/plain


The following article has a quote from Bidzos claiming that they offered to
review the code but that Netscape declined.  Of course the good student is
going to have them review it...  

   How about having the Goldberg and Wagner review it for some bucks!!!

     2
-- C  --
----------------------------------------------------------
Netscape's Internet Software Contains
 Flaw That Jeopardizes Security of Data

 By JARED SANDBERG
 Staff Reporter of The Wall Street Journal 

 A serious security flaw has been found in Netscape Communications
 Corp.'s Internet software, jeopardizing sensitive financial data such as
 credit-card numbers that users pass over the global computer network. 

 The company acknowledged the flaw and said it's issuing a software fix. But
 as is often the case with Internet security, it may take time for users to
adopt
 the fix, leaving them vulnerable meanwhile. 

 "It's a very big trapdoor," said Dietrich Kappe, a partner with Red Planet
 L.L.C., an Chicago Internet consulting firm. "You can drive a truck through
 it. Somebody goofed" at Netscape, he added. 

 The breach presents a problem for Netscape, which produces the most
 popular software for browsing the World Wide Web, the multimedia portion
 of the Internet where businesses are setting up electronic storefronts to sell
 goods and services. Netscape has captured roughly 75% of the "browser"
 market, reaching roughly eight million people, who use the Netscape
 product to browse the Web and make credit-card purchases. The breach
 also underscores the persistent security problems that have plagued the
 Internet and forestalled electronic commerce. 

 Netscape uses so-called symmetric key cryptography to scramble sensitive
 data so that they are unreadable by hackers snooping on the network. That
 key is essentially a mathematical formula so long that it makes it impractical
 for hackers to crack, even with powerful computers. The formula is
 generated by a random number that may be determined by the number of
 electronic-mail messages, for example. Netscape's software chooses a
 number between one and two-to-the-30th-power -- or roughly one billion. 

 But on Sunday night, two graduate students at the University of California at
 Berkeley posted a message to the Internet's "Cypherpunks" mailing list, a
 group of mathematicians and programmers who discuss the science of
 cryptography. In the electronic missive, they said that the random number
 that generates the mathematical key was "fairly trivial to guess" and that the
 key "usually takes less than one minute to find." 

 Rather than try to break the encryption "key," the two graduate students
 examined the so-called "random number generator" and discovered that the
 number isn't so random, allowing them to guess the encryption key. It took
 the two students, Ian Goldberg and David Wagner, two days to identify the
 vulnerability and write a software program that could guess the encryption
 key in less than one minute. 

 Netscape's software, said Mr. Goldberg, 22 years old, "is not as good as
 people thought, which is probably worse than no security" since people have
 a false sense of security as they enter payment details. 

 "The information we were using to create the key is now a known set of
 information," said Jeffrey Treuhaft, security product manager for Netscape.
 "We feel it's important to let our consumers know," he said, adding that the
 company will post a warning on its own Web site. 

 "It's a serious hole, but it can easily be corrected," said James Bidzos,
 president of RSA Data Security Inc., which licenses security technology that
 Netscape incorporates in its system. Netscape said it plans to have a
 software fix to resolve the problem available for downloading over the
 Internet by the end of this week. 

 RSA's Mr. Bidzos said his company offered to review Netscape's security
 when it first introduced its browser, but Netscape declined. "They're asking
 us to review it this time," he said. 

 A month ago, a student at France's Ecole Polytechnique cracked the same
 weaker encryption system that U.S. government policy forces Netscape to
 use in a foreign version of its Navigator software. To break the code, the
 student used 120 computer workstations and two supercomputers working
 for eight days to break the so-called 40-bit encryption system, a number
 that refers to length of the encoding "key," which is used to scramble data. 

 Netscape sells a far stronger version of its software that includes 128-bit
 key length, but is prevented by the government from distributing it on the
 Internet. The government fears that such strong encryption could fall into the
 hands of terrorists who might use it to communicate without fear of being
 tapped by U.S. security agencies. Security experts, however, noted that the
 same problem exists with the stronger software. 

                                        ...  __o
                                       ..   -\<,
Chris.Claborne@SanDiegoCA.ATTGIS.Com   ...(*)/(*).          CI$: 76340.2422
http://bordeaux.sandiegoca.attgis.com/
PGP Pub Key fingerprint =  A8 FA 55 92 23 20 72 69  52 AB 64 CC C7 D9 4F CA
Avail on Pub Key server.
PGP-encrypted e-mail welcome!






Thread