=============================================================== T H E S E C U R I U S N E W S L E T T E R =============================================================== August 31, 2000 | Vol. 1, #09 | http://www.securius.com/ CONTENTS 1. RIP vs. CARNIVORE, AN INTERNATIONAL PERSPECTIVE 2. PGP's BACK DOOR 3. PEER-TO-PEER RISKS 4. TOOL: FIRESTARTER 0.4.1 5. TOOL: ENCRYPTION PLUS(R) CD-ROM 4.0 FORWARD THIS MAIL RIGHT NOW Please take a moment and forward this newsletter to a colleague or friend. =============================================================== A service of PC Guardian | San Rafael, California Computer security products | http://www.pcguardian.com/ "Protecting Computers & Data Worldwide -- Since 1984" =============================================================== -------------------------------------------------------- 1. RIP vs. CARNIVORE, AN INTERNATIONAL PERSPECTIVE -------------------------------------------------------- In the wake of last month's coverage of the FBI's Carnivore packet-sniffing system, I received a handful of notes along the lines of: "You think you have it bad in the States ... Have you followed what's happened in the UK with the RIP Act?" At first glance, it seems like the world's most advanced and enlightened nations are in a mad rush to see which can implement the most totalitarian surveillance systems. The UK's Regulation of Investigatory Powers (RIP) Act 2000 was approved last month and will take effect in October. It provides the British secret police with widespread and coercive Internet surveillance powers. RIP requires that all Internet Service Providers (ISPs) in the UK develop the capability to pass all traffic to the MI5 (the equivalent of the FBI). If intercepted data is encrypted, the government can compel disclosure of the decryption keys. Those who don't comply with an order to provide keys face up to two years of imprisonment. They have ways of making you talk! Even more insidiously, once someone is ordered to surrender an encryption key or cooperate with an interception order, that person is barred from telling anyone. Not even their own management or security people. Not ever. Those who violate the "tip-off" rule face five years of imprisonment. The interception and key disclosure requirements go into effect if law enforcement believes it is necessary * in the interests of national security * for the purpose of preventing or detecting crime * in the interests of the economic well-being of the United Kingdom. This last justification should be of interest to any non-UK company that does business in or competes in the UK. Your confidential business information (read: all competitive business correspondence) can be intercepted and cracked through coercion at the behest of nameless, shadowy bureaucrats who deem the disclosure important to the UK's economic well-being. For some companies -- ISPs in particular -- this could be reason enough to avoid the UK as a nexus of business. The FBI may have wide surveillance powers in the US and technology like the Carnivore system to back it up, but it's still limited by the US Constitution's Bill of Rights: the Fifth Amendment protects against self-incrimination (key disclosure) and the First Amendment protects freedom of speech (tip-offs). These were originally put in place in response to an overarching monarchy. Ironic how little changes over the centuries. As they still say over in the great state of New Hampshire: Live free or die! For a recap of articles about the RIP Act, see http://www.theregister.co.uk/content/29/11821.html STAND is a loose organziation of concerned netizens that led a well-intentioned but doomed campaign against RIP: http://www.stand.org.uk/ If you want explanations how RIP 2000 will help combat "the threat posed by rising criminal use of strong encryption," visit the Home Office site: http://www.homeoffice.gov.uk/ripa/ripact.htm -------------------------------------------------------- 2. PGP's BACK DOOR -------------------------------------------------------- It's not surprising that governments want the ability to coerce people into surrendering decryption keys. It's all about control. Unfettered private communications threaten the kind of control that governments have been become accustomed to exerting over everything from telecom and broadcast systems to the movement of hard goods (trade). Just as governments desire control over citizens, companies desire control over employees. When buying encryption software, many companies demand a way to recover encryption keys without the cooperation of their employees. After all, what happens if an employee is not available to decrypt an important file? This kinds of situation comes up all the time. Perhaps someone's on vacation. Maybe someone forgets a password. Maybe someone gets hit by a bus. In response to this requirement, most vendors of encryption solutions engineer key recovery mechanisms into their products. No one likes to call these "back doors" but that's what they are: if the front door is securely locked and the key isn't available, a third party can use the back door key instead. Not surprisingly, implementing key recovery in cryptosystems is a tricky business. Last week, Network Associates received an object lesson in just how tricky this is. A German researcher found a serious bug in PGP's Additional Decryption Key (ADK) feature that could allow an unauthorized party to decrypt and access confidential information. ADK was designed as a back door of sorts that allows encrypted ciphertext to be restored to plaintext with a secondary key. The bug effects PGP versions 5.5 through 6.5.3; a patch is available. See the CERT advisory for an overview of the problem and solutions: http://www.cert.org/advisories/CA-2000-18.html For complete details, see researcher Ralf Senderek's site: http://senderek.de/security/key-experiments.html Phil Zimmerman, the creator of PGP, sent in a personal response which Senderek has published here: http://senderek.de/security/doc/personal-response.html Note: The bug does not effect GnuPG, the GNU Privacy Guard (http://www.gnupg.org). The designers of this free alternative decided against supporting the additional key feature. When in doubt, keep it simple. -------------------------------------------------------- 3. PEER-TO-PEER RISKS -------------------------------------------------------- When I first got on the Internet in 1990, a quirky but powerful peer-to-peer communications facility called UUCP (Unix-to-Unix Copy Program) was all the rage. UUCP is now a legacy platform, but once again, peer-to-peer (P2P) file sharing software is all the rage. The current legal and media frenzy was kicked off by Napster Inc. and it has spread to include dozens of variants such as Scour, Freenet, Gnutella, and Gnapster. With all the teeth-gnashing about copyright violations and piracy, there's been very little analysis of the security implications of these technologies, which, after all, provide for promiscuous and unregulated data sharing between unauthenticated strangers. The new P2P platforms present security challenges, just as UUCP did before them. Some of the more advanced programs, for example, are designed to evade blocking by corporate and academic firewalls. There are few things that charm firewall adminstrators less than network apps that switch ports when blocked. Security knowledge company KTSI has worked up an interesting analysis the security risks of the P2P platforms. Check out their white paper "Security Concerns for Peer-to-Peer Software" at http://www.ktsi.net/whpapers.html For an expertly-written overview of the P2P phenomena, see http://www.theatlantic.com/issues/2000/09/mann.htm -------------------------------------------------------- 4. TOOL: FIRESTARTER 0.4.1 -------------------------------------------------------- Finally someone has developed a simple, free, and complete firewall tool. Firestarter is a must-install for anyone managing a fixed Internet connection, especially for those with home DSL or cable modem connnections. It requires a Linux machine running the GNOME 1.2 environment. If you aren't running Linux, here's the perfect excuse to take the plunge and set up a test box. From the home page: "Use the firewall creation wizard to create a basic firewall, then streamline it further using the powerful dynamic rules modifiers. Open and close ports with a few clicks, or stealth your services giving access only to a select few. Watch the real-time hit monitor as attackers probe your machine for open ports, in vain." It's great sport really, watching the script kiddies hit the wall. A tip of the white hat to programmer Tomas Junnonen. For more information, surf to: http://firestarter.sourceforge.net/ -------------------------------------------------------- 5. TOOL: ENCRYPTION PLUS(R) CD-ROM 4.0 -------------------------------------------------------- If you use CD media -- including CD-ROM, CD-R, CD-RW -- to store or distribute confidential information, you should check out our latest PC Guardian software release: Encryption Plus CD-ROM 4.0. This powerful encryption tool allows you to encrypt all or some of the data on CD and restrict access in one of three ways: by password, by workstation, or by using a challenge/response. The program uses the Blowfish algorithm with 192-bit keys. For more information or to download the trial version: http://www.pcguardian.com/software/cd_rom_s.html =============================================================== ABOUT THIS NEWSLETTER The Securius Newsletter is published monthly by PC Guardian. For information about our simple and effective crypto software and anti-theft devices, please visit us at http://www.pcguardian.com/ SUBSCRIBING/UNSUBSCRIBING To unsubscribe from this newsletter, send an email to leave-security-outpost-news@lists.securityoutpost.com To subscribe to this newsletter, send an email to join-security-outpost-news@lists.securityoutpost.com FEEDBACK OR QUESTIONS Write the author, Seth T. Ross SPECIAL THANKS TO Emily Navarre, editor extraordinaire =============================================================== Redistribution of this newsletter is permitted, as long as the entire message body and this notice are included. Copyright 2000 PC Guardian. All rights reserved.