Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [bugtraq] Security Flaw with Digital signatures in Microsoft Outlook

from [Erwann ABALEA] Network Security [Permanent Link]
Subject: Re: [bugtraq] Security Flaw with Digital signatures in Microsoft Outlook
Date: Fri, 25 Mar 2005 17:50:05 +0100 
Bonjour,

Hodie VIII Kal. Apr. MMV est, Roberto Franceschetti scripsit:

The following one has been "hacked" so that the sender now appears to be 
"Hackers Franceschetti" (hackers@logsat.com). Note that Outlook states that 
the email is absolutely valid, and that the certificate is Valid and Trusted. 
This is most definitely not the case, as I've altered the original message to 
make it appear as a different person actually sent it. Imagine the scenario 
where a digital signature is supposed to unequivocally identify a sender, but 
now this email that appears to be sent by "hackers" appears legitimate, and a 
poor victim will trust it and send the hacker any confidential information he 
is asked for... (follow the hyperlinks for the email's source):


It is clearly indicated "Signed by: roberto@logsat.com", what's the
problem? (see below)


Screenshot at http://www.logsat.com/Signatures/Hacked1.gif
Email's source at http://www.logsat.com/Signatures/Hacked1.msg


It's not an email, it's a binary message that can be opened only by
Microsoft Outlook. Could you please provide pure text messages? Same
request for your conversation between MS, CERT, and you.


This 3rd email is yet another variation showing how a digitally signed email 
can further be forget without Outlook ever raising warning flags (follow the 
hyperlinks for the email's source):


In your 2 examples, you aparently fail to notice that the envelope of
the message is not signed *at all*. What you're modifying in precisely
this envelope. What is really signed is the *body* of the message,
that's all. If you change the "From" address, or the subject, or the
sending date, that won't invalidate the signature.

I don't like to say this, but here, Microsoft did something useful for
the end user, by clearly displaying the identity of the signer, along
with the declared identity of the sender. If you want them to do more,
that's something else. But cryptographically speaking, the signatures
haven't been invalidated by your manipulations.


The full emails with the conversations between myself, Microsoft and CERT can 
be found here (http://www.logsat.com/Signatures/emails.asp). I hope that by 
making this information public all the users who rely on digital signatures 
will be aware of this severe security flaw in Microsoft Outlook, and will 
take other precautions to ensure the identity of users in digitally signed 
emails they receive.


Could you reformat your web page? It's difficult to read, and .msg
files don't fit my Linux machine.

-- 
Erwann ABALEA <erwann.abalea@keynectis.com>
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Security Flaw with Digital signatures in Microsoft Outlook, Adrian Floarea
Next by Date:  Re: [FLSA-2005:2129] Updated mysql packages fix security issues, Ventsislav Genchev
Previous by Thread:  RE: Security Flaw with Digital signatures in Microsoft Outlook, Adrian Floarea
Next by Thread:  RE: [bugtraq] Security Flaw with Digital signatures in Microsoft Outlook, Lyal Collins
Indexes:  [Date] [Thread] [Top] [All Lists]