Security problem averted
PGP Averts Security Hole
"The problem is fixed; we have a workaround for it," said Jon Callas, PGP's chief scientist. The fix requires users to change their PGP preferences to allow their password to expire in a very short time--such as one second. This will allow the password to be removed from the computer system entirely, and will prevent Win95 from allowing the password to be written to disk during a file cache save.

Australian security expert Christopher Drake, who operates the NetSafe Web site, discovered and publicized the security weakness. Using a popular desktop utility, Drake discovered his PGP password stored in several locations by the Win95 file cache.

The bug results from how "virtual memory" works in Windows and many Unix operating systems, he added. Operating systems try to extend a computer's memory by storing data that isn't immediately required on the hard disk. But that data, such as a password, may remain on the hard disk instead of being erased when quitting the application.

"Part of the problem is the operating system doesn't make it that easy for us application designers to properly maintain our electronic hazardous waste," Callas noted. "We have to constantly go and take care of clearing any sensitive data."
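
The cleanup Callas describes can be sketched for the Unix side of the problem. This is an added example, not PGP's code: it goes beyond the expiry workaround by also asking the kernel to keep the passphrase pages out of swap with `mlock()`, then overwriting them before release. The names `secret_t`, `secure_wipe`, `secret_alloc` and `secret_free` are hypothetical, and the passphrase is a constructed sample.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical passphrase holder; locked is 1 only if mlock() succeeded. */
typedef struct { unsigned char *buf; size_t len; int locked; } secret_t;

/* Zero via a volatile pointer so the compiler cannot drop the stores as
 * dead writes; returns how many bytes still read back nonzero. */
size_t secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    size_t left = 0;
    for (size_t i = 0; i < n; i++) v[i] = 0;
    for (size_t i = 0; i < n; i++) left += (v[i] != 0);
    return left;
}

/* Map whole private pages and ask the kernel to keep them out of swap. */
int secret_alloc(secret_t *s, size_t want) {
    long page = sysconf(_SC_PAGESIZE);
    s->buf = NULL; s->len = 0; s->locked = 0;
    if (page <= 0 || want == 0) return -1;
    size_t len = (want + (size_t)page - 1) / (size_t)page * (size_t)page;
    void *m = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return -1;
    s->buf = m; s->len = len;
    s->locked = (mlock(m, len) == 0); /* can fail under RLIMIT_MEMLOCK */
    return 0;
}

/* Wipe before unlocking and unmapping, so no plaintext is left behind. */
void secret_free(secret_t *s) {
    if (!s->buf) return;
    secure_wipe(s->buf, s->len);
    if (s->locked) munlock(s->buf, s->len);
    munmap(s->buf, s->len);
    s->buf = NULL; s->len = 0; s->locked = 0;
}

int main(void) {
    secret_t s;
    if (secret_alloc(&s, 64) != 0) return 1;
    memcpy(s.buf, "constructed passphrase", 22); /* constructed sample */
    printf("locked=%d leftover=%zu\n", s.locked, secure_wipe(s.buf, s.len));
    secret_free(&s);
    return 0;
}
```

If `locked` comes back 0, the pages can still be paged out, so a caller should treat that as a reason to shorten how long the passphrase is held.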
Damar Group, Ltd. helps business use technology. ITINFO is again accepting sponsors. Sponsor messages are included in ITINFO's email newsletter and are permanently posted to DGL's website and online reference areas. ITINFO is an electronic publication of Damar Group, Ltd., publisher of Training Express computer learning guides. Comments and submissions to info@dgl.com. Previous issues are on our website at dgl.com/dglinfo.
updated August 29, 1997