OpenPGP, S/MIME, TLS
Bypass e-mail encryption
Edward Snowden encrypted his revelatory emails with OpenPGP five years ago, because the additional encryption layer is considered particularly secure - until now.
Thanks to OpenPGP, attackers cannot read emails even if they have access to the email account. "It is precisely this encryption technology that we can now break," says Prof. Dr. Sebastian Schinzel from the Department of Electrical Engineering and Computer Science at Münster University of Applied Sciences.
Together with his team and scientists from the Ruhr University Bochum (RUB) and the Katholieke Universiteit Leuven, he has uncovered this security gap. The same applies to the equally common encryption technology S/MIME. This makes it possible for attackers to read even additionally encrypted e-mails on the Internet.
Outdated standard
The researchers call their attack "Efail", and it was successful in 25 out of 35 email programs tested for S/MIME and in 10 out of 28 for OpenPGP. In other Internet standards such as TLS, short for Transport Layer Security, a protocol for encrypting data transmissions on the Internet, this type of cryptography has already been broken several times. "However, this is the first time we have proven its vulnerability in email encryption," explains Prof. Dr. Jörg Schwenk from the RUB Chair of Network and Data Security.
The problem is that the flaw lies in the standard: OpenPGP and S/MIME have been in use since the 1990s without any major updates. They are the mathematical envelope for e-mails that are otherwise sent through the Internet like postcards.
Attack through the back door
"In our attack, we modified the encrypted emails so that external images are loaded," explains Schinzel. This happens via HTTP links and parts of the plain text, the content of the message, are then embedded in the path of these links. By the time the modified email is displayed to the recipient, it is already too late - the plain text has already been sent to the attacker.
Many companies encrypt their email traffic with S/MIME, while OpenPGP is more commonly used by individuals. Both encryption methods are currently unsuitable for secure communication. The research team is now calling for a new standard from the Internet Engineering Task Force.
You might also be interested in
Kaspersky moves customer data to Switzerland
Following allegations of US espionage, the Russian IT security company Kaspersky will move the data of customers from Europe and North America from Russia to Switzerland. A new data center in Zurich is to be set up for this purpose by the end of...
read more...Cyber protection is not enough in mechanical engineering
Feared and yet underestimated: Germany's mechanical engineering companies are aware of the danger of cyber attacks. However, not all companies in the medium-sized industry are sufficiently prepared for this, according to a survey by the VDMA...
read more...Internet of Things / embedded world 2018
Quo vadis embedded security?
What security challenges does the IoT pose? What are the trends in research? What can the industry do to facilitate security processes? Security experts discussed this at the 'Safe for the Future' panel discussion at embedded world 2018.
read more..."Most destructive and expensive cyberattack in history"
The ransomware 'Petya' paralyzed countless companies in June 2017. The USA and the UK have now officially named Russia as the perpetrator, who deliberately tried to attack Ukraine.
read more...No accidental changes to files
CodeMeter 6.80 from Wibu-Systems supports Universal Write Filter (UWF), a Windows option from Microsoft that prevents accidental changes to files, which is particularly important for embedded systems.
read more...Security through network segments
The Microwall Gigabit from Wiesemann & Theis is the first in a series of easy-to-use security products for industry and manufacturing.
read more...Mushroom is the victim of a targeted hacker attack
The automation technology provider Pilz from Ostfildern was the victim of a targeted cyber attack on Sunday, October 13. All server and PC workstations worldwide, including the company's communication network, were affected.
read more...Four out of ten ICS computers are under threat
Kaspersky's latest report on cyber threats for the first half of 2019 shows that 41.2% of ICS (Industrial Control System) computers were exposed to an attack. The energy sector is most frequently affected - including by generic malware.
read more...Kaspersky warns of "ticking time bomb"
More than a third of small companies and more than half of large companies are still using the 'Windows 7' operating system, support for which will expire in five months' time.
read more...