Law Firm Cybersecurity Efforts are Being Threatened by Efail
Jaliz Maldonado

On May 15 earlier this year, the Electronic Frontier Foundation announced that a team of researchers from two universities in Germany and one university in Belgium had uncovered Efail, a malicious method used to expose email messages in plain text.

What they didn’t mention is that the means they describe for exfiltrating encrypted messages have been known since 1999.

To be vulnerable to an Efail attack, email clients must use PGP or S/MIME to encrypt messages. Among the affected email clients are Apple Mail with the GPGTools encryption plug-in, Mozilla Thunderbird with the Enigmail plug-in, and Outlook with the Gpg4win encryption package.

PGP and S/MIME are programs that add an additional layer of protection to emails. People who work in vulnerable, dangerous environments, such as journalists, political activists, and whistleblowers, use PGP or S/MIME to prevent their messages from being hacked.

Unfortunately, using these programs in conjunction with HTML-formatted email allows an attacker to exfiltrate plaintext from hijacked emails. The attacker must have access to a victim’s encrypted email. The attacker modifies the message and sends it back to the user, whose email client decrypts it. HTML tags in the modified message then cause the client to send the decrypted text back to the attacker through a request. This even works for emails that were sent in the past.

Of course, the paper has been controversial. Enigmail’s Robert J. Hansen called the warnings “a tempest in a teapot” and suggested that the public not panic. He encouraged people to use the latest version of Enigmail.

The developers of Enigmail, Mailvelope, ProtonMail, and the inventor of PGP issued an official statement about the Efail paper.

“The statements are highly misleading and potentially dangerous. PGP is not broken. The vulnerabilities identified by Efail are not flaws with the OpenPGP protocol itself but rather flaws in certain implementations of PGP, including in Apple Mail and Mozilla Thunderbird.”

In a teaching moment, Pedro Umbelino writes about the tracking pixel, a common tool that the ad industry uses to gather data. Umbelino explains that tracking pixels are used in HTML-formatted emails. A tracking pixel is a tiny image that is inserted into a webpage or email. The tracker causes the client to make a request to another server. The upshot is that this request sends a treasure trove of data about the user to the tracking pixel’s agent.

This is essentially what is happening in Efail.
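To make the tracking-pixel mechanism concrete, the following added example (not from the original article or from any of the tools it names) lists the remote requests an HTML email would trigger merely by being rendered. The sample message, its `.example` hosts, and the names `AUTO_LOAD`, `RemoteLoadFinder` and `remote_fetches` are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag attributes a mail client fetches automatically when it renders HTML.
AUTO_LOAD = {
    "img": ("src",), "link": ("href",), "iframe": ("src",), "script": ("src",),
    "video": ("src", "poster"), "audio": ("src",), "embed": ("src",),
    "object": ("data",), "input": ("src",), "body": ("background",),
}

class RemoteLoadFinder(HTMLParser):
    """Collects (tag, host, is_pixel) for each auto-loaded remote URL."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        for name in AUTO_LOAD.get(tag, ()):
            url = urlparse(a.get(name, "").strip())
            if url.scheme in ("http", "https") and url.hostname:
                # A 0x0 or 1x1 image is the classic tracking pixel.
                pixel = tag == "img" and {a.get("width"), a.get("height")} <= {"0", "1"}
                self.hits.append((tag, url.hostname, pixel))

def remote_fetches(raw_message):
    """Return the requests that rendering the message's HTML parts would cause."""
    finder = RemoteLoadFinder()
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            finder.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    finder.close()
    return finder.hits

# Constructed sample message; all hosts use the reserved .example TLD.
SAMPLE = """\
Subject: Case update
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the update below.</p>
<img src="https://track.sender.example/o.gif?id=12345" width="1" height="1">
<img src="cid:logo@sender.example" width="120" height="40">
<a href="https://sender.example/unsubscribe">Unsubscribe</a></body></html>
"""

if __name__ == "__main__":
    print(remote_fetches(SAMPLE))
```

Only the 1x1 remote image is reported: the embedded `cid:` logo and the clickable link cause no automatic request, and a plain-text view of the same message would cause none at all.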

Efail | Preventative Measures

The researchers behind the Efail paper recommend four actions to prevent malicious attacks.

  1. Use a third-party application to decrypt your email messages.
  2. Disable HTML rendering.
  3. Be on the lookout for patches, which the authors believe will be forthcoming soon.
  4. The standards of PGP and S/MIME should be updated.

Umbelino believes most of these actions are throwing the baby out with the bathwater. He recommends disabling HTML rendering, which will take care of the issue.

The PGP developers believe that the mitigation suggestions from the Efail paper are like saying, “‘Some locks can be broken; therefore we must remove all doors.’ This is particularly dangerous because it can put at risk individuals who rely on PGP encryption for security.”

Efail | Precautions

Instead, the PGP developers issued these precautions:

  • Use PGP implementations that are not impacted by Efail, or update your PGP software to the latest version.
  • Ensure that everyone you communicate with is also using unaffected implementations or has updated their PGP software. Be sure to get a verified confirmation from your contacts before sending sensitive information to them.

Among the commonly used software based on PGP, GnuPG, Mailvelope, and ProtonMail were never susceptible to Efail. Enigmail and GPGTools were vulnerable, and we recommend the following mitigations:

  • If you use Enigmail, upgrade to version 2.0.5, use only simple HTML or plain text viewing modes in Thunderbird, and update to the latest version of Thunderbird.
  • If you use GPGTools with Apple Mail, switch to Enigmail and Thunderbird, or one of the other unimpacted implementations like ProtonMail or Mailvelope.

Conclusion

The takeaway from the entire Efail issue seems to be that hackers will always try to find a way in; therefore, take security as seriously as if your license depends on it.

 

Jaliz Maldonado

Operations Manager at PracticePanther
Jaliz Maldonado is the Director of Human Resources and the Operations Manager for PracticePanther, the #1 rated legal case management software in the world. Her growth trajectory at PracticePanther is not isolated; as an eight-year Army veteran, Jaliz rose through the ranks to become a Staff Sergeant. Following her honorable discharge, Jaliz obtained a degree in Psychology from the University of Central Florida. Since joining the company, she has channeled her talent and organizational skills into streamlining the company’s operations, maximizing efficiency, and creating a cohesive plan to cultivate and maintain its incomparable culture. Jaliz has quickly risen to a role characterized by her extraordinary ability to multitask. This uncanny capacity to wear several different hats, all the while proving her capability of putting on, even more, is highlighted by Jaliz’s obtaining her MBA from the University of Miami with a focus in finance while coordinating all of the operations of a tremendously successful up-and-coming company such as PracticePanther.