Friday, September 18, 2020


ROPEMAKER: Email Security Weakness – Vulnerability or Application Misuse?

by Matthew Gardiner, Senior Product Marketing Manager, Mimecast

Most people live under the assumption that email, like a physical letter, is immutable once delivered. A new email exploit, dubbed ROPEMAKER by Mimecast's research team, turns that assumption on its head, undermining the security and non-repudiation of email, even for those who use S/MIME or PGP for signing. Using the ROPEMAKER exploit, a malicious actor can change the displayed content of an email at will. For example, a malicious actor could swap a benign URL for a malicious one in an email already delivered to your inbox, turn plain text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox.

As described in more detail in a recently published security advisory, Mimecast has added a defense against this exploit for its customers and also provides security recommendations that non-customers can consider to safeguard their email from it.

So what is ROPEMAKER?

The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. While the use of these Web technologies has made email more visually attractive and dynamic than its purely text-based predecessor, it has also introduced an exploitable attack vector for email.

Clearly, giving attackers remote control over any aspect of one's applications or infrastructure is a bad thing. As described in more depth in the ROPEMAKER Security Advisory, this remote controllability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences, using a technique that could bypass common security controls and fool even the most security-savvy users. ROPEMAKER could be leveraged in ways that are limited only by the creativity of the threat actors, which, experience tells us, is often unlimited.
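The remote control described above exists because an HTML message can reference a stylesheet that the mail client fetches from a remote server each time the message is opened, so whoever controls that server controls what the recipient sees. As an added example (not Mimecast's code and not taken from the advisory), the following Python check does what a mail gateway or client-side policy could do to detect that exposure: it parses a message, walks its text/html parts and reports every stylesheet reference that points at a remote host. The sample messages and the `cdn.example.invalid` host are constructed for this example.

```python
"""
Gateway-style check for HTML email whose rendering depends on a remotely
hosted stylesheet. A message with no such reference cannot have its displayed
content changed through CSS after delivery. Added example, not from the
original article; the sample messages below are constructed.
"""
import email
import email.policy
import re
from html.parser import HTMLParser

# @import "https://host/x.css"  or  @import url(//host/x.css)  inside <style>.
IMPORT_RE = re.compile(
    r"""@import\s+(?:url\(\s*)?['"]?((?:https?:)?//[^'")\s;]+)""",
    re.IGNORECASE,
)
REMOTE_PREFIXES = ("http://", "https://", "//")


class RemoteCssFinder(HTMLParser):
    """Collects every place an HTML body pulls CSS from a remote origin."""

    def __init__(self):
        super().__init__()
        self.findings = []        # (kind, reference) tuples
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower():
            href = attrs.get("href", "").strip()
            if href.lower().startswith(REMOTE_PREFIXES):
                self.findings.append(("link", href))
        if tag == "style":
            self._in_style = True

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser delivers the raw text of <style> blocks through handle_data.
        if self._in_style:
            for ref in IMPORT_RE.findall(data):
                self.findings.append(("style-block", ref))


def remote_css_references(raw_message: bytes):
    """Parse an RFC 5322 message and return the remote stylesheet references
    found in all of its text/html parts (empty list: none found)."""
    msg = email.message_from_bytes(raw_message, policy=email.policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        finder = RemoteCssFinder()
        finder.feed(part.get_content())
        findings.extend(finder.findings)
    return findings


def verdict(raw_message: bytes) -> str:
    """Policy a gateway could apply to messages whose displayed content
    could be changed after delivery."""
    return "quarantine" if remote_css_references(raw_message) else "deliver"


# Constructed samples, not real mail.
SAFE_MESSAGE = b"""From: sender@example.invalid
To: user@example.invalid
Subject: quarterly report
Content-Type: text/html; charset=utf-8

<html><head><style>p { color: #333; }</style></head>
<body><p>The report is attached.</p></body></html>
"""

REMOTE_CSS_MESSAGE = b"""From: sender@example.invalid
To: user@example.invalid
Subject: quarterly report
Content-Type: text/html; charset=utf-8

<html><head>
<link rel="stylesheet" href="https://cdn.example.invalid/mail.css">
<style>@import url("//cdn.example.invalid/extra.css");</style>
</head><body><p>The report is attached.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("safe", SAFE_MESSAGE), ("remote-css", REMOTE_CSS_MESSAGE)):
        print(name, verdict(sample), remote_css_references(sample))
```

Inline `<style>` blocks without `@import` are left alone, because CSS embedded in the message body is fixed at delivery time and cannot be changed afterwards; only references that cause a fetch at display time are reported. The same property is what a client setting that refuses to load remote content provides on the receiving side.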

Changing this (image of the email as delivered; not reproduced here):

Into this, post-delivery, without direct access to the user's desktop (image of the altered email; not reproduced here):

To date, Mimecast has not seen ROPEMAKER exploited in the wild. We have, however, shown it to work on most popular email clients and online email services. Given that Mimecast currently serves more than 27K organizations and relays billions of emails monthly, if these types of exploits were being widely used it is very likely that Mimecast would see them. However, this is no guarantee that cybercriminals aren't currently taking advantage of ROPEMAKER in very targeted attacks.

For details on which of the email clients we tested are and are not exploitable by ROPEMAKER, and the specifics of a security setting Apple recommends for Apple Mail, please see the ROPEMAKER Security Advisory.

Is ROPEMAKER a software vulnerability, a form of potential application abuse/exploit, or a fundamental design flaw resulting from the intersection of Web technologies and email? Does it really matter which it is? Attackers certainly don't care why a system can be exploited, only that it can be. If you agree that an email being changeable post-delivery, under the control of a malicious actor, increases the probability of a successful email-borne attack, the issue simplifies itself. Experience tells us that cybercriminals are always looking for the next email attack technique to use. As an industry, let's work together to reduce the likelihood that the ROPEMAKER style of exploit gains any traction with cybercriminals!

Want to learn more? Download the full ROPEMAKER security advisory.
