Enterprises are under constant attack from cybersecurity threats, resulting in the loss of millions in revenue annually. Ransomware, targeted attacks, insufficient network visibility, a mix of operating systems within an organization, bad security behaviour among office staff, a lack of skilled cybersecurity workforce and the level of tolerance among staff are the major causes of cyber-attacks in the country.
To mitigate these issues, ESET East Africa offers free training, suitable for all skill levels, to help educate enterprises on the importance of cybersecurity.
A team of 8 academics has discovered weaknesses in the OpenPGP and S/MIME encryption protocols which could lead to the plaintext of encrypted emails being exposed to attackers. The academics have named these flaws “EFAIL”.
Cryptography expert Bruce Schneier explained that “[t]he vulnerability isn’t with PGP or S/MIME itself, but in the way they interact with modern e-mail programs.”
To exploit the weaknesses, an attacker would first need access to the end-to-end-encrypted email message. This could be by stealing it from a compromised account or by intercepting it in transit. The attacker would then need to alter the email, adding custom HTML code, and send this new version on to the victim. The victim’s email client decrypts the email and is tricked by the malicious code into sending the full plaintext of the email to the attacker. Even messages sent years ago are vulnerable.
The team said that their proof-of-concept exploit has been shown to be successful against 25 out of 35 tested S/MIME email clients and 10 out of 28 OpenPGP clients. The flaws affect email applications such as Apple Mail with the GPGTools encryption plug-in, Mozilla Thunderbird with the Enigmail plug-in, and Outlook with the Gpg4win encryption package. The academics said that, in keeping with the principles of responsible disclosure, they have reported their findings to all email providers concerned.