Tag: security

How loadshedding affects your security

By Ntwaagae Seleka for News24

Home owners and businesses have been urged to test their security systems as a matter of urgency and to pay particular attention to the battery back-up systems during load shedding periods.

“Many people are under the incorrect assumption that their home alarm system is deactivated when the power supply is interrupted. However, if you have a stable and correctly programmed system coupled with a battery that is in good condition, it will continue to protect the premises during a power outage – regardless if the outage is because of load shedding or not,” said Charnel Hattingh, national marketing and communications manager at Fidelity ADT.

The only time it may not function correctly is if there is a technical issue, or the battery power is low.

“Most modern alarm systems have a back-up battery pack that activates automatically when there is a power failure. There are a number of practical steps that can be taken to ensure security is not compromised during any power cuts.

“Some of these include ensuring that the alarm system has an adequate battery supply, that all automated gates and doors are secured and lastly to remain vigilant and report any suspicious activity to your security provider or the South African Police Service,” said Hattingh.

With the added inconvenience of the lights going out at night due to power cuts, candles and touch-lights are handy alternatives.

Home owners are also advised that it is important that their alarm systems have adequate battery supply and that batteries should be checked regularly. Alarms should be checked during extended power outages to keep systems running.

Power cuts can affect fire systems and fire control systems, so these also need to be checked regularly. The more frequent use of gas and candles can increase the risk of fire and home fire extinguishers should be on hand.

People are urged to remain vigilant during power cuts and be on the lookout for any suspicious activity and report this to their security company or the police immediately.

Hattingh said home and business owners should consider installing Light Emitting Diode (LED) technology, which is integrated into the alarm system’s wiring and automatically switches on for a maximum of 15 minutes when there is a power outage.

“If there is an additional battery pack, the small, non-intrusive LED lights can stay on for the duration of the power outage – or a maximum of 40 hours – without draining the primary alarm battery. Because of load shedding, there might also be a higher than usual number of alarm activation signals received by security companies and their monitoring centres.

“This could lead to a delay in monitoring centre agents making contact with customers. You can assist by manually cancelling any potential false alarms caused by load shedding, and thus help call centre agents in prioritising the calls needing urgent attention,” said Hattingh.

 

15 000 CCTV cameras coming to Jo’burg

Source: Vumacam

Vumatel unveiled its CCTV platform Vumacam this week, which it hopes will help make South Africa’s streets and neighbourhoods safer.

The Vumacam system is initially only available in Johannesburg, and currently consists of 889 cameras covering 48 suburbs.

There are 917 camera poles installed around the city, however, which when fully populated will hold over 3 000 cameras.

The video feeds from Vumacam’s CCTV system are then made available to security companies for a monthly fee, depending how many cameras they would like access to.

Vumacam is also in discussions with the police and car tracking companies to provide their CCTV feeds, it said.

How Vumacam works
Vumacam’s business model is based on providing its video feeds to security companies and enforcement agencies for a subscription fee, which is based on how many cameras they want access to.

Vumacam assembles and installs the CCTV cameras in the areas it rolls out to, ensuring there is adequate coverage and the quality of the video feed is up to its standards. Its “video as a service” is then open to companies after they have been heavily vetted.

This means that multiple security companies can subscribed to the same camera feed, and if a new security company is hired by a resident’s organisation, for example, it can access the vendor-neutral CCTV infrastructure.

Vumacam said its CCTV system transfers its UHD feed via fibre connections to Teraco’s data centre. From there, it can be distributed to security control rooms which have subscribed to their service.

Security companies have the ability to view the feeds they have access to, lay intelligent software on top of the feed to make footage processing quicker and easier, and rewind their feeds to look back at certain places at certain times.

Vumacam emphasised that the companies cannot download the footage, however, and footage is only stored on their system for 30 days.

“Data is securely stored in a Tier 3 data centre, which is accessed by a secure connection. This ensures it is not subject to interference and not at risk of local disturbance.”

It added that 96% uptime for its systems is guaranteed, unless an issue is beyond its control – such as extended load-shedding.

In terms of regulation, Vumacam said their system is POPI Act compliant and meets the most stringent privacy requirements.

Software
Where Vumacam’s system really stands out from your standard CCTV camera installation, however, is its advanced software features.

It not only provides a live feed from cameras, but also serves licence plate recognition (LPR) services, exception alerts, and the ability to isolate elements in an area.

The LPR functionality does as its name suggests, and every vehicle passing an LPR camera is checked against multiple databases – including SAPS-listed stolen vehicles.

The “exception” notifications allow incidents to be surfaced to a security command centre, such as a vehicle illegally dumping in a park, which means operators do not need to watch hundreds of screens the time looking for potential crimes.

Software can also be laid on top of the video feed which allows security operators to search for specific objects during a set time period – such as a red car on a particular street on a Wednesday. This makes investigating incidents reported after the fact much quicker and easier.

Expansion
Vumacam said it plans to expand across Johannesburg in the next 12 months, with a rollout from Braamfontein in the south to Woodmead in the north.

This will consist of 15,000 cameras when complete and R500-million has been allocated for this expansion.

By Benjamin Mayo for 9to5Mac

A significant bug has been discovered in FaceTime and is currently spreading virally over social media. The bug lets you call anyone with FaceTime, and immediately hear the audio coming from their phone — before the person on the other end has accepted or rejected the incoming call. Apple says the issue will be addressed in a software update “later this week”.

Naturally, this poses a pretty big privacy problem as you can essentially listen in on any iOS user, although it still rings like normal, so you can’t be 100% covert about it. Nevertheless, there is no indication on the recipient’s side that you could hear any of their audio. There’s a second part to this which can expose video too.

9to5Mac has reproduced the FaceTime bug with an iPhone X calling an iPhone XR, but it is believed to affect any pair of iOS devices running iOS 12.1 or later.

The iPhone FaceTime bug could be reproduced by doing the following:

Start a FaceTime Video call with an iPhone contact.
Whilst the call is dialling, swipe up from the bottom of the screen and tap Add Person.
Add your own phone number in the Add Person screen.
You will then start a group FaceTime call including yourself and the audio of the person you originally called, even if they haven’t accepted the call yet.
It will look like in the UI like the other person has joined the group chat, but on their actual device it will still be ringing on the Lock screen.

Whilst the call is ringing, swipe up from the bottom of the screen and add yourself to the call.

The damage potential here is real. You can listen in to soundbites of any iPhone user’s ongoing conversation without them ever knowing that you could hear them. Until Apple fixes the bug, it’s not clear how to defend yourself against this attack either aside from disabling FaceTime altogether.

As it stands, if your phone is ringing with an incoming FaceTime request, the person on the other end could be listening in.

What we have also found is that if the person presses the Power button from the Lock screen, their video is also sent to the caller — unbeknownst to them. In this situation, the receiver can now hear your own audio, but they do not know they are transmitting their audio and video back to you. From their perspective, all they can see is accept and decline. (Another update: It seems there are other ways of triggering the video feed eavesdrop too.)

We have also replicated the problem with an iPhone calling a Mac. By default, the Mac rings for longer than a phone so it can act as a bug for an even longer duration.

Apple has taken Group FaceTime offline in an attempt to address the issue in the interim. They have said the issue will be fixed in a software update later in the week. Until then, if you are concerned, you should disable FaceTime in iOS Settings.

By Tehillah Niselow for Fin24 

Liberty Holdings customers received SMSs on Saturday alerting them that personal information related to their insurance policies could have been stolen by an external party.

The Information Regulator, which has asked for information about the Liberty breach, is clearly concerned about the increasing number of cyber attacks affecting personal data in South Africa.

“Without a fully functional Information Regulator, these breaches will continue to occur without sanctions provided for in the Protection of Personal Information Act (POPIA),” said chairperson Advocate Pansy Tlakula.

Tlakula urged “the powers that be to assist it in fast tracking its operationalisation”.

According to corporate law firm Michalsons, certain limited sections of POPIA have already been implemented. However, the bulk of the legislation will only commence at a later date, to be proclaimed by the president. As there is a one-year grace period, the POPIA deadline might only be set for the end of 2019 or in 2020.

In the meantime, South Africans are coming under heightened attack from cyber criminals and hackers.

Andrew Chester, MD of Ukuvuma Security, told Fin24 that affected clients or users should immediately alert their banks and cellphone provider. They should also undertake a credit check as well as a Google search to determine whether their personal information is in the public domain.

Liberty email hack

In SMSs to clients on Saturday, financial services company Liberty informed them that its email repository had been breached by a third party trying to demand a “ransom” in exchange for the data.

Liberty has not revealed much about the breach, citing a police investigation. CEO David Munro confirmed that Liberty’s insurance clients were the only ones affected, and that none of its other business had been compromised.

The company said none of its clients have been impacted financially, and that individuals will be personally advised if their information has been affected.

ViewFines licence details

In May the Hawks, the State Security Agency and the Information Regulator said they would probe the breach of personal records of 943 000 South African drivers, allegedly from online traffic fine website ViewFines.

The information reportedly contained the names, identity numbers and email addresses of South African drivers stored on the ViewFines website in plaintext.

The ViewFines website is owned by Aggregated Payment Systems. News24 reported that its operations manager confirmed the company was “implementing security measures immediately” to improve the website after being informed of the breach.

The source of the data was located by Troy Hunt, an Australian security researcher and creator of the free service Have I Been Pwned, which checks whether an individual’s information has been compromised.

Facebook scandal

While Facebook founder and CEO Mark Zuckerberg had to face angry lawmakers in the US and European Union, it was reported that the data breach involving the UK political consultancy affected almost 60 000 South African users.

In May, the Information Commissioner’s Office of the United Kingdom (which regulates Facebook outside the US and Canada) advised the Information Regulator of South Africa that over 87 million people had been affected worldwide.

However, no evidence could be found of South Africans having been targeted, as the majority of users involved were in the US.

Master Deed’s data breach “biggest” digital security threat in SA

Hunt was once again instrumental in revealing what was known as the “biggest” data breach in South African history, together with iAfrikan CEO Tefo Mohapi in October 2017.

Over 60 million South Africans’ personal data, from ID numbers to company directorships, was believed to have been affected.

The information was traced to Jigsaw Holdings, a holding company for several real estate firms including Realty1, ERA and Aida. The information reportedly came from credit bureau agencies, and was used to vet potential clients.

The information trove was found not to have been hacked, as it was stored in an easily accessible manner on an open web server.

Ster-Kinekor’s database compromised

Movie theatre chain Ster-Kinekor was responsible for up to 7 million South Africans falling victim to a data leak in March 2017.

Fin24 reported that Durban developer Matt Cavanagh announced he had discovered a flaw in Ster-Kinekor’s booking website, and that he had reported it to the company.

There were between 6 and 7 million users in the database. Of those, 1.6 million people had email addresses linked to them on the movie theatre chain’s database.

Liberty Life hacked, user data exposed

Financial services group Liberty Life sent out an SMS to their clients on Saturday evening informing them of a major security breach.

Liberty launched an investigation after its systems were hacked, and said the hackers alerted the company to potential vulnerabilities in its systems and were now demanding compensation.

The Sunday Times reported that the hackers obtained sensitive information about some top clients and have demanded payment of millions of rand not to release the data.

Liberty has communicated with its customers regularly, advising them to change passwords as applicable.

Liberty Life hack could be ‘an inside job’: expert

A security expert has questioned how hackers gained access to Liberty Life clients’ information, suggesting it could have been an inside job.

The financial services provided confirmed on Saturday that its information technology system was hacked last week, by people who demanded payment. It has since regained control of the system.

“It most likely happened in one of two ways: it was either an inside job or someone with the correct privileges was hacked, which means that they could have used that person’s permissions to get into the system,” said managing director of Ukuvuma Cyber Security, Andrew Chester.

He said the hack could have been avoided by applying general data security practices such as encrypting sensitive data, segregating it from vulnerable systems, and building in rigorous access control and monitoring systems.

“Why did Liberty have unstructured email data and attachments that were left unmonitored and more importantly, why was this sensitive data not encrypted? When doing threat-hunting or a security analysis for any company, the first thing one looks for is how easy it is to extract data without being detected.

“Additionally, how did the hackers know where to find the data? If it was an inside job they might have been tipped off, but if it wasn’t, it means that they spent enough time on the infrastructure to know where to look, which is very alarming,” he said.

Chester said it was also concerning that no-one detected the breach until the hackers themselves informed the company.

“There’s a common saying that you sometimes don’t know you’ve been hacked until law enforcement comes knocking at your door, but in this case, Liberty only found out once the criminals had contacted them,” he said.

The company said its investigation into the breach was at an “advanced stage”.

Source: eNCA 

By Vicky Sidler for MyBroadband / Nick Saunders at Mimecast

When I say the word “bat”, what image comes to mind? A flying mammal? A cricket bat?

In English, they call this a “homograph”: when two or more words are spelled the same but don’t have the same meanings or origins.

In cyber-security, a homograph is a lot more sinister. It’s a term given to a type of impersonation attack where an email address or website URL looks legitimate but isn’t. It’s designed to trick people into clicking on malicious links or to fool them into transferring money or sharing sensitive information.

Recent research by Vanson Bourne and Mimecast found that more than 85% of respondents had seen impersonation fraud in the past 12 months, and 40% had seen an increase in this type of attack in the same period. In South Africa, 36% of respondents had seen an increase in impersonation fraud asking to make wire transactions, and 37% had seen an increase in impersonation fraud asking for confidential data.

Despite this growth, many organisations do not have a cyber resilience strategy in place to help them detect, prevent and recover from these types of attacks.

Easy to execute, hard to detect
Homograph attacks are difficult to detect – by both the user and regular email security systems.

To create these lookalike domains, attackers use non-Western character sets or special characters found in Greek, Cyrillic and Chinese, to display letters which, to the naked eye, look identical to the western alphabet. Mimecast.com, for example, looks like мімесаѕт.com in Cyrillic. According to one domain name checker, there are 117 possible Mimecast domains that can be misrepresented with just one character from a non-English alphabet.

These subtle changes are likely to go unnoticed by users. In South Africa, 31% of respondents were not confident that employees could spot and defend against impersonation attacks, which easily and often slip through an organisation’s security systems.

Some 21% of South African respondents were not confident that their organisation’s security defences could defend against impersonation fraud asking for confidential information, rising to 25% for fraud asking to make wire transactions – in line with global trends.

This is because the emails themselves don’t contain malware and the URLs often have legitimate (read: stolen) security certificates.

Is it me you’re looking for?
Website URLs aren’t the only avenues for impersonation attacks; email address impersonation is also on the rise.

These types of attacks are designed to trick users such as finance managers, executive assistants and HR representatives into transferring money or disclosing information that can be monetised by cybercriminals. The email appears to come from someone they trust – a C-suite executive or a third-party supplier that they regularly do business with – and therefore wouldn’t think twice about responding to.

South Africans reported that, in the past 12 months, cybercriminals have attempted to impersonate finance teams (24%), third-party vendors (20%), a member of the C-suite (7%), as well as HR, sales, operations, legal and marketing team members (between 5% and 8%).

Again, these emails do not contain malware, which means they can go undetected by most email security systems. Social engineering attacks such as these rely on our inability to spot anomalies in URLs and email addresses – and the fact that we believe we’re communicating with someone we know.

Know what to do
Cybercriminals have figured out that they can bypass security systems by switching from malware-laden attacks to malware-less impersonation attacks. Now, social engineering meets technical means to put us in the middle of the next evolution of cyber-attacks.

Here are some measures organisations can implement to guard against these types of attacks:

  1. Education – when users know how social engineering and spoofing attacks work and then understand they shouldn’t click on links in emails, breach incidents can be drastically reduced. Users should be encouraged to physically type an address into a browser rather than click on a link in an email, even if it was supposedly sent by someone they know and trust. Education and awareness will always be the most important defence mechanisms.
  2. Protection – email security systems are getting better at stopping malware which enter the network through dodgy files and attachments, but few are effective against impersonation attacks. Organisations need a solution that can deep-scan all inbound emails and inspect for header anomalies, domain similarity, sender spoofing and the existence of keywords and suspicious impersonation emails. These can then be blocked, quarantined, or delivered as flagged to alert the receiver of potential risk.
  3. Resilience – having the right threat protection in place is just one part of a robust cyber resilience strategy. Organisations also need to be able to adapt their strategies to stay ahead of attacks, while having the durability to continue with business as usual in the event of an attack, and the recoverability to ensure data and emails are always accessible.
  4. Oversight – often, lax security on a third-party supplier’s side provides an entry point into an organisation’s network. Enterprises should continuously evaluate and manage the security and privacy policies of their suppliers and include security in their service level agreements. They should also perform on-site security assessments with new suppliers before sharing sensitive information.
  5. Visibility – organisations need to know who their vendors are and who has access to company information, and for what reasons. This is even more important now that the EU’s General Data Protection Regulation has come into force and will affect all South African organisations when the Protection of Personal Information Act is finalised.

Thirty-seven percent of South African organisations have suffered data loss because of email-based impersonation attacks in past 12 months. These organisations also reported reputational damage (34%), loss of customers (29%), direct financial loss (17%) and lost market position (19%).

Email continues to be the number one threat to organisations globally and accounts for 96% of all incidents that organisations face.

Clearly, there is an urgent need to work towards a higher standard of email security. Cyber-criminals have evolved their attack methods. It’s time the security strategies organisations use to protect their users and their businesses evolve as well.

By Eric Limer for Popular Mechanics 

Twitter is suggesting all users change their passwords as a precaution after a reported glitch caused some passwords to be stored in plain text. If you’ve ever used your Twitter password for another service, you’d be wise to change it in both places.

Twitter says there is no evidence of a breach, but the error would have allowed any snoopers inside the system to scoop up unprotected passwords with ease. Typically, passwords are “hashed” before they are stored, a process which transforms them password into a unique series of numbers and letters that can’t be translated back into the actually sequence of numbers and letters you type in. This prevents hackers from snagging a phrase they can try on your other accounts.

Even with no evidence of an actual breach, this bug serves as a good reminder for some basic security hygiene. Use unique passwords for every service you use; a password manager can help you keep track of them all. Turn on two-factor authentication where available (it is available on Twitter). And while you’re at it, go look at the apps that have access to your account. These apps, if they’re insecure themselves, can offer hackers a limited way into your account without ever having to figure out your password.

Make your router hacker-proof

By Sandeep Nair Narayanan, Anupam Joshi and Sudip Mittal for The Conversation 

In late April, the top federal cybersecurity agency, US-CERT, announced that Russian hackers had attacked internet-connected devices throughout the U.S., including network routers in private homes. Most people set them up – or had their internet service provider set them up – and haven’t thought much about them since. But it’s the gateway to the internet for every device on your home network, including Wi-Fi connected ones. That makes it a potential target for anyone who wants to attack you, or, more likely, use your internet connection to attack someone else.

As graduate students and faculty doing research in cybersecurity, we know that hackers can take control of many routers, because manufacturers haven’t set them up securely. Router administrative passwords often are preset at the factory to default values that are widely known, like “admin” or “password.” By scanning the internet for older routers and guessing their passwords with specialized software, hackers can take control of routers and other devices. Then they can install malicious programs or modify the existing software running the device.

Once an attacker takes control
There’s a wide range of damage that a hacker can do once your router has been hijacked. Even though most people browse the web using securely encrypted communications, the directions themselves that let one computer connect to another are often not secure. When you want to connect to, say, theconversation.com, your computer sends a request to a domain name server – a sort of internet traffic director – for instructions on how to connect to that website. That request goes to the router, which either responds directly or passes it to another domain name server outside your home. That request, and the response, are not usually encrypted.

A hacker could take advantage of that and intercept your computer’s request, to track the sites you visit. An attacker could also attempt to alter the reply, redirecting your computer to a fake website designed to steal your login information or even gain access to your financial data, online photos, videos, chats and browsing history.

In addition, a hacker can use your router and other internet devices in your home to send out large amounts of nuisance internet traffic as part of what are called distributed denial of service attacks, like the October 2016 attack that affected major internet sites like Quora, Twitter, Netflix and Visa.

Has your router been hacked?
An expert with complex technical tools may be able to discover whether your router has been hacked, but it’s not something a regular person is likely to be able to figure out. Fortunately, you don’t need to know that to kick out unauthorized users and make your network safe.

The first step is to try to connect to your home router. If you bought the router, check the manual for the web address to enter into your browser and the default login and password information. If your internet provider supplied the router, contact their support department to find out what to do.

If you’re not able to login, then consider resetting your router – though be sure to check with your internet provider to find out any settings you’ll need to configure to reconnect after you reset it. When your reset router restarts, connect to it and set a strong administrative password. The next step US-CERT suggests is to disable older types of internet communications, protocols like telnet, SNMP, TFTP and SMI that are often unencrypted or have other security flaws. Your router’s manual or online instructions should detail how to do that.

After securing your router, it’s important to keep it protected. Hackers are very persistent and are always looking to find more flaws in routers and other systems. Hardware manufacturers know this and regularly issue updates to plug security holes. So you should check regularly and install any updates that come out. Some manufacturers have smartphone apps that can manage their routers, which can make updating easier, or even automate the process.

By Alison DeNisco Rayome for Tech Republic

Microsoft is doubling down on its promise to rid the world of passwords and replace them with more convenient and secure options, the company announced in a Tuesday blog post.

“Nobody likes passwords. They are inconvenient, insecure, and expensive,” according to the post. The tech giant wants to deliver on two key promises: That end users “should never have to deal with passwords in their day-to-day lives,” and to replace passwords with “user credentials [that] cannot be cracked, breached, or phished.”

Microsoft first made a move to reduce password use with Windows Hello, introduced in Windows 10, which uses biometric sensors to verify a user’s identity based on a fingerprint or face scan. It has since introduced the Authenticator app, which allows users to log into their Microsoft account on their desktop using their phone. Finally, Microsoft is working with the Fast Identity Online (FIDO) working group to update Windows Hello with physical FIDO2 security keys that allow for more secure authentication.

The Windows Hello FIDO2 Security Key feature is now in limited preview, the post noted.

“At its core, our fundamental philosophy is simple: devalue the password, and replace it with something that eradicates its use for the end user and drains its value for an attacker,” according to the post.

The Windows 10 April 2018 Update includes the ability to do just that, the post noted: Using Windows 10 in S mode, cloud users (with Managed Service Account or Azure Active Directory) can use their PC without ever entering a password. Users can take advantage of this feature by setting up the Microsoft Authenticator App, installing the Windows 10 April 2018 Update with S mode enabled, and setting up Windows Hello.

To achieve a password-less future for all devices, Microsoft laid out a four-step plan:

1. Develop password-replacement offerings. This would involve replacing passwords with a new set of alternatives that retain the positive elements of passwords while also improving their shortcomings.

2. Reduce user visible password-surface area. Microsoft wants to upgrade all elements in the lifecycle of a user’s identity, including provisioning of an account, setting up a new device, and accessing apps and websites, to make sure they work with password replacements.

3. Simulate a password-less world. This means helping end users and IT administrators to transition into a password-less world easily.

4. Eliminate passwords from the identity directory. Deleting passwords from the identity directory represents “the final frontier,” according to the post.

It remains to be seen if other tech giants will follow Microsoft’s lead and eliminate passwords. With the rise of biometric security in a number of fields, the future for businesses could very well be password-less.

Ropemaker: a new email security weakness

Most people live under the assumption that email is immutable once delivered, like a physical letter. A new email exploit, dubbed ROPEMAKER by Mimecast’s research team, turns that assumption on its head, undermining the security and non-repudiation of email; even for those that use SMIME or PGP for signing.

Using the ROPEMAKER exploit a malicious actor can change the displayed content in an email at will. For example, a malicious actor could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. All of this can be done without direct access to the inbox.

Described in more detail in a recently published security advisory, Mimecast has been able to add a defense against this exploit for our customers and also provide security recommendations that can be considered by non-customers to safeguard their email from this email exploit.

So what is ROPEMAKER?

The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML. While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.

Clearly, giving attackers remote control over any aspect of ones’ applications or infrastructure is a bad thing. As is described in more depth in the ROPEMAKER Security Advisory, this remote-control-ability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security savvy users. ROPEMAKER could be leveraged in ways that are limited only by the creativity of the threat actors, which experience tells us, is often unlimited.

Changing this:

Into this, post-delivery (without having direct access to the user’s desktop):

To date, Mimecast has not seen ROPEMAKER exploited in the wild. We have, however, shown it to work on most popular email clients and online email services. Given that Mimecast currently serves more than 27K organizations and relays billions of emails monthly, if these types of exploits were being widely used it is very likely that Mimecast would see them. However, this is no guarantee that cybercriminals aren’t currently taking advantage of ROPEMAKER in very targeted attacks.

For details on email clients that we tested that are and are not exploitable by ROPEMAKER and the specifics on a security setting recommended by Apple for Apple Mail, please see the ROPEMAKER Security Advisory.

Is ROPEMAKER a software vulnerability, a form of potential application abuse/exploit, or a fundamental design flaw resulting from the intersection of Web technologies and email? Does it really matter which it is? For sure attackers don’t care why a system can be exploited, only that it can be. If you agree that the potential of an email being changeable post-delivery under the control of a malicious actor increases the probability of a successful email-borne attack, the issue simplifies itself. Experience tells us that cybercriminals are always looking for the next email attack technique to use. As an industry let’s work together to reduce the likelihood that the ROPEMAKER style of exploits gains any traction with cybercriminals!

by Matthew Gardiner for Mimecast

 

  • 1
  • 2

Follow us on social media: 

               

View our magazine archives: 

                       


My Office News Ⓒ 2017 - Designed by A Collective


SUBSCRIBE TO OUR NEWSLETTER
Top