Security experts are at odds over how to respond to new research showing hackers could decrypt emails that were supposed to be protected by a popular encryption tool known as PGP, or Pretty Good Privacy.
A group of European researchers on Monday revealed a flaw in the way certain email programs handle PGP and S/MIME, a similar encryption protocol commonly used by businesses and other enterprises, as my colleague Brian Fung and I reported yesterday.
The discovery of the flaw, dubbed Efail, blew open a rift between defenders of PGP who insist the encryption is sound — and others who say it’s time to move away from the 30-year-old technology in favor of encrypted messaging apps such as Signal.
“This whole PGP infrastructure is kind of a mess and needs to be hardened up and fixed, or we need to start using something better,” Matt Green, a cryptography expert and assistant professor at Johns Hopkins University, told me. “Signal, Wired and other encrypted chat applications aren’t vulnerable the way PGP is. They’re not only more secure, they’re more widely used.”
PGP has been the gold standard for encrypting emails since it was released in 1991. But today, people want the convenience of using their smartphones. And encrypted apps are more widely available than ever.
With the discovery of this flaw, it’s a good time to make the switch, tweeted Barton Gellman, a senior fellow at the Century Foundation and former Washington Post reporter who covered the National Security Agency leaks by Edward Snowden:
The best advice TBH is just to stop using GPG / PGP (for most purposes) and start using Signal. Safer, easier, free, works on your phone at least as well as on a computer. Messages, attachments, audio or video calls. Just get it. https://t.co/lrdDVSuU6g
— Barton Gellman (@bartongellman) May 14, 2018
Yet the flaw isn’t in PGP itself but in the way certain email programs handle it. Researchers said affected email applications include Mozilla Thunderbird, Apple Mail and some versions of Outlook. (A full list is available from the researchers’ report.)
The vulnerability allows hackers to read an encrypted email by making changes to its HTML, which essentially tricks the affected email applications into decrypting the rest of the message. To do this, a hacker would need access to the victim’s encrypted emails — for example, by snooping on network traffic or otherwise compromising email accounts.
Green explains it simply: “The attacker can modify the encrypted email, and when the person for whom it’s intended opens it or previews it, the mail program will send the contents out to a remote server the attacker has set up,” he said. “All you have to do is look at it and it will decrypt itself and send it out to the attacker.”
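The mechanism Green describes, a renderer fetching a remote URL that now carries the decrypted text, is also what the suggested mitigation targets: a mail client that never loads remote content cannot leak this way. The following is an added example written for this page, not code from the Efail researchers, the EFF or any mail client. It assumes the body has already been decrypted and strips every attribute that would make a renderer fetch a remote URL, keeping inline `cid:` parts and ordinary clickable links; the sample body and the `example.net`/`example.org` hosts are constructed.

```python
"""Neutralize remote-content loading in an HTML mail body before rendering.

Constructed example (not from the article, the researchers or any client):
whatever the client decrypts must not be able to reach a server chosen by
whoever edited the ciphertext, so each attribute that would trigger a fetch
of a remote URL is removed and counted.
"""
import html
from html.parser import HTMLParser

# Attributes that can trigger an automatic fetch when the message is rendered.
URL_ATTRS = {"src", "href", "action", "data", "poster", "background",
             "srcset", "formaction", "xlink:href"}
REMOTE_PREFIXES = ("http:", "https:", "ftp:", "//")

def is_remote(url):
    """True if the URL points at the network (cid: and data: URLs do not)."""
    u = "".join(url.lower().split())        # drop whitespace used to hide a scheme
    return u.startswith(REMOTE_PREFIXES) or "://" in u

class RemoteContentStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []        # rebuilt HTML fragments
        self.blocked = []    # (tag, attribute, value) triples that were removed
        self._skip = 0       # >0 inside <script>/<style>, whose content is dropped

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if value is None:
                kept.append((name, value))
            elif lname in URL_ATTRS and not (tag == "a" and lname == "href") \
                    and any(is_remote(part) for part in value.split(",")):
                self.blocked.append((tag, lname, value))
            elif lname == "style" and "url(" in "".join(value.lower().split()):
                self.blocked.append((tag, lname, value))  # CSS url() also fetches
            else:
                kept.append((name, value))
        return kept

    def _emit_tag(self, tag, attrs, selfclosing=False):
        parts = [tag] + [n if v is None else f'{n}="{html.escape(v, quote=True)}"'
                         for n, v in attrs]
        self.out.append("<" + " ".join(parts) + (" />" if selfclosing else ">"))

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            self.blocked.append((tag, "element", ""))
        elif not self._skip:
            self._emit_tag(tag, self._clean_attrs(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        if tag in ("script", "style"):
            self.blocked.append((tag, "element", ""))
        elif not self._skip:
            self._emit_tag(tag, self._clean_attrs(tag, attrs), selfclosing=True)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Escaping '<' here also defuses a tag left unterminated at end of input.
        if not self._skip:
            self.out.append(html.escape(data, quote=False))

    def handle_entityref(self, name):
        if not self._skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped

def strip_remote_content(body):
    """Return (sanitized_html, blocked) for a decrypted HTML mail body."""
    p = RemoteContentStripper()
    p.feed(body)
    p.close()
    return "".join(p.out), p.blocked

# Constructed sample body: an inline image, a tracking pixel, a remote
# stylesheet, a normal link and a CSS background fetch.
SAMPLE_BODY = (
    '<html><body><p>Meeting moved to 3pm &amp; room 2.</p>'
    '<img src="cid:logo@example" alt="logo">'
    '<img src="https://tracker.example.net/pixel.gif?id=42" width="1">'
    '<link rel="stylesheet" href="https://cdn.example.net/mail.css">'
    '<a href="https://example.org/agenda">Agenda</a>'
    '<div style="background:url(https://cdn.example.net/bg.png)">Hi</div>'
    '</body></html>'
)

if __name__ == "__main__":
    clean, blocked = strip_remote_content(SAMPLE_BODY)
    print(clean)
    for tag, attr, value in blocked:
        print(f"blocked <{tag} {attr}>: {value}")
```

The `blocked` list is what a client or mail gateway would surface to the user or write to a log; a non-empty list on a message that was supposed to be plain text is itself a useful signal. Rendering the result as plain text, as Duff suggests further down, is the stronger option; this sanitizer is the compromise for clients that insist on HTML.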
This could put whistleblowers, political activists and others who depend on encrypted email at risk, the researchers said in a blog post. That added urgency to warnings from the digital rights group Electronic Frontier Foundation, which urged users of the affected email programs to immediately disable tools that allow the email apps to use PGP or S/MIME.
“Until the flaws described in the paper are more widely understood and fixed,” EFF said, “users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email.”
But some security experts said these dire warnings were overkill.
Andy Yen, chief executive of the encrypted email service ProtonMail, criticized the way EFF and the researchers portrayed the issue, saying it was reckless to tell users to stop exchanging encrypted emails. The problem, he said, was not with PGP but with the way email clients have implemented it.
“It’s like any software — if the vendors are actively patching and updating, it’s secure,” Yen told me, adding that ProtonMail was unaffected by the flaw. “If you look at the top 10 clients out there, most have long since patched it. What the researchers have really done is catalogued clients that haven’t done this properly.”
Werner Koch, the principal author of the cryptographic software GNU Privacy Guard, also called warnings about the vulnerability “pretty overblown.” In a post Monday, he said that his team was not contacted about the flaw and noted that the attack could be mitigated by avoiding HTML emails or using authenticated encryption, which adds a layer of protection to confirm the message hasn’t been changed.
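The second mitigation Koch mentions, authenticated encryption, shows up in an OpenPGP message as a structural difference that can be checked without decrypting anything: the legacy Symmetrically Encrypted Data packet (tag 9) has no integrity check, while the Symmetrically Encrypted Integrity Protected Data packet (tag 18) carries the modification detection code. The following is an added example written for this page, not code from GnuPG or the researchers; it walks the packet headers per RFC 4880 and reports which kind of encrypted packet a message contains. The sample messages are constructed filler bytes, not real ciphertext, and the function names are the example's own.

```python
"""Report whether an OpenPGP message's encrypted data carries integrity protection.

Constructed example for this article, not code from GnuPG or the Efail
researchers. Packet tags and length encodings follow RFC 4880 sections 4.2
and 4.3: tag 9 is the legacy Symmetrically Encrypted Data packet (no
integrity check), tag 18 is the Symmetrically Encrypted Integrity Protected
Data packet (carries the MDC). Only headers are parsed; nothing is decrypted.
"""
import base64

TAG_SYM_ENCRYPTED = 9
TAG_SEIPD = 18

def dearmor(text):
    """Return the binary payload of an ASCII-armored message (base64 lines only)."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an armored OpenPGP message")
    body, in_body = [], False
    for line in lines[1:]:
        if line.startswith("-----END PGP"):
            break
        if not in_body:
            in_body = line.strip() == ""   # blank line ends the armor headers
            continue
        if line.startswith("="):           # 24-bit CRC line, not part of the data
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body))

def _new_length(data, i):
    """Decode one new-format length field at data[i]: (length, next_index, partial)."""
    l = data[i]
    if l < 192:
        return l, i + 1, False
    if l < 224:
        return ((l - 192) << 8) + data[i + 1] + 192, i + 2, False
    if l == 255:
        return int.from_bytes(data[i + 1:i + 5], "big"), i + 5, False
    return 1 << (l & 0x1F), i + 1, True    # partial body length, more chunks follow

def packet_tags(data):
    """Return [(tag, body_length), ...] for each top-level packet in a binary message."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if not b & 0x80:
            raise ValueError(f"invalid packet header 0x{b:02x} at offset {i}")
        i += 1
        if b & 0x40:                        # new-format header
            tag, total = b & 0x3F, 0
            while True:
                length, i, partial = _new_length(data, i)
                total += length
                i += length
                if not partial:
                    break
        else:                               # old-format header
            tag, ltype = (b >> 2) & 0x0F, b & 0x03
            if ltype == 3:                  # indeterminate length: runs to the end
                total, i = n - i, n
            else:
                width = (1, 2, 4)[ltype]
                total = int.from_bytes(data[i:i + width], "big")
                i += width + total
        if i > n:
            raise ValueError("packet runs past end of data")
        out.append((tag, total))
    return out

def integrity_status(message):
    """'protected', 'unprotected' or 'not-encrypted' for a binary or armored message."""
    data = dearmor(message) if isinstance(message, str) else message
    tags = [t for t, _ in packet_tags(data)]
    if TAG_SEIPD in tags:
        return "protected"
    if TAG_SYM_ENCRYPTED in tags:
        return "unprotected"
    return "not-encrypted"

# Constructed samples: a PKESK (tag 1) followed by either packet type. Bodies
# are zero filler, not ciphertext. 0xA4 = old-format header, tag 9, 1-byte length.
LEGACY_MSG = bytes([0xC1, 3, 0x03, 0x00, 0x00]) + bytes([0xA4, 5]) + b"\x00" * 5
MDC_MSG = bytes([0xC1, 3, 0x03, 0x00, 0x00]) + bytes([0xD2, 6, 0x01]) + b"\x00" * 5
ARMORED_MDC = ("-----BEGIN PGP MESSAGE-----\nVersion: constructed\n\n"
               + base64.b64encode(MDC_MSG).decode() + "\n=AAAA\n"
               "-----END PGP MESSAGE-----\n")

if __name__ == "__main__":
    for name, msg in (("legacy", LEGACY_MSG), ("armored MDC", ARMORED_MDC)):
        print(name, integrity_status(msg))
```

This only tells a client or gateway which packet type it is looking at; verifying the MDC itself happens inside the OpenPGP library during decryption. A signed-but-unencrypted message comes back as `not-encrypted`, so the check should be applied only to messages that were expected to be encrypted.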
Ryan Duff of the start-up Point3 Security tweeted similar recommendations, saying he saw “no reason to disable PGP altogether”:
There is a simple fix here.
Disable HTML rendering for e-mails. You should be doing that for e-mails with PGP anyways. Not only will this secure you from this attack, but it will protect you from lots of other attacks.
I see no reason to stop using PGP altogether.
— Ryan Duff (@flyryan) May 14, 2018
Jake Williams, founder of Rendition Security, took issue with the way the flaw was disclosed:
The big problem with #efail is how it was disclosed. Nobody should be disabling PGP. You are far safer with it than without it, even if your email client is buggy. Also, patch your software. Really. It helps.
— Jake Williams (@MalwareJake) May 14, 2018
So did Lesley Carhart of Dragos:
But seriously, this was a bad disclosure and we should all feel bad.
— Lesley Carhart (@hacks4pancakes) May 14, 2018
Apple said Monday that it is aware of the issue and that updates to fully address it will soon be released. Microsoft did not immediately respond to a request for comment. Mozilla referred questions to the Thunderbird Council, the third-party open-source software group that maintains the Thunderbird email app. Ryan Sipes, a Thunderbird community manager, said in a statement that a patch is being developed and will be distributed as an update by the end of the week.
Whether people decide to keep PGP or make the switch, the flaw shows how difficult it is to perfect the art of sending secure messages, said Riana Pfefferkorn, a cryptography fellow at Stanford University.
“Even after withstanding years’ worth of widespread scrutiny by security experts, a flaw in an encryption standard may still turn up,” she told me. “Plus, even if the vulnerability is fixed by the maintainers, users’ configuration of their email client may not be perfect, potentially leaving them unwittingly exposed.”
PINGED, PATCHED, PWNED
PINGED: The Energy Department will look for “game-changing solutions” to secure the power grid in the future, according to a report released on Monday outlining the agency’s cybersecurity strategy for the energy sector.
The report makes the risks clear: “Today, a cyber incident has the potential to disrupt energy services, damage highly specialized equipment, and threaten human health and safety,” it says. “This makes energy cybersecurity a top national priority that will require the federal government and the energy sector to work together to reduce cyber risks that could trigger a large-scale or prolonged energy disruption.”
The use of digital tools to control the energy grid has created “new opportunities for malicious cyber threats,” according to the report. “Growing interdependence among the nation’s energy systems increases the risk that disruptions might cascade across organizational and geographic boundaries,” it adds.
PATCHED: The Cambridge Analytica fallout continues. Facebook announced on Monday that it has suspended about 200 apps while it investigates whether they improperly accessed users’ data, The Washington Post’s Drew Harwell and Tony Romm report.
Facebook hasn’t said which apps were suspended. “We have large teams of internal and external experts working hard to investigate these apps as quickly as possible,” Ime Archibong, Facebook’s vice president of product partnerships, said in a statement. Archibong also said Facebook will ban apps if it finds evidence that they mishandled data and will notify users on this page.
“The suspensions support a long-running defense of Aleksandr Kogan, the researcher who provided Facebook data to Cambridge Analytica, that many apps besides his had gathered vast amounts of user information under Facebook’s previously lax data-privacy rules,” Harwell and Romm write.
PWNED: And it looks like more privacy dustups may be coming. On the same day that Facebook announced the app suspensions, a New Scientist investigation found that about 3 million users of the social network who answered questions about their personality on an app had their private data exposed online for years.
“Academics at the University of Cambridge distributed the data from the personality quiz app myPersonality to hundreds of researchers via a website with insufficient security provisions, which led to it being left vulnerable to access for four years,” Phee Waterfield and Timothy Revell wrote in New Scientist yesterday. “Gaining access illicitly was relatively easy.”
Facebook suspended the myPersonality app last month and said it may have violated its policies, according to Waterfield and Revell. The app’s website has also gone offline.
David Stillwell, one of the academics involved in the project, told New Scientist that Facebook knew about the app and had meetings with him about it. “It is therefore a little odd that Facebook should suddenly now profess itself to have been unaware of the myPersonality research and to believe that the use of the data was a breach of its terms,” Stillwell said.
— More cybersecurity news:
— Democratic senators said the Senate will hold a vote Wednesday on whether to undo the Federal Communications Commission’s decision last year to terminate net-neutrality regulations, Reuters’s David Shepardson reports.
“The repeal of net neutrality is not only a blow to the average consumer, but it is a blow to public schools, rural Americans, communities of color and small businesses,” Senate Minority Leader Charles E. Schumer (D-N.Y.) said in a statement. “A vote against this resolution will be a vote to protect large corporations and special interests, leaving the American public to pay the price.”
But even if the Senate cancels the FCC’s repeal of net-neutrality regulations, it is unclear whether the House would hold a vote on a similar measure, Shepardson writes.
From Sen. Catherine Cortez Masto (D-Nev.):
We’re on the clock. The Senate will be voting on the CRA to save #NetNeutrality this Wednesday, 5/16. If you want to continue to enjoy the free & open internet as you do today, please make your voices heard before it’s too late! pic.twitter.com/c7qgBet1Kp
— Senator Cortez Masto (@SenCortezMasto) May 14, 2018
— Ongoing tensions within the National Security Council’s cyber team have delayed the release of reports that were scheduled to go out last Friday on the one-year anniversary of President Trump’s executive order on cybersecurity, Politico’s Eric Geller reports.
Joshua Steinman, a senior director for cyber policy at the NSC, persuaded national security adviser John Bolton’s aides to postpone the publication of the reports, according to Geller.
NSC senior director Josh Steinman (see: https://t.co/a7ldCgLwfK) convinced Bolton’s aides to delay the rollout.
One source said it was to spite outgoing cyber adviser Rob Joyce, whose job he wanted. Another said it was to avoid more attention to the NSC team after my last story.
— Eric Geller (@ericgeller) May 14, 2018
— Google, YouTube and Archive.org are playing terrorist whack-a-mole. Even as those companies work to shut down Islamic State propaganda, the group still finds plenty of ways to spread extremist materials online, according to a new report by the cyberintelligence company Flashpoint.
Ken Wolf, a senior analyst at Flashpoint and the author of the report, wrote that “despite the efforts of tech giants to eradicate extremist content from their platforms, ISIS and the group’s supporters have not only adapted to challenges, but have also continued to make use of the services provided by some of the companies leading the effort to eradicate this material.”
Other assessments from the report include:
- “Based upon the data reviewed by Flashpoint analysts, archive[.]org has been one of the top content-hosting providers used by these actors to upload and distribute materials throughout the three-year period that was reviewed.”
- “[The] frequency of URLs from Twitter posted to the ISIS forums declined sharply between January 2015 and January 2016. While we do not have specific evidence that shows a causative relationship between the decline in frequency and Twitter’s efforts to close these accounts and block the content, discussions in the forums suggest that the efforts have been effective.”
- “As tech companies such as Twitter seek to disrupt the efforts of these actors to leverage their platforms, ISIS and the group’s supporters have also sought to find alternate means of distributing and providing access to their content.”
— An internal debate at Google about its partnership with the Defense Department on a project to bring artificial intelligence to military drones is roiling the company with an intensity not seen in years, Bloomberg News’s Mark Bergen reports.
“Employees against the deal see it as an unacceptable link with a U.S. administration many oppose and an unnerving first step toward autonomous killing machines,” according to Bergen.
Almost 4,000 employees have signed a letter asking Google chief executive Sundar Pichai to terminate the tech giant’s involvement in the program, called Project Maven, Bergen writes. About a dozen Google employees are resigning to protest the company’s involvement in the program, Gizmodo’s Kate Conger also reported yesterday.
THE NEW WILD WEST
— Andrew Parker, the director general of Britain’s domestic intelligence agency MI5, publicly lambasted the Russian government on Monday for its attempts at weakening Western democracies, the Guardian’s Ewen MacAskill reports. Parker was addressing a conference in Berlin, marking the first time that a sitting chief of the agency was delivering a public speech abroad.
“The Russian state’s now well-practiced doctrine of blending media manipulation, social media disinformation and distortion along with new and old forms of espionage, and high-levels of cyber-attacks, military force and criminal thuggery is what is meant these days by the term hybrid threats,” Parker said, as quoted by MacAskill.
— Cyber crime increased last year in Britain, and a widespread reluctance by companies to disclose data breaches only makes matters worse, the British National Crime Agency said Monday in its annual report on serious and organized crime.
“UK cyber crime continues to rise in scale and complexity but under-reporting of data breaches continues to erode our ability to make robust assessments of the scale and cost of network intrusions,” the agency said in a statement.
Here are some highlights about cyber crime from the report:
- “The distinction between nation states and criminal groups in terms of cyber crime is becoming frequently more blurred, making attribution of cyber attacks increasingly difficult.”
- “Cyber crime groups, many of which operate internationally and are Russian-speaking, continue to pose a threat to UK interests.”
- “The threat from UK domestic cyber criminals continues to mature, and these domestic actors are capable of damaging attacks.”
— The Brookings Institution yesterday launched a database of underrepresented experts in cybersecurity and technology policy. The effort “aims to help journalists, conference planners, and others to identify and connect with experts outside of their usual sources and panelists,” wrote Susan Hennessey, a Brookings fellow and executive editor of Lawfare.
The first database from Sourcelist includes women whose areas of expertise include national security, artificial intelligence, cybersecurity, software development and several other fields. Hennessey also asked Twitter users to name women whose expertise should be recognized, sending tech Twitter abuzz with the hashtag #YouShouldTalkTo:
In honor of the launch of #SourceList, a database of qualified women in tech policy, I want to hear from other experts in the field about which women they recommend to reporters and organizers. Chime in with #youshouldtalkto. https://t.co/JJVprDSEh5 pic.twitter.com/KBCk8qnNXJ
— Susan Hennessey (@Susan_Hennessey) May 14, 2018
I’m proud to be featured on #SourceList, a database of qualified women experts in tech policy, along with other women that #youshouldtalkto. Many more to add, like @marasawr, @bodinebaron, @lorrietweet, @CDionSchwarz, @CynthiaRCook, @cortney_dc, @MarjorySB. https://t.co/FzKibN9vaF
— Lillian Ablon (@LilyAblon) May 14, 2018
Check out #SourceList, a database of qualified women experts in tech policy! On tech and national security, #youshouldtalkto @bridgewriter, @jendaskal, and @oonahathaway. Thanks to @Susan_Hennessey for this great project! https://t.co/MzPKYWBwbZ
— Kristen Eichensehr (@K_Eichensehr) May 14, 2018