Friday 21 June 2013

Email encryption flaw helps criminals and snoops hide hijacked messages


A flaw in the way Microsoft Outlook handles digitally signed email, potentially exploitable by cyber criminals, has been unearthed by bug hunters on the Full Disclosure mailing list.
Trend Micro global vice president of security research Rik Ferguson told V3 the bug relates to how Microsoft Outlook handles message signatures. "The thread talks about how Microsoft Outlook in particular – although this is probably common to other email clients – does not show a warning when the signing certificate does not match the 'From:' address in an email," he said.

"Digitally signing an email is a way of assuring the recipient that the content, while not encrypted, has not been modified in transit; it's effectively a cryptographic hash of the content and attributes of the mail. If the 'From:' address is rewritten, for example, a signed mail is sent to a distribution list and then forwarded onto each of the members of the list with a new 'From:' address – usually the address of the distribution list – then the content has been modified and the signing will no longer match."

Ferguson warned that the flaw could cause a number of problems for businesses, making it harder to spot messages that have been tampered with or hijacked by cyber criminals. He said that to close the gap Outlook would have to start alerting recipients to the mismatch between the signing certificate and the 'From:' address, a change with several potential pitfalls.
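The check Ferguson describes, carried out by hand with the openssl command line, as an added example that is not code from the article or from Trend Micro. It generates a throwaway self-signed certificate for a constructed identity (alice@example.com), signs a message with it, simulates a distribution list (list@example.com) re-sending the mail under its own 'From:' address, and then compares the address in the signer certificate with the message's 'From:' header. Assumed: openssl 1.1 or later is on PATH; the certificate, addresses and message body are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the V3 article or Trend Micro): extract the signer
# certificate from an S/MIME signed message with the openssl CLI and compare
# the email address it certifies with the message's From: header.
# Assumed: openssl 1.1+ on PATH; the self-signed cert below stands in for a
# real S/MIME certificate; alice@example.com and list@example.com are
# constructed test identities.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Constructed signer identity: the certificate binds alice@example.com.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout alice.key -out alice.crt \
  -subj "/CN=Alice Example/emailAddress=alice@example.com" >/dev/null 2>&1

# Alice signs a message. openssl writes the outer From:/To:/Subject: headers
# itself; they are not covered by the signature, only the MIME body part is.
printf 'The meeting has moved to 3pm.\n' > body.txt
openssl smime -sign -in body.txt -signer alice.crt -inkey alice.key \
  -from alice@example.com -to list@example.com -subject "Meeting" \
  -out signed.eml

# A distribution list re-sends the mail under its own address. The signed
# part is untouched, so the signature itself still verifies.
sed 's/^From: alice@example.com$/From: list@example.com/' signed.eml > forwarded.eml

# Returns 0 if the From: address is one the signer certificate certifies,
# 1 if the signature is valid but the address does not match, and
# 2 if the signature over the content does not verify at all.
check_from_matches_signer() {
  msg="$1"
  signer="$(mktemp)"
  # -noverify skips chain building (the test cert is self-signed); the
  # signature over the content is still checked. On success -signer writes
  # the signer's certificate out for inspection.
  if ! openssl smime -verify -in "$msg" -noverify -signer "$signer" \
        -out /dev/null >/dev/null 2>&1; then
    rm -f "$signer"
    return 2
  fi
  # First From: header, reduced to the bare address and lower-cased.
  from_addr="$(sed -n 's/^From:[[:space:]]*//p' "$msg" | head -n 1 \
               | sed 's/.*<\([^>]*\)>.*/\1/' | tr 'A-Z' 'a-z')"
  # Addresses the certificate carries (subject emailAddress and SAN rfc822Name).
  cert_emails="$(openssl x509 -in "$signer" -noout -email | tr 'A-Z' 'a-z')"
  rm -f "$signer"
  if printf '%s\n' "$cert_emails" | grep -Fxq "$from_addr"; then
    return 0
  fi
  return 1
}

for f in signed.eml forwarded.eml; do
  rc=0
  check_from_matches_signer "$f" || rc=$?
  case "$rc" in
    0) echo "$f: From: matches the signer certificate" ;;
    1) echo "$f: signature valid, but From: does not match the signer certificate" ;;
    *) echo "$f: signature does not verify" ;;
  esac
done
```

Run stand-alone it reports a match for signed.eml and a valid signature with a mismatched 'From:' for forwarded.eml, which is exactly the condition the Full Disclosure thread says Outlook stays silent on: the cryptographic check passes, and only the comparison between the certified address and the header reveals that the mail is no longer presented as coming from the person who signed it.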

"There is a bigger issue: in a post-PRISM world, more people are beginning to pay attention to how they can secure their email communication from prying eyes. Simply signing will not achieve this anyway, as mail is not encrypted, merely 'certified', so full-blown mail encryption is the answer," he said.

"In addition to public key encryption such as GnuPG, there are options that allow you to encrypt mail content before it is pasted into the client interface. Of course you still have to find a way to transmit the decryption key to your recipient, and that should be done through an alternative channel to the email itself, otherwise you simply give anyone else seeing your mail the key as well."

The PRISM scandal began earlier this month when leaked documents revealed that the US National Security Agency (NSA) had been siphoning information from Microsoft, Facebook and Google through a programme called PRISM.

Ferguson touted Trend Micro's hybrid identity-based encryption (IBE) approach to email encryption as one course of action for firms concerned by this issue. "With an IBE solution, you are able to generate an encrypted email to any recipient, regardless of whether they have signed up with any service, simply by knowing their email address," he said.
