{"id":229915,"date":"2017-09-20T09:14:34","date_gmt":"2017-09-20T07:14:34","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=229915"},"modified":"2017-09-20T09:14:34","modified_gmt":"2017-09-20T07:14:34","slug":"ropemaker-email-security-weakness-vulnerability-or-application-misuse","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/industrynews\/229915-ropemaker-email-security-weakness-vulnerability-or-application-misuse.html","title":{"rendered":"ROPEMAKER email security weakness &#8211; Vulnerability or application misuse?"},"content":{"rendered":"<p>Most people live under the assumption that email is immutable once delivered, like a physical letter.\u00a0 A new email exploit, dubbed ROPEMAKER by Mimecast\u2019s research team, turns that assumption on its head, undermining the security and non-repudiation of email, even for those who use S\/MIME or PGP for signing.\u00a0 Using the ROPEMAKER exploit, a malicious actor can change the displayed content in an email at will. For example, a malicious actor could swap a benign URL with a malicious one in an email already delivered to your inbox, turn simple text into a malicious URL, or edit any text in the body of an email whenever they want. 
All of this can be done without direct access to the inbox.<\/p>\n<p>As described in more detail in a recently published\u00a0<a href=\"https:\/\/goo.gl\/ke7PVi\" data-saferedirecturl=\"https:\/\/www.google.com\/url?hl=en-GB&amp;q=https:\/\/goo.gl\/ke7PVi&amp;source=gmail&amp;ust=1505974153292000&amp;usg=AFQjCNGED2PL7Xb4Ztv67Gu2HQQIk4tDQg\">security advisory<\/a>, Mimecast has been able to add a defense against this exploit for our customers and also provide security recommendations that non-customers can consider to safeguard their email from this exploit.<\/p>\n<p>So what is ROPEMAKER?<\/p>\n<p>The origin of ROPEMAKER lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML.\u00a0 While the use of these Web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable\u00a0<a href=\"https:\/\/goo.gl\/dG9jhD\" data-saferedirecturl=\"https:\/\/www.google.com\/url?hl=en-GB&amp;q=https:\/\/goo.gl\/dG9jhD&amp;source=gmail&amp;ust=1505974153293000&amp;usg=AFQjCNEZdWimhwt7jsm4y3nWQ9kgebkPZw\">attack vector for email<\/a>.<\/p>\n<p>Clearly, giving attackers remote control over any aspect of one\u2019s applications or infrastructure is a bad thing.\u00a0 As is described in more depth in the\u00a0<a href=\"https:\/\/goo.gl\/ke7PVi\" data-saferedirecturl=\"https:\/\/www.google.com\/url?hl=en-GB&amp;q=https:\/\/goo.gl\/ke7PVi&amp;source=gmail&amp;ust=1505974153293000&amp;usg=AFQjCNG5Sr2H7LOEhvId7zjWWF6ao_umLw\">ROPEMAKER Security Advisory<\/a>, this remote-control-ability could enable bad actors to direct unwitting users to malicious Web sites or cause other harmful consequences using a technique that could bypass common security controls and fool even the most security-savvy users.\u00a0 ROPEMAKER could be leveraged in ways that are limited only by the creativity of the threat actors, which, experience tells us, is 
often unlimited.<\/p>\n<p><strong>Changing this:<\/strong><\/p>\n<p><a  data-lightbox=\"post-image\" href=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2017\/09\/Ropemaker-before.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-229923\" src=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2017\/09\/Ropemaker-before.jpg\" alt=\"\" width=\"640\" height=\"430\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2017\/09\/Ropemaker-before.jpg 640w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2017\/09\/Ropemaker-before-300x202.jpg 300w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2017\/09\/Ropemaker-before-595x400.jpg 595w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><strong>Into this, post-delivery (without having direct access to the user\u2019s desktop):<\/strong><\/p>\n<p><a  data-lightbox=\"post-image\" href=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2017\/09\/Ropemaker-after.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-229921\" src=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2017\/09\/Ropemaker-after.jpg\" alt=\"\" width=\"640\" height=\"430\" srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2017\/09\/Ropemaker-after.jpg 640w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2017\/09\/Ropemaker-after-300x202.jpg 300w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2017\/09\/Ropemaker-after-595x400.jpg 595w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p>To date, Mimecast has not seen ROPEMAKER exploited in the wild.\u00a0 We have, however, shown it to work on most popular email clients and online email services.\u00a0 Given that Mimecast currently serves more than 27K organizations and relays billions of emails monthly, if these types of exploits were being widely used it is very likely that Mimecast would see them.\u00a0 However, this is 
no guarantee that cybercriminals aren\u2019t currently taking advantage of ROPEMAKER in very\u00a0<a href=\"https:\/\/goo.gl\/xDzFRK\" data-saferedirecturl=\"https:\/\/www.google.com\/url?hl=en-GB&amp;q=https:\/\/goo.gl\/xDzFRK&amp;source=gmail&amp;ust=1505974153293000&amp;usg=AFQjCNHgJM7D6iHnN7KQiGHlgITPjchmug\">targeted attacks<\/a>.<\/p>\n<p>For details on email clients that we tested that are and are not exploitable by ROPEMAKER and the specifics on a security setting recommended by Apple for Apple Mail, please see the ROPEMAKER Security Advisory.<\/p>\n<p>Is ROPEMAKER a software vulnerability, a form of potential application abuse\/exploit, or a fundamental design flaw resulting from the intersection of Web technologies and email?\u00a0 Does it really matter which it is? For sure attackers don\u2019t care why a system can be exploited, only that it can be.<\/p>\n<p>If you agree that the potential of an email being changeable post-delivery under the control of a malicious actor increases the probability of a successful email-borne attack, the issue simplifies itself.\u00a0 Experience tells us that cybercriminals are always looking for the next email attack technique to use.\u00a0 As an industry let\u2019s work together to reduce the likelihood that the ROPEMAKER style of exploits gains any traction with cybercriminals!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Is ROPEMAKER a software vulnerability, a form of potential application abuse\/exploit, or a fundamental design flaw resulting from the intersection of Web technologies and email? 
Does it matter?<\/p>\n","protected":false},"author":341030,"featured_media":229919,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[28937],"tags":[35,12213,37931],"class_list":["post-229915","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-industrynews","tag-headline","tag-mimecast","tag-mimecast-south-africa"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/229915"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341030"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=229915"}],"version-history":[{"count":0,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/229915\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/229919"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=229915"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=229915"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=229915"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}