Worried that ‘email is no longer a secure means of communication’ in light of the past 24 hours of hyperbolic headlines? Well, a) dare we say email itself was never secure; b) you may have cause for concern if your provider uses legacy PGP or S/MIME for email encryption; and c) Mimecast – used by the vast majority of UK Top 200 clients – is not affected by EFAIL, for one.
Tech sites such as Gizmodo were among the first to quote Sebastian Schinzel, a professor of computer security at Germany’s Münster University of Applied Sciences, who yesterday (14 May) told the German news outlet Süddeutschen Zeitun: “Email is no longer a secure communication medium.”
Schinzel and his team discovered a critical vulnerability they are calling EFAIL that exposes encrypted emails in plaintext, even messages sent in the past.
Steven Malone, director of security product management at Mimecast, which within its cloud email security suite offers policy-based TLS encryption for emails on the wire, told Legal IT Insider: “Mimecast email clients and services are not affected by EFAIL.
“EFAIL attacks highlight the on-going security weaknesses inherent within the legacy standards of email and the internet and clearly highlight the need for robust layers of additional 21st century defence.
“S/MIME is legacy technology that is often hard to setup and maintain. Too often it’s perceived that because it’s a mature technology, it’s a good technology. That’s simply not the case. It’s vital that organisations review their exposure to any use of these encryption standards and affected clients and consider opting for a suite of technology that can deliver true cyber resilience. That should include protection from attacks as well as control of sensitive content whether it resides inside or outside the corporate network.”
He adds: “Privacy and security often have competing demands that need to be carefully balanced for any organisation. Simply choosing disparate technology components piecemeal because they’re mature is not a good strategy.”
We asked Mimecast to clarify the wider risk/next steps and here is what you need to know in brief:
How big is the risk?
o The precise conditions needed to exploit this are complex and the likelihood of a successful attack in the wild is low. It is important however that email users treat any encrypted email they receive as a potential threat and all users should ensure their systems are fully patched, anti-virus is up-to-date and adequate secondary protections are in place.
What type of encryption is under threat?
o PGP and S/MIME. PGP offers end-to-end encryption specifically for sensitive communication in view of these powerful attackers. S/MIME is an alternative standard for email end-to-end encryption that is typically used to secure corporate email communication.
What do law firms need to know?
o Law firms should check directly with their email client suppliers as to whether thy may be vulnerable or not.
If you don’t use PGP / S/MIME, is there any risk?
o There are no new risks to your infrastructure if you are not using these technologies.
How do you respond to the report quote: “Email is no longer a secure communication medium?”
o The report is hyperbolic. Email was never designed with security in mind and requires additional layers of advanced security protection. This new weakness does not materially affect the security of email as whole.
We’ll bring you more detail as it comes in.