27 June 2019
File sharing is one of the cornerstones of workplace collaboration. However, there are some inherent security vulnerabilities associated with sharing sensitive documents and other information across public and private networks. Or, worse still via email.
With such a diverse cyber-security threat landscape, file-sharing breaches don’t often grab the headlines. This doesn’t make the threat any less real, and users would do well to remember that convenience and practicality should not be pursued at the cost of security.
In an article published last year on neowin.net, Muhammad Jarir Kanji discusses a paper published by Munster University of Applied Sciences. In the paper Efail: Breaking S/MIME and OpenPGP Email Encryption, researchers issued a warning about a critical flaw in the S/MIME and OpenPGP email encryption tools which would allow attackers to read supposedly encrypted content in plaintext form.
Abstract:
“OpenPGP and S/MIME are the two prime standards for providing end-to-end security for emails. We describe novel attacks built upon a technique we call malleability gadgets to reveal the plaintext of encrypted emails.
We use CBC/CFB gadgets to inject malicious plaintext snippets into encrypted emails that abuse existing and standard conforming backchannels, for example, in HTML, CSS, or x509 functionality, to exfiltrate the full plaintext after decryption.
The attack works for emails even if they were collected long ago and is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker.”
Senetas Opinion
By now, we would have thought it should go without saying that sensitive information and attachments should not be sent via email across public data networks. Of course, most organisations are intolerant of security practices that act as a barrier to collaboration and convenience. Users demand flexible solutions that do not adversely impact on performance and productivity.
Public “box-type” Cloud-based file sharing services offer convenient file-sharing, and may include added encryption security, but the reality is these services have two critical vulnerabilities. First, your data in stored “in the cloud”. This means it could literally be anywhere on the planet. For any organisation with concerns over data sovereignty, this is a problem.
Second, the encryption technology used to secure the system is likely to be what we refer to as “low-assurance”, where the encryption keys remain with the service provider.
MS Office files, video clips, PDFs, rich-text documents, image files and more represent a potential risk to internal systems’ integrity as they are ideal vehicle in which to conceal malicious code. Simple detection and file sanitisation tools offer some protection against known threats, however they do not protect against unknown and zero-day attacks.
By leveraging content disarm and reconstruction technology (CDR) together with secure file-sharing, organisations benefit from an additional layer of security. CDR is an advanced cyber-threat prevention technology that is not dependent upon successful detection of malicious code (malware).
CDR assumes every file is malicious. It deconstructs all content before analysing and removing any suspicious code. Once disinfected, the file is reconstructed, ensuring 100% usability is retained. CDR technology is highly effective against both known and unknown threats; including zero-day targeted attacks, undetectable malware and obfuscation attacks.
The unearthing of these vulnerabilities in OpenPGP and S/MIME standards for email encryption demonstrates that email is not a suitable channel for exchanging sensitive or high-value documents in the form of attachments. If you need to share a confidential file or document with someone, use a secure file sharing platform that uses end-to-end encryption.
Look for a solution that has been designed with maximum file security in mind. Something that offers 100% control over data sovereignty and doesn’t act as a barrier to effective collaboration.
Discover more about secure file sharing by visiting sure-drop.com
