File sharing is one of the cornerstones of workplace collaboration. However, there are some inherent security vulnerabilities associated with sharing sensitive documents and other information across public and private networks or, worse still, via email.

With such a diverse cyber-security threat landscape, file-sharing breaches don’t often grab the headlines. This doesn’t make the threat any less real, and users would do well to remember that convenience and practicality should not be pursued at the cost of security.

In an article published earlier this year on neowin.net, Muhammad Jarir Kanji discusses a paper published by Münster University of Applied Sciences. In the paper, “Efail: Breaking S/MIME and OpenPGP Email Encryption”, researchers issued a warning about a critical flaw in the S/MIME and OpenPGP email encryption tools that would allow attackers to read supposedly encrypted content in plaintext form.

Abstract:

“OpenPGP and S/MIME are the two prime standards for providing end-to-end security for emails. We describe novel attacks built upon a technique we call malleability gadgets to reveal the plaintext of encrypted emails.

We use CBC/CFB gadgets to inject malicious plaintext snippets into encrypted emails that abuse existing and standard conforming backchannels, for example, in HTML, CSS, or x509 functionality, to exfiltrate the full plaintext after decryption.

The attack works for emails even if they were collected long ago and is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker.”
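The property behind the CBC gadgets in the abstract, shown as an added example that is not code from the paper or from Senetas: CBC without an integrity check lets a known plaintext block be rewritten without the key, while verifying a MAC before decryption rejects the change. The toy Feistel cipher (a stand-in for a real block cipher), the function names and the sample message are all constructed for illustration.

```python
import hashlib, hmac, os

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(key, blk, rounds):  # stand-in 128-bit block cipher (NOT AES)
    l, r = blk[:8], blk[8:]
    for i in rounds:
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8]
        l, r = r, _xor(l, f)
    return r + l  # final swap: running the rounds in reverse order inverts it

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), 16):
        prev = _feistel(key, _xor(pt[i:i + 16], prev), (0, 1, 2, 3))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), 16):
        out += _xor(_feistel(key, ct[i:i + 16], (3, 2, 1, 0)), prev)
        prev = ct[i:i + 16]
    return out

def open_authenticated(enc_key, mac_key, iv, ct, tag):
    # Encrypt-then-MAC: check the tag over IV and ciphertext before decrypting.
    good = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("integrity check failed")
    return cbc_decrypt(enc_key, iv, ct)

def demo():
    enc_key, mac_key, iv = (os.urandom(16) for _ in range(3))
    known, wanted = b"Meeting at 10:00", b"Meeting at 16:00"  # constructed sample
    ct = cbc_encrypt(enc_key, iv, known + b" in room B, 2nd.")
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    bad_iv = _xor(iv, _xor(known, wanted))  # needs the known plaintext, not the key
    plain_cbc = cbc_decrypt(enc_key, bad_iv, ct)  # bare CBC decrypts it without error
    try:
        open_authenticated(enc_key, mac_key, bad_iv, ct, tag)
    except ValueError:
        return plain_cbc, True  # the authenticated path refuses the altered message
    return plain_cbc, False
```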

 

Senetas Opinion

By now, we would have thought it should go without saying that sensitive information and attachments should not be sent via email across public data networks. Of course, most organisations are intolerant of security practices that act as a barrier to collaboration and convenience. Users demand flexible solutions that do not adversely impact on performance and productivity.

Public “box-type” Cloud-based file sharing services offer convenient file-sharing, and may include added encryption security, but the reality is these services have two critical vulnerabilities. First, your data is stored “in the cloud”. This means it could literally be anywhere on the planet. For any organisation with concerns over data sovereignty, this is a problem.

Second, the encryption technology used to secure the system is likely to be what we refer to as “low-assurance”, where the encryption keys remain with the service provider.

The unearthing of these vulnerabilities in OpenPGP and S/MIME standards for email encryption demonstrates that email is not a suitable channel for exchanging sensitive or high-value data. If you need to share a sensitive or confidential document with someone, use a secure file sharing platform that uses end-to-end encryption.

Look for a solution that has been designed with maximum file security in mind: something that offers 100% control over data sovereignty and doesn’t act as a barrier to effective collaboration.