Some time ago, we noticed at Realmode Labs that Amazon Kindle has an interesting feature called “Send to Kindle”. This feature allows Kindle users to send e-books to their device as email attachments. We immediately thought of the potential security concerns of this feature: what if we can send malicious e-books to unsuspecting users?

source: R

This post is about the situation with Domain Keys Identified Mail (DKIM), a harmless little spam protocol that has somehow become a monster. My request is simple and can be summarized as follows: Dear Google: would you mind rotating and publishing your DKIM secret keys on a periodic basis? This would make the entire Internet quite a bit more secure, by removing a strong incentive for criminals to steal and leak emails. The fix would cost you basically nothing, and would remove a powerful tool from hands of thieves.

source: green

The way it originally worked is that you would sign up with your email, and to login a “magic link” with a secret token would be emailed to you, which will set the cookie and log you in. I did it like this after a suggestions/discussion at Lobste.rs last year, and I thought it would be easier to implement (it’s not) and easier for users (it’s not).

source: L

>November 2019 is, as best I can recall, the 40th anniversary of the conception of Usenet. (What’s Usenet? The Wikipedia article is ok but not perfect.) I should have written a proper paper; instead, there will (probably) be an irregular series of blog posts.

I didn’t notice the series concluded a while back, so if you were waiting to read the whole thing, it’s done.

In this paper I present an analysis of 1,976 unsolicited answers received from the targets of a malicious email campaign, who were mostly unaware that they were not contacting the real sender of the malicious messages. I received the messages because the spammers, whom I had described previously on my blog, decided to take revenge by putting my email address in the ‘reply-to’ field of a malicious email campaign. Many of the victims were unaware that the message they had received was fake and contained malware. Some even asked me to resend the malware as it had been blocked by their anti-virus product. I have read those 1,976 messages, analysed and classified victims’ answers, and present them here. The key takeaway is that we need to train users, but at the same time we should not count on them to react properly to Internet threats. Despite dealing with cybercrime victims daily for the last seven years I was surprised by most of the reactions and realized how little we, as the security industry, know about the average Internet user’s ability (or rather inability) to identify threats online. We need to build solutions that will protect users, without their knowledge, sometimes against their will, from their ability to harm themselves.

The fifth group is actually the most worrying. I call this group ‘MY ANTI-VIRUS WORKED, PLEASE SEND AGAIN’, as these are recipients who mention that their security product (mostly anti-virus) warned them against an infected file, but they wanted the file to be resent because they could not open it. The group consisted of 44 individuals (2.35%).

source: grugq

Qualys contacted by e-mail to tell me they found a vulnerability in OpenSMTPD and would send me the encrypted draft for advisory. Receiving this kind of e-mail when working on a daemon that can’t revoke completely privileges is not a thing you want to read, particularly when you know how efficient they are at spotting a small bug and leveraging into a full-fledged clusterfuck.

Legacy code bad, even when it’s freshly written legacy code.

GitHub’s forgot password feature could be compromised because the system lowercased the provided email address and compared it to the email address stored in the user database. If there was a match, GitHub would send the reset password link to the email address provided by the attacker- which was technically speaking, not the same email address.

This is beautiful.

source: HN

It is therefore very important that we don’t let the myth propagate further. Our best interest is to have a WIDE variety of mail hosts and providers, small and big, commercial and not. We must not allow the number of mail hosts to shrink, they must increase so the e-mail address space out of the control of Big Mailer Corps remains significant.

source: L

“We have insane levels of virality that haven’t been seen since Dropbox or Slack,” Mr. Vohra added.

And it gets worse after that.

What makes an email different from a web page? Depending on how it’s presented, not a lot—but they also might be miles apart. Things that might have taken a few minutes to lay out for a website can take significantly longer to do when targeting an email client, and with a lot of pain in the middle. With that in mind, I felt like it was good to talk a little bit about the process that goes into email, and where it’s really falling short. Today’s Tedium is an email … about email. Particularly where it needs a little modernizing.

I reflexively did some basic security hygiene checks. The email was from an @cam.ac.uk email address. I hovered over the link in the email - people.ds.cam.ac.uk/grh37/awards/Adam_Smith_Prize. It pointed to the same URL that the email text claimed it did, and was located on a valid cam.ac.uk subdomain. It did strike me as a little odd that the page was hosted inside gh327’s personal directory instead of the main economics department’s site; but hey, it’s probably less bureaucracy that way. I clicked on the link and read a little about the history of the Adam Smith prize.

source: HN

Google Groups ignored this rejection and began sending email messages from the group/mailing list to my spamtrap address. Each of these messages was rejected at SMTP time, and each of them contained a unique MAIL FROM address (a VERP), which good mailing list software uses to notice delivery failures and unsubscribe addresses. Google Groups is, of course, not good mailing list software, since it entirely ignored the rejections. I expect that this increases the metrics of things like ‘subscribers to Google Groups’ and ‘number of active Google Groups’ and others that the department responsible for Google Groups is rewarded for. Such is the toxic nature of rewarding and requiring ‘engagement’, especially without any care for the details.

In this particular case, RCE means Remote *Command* Execution, not Remote Code Execution: an attacker can execute arbitrary commands with execv(), as root; no memory corruption or ROP (Return-Oriented Programming) is involved.

This vulnerability is exploitable instantly by a local attacker (and by a remote attacker in certain non-default configurations). To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes). However, because of the extreme complexity of Exim’s code, we cannot guarantee that this exploitation method is unique; faster methods may exist.

source: solar

We show practical attacks against OpenPGP and S/MIME encryption and digital signatures in the context of email. Instead of targeting the underlying cryptographic primitives, our attacks abuse legitimate features of the MIME standard and HTML, as supported by email clients, to deceive the user regarding the actual message content. We demonstrate how the attacker can unknowingly abuse the user as a decryption oracle by replying to an unsuspicious looking email. Using this technique, the plaintext of hundreds of encrypted emails can be leaked at once. Furthermore, we show how users could be tricked into signing arbitrary text by replying to emails containing CSS conditional rules. An evaluation shows that 17 out of 19 OpenPGP-capable email clients, as well as 21 out of 22 clients supporting S/MIME, are vulnerable to at least one attack. We provide different countermeasures and discuss their advantages and disadvantages.

A hacker or group of hackers had first broken into a customer support account for Microsoft, and then used that to gain access to information related to customers’ email accounts such as the subject lines of their emails and who they’ve communicated with.

But the issue is much worse than previously reported, with the hackers able to access email content from a large number of Outlook, MSN, and Hotmail email accounts, according to a source who witnessed the attack in action and described it before Microsoft’s statement, as well as screenshots provided to Motherboard. Microsoft confirmed to Motherboard that hackers gained access to the content of some customers’ emails.

Google just announced a plan to “modernize” email with its Accelerated Mobile Pages platform, allowing “engaging, interactive, and actionable email experiences.” Does that sound like a terrible idea to anyone else? It sure sounds like a terrible idea to me, and not only that, but an idea borne out of competitive pressure and existing leverage rather than user needs. Not good, Google. Send to trash.

From https://techcrunch.com/2019/03/26/google-makes-emails-more-dynamic-with-amp-for-email/

Google today officially launched AMP for Email, its effort to turn emails from static documents into dynamic, web page-like experiences.

source: HN

I’m happy to announce a new release of “mblaze”, a Unix command line mail client system in the spirit of RAND MH, but developed from scratch and focused on Maildir.

email isn’t dead yet.

Also: https://github.com/chneukirchen/mblaze

source: L

In a Lingua Franca post headed “Elimination of the Fittest” five years ago I poured scorn on Orwell’s insistence that you should “never use a metaphor, simile, or other figure of speech which you are used to seeing in print.” Silly, I said. There must always be some phrases that are currently the most popular. Banning them ipso facto would pointlessly whittle away the language, phrase by phrase, forever.

I didn’t propose going to the opposite extreme and championing clichés, of course. Yet as Gmail filled in that phrase for me, I realized that it was automating exactly what Orwell recommended against. The program lies in wait for the beginning of a letter sequence that it is used to seeing in Gmail messages, and fills in the rest for your approval, constantly tempting you toward familiar phrases.

I *FINALFUCKINGLY* commited proc filters support allowing full filtering in OpenSMTPD.

eric@ implemented fc-rDNS lookups.

I won’t expand on the features in the 6.4 release as I already wrote about the configuration file changes, the issues that required it and the refactors involved, this was the one true major feature of the release. One notable aspect though is that we dropped our support for OpenSSL in favor of LibreSSL, and THAT I should expand upon ;-)

And looking forward...

Filters have been a (the most ?) long awaited feature in OpenSMTPD. I finally committed most of the filters code to OpenBSD.