Tag

email

Browsing

Mailsploit is a Metasploit-like toolkit targeting vulnerabilities in email programs as a means of compromising an endpoint:

Now one researcher has dug up a new collection of bugs in email programs that in many cases strip away even the existing, imperfect protections against email impersonation, allowing anyone to undetectably spoof a message with no hint at all to the recipient.

On Tuesday, security researcher and programmer Sabri Haddouche revealed Mailsploit, an array of methods for spoofing email in more than a dozen common email clients, including Apple Mail for iOS and macOS, Mozilla’s Thunderbird, Microsoft Mail, and Outlook 2016, as well as a long list of less common clients including Opera Mail, Airmail, Spark, Guerrilla Mail and Aol Mail.

Over the years, administrators of email servers have increasingly adopted authentication systems, most recently one known as Domain-based Message Authentication, Reporting and Conformance, which blocks spoofed emails by carefully filtering out those whose headers pretend to come from a different source than the server that sent them.

By crafting email headers to take advantage of flawed implementation of a 25-year-old system for coding ASCII characters in email headers known as RFC-1342, and the idiosyncrasies of how Windows, Android, iOS, and macOS handle text, Haddouche has shown that he can trick email servers into reading email headers one way, while email client programs read them differently.

Haddouche’s full list of affected email clients and their responses to his Mailsploit research is here.1.

Blaming the server, rather than the email client, may be more than just a lazy dodge: Haddouche tells WIRED that email providers and firewalls can also be set to filter out his attack, even if email clients remain vulnerable.

Beyond the specific bugs Mailsploit highlights, Haddouche’s research points to a more fundamental problem with email authentication, says Kaminsky.

The State Department has released another batch of Hillary Clinton emails to demonstrate the types of mundane traffic she receives on a daily basis:

Among the thousands of messages — many of which appear to be missives on day-to-day tasks — is a 2010 note to Wikileaks founder Julian Assange, asking him not to publish 250,000 classified documents. The publication of the documents would risk “the lives of countless innocent individuals,” “ongoing military operations,” and “ongoing cooperation between countries.”

“Despite your stated desire to protect those lives, you have done the opposite and endangered the lives of countless individuals,” wrote State Department legal adviser Harold Koh. “You have undermined your stated objective by disseminating this material widely, without redaction and without regard to the security to the security and sanctity of the lives your actions endanger.”

The last email addressing Wikileaks is mostly redacted, save for a note at the top that wishes Clinton and her family, former president Bill and daughter Chelsea, a “Merry Christmas.”

Other messages, mostly from 2009 and 2010, include Clinton’s reactions to major political events during those years:

“Needless to say, I’m so distressed over all of this,” she wrote on Election Day 2010, when the GOP wave resulted in Democrats losing the House.

According to the State Department, approximately 125 of the emails in this batch were classified after-the-fact, not prior to Clinton having received them. In either case, it would have been prudent for her to take the necessary steps to clean the email server of these emails rather than keep classified information on an unclassified network.

Federico Viticco reviews Spark by Readdle, a brand new iOS email client aiming to help you enjoy your email experience yet again

I’ve had a complicated relationship with email over the years. Part of the problem has been the Sisyphean effort of third-party apps that tried to modernize email: the more developers attempted to reinvent it, the more antiquated standards, platform limitations, and economic realities kept dragging them down. I’ve seen email clients for iOS rise and fall (and be abandoned); I’ve tried many apps that promised to bring email in the modern age of mobile and cloud services but that ultimately just replaced existing problems with new ones. Sparrow. DispatchMailboxCloudMagicOutlook. Each one revolutionary and shortsighted in its own way, always far from the utopia of email reinvention on mobile.

Spark by Readdle, a new email app for iPhone released today, wants to enhance email with intelligence and flexibility. To achieve this, Readdle has built Spark over the past eighteen months on top of three principles: heuristics, integrations, and personalization. By combining smart features with thoughtful design, Readdle is hoping that Spark won’t make you dread your email inbox, knowing that an automated system and customizable integrations will help you process email faster and more enjoyably.

I’ve been using Spark for the past three weeks, and it’s the most versatile email client for iPhone I’ve ever tried. It’s also fundamentally limited and incomplete, with a vision that isn’t fully realized yet but promising potential for the future.

Read the entire review for the full details. Bottom line: Spark is an impressive email client but without companion iPad and OS X applications, it offers an iOS-only, incomplete, imperfect vision, but one that is better than anything else available today.

I continue to play with Spark and will offer some thoughts of my own by the end of the week. So far, I really enjoy what I am seeing but it is missing a major feature I really need because of my workflow.

I aggregate multiple email accounts, to include gmail accounts, and standard imap accounts, to a single fastmail account. Because of this process, I require email aliases so I can send-as any one of the aggregated accounts. Without this capability, it is nearly impossible for me to send email using Spark. I suspect I am not the only person in this situation.

More to come …