Not all email encryption providers are created equal: S/MIME & the Outlook Bug

By Trustifi on Nov 07 2017

Email encryption has become a pivotal tool for businesses and average citizens around the world because of how easily emails can be hacked. Encrypted email providers are constantly developing new ways to better protect your information and keep you and your business safe. Now that there are solutions which protect organizations from hacked emails and information, it is even more important to ensure those solutions function correctly.

Recently, an end-to-end encryption protocol, S/MIME (Secure/Multipurpose Internet Mail Extensions), has come under fire for failing to keep the emails of its Microsoft Outlook users encrypted. Companies using this protocol in Outlook need to beware. For the past six months, emails thought to be encrypted were actually not.

The problem was due to a bug (CVE-2017-11776) in Microsoft Outlook that occurs when users format their emails as plain text while using S/MIME encryption. This causes the “encrypted” emails to be sent in human-readable clear text along with the encrypted version. This was not the service that was promised.

One of the biggest issues is that users would have no idea that the sent email was compromised. It would still show up in the sent folder as “encrypted”, leaving the user with a false peace of mind. Tracking is a key part of email security and companies such as Trustifi have great solutions to this tracking error.

Many consumers do not understand how to encrypt an email and trust their providers with their personal information. Trustifi’s solution avoids these issues because it is a military grade, court validated interface that encrypts your emails with absolute ease. They continue to compete with the best cyber security companies in the industry due to their dedication to security. Trustifi’s solution for encrypting emails is simply one way to avoid what happened with S/MIME.

Cybercrime is a serious matter, and how a company protects itself with a secure email gateway should be decided with care and certainty. The best cyber security companies around the globe understand the trust their clients put in them, and the importance of their role in their clients’ lives.

Trustifi, a patented email solution that encrypts and tracks emails, and is the first federally-accepted method of sending legal documents online, is one of many solutions for avoiding problems that S/MIME ran into. Their solution is predicated on providing top-notch security and strict confidentiality to their clients in order to provide peace of mind.

According to researchers, the magnitude of the vulnerability depends on the configuration of the user’s Outlook.

  1. Outlook with Exchange

For Outlook with Exchange users, the exposure would only reach one hop (to the sender’s Exchange), and the plain text message would be removed when the email was sent to an external Exchange. However, if the sender and recipient were in the same Exchange, the plain text would be attached.

  2. Outlook with SMTP (Impact on the entire email path)

If Outlook was being used with SMTP, the plaintext would be received by the recipient as well as all mail servers along the path. So not only did the encryption fail, but your email could be seen by anyone on those mail servers.
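A mailbox or gateway audit can look for the symptom described above. The following Python check is an added example, not code from the original post or from Microsoft; it assumes the clear-text copy appears as a readable text part in the same MIME message as the S/MIME encrypted part, and both sample messages are constructed.

```python
from email import message_from_string

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def find_cleartext_leak(raw_message):
    """Return readable text parts that travel next to an S/MIME encrypted part."""
    has_encrypted, readable = False, []
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() in SMIME_TYPES:
            # smime-type=signed-data is signed only; a missing value counts as encrypted
            kind = str(part.get_param("smime-type", "enveloped-data")).lower()
            has_encrypted = has_encrypted or kind == "enveloped-data"
        elif part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            text = body.decode(part.get_content_charset() or "utf-8", "replace").strip()
            if text:
                readable.append(text)
    # Readable text is only a finding when the message also claims to be encrypted
    return readable if has_encrypted else []

# Constructed sample: assumed shape of a leaking message (not a captured email)
LEAKY = """\
From: alice@example.com
Subject: Q3 figures
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Confidential: the Q3 figures are attached.
--b1
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
--b1--
"""
# Constructed sample: correctly encrypted message, only the CMS blob is present
CLEAN = """\
From: alice@example.com
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
"""

if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, find_cleartext_leak(raw))
```

Run over copies of sent mail taken at the server, a non-empty result marks a message whose sent-folder “encrypted” label cannot be trusted.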

One of the biggest problems with the S/MIME bug was that users would view their email as encrypted in their own sent folder. Trustifi’s email tracking system avoids this issue, as their product users will be able to track where the email was sent to, as well as who opened it and on what device. This is yet another way to avoid any mishaps with the security of your emails.

The S/MIME bug truly demonstrates the importance of having a trustworthy encrypted email provider. Sending legal documents with confidential information is too risky if you are using a sub-par provider. Only the best cyber security companies will suffice: those who understand the ins and outs of encrypting emails and of keeping your and your clients’ information safe.

For instance, having a federally-approved form of legal delivery allows a company like Trustifi to have confidence in its solutions. This in turn gives a sense of security to its users that all is well regarding their email.

From legal records, to medical records, to intellectual property, encrypted emails and documents must be kept as safe as possible when the consumer trusts a company to do so. It is the obligation of any encrypted email provider to deliver the best possible service, with no negative outcomes.

Unfortunately, hacked emails are a part of the modern world. The more technology and security that is out there, the more people will attempt to take advantage. This is where cyber security companies must step up to the challenge. Trustifi is one such company that uses modern technology and ideas to come up with the best possible strategies and solutions to deter any negative activity.

Another reality this incident with S/MIME brings to the surface is how seriously businesses must take their private information. Human relations divisions must take note: they are in charge of protecting all the personal information of the employees and their company. It would be detrimental to any business owner if any single email with private information were to be hacked due to faulty encryption. Encrypting emails safely is the only way to avoid the major consequences that occur when an email is compromised. You must find an industry leader you can trust.

Trustifi offers a demo so you can understand exactly how their solution works before you even sign up. Understand that this matter is only becoming more and more serious, and encrypting your emails is more pertinent than ever before.

The average consumer does not understand how to encrypt an email and therefore is truly putting all their trust in cyber security companies. Mistakes such as the bug with S/MIME and many others demonstrate the risks of the modern technological world we live in. It is the provider’s job to protect and secure all of its clients’ documents to the highest standard; anything short of this is simply unacceptable.

To protect your most important information, sign up for a free trial of Trustifi’s patented solution.


1 of 3 Part Email Dangers Blog Series: Business Security – Vendor Exposure

By Trustifi on Apr 18 2017

Certain industry types require extra security and data sensitivity. When you make your career in one of those fields you get used to certain standards when it comes to protecting the data that you process. But even the most diligent of us can inadvertently overlook securing sensitive information, or think the document that we’re emailing internally is relatively innocuous and not worthy of protecting.

In this four-part series, we’ll be talking about what you should be securing, encrypting, and tracking so that you can protect yourself, your business, and your clients.

What You Need to Know About Exposure — from Your Vendors

At every level of the organization, as long as an employee is picking up the phone, or sending and receiving emails, that employee is making security decisions for the organization every day. Despite the sophistication of technology and the cybercriminals that employ its use, old-fashioned social engineering is still the go-to resource for infiltrating an organization.

Let’s take a look at how a cybercriminal might use LinkedIn to breach your organization.

LinkedIn is actually one of the biggest resources for criminals seeking to subvert a company’s security. The nature of LinkedIn is for its users to remain open so they can be searched for by business connections, clients, and vendors. But that openness also exposes organizations to attack. The larger an employee’s social network, the greater their risk of attack as they build connections.

LinkedIn also makes it incredibly easy for a cybercriminal to impersonate a legitimate connection. Let’s say that you work for Acme Optics. Acme Optics has its own LinkedIn corporate page, so it’s fairly easy to determine what kind of service Acme Optics provides and what connections it’s making with other organizations, such as vendors and procurement sources (and remember — those connections are still made by humans at the ends of the terminals).

Our cybercriminal — we’ll call him Vlad — figures out that you work for Acme Optics, determines that Acme Optics gets its lenses from Shine Glass, and sends you a spoofed email from Shine. In three relatively simple steps, Vlad has convinced you to open an email and unknowingly download malware to your internal network.

One of the more insidious ways that Vlad may hurt your organization’s bottom line was discovered during the Yahoo breach, where auto-forward was turned on for thousands of accounts. These “set it and forget it” settings, which almost no one checks regularly, set Yahoo users up for years of exposure. Everything from grandma’s cookie recipe to last year’s tax filings was being auto-forwarded to hackers.

And that’s relatively easy to do on company servers, too — once you’ve been let in the back door via malware.

Fortunately, you can protect yourself and your organization by requiring that your vendors send any attachments through a secure email lifecycle solution. By utilizing a secure solution, you can be assured that you and your vendors are protected through end-to-end secure email, lifecycle tracking, and dual validation technology.

Also, remember to “trust but verify.” Despite your familiarity with a vendor, even our most trusted associates are open to being spoofed. Vlad is depending on your trust to open that email. If you’re not sure why your vendor is sending you an attachment, pick up the phone and call to confirm that your vendor sent you an email. An ounce of prevention is worth a pound of cure.

