Encryption in Company Networks Foiled

http://www.heise.de/english/newsticker/data/anw-26.02.02-007/

The encrypting of e-mails in company networks is foiled if it is done in a Microsoft Exchange/Outlook 9x/200x environment. In a POP3/IMAP4 environment this is not the case. In answer to a question by heise online Microsoft confirmed that appended files encrypted with crypto plug- ins are transmitted in an unencrypted form from client to server even when the encryption function of the plug-in has been activated.

The problem lies in the fact that the appended file is transmitted immediately via the RPC protocol (Remote Procedure Call) to the server once the user has created a confidential e-mail and appended the file –- regardless of whether the encryption plug-in has been activated or not. Neither does the "Save Drafts" option within the Outlook e-mail program have an effect on the above procedure. Although Outlook does activate the desired plug-in, encrypting both mail and appended file once the user has completed his e-mail and presses the send button; however, prior to this taking place the unencrypted appended file has already been sent. The problem can be detected with the aid of a network sniffer.

Activating the RPC standard encoding procedure is the only means of protection available, in some versions, though, this amounts to an encoding of only 40 bits – a level widely considered unsafe. Microsoft confirmed that if the line to the server is not encrypted at this point the data are RPC-encoded only and not encrypted. A Microsoft employee declared towards heise online that about half the manufacturers of crypto plug-ins were affected; PGP, for instance, and most of the Sphinx products were vulnerable

Experts suspect, however, that virtually all marketed crypto plug-ins are affected. The problem has been discussed since January at the Forum of Incident Response and Security Teams (FIRST), without a result so far. When queried Microsoft informed heise online that "after an analysis of the technical details" this operation could not be labeled a "security breach within the MS Exchange/Outlook 9x/200x environment." The "automatic MAPI-RPC-based potentially unencrypted transmission of e-mail data" was "a standard procedure undertaken for performance reasons within the domain of a protected network" by the Outlook program.

An Exchange/Outlook environment might in the event of large amounts of data being transmitted impede the performance of client applications, Microsoft declared. Which is why Outlook for performance reasons engaged in "pro-active background storage" of data already existing in the message memory in question. These "optimizations" had been introduced "at the request of a large number of Outlook users" so as to optimize the use of the program in an exchange-server environment. Microsoft pointed out that the Outlook object model intended to be used for programming plug-ins gave plug-in manufacturers the opportunity of suppressing the automatic background transmission, thus preventing data from leaving the local PC before being encrypted.

A manufacturer affected had been informed of this by the Microsoft Service Department and was now discussing ways of redesigning his product. When approached by heise online the company in question, which did not want its name to be made public, denied this, however. The company said that rather than demand an elaborate redesign of the plug-ins, it was up to Microsoft to modify the transmission routine. (Robert W. Smith) / (Christiane Schulzki-Haddouti) / (anw/c't)

 

At first, I was astounded at this news, and then I caught the word "Microsoft", and everything became clear to me...