20-year-old email bug is used to spoof signatures: Here's how to protect yourself

Several popular email encryption tools have been found to be vulnerable to spoofed signature attacks for decades, according to an advisory post published by Marcus Brinkmann, lead developer of NeoPG, on Wednesday.

The critical vulnerability–called SigSpoof, and indexed as CVE-2018-12020–was found in GnuPG, Enigmail, GPGTools, and python-gnupg, Brinkmann found. The root cause goes all the way back to GnuPG 0.2.2 in 1998, he told Ars Technica.

Digital signatures are used to verify the source of an encrypted message, data backup, or software update, Ars Technica noted. The source typically uses a private encryption key to make the application show that a message or file is signed. However, SignSpoof made it possible for attackers to fake signatures with only a person’s public key or key ID, which are often published online. Worse, users can’t tell if the spoofed email is malicious without complicated forensic analysis, so it’s likely that they’d never know, Brinkmann wrote in the advisory.

SEE: Encryption policy (Tech Pro Research)

Essentially, this means that decades of email messages used for sensitive business, government, or security matters may have been spoofs, Ars Technica noted. But, it goes further than that, affecting the daily operations of IT and developers as well.

“The vulnerability in GnuPG goes deep and has the potential to affect a large part of our core infrastructure,” Brinkmann wrote in the advisory. “GnuPG is not only used for email security but also to secure backups, software updates in distributions, and source code in version control systems like Git.”

SigSpoof only affects vulnerable software when it enables a setting called “verbose,” which is used to troubleshoot bugs, Ars Technica said. While none of the vulnerable programs enable this by default, a number of recommended configurations available online will turn it on, opening the program to the attack.

The bugs have since been patched in updates to GnuPG, Enigmail, GPGTools, and python-gnupg. Enigmail and the Simple Password Store have also gotten patches for two related spoofing bugs, according to the advisory.

To protect yourself, users should do the following, according to Brinkmann:

Make sure you don’t have verbose in gpg.conf.
Do not use gpg –verbose on the command line.
Upgrade to GnuPG 2.2.8 or GnuPG 1.4.23
Upgrade to Enigmail 2.0.7
Upgrade to GPGTools 2018.3

Meanwhile, developers should add “–no-verbose” to all invocations of gpg, and upgrade to python-gnupg 0.4.3, Brinkmann advised in the post.

The big takeaways for tech leaders:

A decades-old flaw called SigSpoof was found in popular email encryption tools, leaving them vulnerable to spoofed signature attacks.
Users should update GnuPG, Enigmail, GPGTools, and python-gnupg to patch the bug.

TechRepublic Premium editorial calendar: IT policies, checklists, toolkits and research for download

TechRepublic Premium content helps you solve your toughest IT issues and jump-start your career or next project.

Payroll

The Best Human Resources Payroll Software of 2023

With a lot of choices in the market, we have highlighted the top six HR and payroll software options for 2023.

A computer running Windows 11. — Image: Microsoft.

Software

Windows 11 update brings Bing Chat into the taskbar

Microsoft's latest Windows 11 allows enterprises to control some of these new features, which also include Notepad, iPhone and Android news.

A software engineer works from home. — Image: tanatat/Adobe Stock

CXO

Tech jobs: No rush back to the office for software developers as salaries reach $180,000

Salaries for remote roles in software development were higher than location-bound jobs in 2022, Hired finds.

Project management process to manage and develop with resources to deliver quality product, agile development cycle, businessman project manager balance on clock juggling project management elements. — Image: Nuthawut/Adobe Stock

Software

The 10 best agile project management software for 2023

With so many agile project management software tools available, it can be overwhelming to find the best fit for you. We've compiled a list of 10 tools you can use to take advantage of agile within your organization.

A user typing a password. — Image: Song_about_summer/Adobe Stock

Security

1Password is looking to a password-free future. Here’s why

With phishing-based credentials theft on the rise, 1Password CPO Steve Won explains why the endgame is to 'eliminate’ passwords entirely.

PURPOSE The purpose of this policy from TechRepublic Premium is to provide guidelines for employee performance reviews, which will clearly document accomplishments and areas of opportunity via an encouraging and thought-provoking analysis. This will assist in determining the next steps for employees as well as their future at the organization. This policy can be customized ...

PURPOSE The purpose of this policy from TechRepublic Premium is to provide guidelines for requesting, filing and permitting paid/unpaid time off as well as to ensure coverage during holidays, vacation(s) and other absences where staffing levels must be consistent to meet the needs of the business. From the policy: TIME OFF GUIDELINES All time off ...

PURPOSE This policy describes the organization’s employee privacy guidelines and outlines employee privacy expectations. From the policy: POLICY DETAILS The organization’s IT equipment, services and systems are intended for business use only. However, the organization acknowledges that staff, consultants and volunteers occasionally require opportunities to make or receive personal phone calls, access personal email, utilize ...

20-year-old email bug is used to spoof signatures: Here’s how to protect yourself