They say old tricks are the best tricks — at least in the movies.
In “The Fifth Element,” a future Bruce Willis learns that he has won a contest. But he has been tricked with one of the oldest tricks in the book, er, movie.
And so it is today. According to a new report, hackers have long been able to spoof digital signatures and email with a decades-old bug.
For the everyday internet user, spoofed email is a known enemy. It’s annoying when you get one, and worse when you send one.
That’s because you didn’t send it; somebody spoofed your email and you have to explain it to your recipients. That could be complicated, for example, if you solicited opposing counsel for legal assistance to a Nigerian prince.
Ars Technica says that some of the most popular email encryption tools have that kind of vulnerability. A decades-old bug allows hackers to spoof the digital signature of anybody with a public key.
So that means just about everybody. For techies, it means a problem with encryption tools like GnuPG, Enigmail, GPGTools, and python-gnupg.
A Big Bug
Researchers discovered and patched the problem, but the patch doesn’t undo the past. According to their report, “decades’ worth of email messages” may have been spoofed.
“The vulnerability in GnuPG goes deep and has the potential to affect a large part of our core infrastructure,” wrote software developer Marcus Brinkmann. “GnuPG is not only used for email security, but also to secure backups, software updates in distributions, and source code in version control systems like Git.”