
Why you shouldn’t trust the “world’s most secure” email service

(Image: stock photo)

If something seems too good to be true, it probably is.

In the cybersecurity world, if something is said to be “unhackable” or provides “absolute security,” you should run for the hills, because — spoiler alert — there is no such thing as “absolute” security.

Anyone who tells you otherwise is stupid enough not to know, or smart enough to try to lie.

Enter one security startup, Nomx, an Arlington, Va.-based hardware maker founded by chief executive Will Donaldson, which builds (in his words) the “world’s most secure” email service. The company promises “absolute security” in its email-in-a-box offering for anyone who buys the $199 device.

But those claims were refuted by two leading UK-based security researchers, commissioned by the BBC earlier this year to examine the Nomx device.

Scott Helme, a security researcher, and Alan Woodward, a professor at the University of Surrey, found several flaws in the device, which turned out to be built around a homebrew Raspberry Pi micro-computer. Helme and Woodward found a litany of serious flaws in the easily hackable device, which they said can lead to a “full compromise.” An attacker can “read, delete, and send emails” from the device with a simple cross-site request forgery attack, in which a malicious website can trick a computer into running malicious code, said Helme in a blog post.
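As an added illustration (not Nomx’s code, and not taken from the researchers’ write-up), here is the kind of server-side check that a state-changing admin request, such as deleting or sending mail, should pass before it is honoured: the request must come from the appliance’s own web UI and carry a per-session token that a third-party page cannot read. The origin `https://mail.example.local` and the request shape are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed origin of the appliance's own web UI (hypothetical, not a real Nomx host).
ALLOWED_ORIGINS = {"https://mail.example.local"}

@dataclass
class Request:  # minimal stand-in for an HTTP request reaching the admin UI
    method: str
    headers: dict
    cookies: dict
    form: dict = field(default_factory=dict)

def new_session(sessions):
    """Create a session id and a random anti-CSRF token bound to it."""
    sid = secrets.token_urlsafe(16)
    sessions[sid] = secrets.token_urlsafe(32)
    return sid

def csrf_check(req, sessions):
    """Return (allowed, reason). Safe methods pass; state-changing requests such as
    deleting or sending mail need a same-origin source and a session-bound token."""
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    expected = sessions.get(req.cookies.get("session"))
    if expected is None:
        return False, "no valid session"
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if not source:
        return False, "missing Origin/Referer"
    parts = urlsplit(source)  # Referer is a full URL; compare only scheme://host
    if f"{parts.scheme}://{parts.netloc}" not in ALLOWED_ORIGINS:
        return False, "cross-origin request rejected"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return False, "bad or missing csrf token"
    return True, "ok"

def demo():
    """Constructed requests: one from the UI itself, one a forged POST from another
    site, which can make the browser send the session cookie but not the token."""
    sessions, origin = {}, "https://mail.example.local"
    sid = new_session(sessions)
    legit = Request("POST", {"Origin": origin}, {"session": sid},
                    {"id": "42", "csrf_token": sessions[sid]})
    forged = Request("POST", {"Origin": "https://third-party.example"},
                     {"session": sid}, {"id": "42"})
    return csrf_check(legit, sessions), csrf_check(forged, sessions)
```

Without a check like this, the browser attaches the session cookie to any request a visited page triggers, which is exactly what lets a malicious site act as the logged-in admin.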

Their findings were later independently reviewed by Paul Moore, an information security consultant.

Nomx, however, disputed the research in a statement on its website, arguing that the kind of simulated attack is “not an action a typical user would do.”

“No Nomx devices, accounts or data was ever compromised and the blogger could not show any evidence of such actions,” said Nomx’s website.

But the company’s rebuttal doesn’t stand up, nor can it substantiate its counter-claims — while leaving more questions than answers about the device’s (lack of) security.

“I guess ‘total compromise’ is subjective,” said Helme in a message. “Some people expect you to pop a shell, but to me, such extensive control over your emails, which is the point of the device, is ‘total compromise’.”

Woodward agreed, telling me in a message that the Nomx device is “compromised to the extent that anything an admin user can do on the box, an attacker can do.”

True, both Woodward and Helme said that it’s not known if any customer Nomx devices have been compromised. Woodward said that the whole point about ethical hacking is that “you hope to work with a company to close vulnerabilities before users are damaged.”

“We were asked by the BBC whether we could say if any box had been compromised,” said Woodward. “We said we obviously couldn’t confirm that. It was this that Will Donaldson took out of context and implied that we had accepted the box was secure.”

When pressed, Donaldson repeated his claim in an email that none of his customers have been compromised, but he provided no evidence to back up his claim.

Instead, he said: “If you have any reports, issues, claims or statements that counter what I’ve said I’d like to see them and their source.”

With no way to remotely access a device (despite the fact that each device has an undocumented login account), Donaldson has no way to check the logs to see if any Nomx device has been compromised. Woodward and Helme only released their findings after Donaldson said that “no user was now at risk and all boxes had been exchanged or updated,” but because the researchers found no update mechanism on the device, there’s no way to patch the vulnerabilities even if Nomx had released a patch — and there is no evidence that one has been released.

In an email, Donaldson made several grandiose, bizarre, and unsubstantiated claims, among which he said that many mainstream email providers are “compromised daily.” He added that former Democratic presidential candidate Hillary Clinton “would have been president” had she used one of his email boxes.

But Donaldson did not answer our specific questions — particularly how the company plans to improve the device’s security following the disclosure. Instead, he referred to his website’s statement to address questions relating to the device’s security.

When he repeated his claim that “no users were affected by this vulnerability,” we asked how the company came to that conclusion — which is when he stopped responding to our emails.

Donaldson’s attempt to counter the researchers’ fact-based narrative collapsed in the face of too many unanswered questions. Instead, Donaldson took a page out of the spin playbook by having his website boast a headline claiming that Nomx “passes” security, a day before BBC Click aired its investigation.

Moore, who reviewed the researchers’ findings, tweeted: “You didn’t pass at all. Far from it.”

As with any security product, extraordinary claims require extraordinary evidence. And while Nomx may have bravado, its promises just don’t stand up.
