You are safe! ROPEMAKER is nothing but a ruse

In the last couple of days my security feed exploded with mentions of ROPEMAKER (Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky), and my first reaction was "wow! someone broke email, and that too post delivery. #WTF". I immediately opened the source, i.e. the blog post that Mimecast has published explaining the issue. Frankly, on first read, it was a disappointment! I think most of the people talking about it as a new, big, fancy issue to panic about do not understand the complete picture.

Disclaimer: This post is not meant to offend Mimecast, or in any way undermine the good work these guys do! It just addresses the fact that a security awareness article shouldn't be announced as a "Eureka!" moment with fancy acronyms.

Okay, so let's see what the blog post talks about. It quotes:

Using the ROPEMAKER exploit a malicious actor can change the displayed content in an email at will.

This is not completely (or always) true, for the simple reason that it doesn't mention who is sending this email. Is the malicious actor the sender? If yes, then he would definitely have ways to alter the contents of the email (even after delivery) if the message contains embedded URLs to refer to/download/include remote content (images, JavaScript, CSS etc.), which by assumption is under his control! But if the email has been sent by a "legit" source and a malicious actor can "somehow" change the email content, then it's a vulnerability worthy of this spotlight.
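Since the whole "post-delivery" trick rests on the mail client fetching remote content at display time, here is a small added example (my own illustration, not code from the Mimecast post) that parses a raw message and lists which remote stylesheets, scripts, images and frames it would pull; the hosts in the sample message are made up.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

REMOTE_URL = re.compile(r"^\s*(?:https?:)?//", re.IGNORECASE)
CSS_IMPORT = re.compile(r"""@import\s+(?:url\()?['"]?((?:https?:)?//[^'")\s]+)""", re.IGNORECASE)
# Tags whose attribute the mail client fetches when rendering (not <a href>, which needs a click).
LOADED_TAGS = {"link": "href", "script": "src", "img": "src", "iframe": "src"}

class RemoteRefFinder(HTMLParser):
    """Collects (kind, url) pairs for resources that would be fetched at display time."""
    def __init__(self):
        super().__init__()
        self.refs, self._in_style = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        attr = LOADED_TAGS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value and REMOTE_URL.match(value):
            self.refs.append(("stylesheet" if tag == "link" else tag, value.strip()))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:  # @import inside <style> is the remote-CSS variant
            for url in CSS_IMPORT.findall(data):
                self.refs.append(("stylesheet", url))

def find_remote_refs(raw_message):
    """Parse a raw RFC 5322 message; return remote references from all text/html parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    finder = RemoteRefFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    return finder.refs

# Constructed sample message (hypothetical hosts): a stylesheet, an @import and an image are remote.
SAMPLE = """\
From: sender@example.invalid
Content-Type: text/html; charset="utf-8"

<html><head><link rel="stylesheet" href="https://cdn.example.invalid/mail.css">
<style>@import url("//cdn.example.invalid/late.css");</style></head>
<body><img src="https://cdn.example.invalid/pixel.gif"><p>Pay: <a href="https://pay.example.invalid">here</a></p></body></html>
"""
```

Calling `find_remote_refs(SAMPLE)` yields the two stylesheet references and the image, while the clickable link is not reported because nothing is fetched for it until someone clicks.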

The current web/internet ecosystem is always considered untrusted, at least when we talk about security in the network. Hence, the orthodox and old-school security rule is: do not trust anything that comes from outside your trusted network, and emails are no exception! All of us who are security aware have gone through the anti-phishing training. How is this attack any different from the fundamental awareness rule: do not trust unknown emails?

Let's see another quote from the blog:

Is ROPEMAKER a software vulnerability, a form of potential application abuse/exploit, or a fundamental design flaw resulting from the intersection of Web technologies and email? Does it really matter which it is?

Yes, it does matter! If you make a buzz of your acronym ROPEMAKER, then it had better be something new and not just a sanity check, or a check of best practices or security awareness. This whole thing is just a ruse, and any security-aware company would already have gone through such anti-phishing training. Also, the perimeter devices or mail security products can't always check the email contents, and we know it well. These security tools can't check all of the email contents, the URLs or God-forsaken attachments (even encrypted ones).

How did the vendors respond to it? As expected, they (Apple and Microsoft) did not consider this a vulnerability, but rather a matter of security awareness and best practice. It depends on your level of paranoia whether you want to enable remote loading of images and content, or just stick to old-school plain-text emails. Now the Mimecast whitepaper (search via the dork: inurl:whitepaper ropemaker) talks about different ways to attack or exploit using ROPEMAKER. While some talk about MITM with the remote URLs, that can happen over a webpage, or even legit emails. That's not the vulnerability. It's not like you execute something like BeEF and get control of the email(s) or the URLs accessed (or embedded) in a legitimate email.

So to me it's a ruse. Yes, it is important to be aware of what you are clicking on and which emails you are opening, but I don't think it's a vulnerability or something for which you need any defense or software/product:

... Mimecast has been able to add a defense against this exploit for our customers ...

At best, I repeat: please be aware of what you click, have good awareness training and security education, and be prepared for the incident. It's not about if you will be hacked, but when you will be hacked!

Finally, to conclude this part with some satire (no offense, Mimecast), here are some other acronyms worth mentioning:

  1. ROPCAT: Remotely Originated Post-delivery Content Alteration Trick
  2. ROCKMAN: Remote Originated Content Knowhow Manipulated All my Network
  3. WTFACRONYM: Web Traffic Filter Alters Content of Regulatory Office Notes You Manage!

Be aware, and stay safe!