'World's Most Secure' Email Service Is Easily Hackable (vice.com)

Nomx, a startup that offers an email client by the same name, bills itself as the maker of the "world's most secure email service." The startup goes on to suggest that "everything else is insecure." So it was only a matter of time before someone decided to spend some time on assessing how valid Nomx's claims are. Very misleading, it turns out. From a report on Motherboard: Nomx sells a $199 device that essentially helps you set up your own email server in an attempt to keep your emails away from mail exchange (or MX) -- hence the brand name -- servers, which the company claims to be inherently "vulnerable." Security researcher Scott Helme took apart the device and tried to figure out how it really works. According to his detailed blog post, what he found is that the box is actually just a Raspberry Pi with outdated software on it, and several bugs. So many, in fact, that Helme wrote Nomx's "code is riddled with bad examples of how to do things." The worst issue, Helme explained, is that the Nomx's web application had a vulnerability that allowed anyone to take full control of the device remotely just by tricking someone to visit a malicious website. "I could read emails, send emails, and delete emails. I could even create my own email address," Helme told Motherboard in an online chat. A report on BBC adds: Nomx said the threat posed by the attack detailed by Mr Helme was "non-existent for our users." Following weeks of correspondence with Mr Helme and the BBC Click Team, he said the firm no longer shipped versions that used the Raspberry Pi. Instead, he said, future devices would be built around different chips that would also be able to encrypt messages as they travelled. "The large cloud providers and email providers, like AOL, Yahoo, Gmail, Hotmail - they've already been proven that they are under attack millions of times daily," he said. "Why we invented Nomx was for the security of keeping your data off those large cloud providers. To date, no Nomx accounts have been compromised."

  • Sorry but most secure email server is qmail. End of. That also can run on a pi.

  • "world's most secure" = "hack me, I'm yours" (Score:3)

    by evolutionary ( 933064 ) on Thursday April 27, 2017 @02:09PM (#54314453)
    Claims like that are just hacker bait. First point of security, don't broadcast the strength of your security.
  • https://www.nomx.com/ [nomx.com] No nomx user was affected by this threat. No nomx user could be affected by this threat in the future. No nomx data was compromised, and the blogger has (finally) reluctantly verified this. He still has not publicly shared these statements, except via an email response to the BBC when directly asked on April 25 the response was: From the BBC to nomx: "I understand from your replies that you state categorically that no nomx accounts have been affected by this hack. I have put your que

    • Re: (Score:2, Insightful)

      by evolutionary ( 933064 )
      Uh, this feels like something posted by a Nomx employee...
    • You fail to realize why this response is inadequate, fallacious, and utterly garbage. 1) Of course no nomx data was compromised, it was a test machine 2) How do they know that no nomx account has been compromised? They don't. They aren't a web service. This is a physical device, managed by individuals, not monitored by the company 3) Even if no one has been compromised, that doesn't negate the real, high risk vulnerabilities 4) Statistics don't tell a compelling story. Nomx is not used by billions of peopl

      • nevermind this:

        future devices would be built around different chips that would also be able to encrypt messages as they travelled.

        So it's a fail right off the bat if it doesn't encrypt the mail in the first place.

        • Re: (Score:2)

          by IMightB ( 533307 )

          What exactly does that mean... encrypt as they travel? As someone that spent nearly a decade at a SaaS email security firm, SMTPS is only PtoP. If there are points in between, there's a chance that your email will have an unencrypted hop. Otherwise you're looking at GPG/SMIME solutions... based on the info provided, I don't see what they are doing any different other than providing a "dedicated" box....
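          The hop-by-hop point above can be checked on a delivered message: each relay records the protocol it received the mail with in its own Received: header, so a message can show which hops lacked STARTTLS. The following is an added example, not code from the thread or from Nomx; the headers are constructed, and the hostnames are placeholders.

```python
import re

# Constructed sample trace headers (not from any real message): three hops,
# where the middle relay handed the mail on with plain ESMTP, i.e. no TLS.
SAMPLE_RECEIVED = [
    "from mx.example.net (mx.example.net [192.0.2.10]) by mail.example.org "
    "with ESMTPS (TLSv1.2) id abc123; Thu, 27 Apr 2017 14:09:00 +0000",
    "from relay.example.com (relay.example.com [198.51.100.7]) by mx.example.net "
    "with ESMTP id def456; Thu, 27 Apr 2017 14:08:30 +0000",
    "from client.example.com ([203.0.113.5]) by relay.example.com "
    "with ESMTPSA (TLSv1.2) id ghi789; Thu, 27 Apr 2017 14:08:00 +0000",
]

# "from <host> ... by <host> ... with <protocol>" as written in Received: headers.
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S)

def parse_hops(received_headers):
    """Return (from, by, protocol, tls) per hop, oldest hop first.

    Received: headers are prepended on each delivery, so the header order
    is newest first and must be reversed to follow the message's path.
    """
    hops = []
    for hdr in reversed(received_headers):
        m = HOP_RE.search(hdr)
        if not m:
            continue
        src, dst, proto = m.groups()
        # RFC 3848 keywords: ESMTPS / ESMTPSA mean STARTTLS was negotiated
        # on that hop; bare SMTP / ESMTP means the hop was in the clear.
        tls = proto.upper() in ("ESMTPS", "ESMTPSA", "SMTPS")
        hops.append((src, dst, proto, tls))
    return hops

def plaintext_hops(received_headers):
    """Hops that, by their own trace header, were not TLS protected.

    Caveat: every relay writes its own Received: line, so this is
    self-reported evidence, not proof; an untrusted relay can write anything.
    """
    return [(s, d) for s, d, _, tls in parse_hops(received_headers) if not tls]
```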

  • Just learn the basics of postfix or qmail on a FreeBSD server (you could use Debian or CentOS but FreeBSD is supposedly best for security applications).
    • Sorry, I should have said OpenBSD. Think OpenBSD may be better than FreeBSD. Both are still good, but OpenBSD has more specifics for security. Sorry about that slip.

  • Nomx has a reply on their site (Score:3)

    by zerofoo ( 262795 ) on Thursday April 27, 2017 @02:36PM (#54314637)

    It appears the "hack" requires local hardware access to accomplish:

    https://nomx.com/ [nomx.com]

    The BBC provided the nomx devices for testing to a UK-based blogger who physically disassembled and rooted one of the nomx devices. Rooting was done, in his words, by disassembling the nomx case, physically removing memory card from the Raspberry and inserting it into his PC, and then resetting the root password. That is not an action a typical user would do, nor is it routine for a nomx device.

    • Re: (Score:2)

      by EvilSS ( 557649 )

      It appears the "hack" requires local hardware access to accomplish:

      https://nomx.com/ [nomx.com]

      The BBC provided the nomx devices for testing to a UK-based blogger who physically disassembled and rooted one of the nomx devices. Rooting was done, in his words, by disassembling the nomx case, physically removing memory card from the Raspberry and inserting it into his PC, and then resetting the root password. That is not an action a typical user would do, nor is it routine for a nomx device.

      Yeah, but was all that part of the exploit, or just the blogger picking apart the system to find the holes in the first place? In other words, would any of the exploits the blogger claimed to discover work on an out-of-the-box device?

    • Re: (Score:1)

      by Anonymous Coward

      The statement on nomx's website is horribly misleading. None of the attacks described require physical access or rooting; the security researcher just did those things to help find things. The CSRF attacks he was performing would work on any out-of-the-box nomx device.
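      The distinction this reply draws is what separates a CSRF bug from a lab-only finding: the device admin interface trusted the session cookie alone, and a browser attaches that cookie to a request no matter which site submitted it. The following is an added illustration, not Nomx's code or Helme's: a hypothetical delete-mail endpoint in its vulnerable form beside a hardened form that also requires a session-bound token and a matching Origin header. All names, the mailbox contents and the request objects are constructed.

```python
import hmac, hashlib, secrets

# Hypothetical model of a device admin endpoint, constructed for this example.
MAILBOX = {"alice": ["msg-1", "msg-2"]}
SECRET = secrets.token_bytes(32)             # per-device secret (constructed)
DEVICE_ORIGIN = "https://nomx-device.local"  # assumed admin UI origin
SESSIONS = {"sess-abc": "alice"}             # session cookie value -> user

def csrf_token(session_id):
    """Token bound to the session; a third-party page cannot read or guess it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def delete_mail(user, msg_id):
    MAILBOX[user].remove(msg_id)

def handle_vulnerable(req):
    """Authorises on the session cookie alone. The browser sends that cookie
    with any form post to the device, including one a hostile page submits."""
    user = SESSIONS.get(req["cookies"].get("session"))
    if not user:
        return 401
    delete_mail(user, req["form"]["id"])
    return 200

def handle_hardened(req):
    """Same action, but a cross-site page can supply neither a valid
    session-bound token in the body nor an Origin equal to the device's."""
    sid = req["cookies"].get("session")
    user = SESSIONS.get(sid)
    if not user:
        return 401
    if req["headers"].get("Origin", "") != DEVICE_ORIGIN:
        return 403
    if not hmac.compare_digest(req["form"].get("csrf", ""), csrf_token(sid)):
        return 403
    delete_mail(user, req["form"]["id"])
    return 200

def cross_site_request(msg_id):
    """Constructed request as a browser would send it when another site's page
    auto-submits a form: victim's cookie present, foreign Origin, no token."""
    return {"cookies": {"session": "sess-abc"},
            "headers": {"Origin": "https://evil.example"},
            "form": {"id": msg_id}}

def legitimate_request(msg_id):
    """Constructed request from the device's own admin page."""
    return {"cookies": {"session": "sess-abc"},
            "headers": {"Origin": DEVICE_ORIGIN},
            "form": {"id": msg_id, "csrf": csrf_token("sess-abc")}}
```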

  • They are selling a mail server for who? It's not like you can run this device on a residential internet account, at least not here in the US. Running a server is against most major ISPs' TOS and the majority block SMTP ports. Since reverse DNS will not resolve correctly, you will be blacklisted by every major email provider. So who exactly is this for?

  • Who would think that unscrupulous people would trick people... now excuse me while I help this Nigerian prince rescue his fortune.

