'World's Most Secure' Email Service Is Easily Hackable (vice.com)

Posted by msmash from the reality-check dept.
Nomx, a startup that offers an email client by the same name, bills itself as the maker of the "world's most secure email service." The startup goes on to suggest that "everything else is insecure." So it was only a matter of time before someone decided to spend some time on assessing how valid Nomx's claims are. Very misleading, it turns out.

From a report on Motherboard: Nomx sells a $199 device that essentially helps you set up your own email server in an attempt to keep your emails away from mail exchange (or MX) -- hence the brand name -- servers, which the company claims to be inherently "vulnerable." Security researcher Scott Helme took apart the device and tried to figure out how it really works. According to his detailed blog post, what he found is that the box is actually just a Raspberry Pi with outdated software on it, and several bugs. So many, in fact, that Helme wrote Nomx's "code is riddled with bad examples of how to do things." The worst issue, Helme explained, is that the Nomx's web application had a vulnerability that allowed anyone to take full control of the device remotely just by tricking someone to visit a malicious website. "I could read emails, send emails, and delete emails. I could even create my own email address," Helme told Motherboard in an online chat.

A report on BBC adds: Nomx said the threat posed by the attack detailed by Mr Helme was "non-existent for our users." Following weeks of correspondence with Mr Helme and the BBC Click Team, he said the firm no longer shipped versions that used the Raspberry Pi. Instead, he said, future devices would be built around different chips that would also be able to encrypt messages as they travelled. "The large cloud providers and email providers, like AOL, Yahoo, Gmail, Hotmail - they've already been proven that they are under attack millions of times daily," he said. "Why we invented Nomx was for the security of keeping your data off those large cloud providers. To date, no Nomx accounts have been compromised."

  • Sorry but most secure email server is qmail. End of. That also can run on a pi.

  • Claims like that are just hacker bait. First point of security, don't broadcast the strength of your security.
  • https://www.nomx.com/ [nomx.com]

    No nomx user was affected by this threat. No nomx user could be affected by this threat in the future. No nomx data was compromised, and the blogger has (finally) reluctantly verified this. He still has not publicly shared these statements, except via an email response to the BBC when directly asked on April 25 the response was: From the BBC to nomx: "I understand from your replies that you state categorically that no nomx accounts have been affected by this hack. I have put your questions to [blogger] who has confirmed to me that he cannot say that any have." While nomx is no longer based on Raspberry devices, we still maintain that the users' data is secured as we’ve demonstrated to the blogger, the media and our customers.

    For Media: We request that any media desiring to profile nomx security or this blogger to use this website with attribution to nomx (www.nomx.com) and to also include the statistics below. Due to large number of interested media, we are not able to respond to every reporter directly within the deadlines imposed and believe it is only fair to share with all media these same details. We invite all media who care to see an onsite demonstration of the nomx in action to request and schedule a time in the Washington, DC or NYC areas in the coming weeks. We will provide a nomx and allow video, use of the nomx and any third parties to attempt to access the device.

    For Media - Some statistics:

    Number of nomx accounts that have been compromised since inception: 0

    Number of Gmail accounts that have been compromised in the United States (from 2014): About 5 million to 24 million depending on source

    Number of other cloud-based emails compromised as of 2016 = 272 million

    Number of Yahoo accounts (including email) compromised 2013-2016: more than 1 billion

    The Future: nomx is now finalizing the “Cloud in Your Attic” server that also includes an internal nomx email server, and a host of other servers that maintain users’ personal data off the clouds that are regularly attacked daily. nomx ensures absolute privacy for personal and commercial email and messaging. Today's digitally connected world may feel modern, but the core of how we communicate online is based on 50-year-old code and protocols that expose every one of us to significant security risks whenever we send information across the internet. In the last two years alone, every major email service provider was hacked, exposing the private information of millions of people to cybercriminals. nomx ensures absolute security and privacy when communicating online by resolving issues with the Transmission, Routing, Acceptance, Communication header data, Encryption and Storage (TRACES) vulnerabilities that have been present in email since its creation.

  • Just learn the basics of postfix or qmail on a FreeBSD server (you could use Debian or CentOS, but FreeBSD is supposedly best for security applications).

  • It appears the "hack" requires local hardware access to accomplish:

    https://nomx.com/ [nomx.com]

    The BBC provided the nomx devices for testing to a UK-based blogger who physically disassembled and rooted one of the nomx devices. Rooting was done, in his words, by disassembling the nomx case, physically removing memory card from the Raspberry and inserting it into his PC, and then resetting the root password. That is not an action a typical user would do, nor is it routine for a nomx device.

