ATTENTION ONLINE AND SELF-PROCESSING CREDIT UNIONS
Information About EFAIL Email Encryption Vulnerability
What Is EFAIL?
Last week, security researchers in Europe announced a vulnerability dubbed ‘EFAIL’, which affects certain types of encrypted email that use the PGP or S/MIME encryption protocols. These vulnerabilities are actually more than a decade old, but are being exploited in new ways.
If successfully exploited, EFAIL could allow a skilled attacker with access to encrypted emails to read their contents in plain text.
Is CU*Answers Vulnerable to EFAIL?
CU*Answers uses a product from Zix to encrypt email. It is our understanding that ZixEncrypt is not vulnerable to EFAIL.
Is My Credit Union Vulnerable to EFAIL?
There are many variables that can affect potential exposure to EFAIL. You should work with your technology team to understand if your encrypted email system is at risk.
It is our understanding that:
- CNS clients that use ZixEncrypt email encryption are not vulnerable.
- A successful attack requires that the attacker already have access to the encrypted email or the email server itself.
- A properly patched and configured network should have additional controls in place (e.g., a firewall) that make this access difficult.
- Patch your systems promptly.
- Check with your vendor for fixes that address EFAIL.
- Fixing this may require updates to both email servers and email clients/readers.
- Test your encrypted email systems regularly.
- Email is NOT inherently secure.
- Email encryption, regardless of the solution/vendor, is an aftermarket solution.
- Make sure you are testing your email encryption systems regularly to/from an external account, to ensure they are functioning and encrypting as expected.
If you have questions or concerns, please contact the Help Desk at extension 266, or by email.