email

The voice of America Online’s “You’ve got mail” has died at age 74

1989, 1990s, AOL, Elwood Edwards, email, Harry McCracken, Internet, internet history, Jimmy Fallon, modem, Obituaries, obituary, online history, online services, Quantum Link, retrotech, Steve Case, Tech, Technologizer, The Simpsons, Tom Hanks, You've Got Mail / Rejus Almole / November 8, 2024

In 1995, Wired Magazine’s AOL forum asked Edwards to record 10 humorous sound files using his iconic voice. The results, which include classics such as “You want fries with that,” “You’ve got credit card debt,” and “Stop touching me!” still live on in the depths of The Internet Archive. He also ran a side business recording custom sound files for AOL users.

A screenshot of America Online's version 2.5 client in 1995. — A screenshot of America Online’s version 2.5 client in 1995.

Over time, the “You’ve got mail” line became something of a cultural reference point, as tech journalist Harry McCracken pointed out in 2011 on his Technologizer blog, with various news headlines often borrowing the “You’ve got [something]” structure for humorous effect.

Edwards’ voice greeting became so embedded in American popular culture that it inspired the 1998 romantic comedy You’ve Got Mail. The film stars Tom Hanks and Meg Ryan as rival bookstore owners who unknowingly fall in love through anonymous email exchanges. Director Nora Ephron built the movie’s narrative around the anticipation that AOL users felt when hearing Edwards’ voice announce new messages, with the film grossing $250 million worldwide.

Elwood Edwards’ 2015 appearance on The Tonight Show Starring Jimmy Fallon.

At WKYC, Edwards worked behind the scenes as a graphics specialist, camera operator, and general production staff member since 2002. His voice work brought him occasional moments in the spotlight, including an appearance in a 2000 episode of The Simpsons, where he played a virtual doctor announcing, “You’ve got leprosy.” He appeared on The Tonight Show Starring Jimmy Fallon in 2015, performing his classic greeting along with phrases suggested by the audience.

Before his death, Edwards worked as an Uber driver. His voice continues to greet users of AOL’s current email service, maintaining an enduring connection to the early days of consumer Internet access.

The voice of America Online’s “You’ve got mail” has died at age 74 Read More »

Attackers exploit critical Zimbra vulnerability using cc’d email addresses

Biz & IT, email, Security, vulnerabilities, webshells, Zimbra / Paul Patrick / October 2, 2024

Attackers are actively exploiting a critical vulnerability in mail servers sold by Zimbra in an attempt to remotely execute malicious commands that install a backdoor, researchers warn.

The vulnerability, tracked as CVE-2024-45519, resides in the Zimbra email and collaboration server used by medium and large organizations. When an admin manually changes default settings to enable the postjournal service, attackers can execute commands by sending maliciously formed emails to an address hosted on the server. Zimbra recently patched the vulnerability. All Zimbra users should install it or, at a minimum, ensure that postjournal is disabled.

Easy, yes, but reliable?

On Tuesday, Security researcher Ivan Kwiatkowski first reported the in-the-wild attacks, which he described as “mass exploitation.” He said the malicious emails were sent by the IP address 79.124.49[.]86 and, when successful, attempted to run a file hosted there using the tool known as curl. Researchers from security firm Proofpoint took to social media later that day to confirm the report.

On Wednesday, security researchers provided additional details that suggested the damage from ongoing exploitation was likely to be contained. As already noted, they said, a default setting must be changed, likely lowering the number of servers that are vulnerable.

Security researcher Ron Bowes went on to report that the “payload doesn’t actually do anything—it downloads a file (to stdout) but doesn’t do anything with it.” He said that in the span of about an hour earlier Wednesday a honey pot server he operated to observe ongoing threats received roughly 500 requests. He also reported that the payload isn’t delivered through emails directly, but rather through a direct connection to the malicious server through SMTP, short for the Simple Mail Transfer Protocol.

“That’s all we’ve seen (so far), it doesn’t really seem like a serious attack,” Bowes wrote. “I’ll keep an eye on it, and see if they try anything else!”

In an email sent Wednesday afternoon, Proofpoint researcher Greg Lesnewich seemed to largely concur that the attacks weren’t likely to lead to mass infections that could install ransomware or espionage malware. The researcher provided the following details:

While the exploitation attempts we have observed were indiscriminate in targeting, we haven’t seen a large volume of exploitation attempts

Based on what we have researched and observed, exploitation of this vulnerability is very easy, but we do not have any information about how reliable the exploitation is

Exploitation has remained about the same since we first spotted it on Sept. 28th

There is a PoC available, and the exploit attempts appear opportunistic

Exploitation is geographically diverse and appears indiscriminate

The fact that the attacker is using the same server to send the exploit emails and host second-stage payloads indicates the actor does not have a distributed set of infrastructure to send exploit emails and handle infections after successful exploitation. We would expect the email server and payload servers to be different entities in a more mature operation.

Defenders protecting Zimbra appliances should look out for odd CC or To addresses that look malformed or contain suspicious strings, as well as logs from the Zimbra server indicating outbound connections to remote IP addresses.

Proofpoint has explained that some of the malicious emails used multiple email addresses that, when pasted into the CC field, attempted to install a webshell-based backdoor on vulnerable Zimbra servers. The full cc list was wrapped as a single string and encoded using the base64 algorithm. When combined and converted back into plaintext, they created a webshell at the path: /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp.

Attackers exploit critical Zimbra vulnerability using cc’d email addresses Read More »

Exim vulnerability affecting 1.5 million servers lets attackers attach malicious files

Biz & IT, email, exim, exploits, Security, vulnerabilities / Paul Patrick / July 11, 2024

GIRD YOUR LOINS —

Based on past attacks, It wouldn’t be surprising to see active targeting this time too.

Dan Goodin – Jul 11, 2024 8: 47 pm UTC

More than 1.5 million email servers are vulnerable to attacks that can deliver executable attachments to user accounts, security researchers said.

The servers run versions of the Exim mail transfer agent that are vulnerable to a critical vulnerability that came to light 10 days ago. Tracked as CVE-2024-39929 and carrying a severity rating of 9.1 out of 10, the vulnerability makes it trivial for threat actors to bypass protections that normally prevent the sending of attachments that install apps or execute code. Such protections are a first line of defense against malicious emails designed to install malware on end-user devices.

A serious security issue

“I can confirm this bug,” Exim project team member Heiko Schlittermann wrote on a bug-tracking site. “It looks like a serious security issue to me.”

Researchers at security firm Censys said Wednesday that of the more than 6.5 million public-facing SMTP email servers appearing in Internet scans, 4.8 million of them (roughly 74 percent) run Exim. More than 1.5 million of the Exim servers, or roughly 31 percent, are running a vulnerable version of the open-source mail app.

While there are no known reports of active exploitation of the vulnerability, it wouldn’t be surprising to see active targeting, given the ease of attacks and the large number of vulnerable servers. In 2020, one of the world’s most formidable hacking groups—the Kremlin-backed Sandworm—exploited a severe Exim vulnerability tracked as CVE-2019-10149, which allowed them to send emails that executed malicious code that ran with unfettered root system rights. The attacks began in August 2019, two months after the vulnerability came to light. They continued through at least May 2020.

CVE-2024-39929 stems from an error in the way Exim parses multiline headers as specified in RFC 2231. Threat actors can exploit it to bypass extension blocking and deliver executable attachments in emails sent to end users. The vulnerability exists in all Exim versions up to and including 4.97.1. A fix is available in the Release Candidate 3 of Exim 4.98.

Given the requirement that end users must click on an attached executable for the attack to work, this Exim vulnerability isn’t as serious as the one that was exploited starting in 2019. That said, social engineering people remains among the most effective attack methods. Admins should assign a high priority to updating to the latest version.

Exim vulnerability affecting 1.5 million servers lets attackers attach malicious files Read More »

Backdoors that let cops decrypt messages violate human rights, EU court says

csam, e2ee, email, end to end encryption, end-to-end, European Commission, European Court of Human Rights, European Court of Justice, European Union, Freedom of speech, Online Privacy, Policy, Private messaging, russia, telegram, Terrorism / Kris Guyer / February 15, 2024

Enlarge / Building of the European Court of Human Rights in Strasbourg (France).

The European Court of Human Rights (ECHR) has ruled that weakening end-to-end encryption disproportionately risks undermining human rights. The international court’s decision could potentially disrupt the European Commission’s proposed plans to require email and messaging service providers to create backdoors that would allow law enforcement to easily decrypt users’ messages.

This ruling came after Russia’s intelligence agency, the Federal Security Service (FSS), began requiring Telegram to share users’ encrypted messages to deter “terrorism-related activities” in 2017, ECHR’s ruling said. A Russian Telegram user alleged that FSS’s requirement violated his rights to a private life and private communications, as well as all Telegram users’ rights.

The Telegram user was apparently disturbed, moving to block required disclosures after Telegram refused to comply with an FSS order to decrypt messages on six users suspected of terrorism. According to Telegram, “it was technically impossible to provide the authorities with encryption keys associated with specific users,” and therefore, “any disclosure of encryption keys” would affect the “privacy of the correspondence of all Telegram users,” the ECHR’s ruling said.

For refusing to comply, Telegram was fined, and one court even ordered the app to be blocked in Russia, while dozens of Telegram users rallied to continue challenging the order to maintain Telegram services in Russia. Ultimately, users’ multiple court challenges failed, sending the case before the ECHR while Telegram services seemingly tenuously remained available in Russia.

The Russian government told the ECHR that “allegations that the security services had access to the communications of all users” were “unsubstantiated” because their request only concerned six Telegram users.

They further argued that Telegram providing encryption keys to FSB “did not mean that the information necessary to decrypt encrypted electronic communications would become available to its entire staff.” Essentially, the government believed that FSB staff’s “duty of discretion” would prevent any intrusion on private life for Telegram users as described in the ECHR complaint.

Seemingly most critically, the government told the ECHR that any intrusion on private lives resulting from decrypting messages was “necessary” to combat terrorism in a democratic society. To back up this claim, the government pointed to a 2017 terrorist attack that was “coordinated from abroad through secret chats via Telegram.” The government claimed that a second terrorist attack that year was prevented after the government discovered it was being coordinated through Telegram chats.

However, privacy advocates backed up Telegram’s claims that the messaging services couldn’t technically build a backdoor for governments without impacting all its users. They also argued that the threat of mass surveillance could be enough to infringe on human rights. The European Information Society Institute (EISI) and Privacy International told the ECHR that even if governments never used required disclosures to mass surveil citizens, it could have a chilling effect on users’ speech or prompt service providers to issue radical software updates weakening encryption for all users.

In the end, the ECHR concluded that the Telegram user’s rights had been violated, partly due to privacy advocates and international reports that corroborated Telegram’s position that complying with the FSB’s disclosure order would force changes impacting all its users.

The “confidentiality of communications is an essential element of the right to respect for private life and correspondence,” the ECHR’s ruling said. Thus, requiring messages to be decrypted by law enforcement “cannot be regarded as necessary in a democratic society.”

Martin Husovec, a law professor who helped to draft EISI’s testimony, told Ars that EISI is “obviously pleased that the Court has recognized the value of encryption and agreed with us that state-imposed weakening of encryption is a form of indiscriminate surveillance because it affects everyone’s privacy.”

Backdoors that let cops decrypt messages violate human rights, EU court says Read More »