Re: E-mail Security
From: Jay D. Dyson (jdyson@treachery.net)
Date: 08/07/01
Date: Mon, 6 Aug 2001 19:35:37 -0700 (PDT)
From: "Jay D. Dyson" <jdyson@treachery.net>
To: Security-Basics List <security-basics@securityfocus.com>
Subject: Re: E-mail Security
Message-ID: <Pine.GSO.3.96.1010806192942.29550K-100000@crypto>
-----BEGIN PGP SIGNED MESSAGE-----
On 4 Aug 2001, Robert Ireland wrote:
> I'm putting together some documentation and a major article on e-mail
> security in order to try and highlight just how insecure sending
> financial/legal confidential documentation can be over the internet,
> what the risks are, the techniques used to intercept, decrypt and view
> their documentation.
This is not an email security issue; this is a cleartext issue.
That sort of problem could be readily mitigated through the secure use of
public key cryptographic systems such as PGP and/or GPG.
> The main focus of my article will be trying to dispel the theory that
> e-mail is safe. Far too many times I've heard "large companies" tell me
> that they send out documents containing financial, legal and privileged
> information via e-mail, and that "the document is secure because it's
> password protected!"
E-mail is neither inherently safe nor unsafe. Some mail transport
agents (MTAs) are more insecure and some mail user agents (MUAs) are more
insecure (Outlook Express comes immediately to mind). But the Sendmail
Transport Protocol (SMTP) is sound. All that need be done is use secure
MTAs such as Qmail or Postfix, secured MUAs on a secured OS, and never
engage in meaningful communication without first exchanging -- in a
verified and verifiable manner -- public keys.
> The article will come in three parts. An "Executive Part" aimed at
> highlighting to corporate executives just how insecure e-mail can be. I
> have to make it very simple to understand for reasons that I think we
> all probably keep coming across when talking to CEOs, MDs.
I'd be more than happy to speak to this issue. Bottom line is,
there's a right way and a wrong way to do things...and most folks just
don't care.
> The second article will be aimed at "Technical" people and increasing
> their knowledge of not only how insecure e-mail is but the tricks
> used to access documents.
Count me in for that as well.
> Finally, the final article along with a summary will be aimed at your
> everyday user.
Ditto.
> I would be very interested if anybody can point me in the direction of
> existing documentation, statistics, news stories, articles relating to
> e-mail security which will benefit the article outlined above. I'd be
> very interested to hear from anybody that has had first hand experience
> of documents being intercepted and how it was being done.
By and large, most mail isn't "intercepted" en route. It's
snagged after it's reached its destination.
- -Jay
( ( _______
)) )) .-"There's always time for a good cup of coffee."-. >====<--.
C|~~|C|~~| (>------ Jay D. Dyson - jdyson@treachery.net ------<) | = |-'
`--' `--' `- Black as hell, sweet as love, swift as death. -' `------'
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.
-----END PGP SIGNATURE-----