Posts Tagged ‘email encryption’
Keep Calm and Carry On
Written by Casper Manes on September 28, 2011 – 4:00 pm -
<sarcasm> Okay, sit down, I have some shocking news for you. TLS has been hacked, broken, smashed to bits. The technology that secures almost all of the secure Internet traffic we rely upon daily has been cracked. We’re all doomed, our bank accounts are going to be plundered, and ecommerce will come to an end. We might just as well all return to the trees; we made a good go of it, but society as we know it is done.</sarcasm>
In all seriousness though, the latest blow to the technologies that help to secure significant amounts of traffic on the Internet was delivered this week by Thai Duong and Juliano Rizzo, two security researchers who plan to demonstrate proof of concept code at the Ekoparty Security Conference in Buenos Aires, Argentina, that can actually decrypt TLS 1.0 traffic. It is a proof of concept, not a zero day exploit already developed into a Metasploit plug-in, so there’s no need to panic quite yet.
Understanding Email Encryption (Part 1)
Written by Jeff Orloff on August 9, 2011 – 5:32 pm -
It doesn’t matter if your company uses email to communicate corporate secrets, confidential financial information, or just an invite to the annual picnic; people who weren’t intended to see the message shouldn’t be able to.
Lessons We Should Learn From Epsilon
Written by Jeff Orloff on July 4, 2011 – 6:25 pm -
When Epsilon Data Management disclosed a breach of its email system, panic struck cyberspace. Names like JP Morgan Chase, Citi Bank, Staples, Verizon and Hilton were listed as some of the customer databases that had been compromised as a result.
As many customers of these companies started receiving emails explaining that their email was exposed in the breach and could be used in illicit activities, email administrators started looking at what they could learn as a result of this catastrophe.
Tips for Better Email Security
Written by Jeff Orloff on June 27, 2011 – 6:34 pm -
Advanced persistent threats make email security a necessity
Most email administrators consider security to be a large part of what they do. With so many laws and regulations governing the storage, discovery and retrieval of email messages, security has become a second job to many.
Unfortunately, many administrators either forget, or simply aren’t aware, that securing email requires much more effort than hardening the email servers against attack. In order to fully protect your organization’s email and its contents, the mailbox also needs to be defended, especially when you consider how popular Advanced Persistent Threats are becoming with large cyber crime syndicates, who use email not only as a way to harvest sensitive information, but also as a method of attack through phishing and social engineering.
5 Simple Mistakes When it Comes to Email Security
Written by Jeff Orloff on June 13, 2011 – 6:01 pm -
In just one week Google, the International Monetary Fund and Citigroup have all made headlines as a result of email associated with them being under attack. The reason we continue to see companies make the news as a result of email attacks is that email security is sometimes ignored when it comes to training users properly and making good decisions. In some cases, having the latest and greatest when it comes to security tools even creates a false sense of security that causes us, and our users, to overlook the little things. A multi-layered defense that has been properly configured with all the best technology can be rendered useless if the little things are forgotten.
Plugging Leaks using Rights Management
Written by John P Mello Jr on January 13, 2011 – 3:44 pm -
Information leaks can be harmful to an organization’s profitable operation. Microsoft Exchange 2010, with its rights management features, can give a company the kind of control over its information to reduce the risk of such leaks occurring.
In an Exchange environment, rights management can be imposed through the Active Directory Rights Management Server. Rights Management was introduced by Microsoft to its Windows Server product in 2003 and later renamed when Windows Server 2008 debuted. The name change reflected improved integration with Active Directory.
Rights Management allows administrators, as well as others, to control access to documents, emails and web pages. It also can be used to limit what can be done to those things. For example, functions such as printing, copying, altering or forwarding can be enabled or disabled for documents or emails. What’s more, administrators can bundle rights in templates that can be applied across a system.
Outlook Anywhere versus VPN
Written by Ed Fisher on September 30, 2010 – 3:42 pm -
Securing remote Outlook client access to Exchange
As more businesses embrace the distributed workforce, moving more and more employees from the traditional cubicle farm into more of a work-remotely arrangement (whether these employees are the classical road warriors, or simply working from their own home office), one of the most important resources they will need to access is of course email. As more and more companies embrace SharePoint as an Internet-connected portal, and as other applications move to the cloud, these remote users have less and less reason to come into the office to connect to the corporate network. This may present the Exchange administrator and/or architect of the next email system with the question of whether to design a solution that depends upon a VPN connection, or to deploy a solution using Outlook Anywhere.
Both are perfectly secure and valid solutions for connecting Outlook clients to Exchange, and both have definite advantages and disadvantages. This article will discuss both solutions, and present the pros and cons of each.
Securing Email Part Two-Server to Server
Written by Ed Fisher on September 17, 2010 – 4:37 pm -
Welcome to part two in a series on securing email. In part one we introduced the challenge, and three influences: compliance, technology, and support.
In this post, we’re going to look at two of the prevailing methods for securing email exchanges between servers… the way two businesses might wish to secure the email exchanges between them to prevent eavesdropping or interception on the Internet. We’ll look at SMTP/TLS and at routing SMTP over a VPN connection, and look at the pros and cons of each method.
Securing Email Part One – The Challenges
Written by Ed Fisher on September 14, 2010 – 4:35 pm -
Most users will agree that email is a mission critical business tool. Confidential business information, proposals, and contracts are sent via email daily all over the Internet, and most of our users never give a second thought to the sensitive, privileged, and sometimes even critical information that they are sending over an unencrypted transmission, there for anyone with a protocol analyser to read.
They may not even realise that they could be violating company policy, contractual obligations, or even legal statutes regarding the transmission of confidential information. All companies should have policies regarding the transmission of sensitive information through email. While a policy that prohibits any such information being sent using email could greatly reduce the chance of disclosure, the reality of business communications is that this is not a practical approach.
This is part one of a three-part series, where we will discuss some of the issues that surround and influence securing email. In part two of this series, we will discuss the pros and cons of server side solutions: SMTP/TLS and routing email over VPN connections. And in part three, we will look at the pros and cons of client side solutions: PGP and S/MIME. If you’d like to understand more about why we would want to encrypt email, please read on.
Securing Email Part Three – Client to Client
Written by Ed Fisher on September 9, 2010 – 12:12 pm -
Thanks for sticking with us, and welcome to part three of this series on securing email. In part one we introduced the challenge, and three influences: compliance, technology, and support. And in part two, we looked at SMTP/TLS and routing SMTP over a VPN for server side solutions. In this final part, we’re going to look at client side solutions to ensure we are securing our email from sender to recipient.
There are two standard ways to do this. Both utilise the services of a PKI, and will require client side configurations. As such we may also find that we need to work with yet another part of the IT department; our desktop support team. They own the desktops and will likely be responsible for the client side configuration necessary with either of these solutions.
When securing email using client to client solutions, we may find this to be the most challenging approach for a number of reasons. We will need to ‘touch’ the clients, and we will need to ensure that we are implementing a solution that is compatible with the recipient systems. On the server side, we can split up our SMTP exchanges, sending some out to the Internet in the clear, others over a VPN, and still others using SMTP/TLS. When working with client side solutions, we need to make sure that what we implement on our clients is the same as what our partner organisation has implemented on their clients. If we have two partner organisations where one chose S/MIME and the other went with PGP, then we may need to purchase both for all the clients that must communicate with both partners.


