Re: CRIME secure mail programs/internet

From: Alan (alan@private)
Date: Fri Nov 30 2001 - 11:13:49 PST


    On Friday 30 November 2001 08:18, Heidi wrote:
    > As I have seen here on the list that some do not recommend that Outlook or
    > Outlook Express be used for e-mail due to security holes, I would
    > appreciate recommendations. This would be for people working on home
    > computers, who have medical information stored on their systems.  These are
    > only connected to a network when they log in to transfer their work to the
    > network. When the work is transferred they log in using a VPN.  Otherwise,
    > they are stand-alone PCs, which are used by some of the people for their
    > work, as well as personal internet use.  Hotmail is being used on the
    > network end to send information to the home PCs.  The concern here is when
    > these people are surfing the internet that the medical files would be
    > vulnerable to access, especially after reading the latest advisory sent
    > below, in relation to internet explorer and previous postings I have read
    > here on the list about not using Outlook.  This system for these people is
    > fairly new and they are in the learning stages of file protection, VPN,
    > etc.
    > Also, does anyone in the medical related industry know what the dates are
    > that we will have to be compliant using encryption on our files, and if
    > there will be training provided using the required encryption, etc. to meet
    > the compliance requirements for HIPAA? I have been asked by my employer
    > to relay any of this information regarding security issues back to them.
    > Thank you for any help in advance. Heidi
    > This is the latest advisory I make reference to:
    >
    > National Infrastructure Protection Center
    > "Multiple Vulnerabilities in Microsoft Internet Explorer - All Versions"
    > Assessment 01-028
    > 29 November 2001
    > You can respond to me individually at mcps@private.
    > Thank you, Heidi Henry
    
    Where do I start... There are so many things wrong here.
    
    First of all, Hotmail is VERY insecure.  Anything going through Hotmail 
    should be encrypted.  (PGP or GPG is highly recommended here.) Hotmail has 
    been broken more times than I care to think about. Hushmail is a better 
    choice, if you can get them to switch.
    
    There are free versions of PGP available from http://www.pgp.com/. GNU 
    Privacy Guard is an Open Source version of PGP and can be obtained from 
    http://www.gnupg.org/.
    
    As for the "home PCs".  I assume these are Windows 9x boxes.  There is no 
    security there.  (With tools like BackOrifice/BO2K and its variants, your 
    system can be rooted and you would never know it.) Win 9x passwords are next 
    to useless. (Just hit "cancel"!) Windows NT/2k will give you a bit more 
    security, but the little sprogs will probably not be able to play games on 
    the machine any more. (Like that is a bad thing.) At least the account 
    passwords work...
    
    Eudora is a safer e-mail client. (Not perfect, but it is much better than 
    Outlook.) If they need the calendar functionality, get them to install 
    Mandrake Linux and use Evolution for mail.
    
    As for the VPN...  What *kind* of VPN?  If it is PPTP from Microsoft, you 
    need to replace it with something that is secure. (It has multiple 
    vulnerabilities in version one. They "fixed" them in version two, but made it 
    possible to default back to version one. Pretty sad...)
    
    What you described is an accident waiting to happen.  It can be fixed, but it 
    is going to require changing a number of bad habits, both from the people 
    handing out the data and the people working with it at home.
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:19 PDT