Re: CRIME secure mail programs/internet

From: Crispin Cowan (crispin@private)
Date: Fri Nov 30 2001 - 14:42:07 PST


    Heidi wrote:
    
    > As I have seen here on the list that some do not recommend that 
    > Outlook or Outlook Express be used for e-mail due to security holes, I 
    > would appreciate recommendations.
    >
    Other people have gone over some of the many security issues involved in 
    this architecture. While I agree with these analyses, it is unlikely 
    that Heidi can respond to all of them in a timely fashion. Here's my 
    shopping list of things that can be done quickly, sorted in 
    priority-order of "bang for the buck":
    
       1. Change mail client from MS Outlook to ANYTHING else. It doesn't
          matter what you choose, it will be better than Outlook for
          security. Why? Because, apart from being the target of choice for
          virus hackers everywhere, Outlook eagerly executes vbscript in
          mail attachments, making it all too easy to craft e-mail virii
          that self execute as soon as Outlook's preview pane sees the
          e-mail.  Any alternate mail client is better. Some practical
          choices for Windows desktop users are:
              * Eudora: as others have pointed out, Eudora uses IE to render
                HTML mail. I THINK (but I'm not sure) that you can get it to
                use Netscape or Mozilla instead if those are installed as
                the browser of choice.
              * Netscape, Mozilla: these browsers come with nice mail
                clients. It's what I'm typing this note on. They do not have
                the security problems that Outlook has.
              * TheBat: lesser known, but growing in popularity.
       2. Dump Hotmail: As others have said, involving 3rd party servers in
          the transmission of confidential info is a bad idea, and using
          Hotmail is a particularly bad idea.  Keep all e-mail with
          confidential content on servers and clients that you can control.
          And then make sure you control them :-)
       3. Put a virus scanner on your mail servers. I'm sure Jimmy can help
          you with that :-)
       4. Make virus scanners mandatory on client workstations. Make
          updating the virus profiles at least weekly mandatory on these
          workstations.
       5. Make "personal firewalls" mandatory on these client workstations.
          These products are not perfect, but they are quite likely to
          detect hanky panky on the client workstations that involves
          exporting private data.
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    


