Re: CRIME secure mail programs/internet

From: Crispin Cowan (crispin@private)
Date: Fri Nov 30 2001 - 14:42:07 PST

Next message: jradke@private: "RE: CRIME secure mail programs/internet"

Previous message: Christiansen, John (SEA): "CRIME Computer Security and Cybercrime Conference"
In reply to: Heidi: "CRIME secure mail programs/internet"
Next in thread: jradke@private: "RE: CRIME secure mail programs/internet"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Heidi wrote:

> As I have seen here on the list that some do not recommend that 
> Outlook or Outlook Express be used for e-mail due to security holes, I 
> would appreciate recommendations.
>
Other people have gone over some of the many security issues involved in 
this architecture. While I agree with these analyses, it is unlikely 
that Heidi can respond to all of them in a timely fashion. Here's my 
shopping list of things that can be done quickly, sorted in 
priority-order of "bang for the buck":

   1. Chang mail client from MS Outlook to ANYTHING else. It doesn't
      matter what you choose, it will be better than Outlook for
      security. Why? Because, apart from being the target of choice for
      virus hackers everywhere, Outlook eagerly executes  vbscript in
      mail attachments, making it all too easy to craft e-mail virii
      that self execute as soon as Outlook's preview pain sees the
      e-mail.  Any alternate mail client is better. Some practical
      choices for Windows desktop users are:
          * Eudora: as others have pointed out, Eudora uses IE to render
            HTML mail. I THINK (but I'm not sure) that you can get it to
            use Netscape or Mozilla instead if those are installed as
            the browser of choice.
          * Netscape, Mozilla: these browsers come with nice mail
            clients. It's what I'm typing this note on. They do not have
            the security problems that Outlook has.
          * TheBat: lesser known, but growing in popularity.
   2. Dump Hotmail: As others have said, involving 3rd party servers in
      the transmission of confidential info is a bad idea, and using
      Hotmail is a particularly bad idea.  Keep all e-mail with
      confidential content on servers and clients that you can control.
      And then make sure you control them :-)
   3. Put a virus scanner on your mail servers. I'm sure Jimmy can help
      you with that :-)
   4. Make virus scanners mandatory on client workstations. Make
      updating the virus profiles at least weekly mandatory on these
      workstations.
   5. Make "personal firewalls" mandatory on these client workstations.
      These products are not perfect, but they are quite likely to
      detect hanky panky on the client workstations that involves
      exporting private data.

Crispin

-- 
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

Next message: jradke@private: "RE: CRIME secure mail programs/internet"
Previous message: Christiansen, John (SEA): "CRIME Computer Security and Cybercrime Conference"
In reply to: Heidi: "CRIME secure mail programs/internet"
Next in thread: jradke@private: "RE: CRIME secure mail programs/internet"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:36:27 PDT