On Friday 30 November 2001 14:42, Crispin Cowan wrote:
> Heidi wrote:
>
> > As I have seen here on the list that some do not recommend that
> > Outlook or Outlook Express be used for e-mail due to security holes, I
> > would appreciate recommendations.
>
> Other people have gone over some of the many security issues involved in
> this architecture. While I agree with these analyses, it is unlikely
> that Heidi can respond to all of them in a timely fashion. Here's my
> shopping list of things that can be done quickly, sorted in
> priority-order of "bang for the buck":
>
>    1. Change mail client from MS Outlook to ANYTHING else. It doesn't
>       matter what you choose, it will be better than Outlook for
>       security. Why? Because, apart from being the target of choice for
>       virus hackers everywhere, Outlook eagerly executes vbscript in
>       mail attachments, making it all too easy to craft e-mail virii
>       that self execute as soon as Outlook's preview pane sees the
>       e-mail. Any alternate mail client is better. Some practical
>       choices for Windows desktop users are:
>           * Eudora: as others have pointed out, Eudora uses IE to render
>             HTML mail. I THINK (but I'm not sure) that you can get it to
>             use Netscape or Mozilla instead if those are installed as
>             the browser of choice.

That can be turned off.

>           * Netscape, Mozilla: these browsers come with nice mail
>             clients. It's what I'm typing this note on. They do not have
>             the security problems that Outlook has.

Make sure that Java and Javascript are turned off for mail. Otherwise there are other gotchas designed for those browsers.

>           * TheBat: lesser known, but growing in popularity.
>    2. Dump Hotmail: As others have said, involving 3rd party servers in
>       the transmission of confidential info is a bad idea, and using
>       Hotmail is a particularly bad idea. Keep all e-mail with
>       confidential content on servers and clients that you can control.
>       And then make sure you control them :-)

There is free web mail software available that is much more secure than Hotmail and it can be installed on a machine controlled and administered locally. Squirrelmail is very user friendly and in wide use. (Just make sure the person doing the install knows what they are doing.)

>    3. Put a virus scanner on your mail servers. I'm sure Jimmy can help
>       you with that :-)
>    4. Make virus scanners mandatory on client workstations. Make
>       updating the virus profiles at least weekly mandatory on these
>       workstations.
>    5. Make "personal firewalls" mandatory on these client workstations.
>       These products are not perfect, but they are quite likely to
>       detect hanky panky on the client workstations that involves
>       exporting private data.

ZoneAlarm is good for showing what is going out, as well as coming in. You would be amazed at the amount of "spyware" that can get installed on a system.

Also, keep the kids off the computer. My mother's machine is infected with multiple viruses due to little sister's e-mail bad habits. (Ever try to instruct someone on using regedit over the phone? Now try it with the average AOL user. Double-plus un-fun...)