Archive for category Security

Setting Up Secure Email with S/MIME

Posted by on Thursday, 9 April, 2015

Although often overlooked, many standard email clients (not web-based) provide the ability to send S/MIME secure email. S/MIME has been around for quite some time, but you typically only see it used by perhaps government employees or maybe security-minded folks.

What is S/MIME anyway? It stands for Secure/Multipurpose Internet Mail Extensions.

Using client certificates, similar in concept to server certificates, a user sending an email can do two major things:

1) Digitally Sign an email – this marks the email as having come from the actual sender and will show the receiver if the mail has been altered after the sender signed and sent the email. Nifty!

2) Encrypt an email – once two users both have S/MIME configured and have exchanged messages (thus exchanging public keys), they can exchange encrypted messages back and forth. Note that this is different in concept than TLS level transport encryption between SMTP servers. Transport level encryption ensures that while in transit the message is not sent in the clear. S/MIME level message encryption ensures that the only one who can read the message is the intended recipient – who of course has the private key.

What’s really nice is that a user on an email system or client that doesn’t support S/MIME will still be able to read the signed (but not encrypted) messages. They simply see a smime.p7s file attachment with the message.

Read the rest of this entry »

It doesn’t make sense to filter websites as blogs, and it hasn’t for at least half a decade.

Posted by on Friday, 4 January, 2013

Wow, time flies when you’re busy billing. As we enter 2013 it’s easy to see how neglectful we’ve been of this blog. 2012 was our busiest year yet, and we thank all our wonderful clients for all the great opportunities to help them solve their technical challenges.

One challenge that repeatedly comes up is in regards to permitted web browsing. A few of our clients work under a much larger entity that controls web access through proxy appliances, namely devices by Blue Coat. This isn’t to point them out specifically, as what I’m about to describe seems de rigeur across the web filtering industry niche.

These specific customers are troubled often when trying to research a technical issue. Perhaps they, like many of us, do a google search of the problem. They see in the results something germane to their issue. When they click on the link however, the proxy appliance that is maintained by the controlling organization’s IT team blocks access to the page, because that organization decided they wanted to block anything in the “Blogs/Personal Pages” category. (Click here to see the definitions for these categories used by Blue Coat)

So while researching the issue I noticed that Blue Coat’s own security blog was not classified as a “Blogs/Personal Pages” and pointed this out to them. They agreed that it should be put in this category according to their current definitions. Blue Coat helpfully pointed out that an IT Department could craft rules that would, for example, allow websites marked as “Blogs/Personal Pages” only if they were also categorized as “Computers/Internet.” While useful, the cold hard fact is that often IT teams don’t do this: it’s simply more effort on already overworked IT groups, and such groups are apt to want to keep things as simple as possible.

Read the rest of this entry »

How Safe is that Cloud?

Posted by on Monday, 14 June, 2010

Cloud computing has some strong elements, but be mindful of your legal exposure. Having your business information stored on the cloud does not appear to afford the same legal protection as storing it on your office PC.

IT has a history of latching onto hot trends and buzzwords, and the latest is no different: cloud computing. Let me first say that it’s an exciting concept, but not necessarily a new one. While it has evolved over the years, it’s had a number of names that date back to the early days of IT and MIS. Here’s a few you might have heard in previous decades: application service provider, hosted service provider, network computing, time-sharing, multitenancy. All of these are variations on the same theme – someone else hosts the system or application, the client using the system pays for only the portion they use, without the overhead expense of maintaining the infrastructure.

Read the rest of this entry »