Chapter List
Chapter 8: Securing E-Mail from Prying Eyes Chapter 9: File and Storage Strategies Chapter 10: Authentication Systems Chapter 11: Secure E-Commerce
Chapter 12: Virtual Private Network (VPN) Encryption Chapter 13: Wireless Encryption Basics
In this part . . .
In this part I look at some of the most common encryption technologies you are likely to find in the workplace. And if they are not in your workplace, maybe they should be.
This part goes in depth into e-mail encryption and takes a look at some of the other types of data you should be encrypting. Don’t forget that you need to protect all that private information you gather on your e-commerce customers.
There are many new state and federal regulations that require that certain types of data be encrypted.
And don’t forget authentication, either. It’s well and good to encrypt your data, but you also have to make sure that you really know who you are working with on the other end of the Internet.
Chapter 8: Securing E-Mail from Prying Eyes
In This Chapter
Learning the basics of e-mail encryption Discovering the standards of S/MIME and PGP
Deciding on Digital Certificates or public/private PGP keys Setting up e-mail programs to use S/MIME and PGP Obtaining Digital Certificates
Generating your PGP keys
Sending and receiving encrypted messages
Storing your Digital Certificates and PGP keys with confidence Trying other encryption programs and plug-ins
In 1998, an online bookstore called Alibris was caught intercepting e-mail that their clients had been sending to their competitor, Amazon.com. In court, Alibris contended that they had done no harm and had gained no economic advantage, so there was no crime, really. The court didn’t accept this argument and charged Alibris $250,000.00 for snooping into other people’s e-mails.
In recent years, courts have decreed that the company-supplied e-mail belongs to the company and not the employee.
Therefore, all e-mail sent on the company’s system belongs to the company and is subject to review at any time by the company’s technicians and/or management. Because of this ruling, some companies have directed their technical staff to snoop in e-mails to try to detect fraud and abuse. The courts have upheld the rights of companies to do this, but now companies have another problem at hand — how do they monitor e-mail while still complying with new privacy laws?
There’s an oft-quoted rule of thumb regarding company e-mail that I’ll relate here: Never say anything in an e-mail that could get you in trouble if everyone in the company could read it. That’s good advice because management now has the right to snoop in your e-mail.
If you share a home computer with others in your family, you may not want everyone in the family to be able to read all of your e-mails. But, your e-mail program probably saves all your outgoing e-mail in a “sent mail” folder anyway. Do you think it would be all that difficult for your family members to sneak a look at those e-mails? Whether or not they have the right to do this is not a question I think would stand up in court.
Surprisingly, most e-mail clients (e-mail programs) have the ability to use some sort of encryption to secure e-mail from prying eyes, but most users are not aware of this capability. In this chapter I look at the two easiest and most popular forms of e-mail encryption and show you how to set your system up to use them.
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks.
E-Mail Encryption Basics
When e-mail programs were first created, no one ever conceived of the fact that eventually some security measures would have to be added to keep people from reading others’ mail. The early Internet users were a very naïve group — they tended to believe in the honesty and integrity of people and envisioned the Internet as a self-policing community.
Sigh. How wrong they were.
Eventually, the people who created the e-mail protocols and the e-mail programs realized that they had to go back to the drawing board to try to retrofit some form of security.
Before they ever got to the security aspects, they first had to create a way for e-mail to interpret data other than straight text in the e-mail messages. Early e-mail programs could not handle attachments or fancy formatting in messages. The vendors of e-mail programs got together and created MIME — Multipurpose Internet Mail Extensions.
MIME allowed e-mail programs to send and receive data other than text — pictures, audio, HTML, and so on. And, it didn’t matter whether everyone was using the same e-mail programs because MIME became the standard for translating different types of file formats into something the e-mail programs could understand.
S/MIME
I had to start out with MIME to lay the groundwork for the next transition in e-mail. When problems with e-mail security raised their ugly heads, the vendors of e-mail programs realized that they would have to figure out a way for everyone to be able to send secure e-mail. That is, e-mail in some sort of coded or encrypted form. It only made sense that this new feature be standardized, so they created S/MIME — Secure Multipurpose Internet Mail Extensions.
Standards being as they are, I don’t have to remind you that the assorted vendors have interpreted the standards to suit their needs. That means that S/MIME (or MIME, for that matter) doesn’t always work perfectly between different e-mail programs. But, it works well enough to at least give it a try.
Technical Stuff Not too long ago there weren’t many security options for computer users, and it was even illegal for individuals to own any form of strong encryption device. Encryption was considered “munition” by the government along with chemical and biological weapons, tanks, heavy artillery, and military aircraft. This is a throwback to WWII and the Cold War when all governments were developing new ways to keep secrets from one another.
Export of encryption software is still controlled because hostile forces could exchange encrypted files and messages and the government wouldn’t be able to figure out what they were saying. Luckily for us, the government has recently relaxed their attitude about encryption and the average user doesn’t have a thing to worry about.
In addition to the standard of S/MIME, another standard came to be in a rather unusual way. I’m talking about PGP, or Pretty Good Privacy.
PGP
The PGP program is a competing standard with S/MIME and was created in 1991 in response to the government’s request to put “back doors” into encryption programs so that the government could read encrypted files and messages that they suspected of containing criminal information. This raised the hackles of privacy rights advocates and programmers alike. Phil Zimmermann created PGP and distributed it throughout the world on the Internet. It quickly became so popular that it was accepted as a standard worldwide. The government charged him for the crime of exporting munitions. The whole battle took on a cult following and, at times, even bordered the surreal, but eventually the government dropped charges against Zimmermann and relaxed their stance on the exportation of encryption.
The PGP program is now available both as commercial software (with support) and as freeware. The source code of the program has been extensively examined by experts the world over and has been deemed safe and strong. Many e-mail programs now include PGP plug-ins that create buttons on the toolbar for ease of use.
PGP has some problems coordinating its actions with S/MIME, but these problems are trivial and can usually be handled with some configuration changes done by power users or network administrator.
This document was created by an unregistered ChmMagic, please go to http://www.bisenter.com to register it. Thanks.