PaulDotCom mailing list archives
e-mail attachments and security
From: mailing at vankets.com (Bert Van Kets)
Date: Wed, 27 Jan 2010 09:40:02 +0100
All valid points, but in this particular case it is very important that one receiver can never access the data from another receiver. Putting all the reports in a secure location together contradicts that. I think it's better to keep the reports totally separated and secure them individually. I just can't see a replacement for self extracting archives. I would never put medical info in a cloud owned by a third party, no matter how secure it's supposed to be. You have no guarantee that the people managing the cloud are as secure as the software.

Andrew Ellis wrote:

What about putting the files on a publicly accessible Linux box and letting the users SCP them down. A tool like WinSCP runs on Windows, is free, has no installation, and makes moving the files around as easy as drag-and-drop.

On Tue, Jan 26, 2010 at 4:40 PM, David A. Gershman <dagershman_dgt at dagertech.net> wrote:

I agree (contradicts myself I agree). Any other suggestions though?

As for passing scanning tools, the dumber ones can be defeated simply by changing the .exe extension. Unfortunately, this adds to the steps on the receiver's side.

Perhaps not sending the .exe file via email in the first place. Anyone heard of a "secure" web file sharing site? A place where N people can create a shared area which requires authentication to access. This would be a fair place to put the .exe file (NOT a replacement for the encryption).

That scares me telling users to not run exe files emailed to them except the exe files that are emailed to them. I would not send the files as self extracting to avoid mixed messages.

Just my .02

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Bert Van Kets <mailing at vankets.com>
Date: Tue, 26 Jan 2010 22:56:51
To: PaulDotCom Security Weekly MailingList <pauldotcom at mail.pauldotcom.com>
Subject: Re: [Pauldotcom] e-mail attachments and security

I just tested 7Zip and it does create self extracting files (SFX option). Combined with the 256-bit AES encryption it's a pretty good solution. The only hurdle now is that EXE files are not accepted by some e-mail applications, e.g. Outlook. Of course zipping the EXE with regular Windows Zip compression prior to emailing is one possible solution. I know that with Outlook renaming the EXE to something else is enough to make it pass. Of course that is a bit less user friendly.

Thanks for the solution! You guys rock!

Bert

David A. Gershman wrote:

Sounds to me the only way to go would be for your brother to install the software that would encrypt but make a self-extracting executable. This way the other end would (hopefully) scan for viruses and just run the program which would prompt for the password key.

Anyone know of specific programs that do the encryption *and* create self-extracting .exe's?

Hi Guys,

I got a pretty interesting question from my brother yesterday. He's a medical doctor in the UK and he needs to send reports to other doctors by e-mail regularly. The reports are in MS Word format. These doctors are in different locations and not connected to a common organization (hospital or company). At the moment he uses the MS Word password protection to try to keep the sensitive data away from prying eyes. We all know how secure that method is (not!).

I told him he'd better use some other system that guarantees a bit more protection but the problem is he can not ask of the people who receive the reports to install extra software (like PGP or GPG encryption). The security may not get in the way of the usability. Asking the receivers to install extra software and configuring it is not an option. These are not IT guys and don't even know how to spell GPG, let alone install it. Passing a password over by telephone is the maximum these guys are willing to go. 8-O

Do you guys have some ideas on what could be a better solution for this "three legged stool" problem?

Thanks.

Bert

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

----------------------------------------
David A. Gershman
gershman at dagertech.net
http://dagertech.net/gershman/
"It's all about the path!" --d. gershman
Current thread:
- e-mail attachments and security Bert Van Kets (Jan 26)
- e-mail attachments and security Colin Vallance (Jan 26)
- e-mail attachments and security Joel Folkerts (Jan 26)
- e-mail attachments and security John Fitzpatrick (Jan 27)
- <Possible follow-ups>
- e-mail attachments and security David A. Gershman (Jan 26)
- e-mail attachments and security Bert Van Kets (Jan 26)
- e-mail attachments and security xgermx (Jan 26)
- e-mail attachments and security d4ncingd4n at gmail.com (Jan 26)
- e-mail attachments and security Bert Van Kets (Jan 26)
- e-mail attachments and security David A. Gershman (Jan 26)
- e-mail attachments and security Andrew Ellis (Jan 26)
- e-mail attachments and security Bert Van Kets (Jan 27)
- e-mail attachments and security Jim Halfpenny (Jan 27)
- e-mail attachments and security Bert Van Kets (Jan 27)
- e-mail attachments and security David Auclair (Jan 27)
- e-mail attachments and security John Fitzpatrick (Jan 27)
- e-mail attachments and security Andrew Ellis (Jan 26)
- e-mail attachments and security Joel Folkerts (Jan 27)