Thread: Email Encryption

  1. #1
    Member imported_Deathray's Avatar
    Join Date
    Oct 2007
    Posts
    381

    Email Encryption

    Virchanza and I were having a conversation via email and he asked me if I
    had a public key he could use to encrypt the email sent to me.

    Now this opened up to a completely new topic for me.
    So I've been wondering how often encryption is implemented
    into companies? From the penetration tester's point of view, how vital is this?

    Companies sending mail internally with Microsoft Exchange implemented - do
    they get encrypted by standard? Or is it the actual session connection
    between the host and server when data is being exchanged that is
    encrypted, the email alone is not?
    - Poul Wittig

  2. #2
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Quote Originally Posted by Deathray View Post

    Companies sending mail internally with Microsoft Exchange implemented - do
    they get encrypted by standard? Or is it the actual session connection
    between the host and server when data is being exchanged that is
    encrypted, the email alone is not?
    There is a setting in Exchange for encrypting the communication between the client and the server, but it is not on by default.

    Of course, that doesn't matter if you're sending mail to someone outside your organization, as that won't be encrypted.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  3. #3
    Very good friend of the forum Virchanza's Avatar
    Join Date
    Jan 2010
    Posts
    863

    Quote Originally Posted by Deathray View Post
    Virchanza and I were having a conversation via email and he asked me if I
    had a public key he could use to encrypt the email sent to me.
    Yup, I use Thunderbird with the "Enigmail" plug-in, best thing since sliced bread (actually OpenVPN is the best thing since sliced bread, but Enigmail isn't too far behind)

    Oh yeah by the way, were you able to read that e-mail I sent back to you? I encrypted it using your public key and signed it using my private key.

    Now this opened up to a completely new topic for me.
    So I've been wondering how often encryption is implemented
    into companies? From the penetration tester's point of view, how vital is this?
    90% of why I do encrypted e-mail is just for the craic. It's rare that I send an e-mail that contains delicate information. I have my entire hard disk encrypted with TrueCrypt though, just in case anyone gets their hands on my laptop. Have you ever seen those cop TV shows where the police burst in and find some middle-aged man throwing his computer into the bath? I'd love it, I'd pull the plug if I heard a sound and then just sit there eating a Cornetto til they make their way in.

    Companies sending mail internally with Microsoft Exchange implemented - do
    they get encrypted by standard? Or is it the actual session connection
    between the host and server when data is being exchanged that is
    encrypted, the email alone is not?
    I hate all that crap, really I hate. Networking is simple, there's no need for all that extravagant crap. When I want to "set up a network", I don't go to "Control Panel -> Set up a home or office network", instead I open up the network card settings and set the IP address. Then I go to the next computer and set the IP address. Then I see if they can ping each other. Next, if I want to access services running on either machine, e.g. FTP, I simply open up a browser of some sort and type "ftp://192.168.1.1". That's networking at its most basic. I hate all that "NetBIOS" crap as well, I disable it every time I add a new network interface.
    Ask questions on the open forums, that way everybody benefits from the solution, and everybody can be corrected when they make mistakes. Don't send me private messages asking questions that should be asked on the open forums, I won't respond. I decline all "Friend Requests".

  4. #4
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010
    Posts
    2,629

    Quote Originally Posted by Deathray View Post
    Virchanza and I were having a conversation via email and he asked me if I
    had a public key he could use to encrypt the email sent to me.

    Now this opened up to a completely new topic for me.
    So I've been wondering how often encryption is implemented
    into companies? From the penetration tester's point of view, how vital is this?
    Extremely important, along with disk encryption and protection of physical reports/documents.

    One of the first things we agree upon with our clients when starting a new project is how to transmit emails, reports, documents, etc. between our company and the client. This can range from exchanging crypto keys, certs for SMIME, setting up scp or ftps services, to agreeing upon passwords (or out of band transmission of passwords) for Winzip AES archives.

    Internally the entire team/company uses GPG for cryptography.

    Companies sending mail internally with Microsoft Exchange implemented - do
    they get encrypted by standard?
    No.
    Or is it the actual session connection
    between the host and server when data is being exchanged that is
    encrypted, the email alone is not?
    No.

    As someone else pointed out you can choose to implement client/server encryption with Outlook/Exchange. However, that would not affect any stored emails.

    If you want a free solution for encrypted exchange/outlook email check out gpg4win.

    (Don't forget to securely back up your primary key).

    I hate all that crap, really I hate. Networking is simple, there's no need for all that extravagant crap. When I want to "set up a network", I don't go to "Control Panel -> Set up a home or office network", instead I open up the network card settings and set the IP address. Then I go to the next computer and set the IP address. Then I see if they can ping each other. Next, if I want to access services running on either machine, e.g. FTP, I simply open up a browser of some sort and type "ftp://192.168.1.1". That's networking at its most basic. I hate all that "NetBIOS" crap as well, I disable it every time I add a new network interface.
    Wow that's so far from being on topic it actually made me laugh.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
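
The thread's central distinction, encrypting the session versus encrypting the email itself, can be read off a message's own headers. The Python below is an added example, not code from any poster; the function names, sample messages and host names are constructed for illustration.

```python
import re
from email import message_from_string

TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}  # RFC 3848 "with" keywords

def message_protection(msg):
    """Encryption applied to the message itself; it stays in place at rest."""
    ctype = msg.get_content_type()
    protocol = str(msg.get_param("protocol") or "").lower()
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "pgp-mime"
    smime_type = str(msg.get_param("smime-type") or "").lower()
    if ctype.endswith("pkcs7-mime") and smime_type in ("enveloped-data", "authenveloped-data"):
        return "smime"
    for part in msg.walk():
        body = part.get_payload()
        if isinstance(body, str) and "-----BEGIN PGP MESSAGE-----" in body:
            return "inline-pgp"
    return "none"

def hop_transport(msg):
    """(receiving host, used_tls) per Received header, newest hop first.
    Relays write these headers themselves, so treat them as a hint, not proof."""
    hops = []
    for header in msg.get_all("Received", []):
        by = re.search(r"\bby\s+(\S+)", header)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", header)
        hops.append((by.group(1) if by else "?",
                     bool(proto) and proto.group(1).upper() in TLS_PROTOCOLS))
    return hops

# Constructed sample messages (hosts and ids are placeholders).
PLAIN = message_from_string(
    "Received: from mail.example.org by mx.example.com with ESMTPS id a1\n"
    "Received: from laptop by mail.example.org with ESMTP id a2\n"
    "Subject: report\nContent-Type: text/plain\n\nFindings in clear text.\n")
PGP = message_from_string(
    "Received: from mail.example.org by mx.example.com with ESMTP id b1\n"
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
    ' boundary="b"\n\n'
    "--b\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    "--b\nContent-Type: application/octet-stream\n\n"
    "-----BEGIN PGP MESSAGE-----\n(placeholder, not real ciphertext)\n"
    "-----END PGP MESSAGE-----\n--b--\n")

if __name__ == "__main__":
    for name, m in (("plain", PLAIN), ("pgp", PGP)):
        print(name, message_protection(m), hop_transport(m))
```

The plain message reports TLS on only one of its two hops and no protection of its own, so it is readable on every server that stores it; the PGP/MIME message stays encrypted even though its hop used no TLS.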
