Archive for September, 2009

Email Security for Dummies

September 27th, 2009

This guide will help you understand the basic facts about email security — what it is and why you need it.

What is Email Security?
On one level, email security is ensuring that your emails are secure: that is, it involves the maintenance of the basic information security concepts:

  • Integrity - ensuring that your message has not had unauthorized alteration
  • Confidentiality - ensuring that no unauthorized person (or process) has viewed the content
  • Accountability - being able to prove who wrote the email
  • Availability - ensuring that the email can be sent/received
  • Non-repudiability - being able to prove that the recipient really did receive it

But more than the email itself is involved in email security. It also involves:

  • Ensuring that you neither receive nor send malware hidden within the email or any attachments
  • Minimizing the receipt of spam, scams, phishing expeditions and illegal content
  • Ensuring that staff neither accidentally nor with malicious intent allow or send confidential, sensitive or illegal content within or outside of the company

Why do I need Email Security?

You need email security simply because going without it has both commercial and legal ramifications. An example that can illustrate both aspects would be infection with a highly destructive and virulent virus. Let us assume that your own systems are infected, and the virus payload is delayed but destructive: that is, you manage to infect, say, a competitor before this virus destroys your system.

The commercial implication is obvious: loss of your systems, data, records, etc. will be severely damaging if not fatal. But on the legal side, many lawyers believe that you could be held liable for any loss suffered by a third party that you infect, whether intentionally or even knowingly or not. If that third party were a competitor, then it would have little incentive not to sue the elbow off you.

And the history of internet litigation is already strewn with examples of both staff and competitors suing companies that have allowed compromising information to circulate within, or worse, to escape from, the company network.

It would be much safer to ensure your email is secure rather than risk the potential problems of insecure emails.

What do I need in Email Security?

Since so much is involved in email security, it is not surprising that you will be lucky to find everything you need in a single product. Just on the basis of the above discussion, you will need:

  • Anti-virus software (to ward off viruses and worms)
  • Anti-spyware software (to ward off trojans, adware and spyware)
  • Anti-spam, -phishing, -scam software (to cut down on wasted staff time)
  • Content security software (to make sure confidential, sensitive or illegal content is neither circulated within nor leaked from the company)
  • A company email usage policy (to reduce staff misuse of the email, and give you some redress for when they do misuse it)
  • And last but not least, a secure email (as opposed to email security) capability

The secure email system is possibly the hardest of all. The problem is that it inevitably involves encryption - and the only form of encryption that does not create administrative problems between the sender and the receiver is a Public Key Infrastructure (PKI). But PKI is expensive to run and administer - and gets you involved with even more requirements. For example, if you operate a PKI, then you need to consider identity management software and provisioning software. Nevertheless, if you are a large company with lots of sensitive data, then PKI is the obvious route. For a single user, the RSA encryption method (RSA stands for Rivest, Shamir and Adleman, who first publicly described it) is a bit simpler and lighter to use. Quite a lot of free encryption software uses RSA instead of PKI. The encryption is still “hack-proof”, which here means that cracking it would take more than 100 years.

In particular, PKI and RSA can demonstrably provide four of the five security basics we noted at the outset of this article: integrity, confidentiality, accountability and non-repudiability (availability is the one not specifically provided by PKI).
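The properties listed above, shown in an added example that is not part of the original post: textbook RSA in Python with small constructed keys and no padding, for illustration only. The users Alice and Bob, the Mersenne-prime keys and the sample message are assumptions; the example shows a signature rejecting an altered mail or the wrong sender key (integrity, accountability) and a mail readable only with the recipient's private key (confidentiality).

```python
"""Textbook RSA for illustration only: tiny fixed keys, no padding."""
import hashlib

def make_keypair(p, q, e=65537):
    # p and q are primes; real keys use random primes of 1024+ bits each.
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # private exponent (Python 3.8+)
    return (n, e), (n, d)               # (public key, private key)

def _digest(message, n):
    # Hash the mail and reduce it below the modulus so it can be signed.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, private_key):
    n, d = private_key
    return pow(_digest(message, n), d, n)

def verify(message, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)

def encrypt(plaintext, public_key):
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(ciphertext, private_key):
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Constructed demo keys built from Mersenne primes (hypothetical users).
ALICE_PUB, ALICE_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
MAIL = b"Pay invoice 1042"              # constructed sample message

if __name__ == "__main__":
    sig = sign(MAIL, ALICE_PRIV)        # Alice signs with her private key
    print("genuine mail verifies:    ", verify(MAIL, sig, ALICE_PUB))
    print("altered mail verifies:    ", verify(b"Pay invoice 9999", sig, ALICE_PUB))
    print("wrong sender key verifies:", verify(MAIL, sig, BOB_PUB))
    sealed = encrypt(MAIL, BOB_PUB)     # anyone can encrypt to Bob
    print("Bob decrypts:             ", decrypt(sealed, BOB_PRIV))
    print("Alice's key decrypts it:  ", decrypt(sealed, ALICE_PRIV) == MAIL)
```

Production mail encryption (OpenPGP, S/MIME) uses randomly generated keys of 2048 bits or more with padding schemes, and encrypts a symmetric session key rather than the message itself.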

Where do I get Email Security?

If you are looking for email security software then you have a basic choice: you can look for best of breed point products in all of the above; you can look for an email security specialist that bundles different aspects within a single product or suite; or you can go for a hosted service. Or you can simply download our MailCloak software from our company’s website (www.gwebs.com/mailcloak.html). Yes, it’s free!

Other related topics:

Encryption for Dummies
http://opsec.spaces.live.com/blog/cns!62F870188540FB1E!1097.entry

Public Key Infrastructure, PKI, encryption for dummies
http://www.networkworld.com/news/64452_05-17-1999.html

Public Key Infrastructure, PKI (Wikipedia)
http://en.wikipedia.org/wiki/Public_key_infrastructure

RSA encryption (Wikipedia)
http://en.wikipedia.org/wiki/RSA

Terminology and encryption algorithms
http://www.easeus.com/resource/encryption-algorithms.htm

Gwebs, PGP, Security, email, encryption, how to, personal, privacy

Google Wave vs. Gmail & Google Apps - What happens to security and privacy?

September 17th, 2009

I guess everyone who is using Gmail and/or other Google Apps has heard about the new Google Wave, which is supposed to be mind-blowing and to transform the concept of email. Well, so far it’s a bit too early to say whether this will happen, because the release date of Google Wave will be at the end of this month, Sep 30th.

According to several blog posts and articles, Google Wave won’t put Gmail or Google Apps aside, at least not yet. It just seems to be Gmail with some extra features. So far, I have been using Gmail, G-talk (also with voice and video), Google Docs, calendar and other functions as well. So when I’m looking at the picture, it doesn’t seem to be SO different from Gmail. It’s just that all the functions and features are in the same box, the inbox.

At the beginning this seems to be a bit confusing, but unfortunately the pictures or videos do not tell the whole truth. For me, I really want to experience it myself before making any judgement.

Another concern, mostly about our business, is whether Gmail will change too much when Google Wave is released; I mean, will our product MailCloak still work with this new concept of email? As said, it’s too early to say, because we didn’t get developers’ access to the Wave. Of course, we are going to test Wave immediately when it’s released so we can check the functionality and see whether our software is adaptable enough or whether we should make some changes.

I guess the biggest change will be the “waves”, and what kind of concept they really are. And how easy it will be to secure all the data which is shared through those waves: text, pictures, videos, links and other stuff.

Well, I go with the Google specialists’ comment: “It’s very, very early to say..”. But we will see in the near future what’s going to happen. Anyway, I assume that Gmail will still be there for users, at least for a while, so that the adaptation to the new system will be easy.

Thanks to Google’s official blog and Gina Trapani for the pictures and all the information!

You’ll find more information about Google Wave at the following links:
http://googleblog.blogspot.com/2009/05/went-walkabout-brought-back-google-wave.html
http://smarterware.org/2021/google-wave-qa

Gwebs, Security, email, google, privacy

New layout for the Cryptographer blog!

September 15th, 2009

Finally we got a new layout for Cryptographer’s English blog. Now the layout is about the same as our Chinese blog’s layout.
I personally like this layout much better than the previous one. The blog is now easier to follow, older posts are organized by category, and of course you can also browse the archives to see what has happened previously.
The layout and blog features will be updated bit by bit, and hopefully everything will soon be working well. So far we have faced some inconveniences with the new layout, but I believe that those problems are mostly handled by tweaking the CSS style sheets.

Gwebs, new

Email Encryption for Mobile Users with GnuPG and PGP

September 9th, 2009

When I started my work at Gwebs, this was one of my first questions. I mean, so far our own products don’t support mobiles, smartphones, PDAs, etc. Anyhow, our product co-operates nicely with all software that uses GnuPG (GPG); it has been tested with quite a wide range of applications.

I wanted to know how I can access my encrypted messages whenever and wherever. I just got so dependent on mobile use of email in my previous job at a telecommunications company; sometimes you just have to be available 24/7 for your colleagues all around the world, your customers and clients. This is what’s going on right now within the IT industry. No-one is paying me a 24/7 salary, but it just became a habit for me. And now I sometimes find myself at the bus stop reading my email, thanks to the reasonable price of data transfer.

I did some research on this topic and found out that encryption with GPG on smartphones is not as common as I thought, even though nowadays smartphones run Windows Mobile, Linux, Android, Apple, Symbian and maybe some other operating systems too. It seems to be easier to find an encryption solution from PGP (Pretty Good Privacy).

I found out that Symbian used to have one component, made by Nokia, but no-one really knows whether it is still usable or not. About Apple and Android I really cannot say so clearly, ’cause both systems are pretty unfamiliar to me. So far Apple seems to have quite a lot of research and development around the iPhone, so I’m pretty sure that there is some encryption software as well.

As for Windows Mobile, there seems to be a huge gap between versions (5.0/6.0/6.1/6.5) when searching for supported applications; anyhow, there is some encryption software available. I haven’t tested it myself yet, but will do so later. First I’d like to have the official update for WM 6.5.

Well, Linux is a chapter of its own. There is so much free, open-source encryption software available that it will be more difficult to find the one which best suits your needs than just to find one.

The other solution for encryption on mobile devices is PGP (Pretty Good Privacy); it’s not open-source and normally these applications are not free. But this also makes a difference to availability. There are so many PGP applications available for all the operating systems that I mentioned earlier. And of course, since the software is not freeware, you can expect some support for troubleshooting and the like for your money.

Anyway, I think that this is one of the main things nowadays when talking about email security and privacy. Because such a big share of today’s business emails is sent from mobile devices, software is really needed to maintain privacy in this communication channel too. And to cover usability issues, it’s nice to have software which co-operates with the same encryption method as when using a PC.

I’ll let you know later about my testing: WM 6.5 + PGP or GPG encryption software + MailCloak on the PC, with my own key on every single device (work, laptop and smartphone), and then testing how it works and how easy it really is to use. But that’s going to happen after the Windows Mobile 6.5 release, which is supposed to be soon.

Gwebs, PGP, Security, email, encryption

China International Exhibition On Financial Banking Technology & Equipment (CIFTEE) 2009

September 7th, 2009

At the end of last week (Sep 2nd - Sep 5th) this expo was held at the Beijing Exhibition Center. The main goal of the exhibition was to bring together agents from banking, financial and security companies and spread information about new technology, risks and solutions; to share knowledge and network with others. We were asked to attend this exhibition too, to talk about our technology, which offers safer and more secure options to meet today’s demands for privacy when companies are communicating with each other or with customers.

Of course we took up the challenge to meet all these agents and spread our knowledge and tools for better and safer communication. We had a stand in the exhibition area and we also had some meetings for sharing knowledge and giving presentations about our products. So many nice ideas popped up, and we also got plenty of valuable information on how to improve our products and what kind of features are needed the most.

My first comment on this exhibition was “Wow!”; there were so many stands and so many people attending. Now I guess I have a bit better idea of the real scale of Chinese business.
Later I might write more about those nice ideas and other things we found out at the expo, but first we have to sum them up and see which ones are best for current requests.

Gwebs, Security, exhibition, privacy