Fred Avolio's Musings

musings on security and other topics

Wed, 08 Nov 2006
Those Dirtbags

I’ve noticed emails with an exe at the end of them… just not “.exe.” For example, I have one with attachment “attach3781.txt.  exe”.

Be careful out there.

Comment on this.
[/e-mail/] permanent link

Thu, 12 Oct 2006
Tweak to my Spam Barrier

I—like a lot of you—was getting lots of “buy this hot stock” spam. The latest change I made to my Postfix installation is to add a check against the Spamhaus Block List. The addition to main.cf is under smtpd_client_restrictions, which now looks like this:

smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/accessi
    reject_rbl_client sbl-xbl.spamhaus.org

Previous articles and blogs:

It seems to be working well.

Well, Spamhaus has been in the news. This will give you all you need to know in case you’ve missed it.
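
What a reject_rbl_client lookup amounts to on the wire, as an added example that is not part of the original post or of Postfix: the client address is reversed, appended to the zone, and resolved, and an A record in 127.0.0.0/8 means "listed". The function names, the sample addresses and the stand-in resolver are assumptions made for illustration; the 127.255.255.x range is what Spamhaus uses for error replies rather than listings.

```python
import ipaddress
import socket

ZONE = "sbl-xbl.spamhaus.org"  # zone named in the main.cf above
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error replies
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip, zone=ZONE):
    """Reverse the client address and append the zone, as a DNSBL client does."""
    rev = ipaddress.ip_address(client_ip).reverse_pointer
    # reverse_pointer ends in .in-addr.arpa or .ip6.arpa; drop those two labels
    return rev.rsplit(".", 2)[0] + "." + zone


def system_resolver(name):
    """Return the A records for name; [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # NXDOMAIN, and also timeouts: both mean "no answer" here
        return []


def classify(answers):
    """Map DNSBL A records to 'clean', 'listed' or 'error'."""
    if not answers:
        return "clean"
    addrs = [ipaddress.ip_address(a) for a in answers]
    if any(a in ERROR_NET for a in addrs):
        return "error"      # resolver blocked or over quota, not a listing
    if all(a in LISTED_NET for a in addrs):
        return "listed"
    return "error"          # non-127/8 answer: wildcarded or hijacked zone


def check_client(client_ip, resolver=system_resolver, zone=ZONE):
    return classify(resolver(dnsbl_query_name(client_ip, zone)))


if __name__ == "__main__":
    # Constructed answers standing in for live DNS, so this runs offline.
    fake = {"99.2.0.192." + ZONE: ["127.0.0.4"],
            "7.113.0.203." + ZONE: ["127.255.255.254"]}
    for ip in ("192.0.2.99", "198.51.100.5", "203.0.113.7"):
        print(ip, check_client(ip, resolver=lambda n: fake.get(n, [])))
```

With a bare reject_rbl_client, Postfix rejects on any A record under the zone, so an error reply is treated the same as a listing; the reject_rbl_client zone=d.d.d.d form limits the match to a specific reply address.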


Wed, 30 Nov 2005
Secure Email Day in the Big Apple

I am again leading Secure Email Day at Interop New York on Monday, December 12, at the Jacob Javits Convention Center.

Secure Email Day is a mixture of lecture, expert-led group discussion, and a vendor panel. Again, Jon Callas, CTO and CSO of PGP Corporation will join me for part of the day. You can go to the interop link, above, to get a look at the schedule for the day, or visit my blog posted before Vegas at SecureEmailDay.html.


Sat, 29 Oct 2005
Thunderbird, Again

I’ve written and lectured many times about e-mail security. Sometimes, I discuss securing e-mail systems. I rarely discuss protecting e-mail against modification or eavesdropping, because it seems we just don’t care. See what I’ve written in the past at my Secure E-mail Collection. And recently, I blogged E-mail Security: We Still Don’t Bother.

I also have written about my love affair with the Eudora e-mail client, but thoughts of moving over to Thunderbird.

But, I like Thunderbird’s interface. I like its being free. I like its older brother, Firefox. I recommend moving to Thunderbird to others. I almost moved a while back. But, there were some speed bumps, blogged here. But, recently I decided to slowly give it another try.

So far, things are working smoothly. I’ve not cut over to using it instead of Eudora, yet. But, I find some interesting security features. Recall, in the aforementioned E-mail Security: We Still Don’t Bother, my friend Dave wrote,

I am disappointed that I have to give up PGP but could not reasonably continue to purchase $100-200 worth of email and security software for the purpose of communicating with 9 people. What a sad indictment on the state of email security, huh?

Well, I’ve got Thunderbird with PGP and S/MIME now. It was fairly straightforward. First, S/MIME: Thunderbird comes with it. I followed the instructions for Getting an S/MIME certificate. I got mine from Thawte. Then I followed those for installing the certificate. And it just worked.

For PGP, I used the Thunderbird Enigmail plugin. But first, I installed GPG (in this case, for Windows), using the installer I found at www.gnupg.org. It installed smoothly.

If you are not going to install existing key rings you can skip the next step.

I then downloaded my secret and private PGP key rings, and used GPG from the command line to read and convert them to GPG from PGP. (I did this in the GnuPG folder.) Once I did this, I installed the Enigmail extension to Thunderbird, restarted it and imported the key files using Enigmail’s key manager.

If you are new to all this, you’ll use Enigmail to create your first key pair and store it. This will be your decryption and signing key pair. Since I had one already, I needed to fiddle with Thunderbird’s configuration file to point to my key. Actually, I had created a keypair, and had a horrible time trying to get it to use my old one. But, finally I figured it out. So, go ahead and generate a new one. If you want to use the old one, edit the prefs.js file (in your Thunderbird identity folder), and edit the “mail.identity.id3.pgpkeyId” value to have your key ID. Mine looks like this:

user_pref("mail.identity.id3.pgpkeyId", "0x3521CEA0");

A restart of Thunderbird, and everything is working. If only people actually used encrypted mail…

Okay, I spoke too soon. There are incompatibilities I cannot figure out between GPG and PGP Personal Privacy 6.5.2 that I run. GnuPG can decrypt and verify a PGP signed and encrypted file. And GnuPG can handle one that GnuPG signs and encrypts. But, PGP cannot decrypt a GPG-encrypted file. I get the error “An error has occurred : encrypted session key is bad”. So, what is Mom and Pop supposed to do?

Arrrrg!

I was unclear in explaining how I did some of the above. I used Firefox to get my certificate. Following Mozilla instructions, which say, “If you use Firefox to get your certificate and take the Netscape/Messenger option, a certificate silently installs into Firefox.” I got a Netscape/messenger certificate from Thawte. It works fine with Tbird.

I just got a PGP encrypted message from a Thunderbird/Enigmail user, Jason Wyman. He wrote,

Just wanted to let you know that I have PGP set up with Enigmail in Thunderbird and it is working GREAT for me. I’ve had a lot of time to fiddle with several different set ups as I’ve “converted” my friends and clients at work.

With me using PGP Desktop 9.0 and Mail.app on my PowerBook, it decrypted and authenticated great. Thanks, Jason!

Jason wrote back:
I just noticed you updated your blog with an excerpt from my email to you. I was going to suggest that you post this email address along with my PGP key for anyone who may need help…. I’d be happy to help. I believe it’s very important that more people begin to take their privacy seriously. This would be an opportunity for me to help others make their own lives a little more secure.

You can contact Jason and get his public PGP key at http://home.comcast.net/~jason.wyman/ or at keyserver http://keyserver.pgp.com/.


Sat, 22 Oct 2005
From Nigeria, With Love

I cannot believe anyone reading this has not heard of the “Nigerian Scam” (also called 419 after the Nigerian anti-fraud statute). The most common, that I receive every once in a while, has to do with someone — a widow or son of the recently assassinated political leader someone-or-other in some African nation. (I suppose they assume, rightly, that Americans especially won’t have a clue if this particular person exists, was recently assassinated, etc.) There are millions of dollars in a bank account and the sender of the email heard about your integrity doing an Internet search. They suggest a money laundering scheme for which the recipient gets 10% just for playing… er, helping.

I just read a fascinating piece on this at news.yahoo.com/s/latimests/20051020/ts_latimes/iwilleatyourdollars describing this in interesting detail.
