Jason Palmer, CPA, CITP

Cyber Insurance Auditing


Mobile Device Management – Containing The Mobile Invasion

April 11, 2013 By Jason Palmer

Mobile Devices

When Dorothy in the “Wizard of Oz” was walking through the forest, she exclaimed, “Lions and Tigers and Bears – Oh my.”  Trust me when I say that most Information Technology Staff, walking through the office and seeing the extreme variety of devices, have the very same sentiment, “Cell Phones, Tablets, and Notebooks – Oh My,” and feel every bit as much in peril as Dorothy.

Why?  Because every one of those devices is a potentially unsecured entry point into the corporate network and might be able to access sensitive data.

What is an Information Technology Manager to do?  Ban all mobile devices from accessing the Network?  Demand that only mobile devices issued by the Company and properly secured may connect to the Network?  Tell the CEO that she cannot use her iPad to read her mail?  Tell the CFO that he cannot access or look at the latest corporate financials on his iPhone because Apple does not understand “enterprise security”?  Make everyone use a BlackBerry Curve?

There must be a better answer and there is.

It is called Mobile Device Management.  The technology is available from a number of different vendors.  It enables Information Technology Staff to secure and manage most well-known brands of Smart Cell Phones, Tablets, and Notebooks from a centralized console.

Each Mobile Device Management vendor implements the solution slightly differently but with the same general result:  the Information Technology Staff can apply and enforce usage policies, approve specific apps, determine the location of the device, enforce proper login credentials, and remotely wipe lost or stolen devices.

Another great feature is the standardization of the Management Interface (Dashboard) across the various mobile platforms.  The Information Technology person does not need to be concerned with whether he or she is managing an iPhone or an Android phone.  The Mobile Device Management software presents a single, unified view by class of device:  All Cell Phones and All Tablets.  Of course, the granularity is there should one want to take advantage of specific features available in, say, an iOS device (iPhone, iPod, iPad) vs. an Android phone or tablet.

When reviewing Mobile Device Management software platforms, there are a number of considerations:  How many devices do you have to manage?  Are they predominantly Apple devices, Android devices, or something else?  Are the mobile devices your employees use in your corporate environment supported?  Does the Mobile Device Management Platform support all of the versions of the mobile device operating systems in use?  And, from an administrative perspective:  Is the software license purchased as a one-time fee or is this a monthly service?

The important take-away from this article is that mobile devices, especially ones that your own Information Technology Department does not officially support, represent a real threat to your sensitive corporate data and need to be “cleared” prior to being allowed to access data on your network.

Think of it this way:  For those of you that work in larger offices, visitors are signed in, logged, and guided.  They don’t just wander in the front door and walk aimlessly around the office.

Why would you allow a perfect stranger, such as someone’s personal smart phone, to access your corporate data network without being escorted in?

The answer:  You wouldn’t.

Filed Under: Security, Tech in Plain English Tagged With: android, Mobile Device Management, Mobile Device Management Platform, Mobile Device Management Software

It’s 2013 – Do you know where your sensitive corporate data is?

April 10, 2013 By Jason Palmer

Data File Security

There was a time in the 1970’s through about 1995, before the modern Internet, when the person who managed your Information Technology could say with absolute certainty that he or she knew all of the possible entry points into your network and exactly where your sensitive corporate data was stored.

In the early days of Information Technology, data resided on a mini-computer or mainframe that was installed in a special room that was physically locked in the center of your office space.  Green Screen “Dumb” terminals were the only way to access the Corporate Data.  There was no connectivity to the outside world.  The only way data entered or exited your office was on paper or possibly a heavily guarded backup tape in-transit to an off-site storage location.

In the late 1980’s, the Green Screen “Dumb” Terminal began to be replaced with the “Smart” Personal Computer.  In fact, the mini-computer and mainframe for many applications also began to be replaced by more powerful Personal Computers known as Servers.  With the dawn of the Personal Computer came the Floppy Disk, Zip Disk, and similar precursors to the modern day USB Flash Stick Drive.

Even though data was now being created and stored outside the highly secured “Server Room”, the Information Technology Manager still had a significant amount of control as floppy disk drives could be disabled.  Data stored on Floppy Disks or Tape had the potential for “mobility” but could be serialized and tracked like any other corporate asset.

Few PC’s had direct communications capabilities to the outside world and, even if they did, Modems were extremely slow.  Since Modems used regular phone lines and all pricing was “per minute,” it was easy, even if after the fact, to notice a multi-hour phone call to AOL or CompuServe (early online services) and investigate.

Data, up until the turn of the century, mostly left an organization the old fashioned way:  on paper.  Again, depending on the volume of information being printed, the Information Technology person might notice excessive printing activity and then investigate.

After about 1995, with the accessibility of the Internet starting to become common place and significant price drops in the cost of Personal Computers, for the first time, an employee might actually be able to take data from the office and bring it home to continue working on it.  Communication speeds increase dramatically and now instead of taking hours for a file to be transferred via Electronic Mail or a File Sharing Service, it takes minutes or seconds.

It is at this point in the timeline of the modern computer era that the Information Technology Staff can no longer say with any certainty or confidence that they “know where all of the corporate data is.”

No longer is the transport of sensitive corporate data limited to that which could be physically carried out the door on paper or a disk; now it can be sent across town, across the country, or around the globe in an almost untraceable manner over the Internet.  I say almost untraceable because, in the majority of businesses, the tools for securing and tracking the creation, management, and transport of sensitive corporate data were not widely available to the average Information Technology person, nor was there a mindset of doing so.  (Banks, Public Companies, and Government Agencies are generally the exception.)

As the realization hits home that data has become mobile, technology catches up and businesses start to create policies and implement tools that are able to track the movement of sensitive information within an organization and in many cases prevent it from leaving the confines of the company.

Tools to accomplish this include the ability to log the username of every person who accessed specific files, such as Microsoft Word Document or Excel Spreadsheet for real time or after the fact review (audit trails); Advanced Content Filtering Firewalls that can scan every email and attachment going in and out of a company via the Internet looking for key words that might indicate a security breach or espionage; and, Company Policy Manuals that explicitly and politely remind employees about the definitions of “Confidential” and “Proprietary.”  Even though most every Personal Computer has a USB or CD/DVD drive, the Write functions can be disabled or password controlled as an added measure of security.

So when you walk into your office today, take a look around and ask yourself, “Do you know where your sensitive Corporate Data is?”  And, more importantly, “What have you done to secure it?”

If you or your Information Technology person cannot answer this question with the same certainty of 30 years ago, engage a Data Security Professional who can help put the “Genie back in the Bottle” and keep your sensitive corporate data secure.

Filed Under: Security, Tech in Plain English Tagged With: Computer, Content Filtering, Corporate Data, Corporate Data Security, Data, data security, Modem

Securing your Home Network – Close the Ad-Hoc Wi-Fi® Backdoor

October 22, 2012 By Jason Palmer

In an effort to make data sharing easy, many Wi-Fi® devices support both Infrastructure Mode connections and Ad-Hoc peer-to-peer connections.  Infrastructure mode is most common and is when a Wi-Fi® device connects directly to a Wi-Fi® Router or Access Point. (See my article on “Wi-Fi® – Wireless Router vs. Wireless Access Point.”)  There is another type of connection, known as an “Ad-Hoc” peer-to-peer connection which enables two Wi-Fi® capable devices to connect directly to each other without going through your Home or Office Wi-Fi® network.

Ad-Hoc peer-to-peer connections are very common with Apple Mac Computers, iPhones, and iPads.  Almost any two Apple devices will “find” each other automatically and, if security permissions are not set correctly, will immediately share their resources.  This will occur regardless of whether the Apple devices are connected over hard-wired Ethernet or Wi-Fi®.  Visible resources on your computer can include the entire hard drive, specific folders, external devices like printers and, specifically, access to your Home or Office Wi-Fi® network, which you may not intend to share.

When the Ad-Hoc sharing capability of a Wi-Fi® computer or device is configured properly, it can be beneficial, as it is designed to allow guests to access your Printer.  In addition, Ad-Hoc peer-to-peer networking may be enabled to share a PUBLIC folder specifically to allow for the exchange of documents, photos, and files.

The security risk is that if you have a computer attached to your Home or Office network and the Wi-Fi® Ad-Hoc peer-to-peer network support is turned “On” without any security engaged, you risk unauthorized access to your files and Network.  Both Mac and Windows based Computers as well as many other Tablets, Smartphones, Printers, and Wi-Fi® enabled devices support Ad-Hoc Wi-Fi® peer-to-peer networks.  In fact, many Wi-Fi® enabled printers make Ad-Hoc connections directly to the Computer bypassing your Home or Office Wi-Fi® network completely.  Printer manufacturers do this as it eliminates the need to know your Wi-Fi® SSID (network name) and access password.  The Printer setup software takes care of creating the connection from the printer to each computer via an Ad-Hoc peer-to-peer network without any assistance from the user.

Protecting yourself and your network is easy:  Unless you specifically need Ad-Hoc peer-to-peer network support on your computer, TURN IT OFF!  The risk is not just from someone connecting to your Computer or Wi-Fi® enabled device while in your Home or Office, but anywhere.

The next time you are in a public place with many Wi-Fi® users around you, look closely at the “Available Wireless Networks” list of networks you can join.  Notice that many will say “Ad-Hoc.”  Each of these Computers or Wi-Fi® enabled devices is at risk of having almost anyone access the data on the device, especially if the Security options have not been properly configured.  Any network listed that has a “lock” symbol or says it is “closed” is properly secured.

To turn off or configure Ad-Hoc peer-to-peer networking, do the following:

On a Mac, go to “System Preferences” – “Sharing” and UN-CHECK all of the boxes.  If you do require sharing of resources such as Files, the DVD Drive, or Printers, then make sure to properly configure Group or User level access to these resources.

On a PC running Windows XP, go to “Network Connections” – the “Wireless Connection” – “Advanced” – “Networks to Access” options and click the Radio Button “Allow Access Point – Infrastructure Networks Only.”  (This is the same general section both to create and share the Resources from your Windows XP computer via an Ad-Hoc peer-to-peer network and to restrict your ability to connect to one.)  For Windows 7, go to “Control Panel” and select “Manage Wireless Networks”; the instructions are similar.  Using your favorite Search Engine, search for the term “ad-hoc networks Windows XP” (or “Windows 7”) to find numerous tutorials.

Summary:  Turn off “Ad-Hoc” peer-to-peer networking unless you absolutely need it.  If you do need it, make sure to review which resources are shared and properly secure the guest access, specific user name, or group with a strong, complex password. (See my article, “A Complex Password may not be a Strong Password.”)

Filed Under: Networking, Security, Tech in Plain English Tagged With: Ad-Hoc, Ad-Hoc Networking, Ad-Hoc WiFi, Peer-to-Peer, WiFi Security

Securing the Home Network – Wi-Fi® Protected Setup™

October 4, 2012 By Jason Palmer

Almost every modern day Wi-Fi® Router and Access Point supports Wi-Fi® Protected Setup™ which is an optional hardware method for quickly enabling security on a Wi-Fi® network.  As you may recall, you have the option of manually naming your network with an SSID (Service Set Identifier) and specifying the specific password to be used by devices to connect. (See my article on “Securing the Home Network – Wi-Fi® Security.”)

Using the hardware based Wi-Fi® Protected Setup™ can be much faster than going in to the setup pages of the Router or Access Point.  It is far simpler and easier to “press a button” than to have to navigate through the configuration screens or even use a vendor provided setup program.  This does assume that all of the Internet enabled devices that you want to connect to your Wi-Fi® network support the Wi-Fi® Protected Setup™ feature.

To create a secure connection using Wi-Fi® Protected Setup™, you press a button (appropriately marked on the Router or Access Point), it usually flashes for a short period of time and then you press the equivalent Wi-Fi® Protected Setup™ button on your Internet enabled device or click on a soft button in the configuration screen of your Internet enabled device. Either way, in a matter of minutes, you have created a random SSID (network name) and random passphrase using WPA2 secure encryption to create a connection between your Router or Access Point and your Internet enabled device.

An alternative implementation of Wi-Fi® Protected Setup™ is a predetermined “Personal Identification Number” (PIN) code that is usually printed on a sticker on the Router or Access Point.  If the Internet enabled device you want to connect does not have a Wi-Fi® Protected Setup™ button, you can enter the PIN code from the sticker on the Router or Access Point into the appropriate setup screen and accomplish the same automated setup.

In some cases, especially with Verizon FiOS Wi-Fi® Routers, both the SSID (network name) and Password (Passphrase) are written on a sticker attached to the Router.  No additional configuration of the Router is necessary.  You simply enter the predefined SSID and Password into your Internet enabled device (Home Computers, Printers, Cell Phones, Tablets, Gaming Computers and other Internet enabled devices like Blu-Ray Players and Internet-enabled Flat Panel TV Sets), and you will be securely connected to your new Wi-Fi® network.

Security Note:  Unfortunately, in December 2011 a gentleman named Stefan Viehböck determined that the Wi-Fi® Protected Setup™ PIN of a Router or Access Point could be guessed in a brute force attack in an average of four hours.  This is due to a design flaw that lets an attacker know when the first half of the eight digit PIN is correct.  Since there is no lockout after failed attempts at guessing the PIN, the attacker can confirm the first half of the eight digit PIN on its own.  In addition, because the last digit is a checksum of the other seven digits, it takes only approximately 11,000 attempts to determine the PIN code completely.  For more details, read the United States Computer Emergency Response Team (CERT) Vulnerability Note VU#723755 and Alert (TA12-006A), “Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack.”

It is for this reason that CERT recommends that Wi-Fi® Protected Setup™ NOT be used and that it be specifically “disabled” in the affected Routers and Access Points.  A few manufacturers have corrected the design flaw and updated the firmware (programming) in their Routers and Access Points, but many have not.

Keep in mind that your Wi-Fi® Router or Access Point would have to be the target of a specific attack for this to be an issue.  More likely, you would be the target of someone randomly testing their hacking skills than of someone specifically trying to gain access to your home Wi-Fi® network.  The risk from leaving Wi-Fi® Protected Setup™ enabled is minimal.  To be absolutely safe, turn off Wi-Fi® Protected Setup™ completely and manually configure your Wi-Fi® Network Security.  (See my article on “Securing the Home Network – Wi-Fi® Security.”)
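The arithmetic behind the figures in the Security Note, as an added example that is not part of the original post.  It takes the PIN structure described above (eight digits, the first four confirmed on their own, the last digit a checksum, no lockout) and compares the effort to exhaust the PIN space under that design with a hypothetical firmware fix that pauses WPS for a minute after three failures.  The 1.3-second attempt rate and that lockout policy are constructed assumptions, not figures from the post or the CERT alert.

```python
"""Worked arithmetic for the WPS PIN weakness described in the post.

Added example, not from the post. The facts it encodes are the post's:
an eight-digit PIN, the first four digits confirmed on their own, the last
digit a checksum of the other seven, and no lockout on failures. The
attempt rate and the lockout policy are constructed assumptions used only
to compare the flawed design with firmware that adds a lockout.
"""

PIN_DIGITS = 8
FIRST_HALF = 4          # digits the flawed handshake confirms independently
CHECKSUM_DIGITS = 1     # the eighth digit is derived from the other seven


def candidates_if_checked_whole() -> int:
    """PINs to try if the whole PIN were accepted or rejected at once:
    the checksum fixes one of eight digits, leaving 10**7 candidates."""
    return 10 ** (PIN_DIGITS - CHECKSUM_DIGITS)


def candidates_with_split_check() -> int:
    """The post's ~11,000: 10**4 for the first half, then 10**3 for the
    second half, because only three of its four digits are free."""
    second_half_free = PIN_DIGITS - FIRST_HALF - CHECKSUM_DIGITS
    return 10 ** FIRST_HALF + 10 ** second_half_free


def seconds_to_exhaust(attempts: int, seconds_per_attempt: float,
                       lockout_after: int = 0, lockout_seconds: float = 0.0) -> float:
    """Worst-case wall-clock time to try every candidate.

    lockout_after > 0 models firmware that pauses WPS for lockout_seconds
    after that many consecutive failures; 0 models the original design.
    """
    total = attempts * seconds_per_attempt
    if lockout_after > 0:
        total += (attempts // lockout_after) * lockout_seconds
    return total


def hours(seconds: float) -> float:
    return seconds / 3600


def compare(seconds_per_attempt: float = 1.3, lockout_after: int = 3,
            lockout_seconds: float = 60.0) -> dict:
    """Summarise the three configurations side by side (assumed parameters)."""
    whole = candidates_if_checked_whole()
    split = candidates_with_split_check()
    return {
        "whole_pin_hours": hours(seconds_to_exhaust(whole, seconds_per_attempt)),
        "split_no_lockout_hours": hours(seconds_to_exhaust(split, seconds_per_attempt)),
        "split_with_lockout_hours": hours(seconds_to_exhaust(
            split, seconds_per_attempt, lockout_after, lockout_seconds)),
        "reduction_factor": whole / split,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:,.1f}")
```

Running it shows why CERT recommends disabling the feature rather than relying on a rate limit: confirming the halves separately shrinks the search by a factor of roughly 900, and even the assumed lockout only stretches a few hours into a few days.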

Filed Under: Networking, Security, Tech in Plain English Tagged With: CERT Alert (TA12-006A), CERT VU#723755, SSID, wi fi, WiFi Protected Setup, WPA2, WPS

Securing the Home Network – Show me your MAC ID please

October 3, 2012 By Jason Palmer

Every network device has a MAC (Media Access Control) address.  This unique twelve-hexadecimal-digit identifier is similar to a phone number or social security number for your network equipment.  No two should ever be identical.  This number is usually stored permanently in the device.  It is usually displayed on a label on the device in the form 00:23:6C:7F:38:43, or it can be displayed in the network information screen of the device.

If you want added assurance that only devices with “proper id” are allowed onto your Wi-Fi® network, you can explicitly enter the MAC address of each of your Wi-Fi® connected network devices into your Wi-Fi® Router or Access Point, such as your Wi-Fi® (or Wired) Home Computers, Printers, Cell Phones, Tablets, Gaming Computers and Internet enabled devices like Blu-Ray Players and Internet-enabled Flat Panel TV Sets.

Even if a user has the proper SSID (Wi-Fi® Network Name) and Password, if the MAC address is not listed in the table in your Router or Access Point of “permitted MAC addresses” access will be denied and the device will not be able to connect.

The ability to configure MAC address restrictions is usually in the “Advanced Security Setup” area of your Router, Access Point, or Switch.  Almost all Wi-Fi® Routers and Access Points support MAC Address connection tables and restrictions.

Only higher end Wired Routers and Switches offering some form of Management have the MAC Address restriction capability.  Not to worry, the likelihood that someone you don’t know is directly plugging in via a “Wired” connection to your network in your home without your permission or knowledge is very small.

Technical Note:  In some cases, there are legitimate reasons why a network device would broadcast a MAC address different from the one permanently assigned.  This is called MAC Spoofing.  Some earlier Internet connection types required that the Cable or xDSL modem, the device that converts the signal from outside your home to Ethernet, be in “bridge” mode, or for all practical purposes, invisible.  In these situations, the Cable or xDSL modem would actually broadcast the MAC Address of your Computer instead of its own MAC Address.

Security Note:  MAC Spoofing can also be used for bad purposes, and MAC filtering is not a foolproof security method.  It is just an added layer of security.  Even if you have a MAC Address permission table set for both your Wi-Fi® Router and any Access Points, almost anyone with a reasonable amount of skill can Spoof, or duplicate, a legitimate MAC address, which could allow them access to your Wi-Fi® network PROVIDED THAT they also know the correct SSID (network name) AND Password.  That is three layers of security instead of two.

In general, if you are extremely concerned about securing the access to your Wi-Fi® enabled network, setting the MAC Address of each Wi-Fi® enabled device in your Wi-Fi® Router and/or Access Points for your Primary (“Private”) Wi-Fi®  network will provide an added level of assurance that only legitimate, authorized devices are connecting to your network.  (For a discussion on Primary/Private vs. Secondary/Guest Wi-Fi® networks, see my article, “Securing the Home Network – Guest Wi-Fi® Networks”)
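The permitted-address check described above, as an added Python example that is not part of the original post or of any router’s firmware.  It normalises the address formats found on device labels, compares each association attempt against an allow-list of the kind you would type into the Router, and flags addresses whose “locally administered” bit is set, a standard IEEE marker for an address assigned by software rather than burned in by the vendor.  The allow-list entries and the association log lines are constructed for the example.

```python
"""Permitted-MAC-address review for a home Wi-Fi network.

Added example, not from the post. The allow-list and the association log
are constructed; the log format (timestamp, event, client MAC, SSID) is an
assumption, since every router reports associations a little differently.
"""
import re

_SEPARATORS = re.compile(r"[:\-.\s]")

# Constructed allow-list, in the mix of formats found on device labels.
PERMITTED = ["00:23:6C:7F:38:43", "00-23-6c-7f-38-42", "a4b1.c2d3.e4f5"]

# Constructed association log: timestamp, event, client MAC, SSID.
LOG_LINES = [
    "2012-10-03T21:14:02 assoc 00:23:6c:7f:38:43 Butterfly",
    "2012-10-03T21:14:09 assoc A4:B1:C2:D3:E4:F5 Butterfly",
    "2012-10-03T21:15:30 assoc 00:23:6C:7F:38:99 Butterfly",
    "2012-10-03T21:16:01 assoc 02:1a:2b:3c:4d:5e Butterfly",
    "2012-10-03T21:16:40 assoc 00:23:6C:7F:38 Butterfly",
]


def normalize_mac(raw: str) -> str:
    """Accept 00:23:6C:7F:38:43, 00-23-6c-7f-38-43, 0023.6c7f.3843 or bare
    hex; return the canonical upper-case, colon-separated form."""
    digits = _SEPARATORS.sub("", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is the IEEE 'locally administered' flag: the
    address was assigned by software, not burned in. A hint worth reviewing
    on a MAC-filtered network, not proof of spoofing (some virtual adapters
    use such addresses legitimately)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


class MacAllowList:
    """Mirror of the router's 'permitted MAC addresses' table."""

    def __init__(self, entries):
        self._permitted = {normalize_mac(e) for e in entries}

    def permits(self, mac: str) -> bool:
        return normalize_mac(mac) in self._permitted

    def review(self, log_lines):
        """Decide each association attempt and annotate it for the admin."""
        results = []
        for line in log_lines:
            _timestamp, _event, raw_mac, ssid = line.split()
            try:
                mac = normalize_mac(raw_mac)
            except ValueError:
                results.append({"mac": raw_mac, "ssid": ssid,
                                "permitted": False, "note": "malformed address"})
                continue
            note = "locally administered bit set" if is_locally_administered(mac) else ""
            results.append({"mac": mac, "ssid": ssid,
                            "permitted": mac in self._permitted, "note": note})
        return results

    def denied(self, log_lines):
        """Just the addresses that would be refused, for a quick daily glance."""
        return [r["mac"] for r in self.review(log_lines) if not r["permitted"]]


if __name__ == "__main__":
    table = MacAllowList(PERMITTED)
    for entry in table.review(LOG_LINES):
        verdict = "ALLOW" if entry["permitted"] else "DENY "
        print(f"{verdict} {entry['mac']:<17} {entry['ssid']:<10} {entry['note']}")
```

The review deliberately keeps malformed and locally administered entries visible rather than silently dropping them: the post’s point is that the table is one extra layer, and the value of that layer comes from someone actually looking at what it refused.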

Filed Under: Networking, Security, Tech in Plain English Tagged With: Guest Wi-Fi® Network, MAC Address, Private Wi-Fi® Network, SSID, wi fi

Securing the Home Network – Guest Wi-Fi® Networks

October 2, 2012 By Jason Palmer

The newest Wi-Fi® Routers support both a Primary “Private” and a Secondary “Guest” Wi-Fi® network.  This allows you to have two separate SSIDs (the names of your Wi-Fi® networks) at the same time.  Specifically, the Primary Private Wi-Fi® network would be for your exclusive use and connect all of your Wi-Fi® or Wired Home Computers, Printers, Cell Phones, Tablets, Gaming Computers and Internet enabled devices like Blu-Ray Players and Internet-enabled Flat Panel TV Sets to each other and the Internet.

The Secondary Guest Wi-Fi® network would connect visiting Internet enabled devices, like Tablets, Notebook Computers, Smartphones, and Gaming Computers ONLY to the Internet.  After all, you have no idea where those Internet enabled devices have been nor can you be sure they have been practicing “Safe Computing” with proper Antivirus and Firewall software installed.

Guests are given a different SSID and password to access the alternate, dedicated Wi-Fi® “Internet Only Access” network in your home.  You may be wondering, “If it is a Guest Wi-Fi® network, why do I need to set a password at all?”  Answer:  You do not want to be providing “Free” Internet access to your neighbors and more specifically, anyone who just happens to be passing by.

If you already have a Wi-Fi® Router installed and it does not support both Primary Private and Secondary Guest networks, you have two options:  upgrade your Router or purchase an Access Point.  The advantage of purchasing a new Wi-Fi® Router that supports both a Primary and a Secondary network is that most likely it will also be Dual Band.  This means that it operates in both the 2.4 GHz and 5 GHz spectrums.  (See my article on “Understanding the Wi-Fi® 802.11 Network Standard” for more details.)  The 5 GHz spectrum is less crowded and may give you better Wi-Fi® performance in your home.

If you purchase an Access Point to create a Secondary Guest Wi-Fi® network, most support the option to configure in “AP Isolation Mode.”  This means that Wi-Fi® connected devices cannot see other Wi-Fi® connected devices on the same Wi-Fi® (SSID) network but they can see all of the devices on the Wired network.   For example, with AP Isolation Mode enabled, two Wi-Fi® connected Notebook computers will not see or be able to connect to each other to share files but both would be able to see a Printer physically connected with an Ethernet (wired) cable to the Network Router.   If every device in your home is connected via Wi-Fi® to your Primary Private Wi-Fi® network, then adding an Access Point is a good solution to create a Secondary Guest Wi-Fi® network.

If you have devices in your home attached to your Primary Private Wi-Fi® Network and you also have devices connected via Ethernet (wired) cables, then you need to configure the specific physical Ethernet port that your Guest Access Point is connected to on the Local Area Network side of the Router to only connect to the Internet/Wide Area Network of the Router.  This completely isolates Guest Wi-Fi® connections through the Access Point exclusively to the Internet.  Otherwise, your Guests will be able to see any device that is connected via an Ethernet (wired) cable to your network.

Filed Under: Networking, Security, Tech in Plain English Tagged With: Guest Wi-Fi® Network, Private Wi-Fi® Network, SSID, wifi

Securing the Home Network – Wi-Fi® Security

October 1, 2012 By Jason Palmer

Most Cable and Phone Company Internet providers are installing Routers with Wi-Fi® capability.  Unfortunately, not all Carriers take Wireless Security seriously.  Many early Carrier Wi-Fi® Router installations did not set any network security at all.  To be fair, many early Wi-Fi® enabled Computers did not properly support the newly defined security methods, so it was easier to just leave the Security Features off.  Modern day Internet Enabled devices no longer have these issues, so you should make sure that your Wi-Fi® Router has its Security Features enabled.

Public Wi-Fi® HotSpots are great and extremely convenient.  Your Home or Office should not be one as this could allow anyone who connects to your Wi-Fi® network to potentially access your computers and their files without your knowledge or permission.

The best and easiest way to secure your Wireless Router’s Wi-Fi® network capability is to set a strong and complex password [See my article on “A Complex Password may not be a Strong Password”] and to select the highest grade of encryption supported.  For most modern day Wi-Fi® Routers, that is WPA2 or WPA encryption.  Older Wi-Fi® Routers may only support WEP Encryption, which is sub-optimal as any determined hacker can break the encryption fairly quickly using readily available tools found on the Internet.

An important security tip is to make sure that the SSID (the name of your Wi-Fi® network) does not personally identify your home or small office.  Try to select a name that is completely unassociated with your family, likes, favorite vacation spots or anything else that might identify your Wi-Fi® network to someone who might be trying to locate and access your network without authorization.

The logic is simple:  If the hacker cannot see or find you, it makes it that much more difficult to compromise your network.  Instead of selecting an SSID name like “Palmer-Home,” select something like “Butterfly.”  Someone passing by and scanning for Wi-Fi® Routers broadcasting SSIDs would have no reason to believe that the Wi-Fi® network named “Butterfly” is associated with me.  (And neither should anyone reading this article, as that is not an SSID that I use.)

An even more secure option is to turn off the broadcasting of the SSID completely.  To a user “Scanning for Wi-Fi® Networks”, your network will be invisible.  Anyone who wants to connect to your Wi-Fi® network will need to explicitly enter the SSID Network Name and Security Key provided by you.


Filed Under: Networking, Security, Tech in Plain English Tagged With: SSID, Strong Complex Wi-Fi® Password, WEP, wifi, WPA, WPA2

Securing your Email – Assigning and Using a Digital Certificate for Secure Email in Thunderbird

August 28, 2012 By Jason Palmer

In order to use a Digital Certificate for Secure Email, you need to install the Certificate into Thunderbird.  Installing the Certificate is straightforward.  Unfortunately, using PGP – Public Key and Private Key Encryption – in Thunderbird takes a little bit of effort to set up and install.

The steps are clearly defined with Screen Shots at the Thunderbird Documentation Site:

https://support.mozillamessaging.com/en-US/kb/digitally-signing-and-encrypting-messages

In short, Thunderbird uses the PGP (Pretty Good Privacy) protocol to Encrypt and Digitally Sign email messages, implemented through Open Source software.  The two required components are GnuPG (GNU Privacy Guard), a free software implementation of the commercial version of PGP, and the free Enigmail Thunderbird add-on.  (An add-on is a small helper application software program that “adds on” specific functionality.)

To learn more about Public Key and Private Key encryption, read my article, “Securing your Email – Understanding Public Key and Private Key Encryption.”

In the documentation referenced above, you download the appropriate version of GnuPG for Windows, Mac, or Linux, then follow the instructions for installing the Enigmail Add-on.

Next, you create your Public Key and Private Key using a Key Generation Wizard.  Then you have the option of setting your configuration to sign all of your outgoing Email with your Digital Signature or on a per message basis.  This operates pretty much the same way in every Email client regardless of vendor.

Digitally signing a message is as easy as selecting “Sign Message” from the NEW OpenPGP tab on your Thunderbird Menu Bar.  The same holds true for “Encrypting” a message.

As with all Public Key and Private Key encryption, when you Digitally Sign an email, you must make sure to attach your Public Key with your message. This allows the Recipient to save your Public Key so that they can encrypt an email message to you.  It also allows them to Authenticate an email Digitally Signed by you.

When you receive an email encrypted with your Public Key, you will use your Private Key Passphrase to decrypt the message and read it.  Once both you and your Recipient have each other’s Public Keys, you can start to send and receive Encrypted and Digitally Signed email at will.

The Thunderbird OpenPGP add-on makes Digitally Signing, sending and receiving Encrypted Email a breeze.

GnuPG Project Information
http://www.gnupg.org/

Enigmail Information
http://www.enigmail.net


Filed Under: Security, Tech in Plain English Tagged With: Cryptographic Software, Digital Certificate for Secure Email, Digital Certificates, Digital Signature, Email, Encryption, Gnu Privacy Guard, Key Encryption, Mozilla Thunderbird, Private Key Encryption, Thunderbird

Securing your Email – Assigning and Using a Digital Certificate for Secure Email in Outlook

August 27, 2012 By Jason Palmer

In order to use a Digital Certificate for Secure Email, you need to install the Certificate into your specific version of Outlook and assign it to the correct profile.  This is usually the default profile if you are the only one that uses your copy of Microsoft Outlook.

In most cases, when you retrieve the Digital Certificate for Secure Email, the Internet Explorer Web Browser will automatically store it in the Windows Digital Certificate Store for you.  Most editions of Microsoft Outlook can automatically access the Microsoft Windows Digital Certificate Store.  If for some reason the Digital Certificate for Secure Email does not properly appear visible in a version of Outlook, use the tutorials below to verify the settings.

If you used Firefox to request and retrieve your Digital Certificate for Secure Email, you may need to Export/Backup then Import/Restore the Digital Certificate for Secure Email into Internet Explorer so that it is visible to the Microsoft Windows Digital Certificate Store.

Please visit the following links for excellent tutorials on the process.

Outlook 2003
https://www.globalsign.com/support/personal-certificate/per_outlook03.html

Outlook 2007
https://www.globalsign.com/support/personal-certificate/per_outlook07.html

Outlook 2010
https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1348

Outlook Express – Versions 5 and 6
http://www.comodo.com/support/products/email_certs/oe_5_6.php

Microsoft Outlook 98 – 2000
https://www.globalsign.com/support/personal-certificate/per_outlook9800.php

Windows Mobile PDA
https://www.globalsign.com/support/personal-certificate/per_wm_pda.php

In general, to Digitally Sign or Encrypt an email message, when composing the message look under the OPTIONS tab, then More Options, Security Settings, or Permissions, depending on your version of Outlook.  There you will be presented with the option to Digitally Sign and/or Encrypt your message.

REMEMBER:  Before you can encrypt a message to a Recipient, you must have that Recipient's PUBLIC key.  To exchange keys with a potential recipient, send him or her any email message that is Digitally Signed.  That message carries your certificate, and with it your PUBLIC key, and lets the Recipient store it in his or her contact list for future Authentication.  The Recipient should then reply with a Digitally Signed message of his or her own, which carries his or her Public Key.  Once you each have the other's Public Key, you can encrypt your email communications on a selective basis and vice-versa.

To learn more about Public Key and Private Key encryption read my article, "Securing your Email – Understanding Public Key and Private Key Encryption."

Filed Under: Security, Tech in Plain English Tagged With: A Digital, Digital Certificate for Secure Email, Digital Certificates, Digital Signature, Email, Encryption, Outlook, Outlook 2003, Outlook 2007, Outlook 2010, Public Key Certificate

Securing your Email – Understanding Public Key and Private Key Encryption

August 24, 2012 By Jason Palmer

Public Key Encryption, also known as asymmetric key encryption, uses two different but mathematically related keys, a Private Key and a Public Key.  Together they let you Digitally Sign an email message so that a recipient can Authenticate it, encrypt it so that only the intended recipient can read it, or both.

The Private Key and Public Key are a mathematically related, unique pair of very long random numbers that are 100% mated to each other.  The key pair is created first, by a "Key Generation Utility"; your "Personal or Business Digital Certificate for Secure Email" is then issued by a Certificate Authority and binds your Public Key to your email address and, optionally, your identity.  (See my article, "Securing your Email – Digital Certificate for Secure Email" for information on obtaining one.)  Note:  The Key Generation Utility is usually built into the Email Client Software or the web browser plug-in used to request the certificate, so you will rarely need to create the key pair explicitly; it happens automatically when you request the certificate.

So, how does Public and Private Key Encryption work?  For starters, recall that the Private Key and Public Key are a related pair; they work together.  Important Safety Tip:  As the name implies, the Private Key must remain private, and its "pass phrase" (the password that unlocks the key) must be known ONLY to you personally.  The Public Key is distributed widely, to everyone you want to communicate with, so that recipients can either Authenticate a message from you as genuine or encrypt a message that only you can decrypt with your Private Key.  The Public Key can also be placed on a "Trusted Public Key Server" (think of a phone directory for everyone's Public Key) so that others can look up your Public Key and encrypt messages that only you can decrypt with your Private Key.

NOTE:  For purposes of this discussion we assume that, regardless of whether you are using a Class 1 (Email Address Validated) or Class 2 (Email Address and Identity Validated) Digital Certificate for Secure Email, YOU are the one and only person associated with your email account and the pass phrase to your Private Key is known ONLY to you.  With a basic Class 1 Digital Certificate for Secure Email, the Certificate Authority checks only that the requester can receive mail at the address, so ANYONE with access to your email account could request a Digital Certificate for Secure Email without your knowledge and masquerade as you for purposes of sending Digitally Signed and Encrypted Email.

If I want to Digitally Sign an email message so that a recipient has a high degree of assurance that I was the actual sender, similar to having a paper document Notarized, I tell my Email Client to "Digitally Sign" the message and it computes the signature with my Private Key.  My certificate, which carries my Public Key, is attached to the message as I send it.  The Recipient's Email Client uses the attached Public Key to check my Digital Signature and verify that it is Authentic and Genuine.  (Recall that when I have a paper document Notarized, a licensed independent third party Authenticates my signature by reviewing other identity documents.  This is similar to what a Certificate Authority does when issuing a Class 2 Digital Certificate for Secure Email.)

You may be wondering, "How is this any different from just sending a regular message, since I included the Public Key, the part the recipient needs to authenticate the message?"  The answer is that the signature itself could only have been produced with my Private Key, which I unlocked with my super-secret, ultra-secure "pass phrase" known only to me.  The Private Key and Public Key are a mated pair: a signature made with my Private Key verifies only against my Public Key, and no other key can produce a signature that my Public Key will accept.  So if the Recipient checks the signature with either the Public Key I sent along with the message or the one retrieved from a Trusted Public Key Server, and it verifies, the message was legitimately Digitally Signed by me.  The one remaining question is whether that Public Key is really mine, and that is what the Certificate Authority's signature on my certificate answers; the Recipient's Email Client checks it against the Certificate Authorities it trusts before it shows the signature as valid.

Technical Note:  The Email Clients are doing the heavy mathematics in the background.  The signature is not computed over the whole message but over a hash (a short, fixed-length fingerprint of the message), and it is that fingerprint the Private Key signs.  The body text of a Digitally Signed message is NOT encrypted, so it could be altered in transit, but any alteration changes the fingerprint, the signature no longer matches, and the Recipient's Email Client reports the signature as invalid.  A signature shown as "Authentic" therefore means both that I signed the message and that it has not changed since I signed it.

To Encrypt a message requires one extra step:  Before I can send a recipient an encrypted message, I need the Recipient's Public Key.  My Email Client software uses the Recipient's Public Key to encrypt the message.  The Recipient's Email Client then uses the Recipient's Private Key to decrypt it.  (Neither my Private Key, my Public Key, nor the Recipient's Public Key can decrypt that message; only the Recipient's Private Key will do.)

Taking it one step further, if I use my Private Key and the Recipient's Public Key together, I can both Digitally Sign the message and Encrypt it: the Recipient Authenticates that I actually sent the message with my Public Key and decrypts it with the Recipient's Private Key, so only the Recipient can read it.
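Everything the last few paragraphs describe, in working code: the key pair is generated first and a certificate binds the Public Key to an email address; signing uses only the Private Key and verification only the Public Key taken from the certificate, so an altered body fails to verify; encryption goes to the Recipient's Public Key and only the Recipient's Private Key opens it; and signing plus encrypting is simply both steps applied to the same message.  This is an added example written for this page using Go's standard library.  It is not code from Outlook, Thunderbird, GnuPG or any Certificate Authority, and the addresses alice@example.com and bob@example.com, the message text, and the self-signed certificate (standing in for a CA-issued Digital Certificate for Secure Email) are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity is one mail user: the Private Key, which never leaves this struct, and a certificate
// carrying the matching Public Key and email address (self-signed here as a stand-in for a CA-issued one).
type Identity struct {
	priv *rsa.PrivateKey
	Cert *x509.Certificate // this is what travels with a Digitally Signed message
}

// NewIdentity generates the key pair first, then the certificate that binds the Public Key to the address.
func NewIdentity(email string) (*Identity, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		EmailAddresses: []string{email},
		NotBefore:      time.Now(),
		NotAfter:       time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{priv: priv, Cert: cert}, err
}

// Sign hashes the message and signs only that fingerprint with the sender's PRIVATE key.
func (id *Identity) Sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, id.priv, crypto.SHA256, h[:])
}

// Verify recomputes the fingerprint and checks the signature with the PUBLIC key from the
// sender's certificate; a changed body or a signature made with any other key gives false.
func Verify(senderCert *x509.Certificate, msg, sig []byte) bool {
	pub, ok := senderCert.PublicKey.(*rsa.PublicKey)
	h := sha256.Sum256(msg)
	return ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}

// Encrypt works the way S/MIME and OpenPGP do: a fresh random session key encrypts the body (AES-256-GCM)
// and only that key is encrypted with the recipient's PUBLIC key (RSA-OAEP). Layout: wrapped key || nonce || body.
func Encrypt(recipientCert *x509.Certificate, msg []byte) ([]byte, error) {
	pub := recipientCert.PublicKey.(*rsa.PublicKey) // certificates in this example are always RSA
	buf := make([]byte, 32+12)                      // 256-bit session key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Seal(append(wrapped, nonce...), nonce, msg, nil), nil
}

// Decrypt unwraps the session key with the recipient's PRIVATE key; any other key fails here.
func (id *Identity) Decrypt(envelope []byte) ([]byte, error) {
	klen := id.priv.Size() // RSA-OAEP output is exactly one modulus length (256 bytes here)
	if len(envelope) < klen+12 {
		return nil, errors.New("envelope too short")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, id.priv, envelope[:klen], nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, envelope[klen:klen+12], envelope[klen+12:], nil)
}

func main() {
	alice, _ := NewIdentity("alice@example.com") // constructed sender and recipient
	bob, _ := NewIdentity("bob@example.com")
	msg := []byte("Q3 financials attached.")
	sig, _ := alice.Sign(msg)        // Alice signs with her Private Key
	env, _ := Encrypt(bob.Cert, msg) // encrypted to Bob's Public Key
	got, err := bob.Decrypt(env)     // only Bob's Private Key opens it
	fmt.Println(string(got), err, Verify(alice.Cert, got, sig), Verify(alice.Cert, []byte("Q3 financials attacked."), sig))
}
```

Run it with go run.  Real S/MIME and OpenPGP wrap these same operations in their own message formats and, before showing a signature as valid, also check that a trusted Certificate Authority signed the sender's certificate; this example deliberately stops short of that chain check, which is the part a Class 1 versus Class 2 certificate changes.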

The best way to get started with Digital Signatures and, when appropriate, encrypting email is to obtain a Digital Certificate for Secure Email and then send a Digitally Signed message to the people you want to be able to communicate with securely.  (See my article, "Securing your Email – Digital Certificate for Secure Email" for information on obtaining one.)  Since your Public Key is included in your Digitally Signed message, the Recipient's Email Client can store it (automatically in some clients; in Outlook by adding you to Contacts from the signed message) and use it to verify future messages you sign and to encrypt messages sent to you.

Note:  If you are not using Microsoft Outlook or Lotus Notes, you will need an “Add-on” application for your email client or web browser.  Options will be discussed in a future article.

Filed Under: Security, Tech in Plain English Tagged With: Authenticated Email, Certificate Authority, Class 1 Certificate, Class 2 Certificate, Digital Signature, Email, Email Client Software, Encryption, Key Pair, Private Key, Private Key Encryption, Public Key, Public Key and Private Key Encryption, Public Key Encryption, Public Key Infrastructure, Public Key Servers, Secure Email
