Thursday, September 19, 2002

The state of Email encryption: GnuPG, PGP and PGP.Com

Recently, there have been some questions about the status of email encryption, both within the Company and for communication with external users. Currently, the Company has no policy or standards regarding encryption and encrypted email. We do support production processes using encrypted files. Specifically, PGP is used to exchange sensitive information with outside vendors for XXX and certain financial applications.

There are many other useful business tasks facilitated by Public-key cryptography. More information on this technology is available on our intranet server.


IT Audit and the Network and Data Security groups have been using PGP-Freeware with positive results. As explained below, use of PGP-Freeware for business communications is no longer permissible, under PGP.Com's interpretation of the license for that product.


PGP and GnuPG public key queries and key registration using Internet keyservers will work for HTTP keyservers (after configuration of the client proxy settings); however, registration and queries will not work using the LDAP protocol to servers on the Internet, since the proxy only passes HTTP. Our team no longer operates an intranet keyserver, due to a drive failure on our development machine.
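A keyserver, HTTP or LDAP, does not vouch for the keys it returns: anyone can upload a key carrying any name, so a key fetched this way should be checked against a fingerprint obtained from the correspondent out of band (phone, business card, signed contract) before it is used to encrypt anything. The following is an added example, not code from the original page or from PGP/GnuPG: it parses an OpenPGP packet header (old and new format) and computes the version 4 fingerprint and key ID exactly as the OpenPGP standard defines them (RFC 2440 section 11.2, later RFC 4880 section 12.2). The RSA key it builds uses placeholder numbers purely to produce well-formed input; it is not a usable key, and the creation timestamp is simply the date of this post.

```python
import hashlib
import struct


def parse_packet(data: bytes):
    """Split one OpenPGP packet into (tag, body, remainder).

    Handles old-format headers (bit 6 clear; two-bit length-type field) and
    new-format headers (bit 6 set; one-, two- or five-octet lengths).
    Partial-body and indeterminate lengths are rejected rather than guessed.
    """
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet header")
    ctb = data[0]
    if ctb & 0x40:                       # new-format header
        tag = ctb & 0x3F
        first = data[1]
        if first < 192:
            length, hlen = first, 2
        elif first < 224:
            length, hlen = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, hlen = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                # old-format header
        tag = (ctb >> 2) & 0x0F
        ltype = ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        hlen = 1 + (1 << ltype)          # 1, 2 or 4 length octets
        length = int.from_bytes(data[1:hlen], "big")
    body = data[hlen:hlen + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body, data[hlen + length:]


def v4_fingerprint(pubkey_body: bytes) -> str:
    """Fingerprint of a version 4 public key: SHA-1 over 0x99, the two-octet
    body length and the body itself (RFC 2440 11.2 / RFC 4880 12.2)."""
    if pubkey_body[:1] != b"\x04":
        raise ValueError("only version 4 keys are handled")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body)
    return digest.hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order eight octets of the v4 fingerprint."""
    return fingerprint[-16:]


def fingerprint_matches(packet: bytes, expected: str) -> bool:
    """Compare a public-key packet (tag 6) fetched from a keyserver with the
    fingerprint obtained from the correspondent out of band."""
    tag, body, _ = parse_packet(packet)
    if tag != 6:
        raise ValueError("expected a public-key packet (tag 6), got tag %d" % tag)
    return v4_fingerprint(body) == expected.replace(" ", "").upper()


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def build_rsa_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Build a v4 RSA public-key packet (tag 6) with a new-format header.
    Used here only to produce well-formed input; n and e are placeholders."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    length = len(body)
    if length < 192:
        header = bytes([0xC0 | 6, length])
    elif length < 8384:
        header = bytes([0xC0 | 6, ((length - 192) >> 8) + 192, (length - 192) & 0xFF])
    else:
        header = bytes([0xC0 | 6, 255]) + struct.pack(">I", length)
    return header + body


# Constructed placeholder key: a 2048-bit odd number, NOT a real RSA modulus.
CONSTRUCTED_N = (1 << 2047) | 0x10001
CONSTRUCTED_E = 65537
CONSTRUCTED_CREATED = 1032393600        # 2002-09-19 00:00:00 UTC, the date of this post

if __name__ == "__main__":
    pkt = build_rsa_public_key_packet(CONSTRUCTED_N, CONSTRUCTED_E, CONSTRUCTED_CREATED)
    tag, body, _ = parse_packet(pkt)
    fp = v4_fingerprint(body)
    print("tag", tag, "fingerprint", fp, "key ID", key_id(fp))
```

The same SHA-1 construction is what `gpg --fingerprint` and the PGP key properties dialog display, so the value computed here can be compared directly with what the other party reads out. Matching only the 8-byte key ID is not enough; a key with a chosen key ID can be generated, which is why the full 20-byte fingerprint is compared.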


There are plug-ins for PGP and GnuPG for Outlook and Outlook Express, along with many other email clients. Microsoft has no plans to directly support PGP in Outlook, Exchange or Active Directory; instead, Microsoft provides integrated support for S/MIME, which uses the X.509 certificate format. Here is a (somewhat dated) comparison between the various protocols:

http://www.imc.org/smime-pgpmime.html


In general, S/MIME is easier to deploy in a Microsoft-centric (Exchange and AD) environment for purely internal communications, yet PGP/MIME (now standardized as OpenPGP, RFC 2440, with the MIME wrapping in RFC 3156) is the de-facto standard on the Internet.


The commercial PGP division was recently sold by Network Associates. There is a new "PGP.Com" site, with information on products and pricing:
http://www.pgp.com/faq.php

Will You Continue to Support Freeware Products?
Yes. PGP will continue the tradition of freeware products for non-commercial use. The next release of PGP freeware will be in November 2002 for PGP 8.0 for Windows and MacOS X. Customers using freeware products for commercial use - using PGP freeware to communicate with licensed business users - must immediately cease usage and purchase a commercial PGP license. Products can be purchased at https://store.pgp.com/.

Company employees using the "PGP Freeware" unlicensed application must immediately cease usage.

Promotional pricing for the commercial PGP product is available through October 31st. The promotional price for "Corporate Desktop" is $70, and for "PGP Mail" it is $45. Prices are per-seat for any quantity; these prices will increase significantly on November 1st, 2002.
http://www.pgp.com/promo.php


An alternative to purchasing commercial PGP is to deploy GnuPG, the free (GNU GPL-licensed) implementation of the OpenPGP standard, which interoperates with PGP for keys and messages:

  • http://www.gnupg.org/
  • http://www3.gdata.de/gpg/

Tuesday, September 17, 2002

SecurityFocus Article on EAS

Gotta love the FCC.

"Insecurity Plagues Emergency Alert System"
http://online.securityfocus.com/news/613

"Though it's not known to have ever been exploited,
the spoofing risk is one of the factors quietly
driving calls to reform the EAS"

Network World: "Spam filters revealing their darker side"

Last week's "Network World" has an interesting article (excerpts below) on the perils of keyword filters.

In our spam-filtering evaluation, we are taking the majority of the steps (and implementing all of the precautions) noted in the sidebar, with the exception of using IP-based "blacklists" to reject or otherwise limit incoming messages based on the source IP address. I have tried using lists of "known spam sources" from free or commercial "RBL" (DNS blacklist) services, but have not found any such blacklist that strikes the right balance between effectiveness and excessive false positives.
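An RBL lookup is just a DNS query: the sending address's octets are reversed and appended to the list's zone, and an A record (conventionally in 127.0.0.0/8) means "listed". The following added example, not code from the original post or from any RBL operator, shows the lookup and one way to use it that avoids the all-or-nothing rejection described above: the RBL verdict becomes one weighted signal alongside keyword hits, so neither a wrongly listed relay nor a single unlucky phrase can hold a message by itself. The zone name, the keyword list, the resolver answers and the sample messages are all constructed.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional

# Constructed list zone; real DNSBLs publish their own zone names and return codes.
DNSBL_ZONE = "dnsbl.example.net"


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Reverse the IPv4 octets and append the list zone: 203.2.3.4 -> 4.3.2.203.<zone>."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def dnsbl_lookup(ip: str, resolve: Callable[[str], Optional[str]],
                 zone: str = DNSBL_ZONE) -> Optional[str]:
    """Return the A record the list answers for ip (by convention 127.0.0.x), or None.

    Addresses that are not globally routable (RFC 1918, loopback, link-local) are
    never sent to the list: it cannot know anything about an internal relay, and
    lists commonly answer "listed" for 127.0.0.2 as a self-test.
    """
    if not ipaddress.IPv4Address(ip).is_global:
        return None
    return resolve(dnsbl_query_name(ip, zone))


# Deliberately small constructed keyword list standing in for the keyword filter.
KEYWORDS = re.compile(r"\b(free money|act now|click here)\b", re.IGNORECASE)


def score_message(source_ip: str, body: str, resolve: Callable[[str], Optional[str]],
                  dnsbl_weight: int = 3, keyword_weight: int = 1,
                  threshold: int = 4) -> Dict[str, object]:
    """Combine the DNSBL verdict and keyword hits into one score; neither signal
    alone reaches the threshold, so a listed IP only raises suspicion."""
    score = 0
    reasons: List[str] = []
    listed = dnsbl_lookup(source_ip, resolve)
    if listed is not None:
        score += dnsbl_weight
        reasons.append("dnsbl:" + listed)
    hits = KEYWORDS.findall(body)
    if hits:
        score += keyword_weight * len(hits)
        reasons.append("keywords:" + ",".join(h.lower() for h in hits))
    return {"score": score,
            "verdict": "quarantine" if score >= threshold else "deliver",
            "reasons": reasons}


# Constructed stand-in for the DNS resolver: only these two names are "listed".
FAKE_ZONE = {
    "4.3.2.203.dnsbl.example.net": "127.0.0.2",   # 203.2.3.4: a known spam source
    "9.8.7.198.dnsbl.example.net": "127.0.0.2",   # 198.7.8.9: a vendor relay, listed by mistake
}
QUERY_LOG: List[str] = []


def fake_resolve(name: str) -> Optional[str]:
    """Stands in for a DNS A lookup and records every name queried."""
    QUERY_LOG.append(name)
    return FAKE_ZONE.get(name)


SAMPLE_MAIL = [  # (source IP, body) pairs, all constructed
    ("203.2.3.4", "FREE MONEY!!! Act now and claim your prize"),
    ("198.7.8.9", "Attached is the Q3 invoice for your records"),
    ("10.1.2.3", "Lunch at noon? Free money for whoever shows up first"),
]


def run_demo() -> List[Dict[str, object]]:
    return [score_message(ip, body, fake_resolve) for ip, body in SAMPLE_MAIL]


if __name__ == "__main__":
    for (ip, _), result in zip(SAMPLE_MAIL, run_demo()):
        print(ip, result)
```

With these weights the listed-but-legitimate vendor relay scores 3 and is delivered, the spam scores 5 and is held, and the internal message is never looked up at all. In production `fake_resolve` would be replaced by a real A-record query against the list's zone, and the weights tuned against a corpus of known-good mail rather than guessed.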


"Spam filters revealing their darker side"
http://www.nwfusion.com/news/2002/0909spam.html

Monday, September 9, 2002

Wireless Network auditing tool

The "netstumbler" (Wireless network discovery for Orinoco) executable is attached, or can be downloaded from http://www.stumbler.net/


I have a small GPS receiver (no display; uses the serial port, with power taken from the PS/2 keyboard port) if we want to do mapping around the perimeter of the main plant.

A few months ago, I drove around the public roads (outside the Company property line) and found many distinct wireless networks, mostly from apartments nearby; however, two appeared to be part of the main plant deployment (need to check the MACs to be sure).
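The MAC check mentioned above, as an added example that is not part of the original post and is not NetStumbler's code: parse a drive-by summary, normalize the BSSIDs (NetStumbler, other tools and the AP inventory all write MACs differently), and compare each one with the list of the plant's access points. A known BSSID seen from the public road means that AP's signal leaks past the property line; an unknown BSSID advertising the plant SSID is either an unregistered AP or someone impersonating ours. The scan summary, its simple tab-separated layout, the SSID, the coordinates and the inventory are all constructed. Note that a BSSID can be spoofed, so inventory membership says an AP is plausibly ours, not that it certainly is.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class Observation(NamedTuple):
    lat: float
    lon: float
    ssid: str
    bssid: str
    snr: int


# Constructed drive-by summary in a simple tab-separated layout (not NetStumbler's
# own export format): latitude, longitude, SSID, BSSID, SNR.
SAMPLE_SCAN = """\
# lat\tlon\tssid\tbssid\tsnr
42.1001\t-71.5001\tPLANT-WLAN\t00:02:2d:aa:bb:01\t28
42.1004\t-71.5010\tlinksys\t00-04-5A-11-22-33\t12
42.1006\t-71.5020\tPLANT-WLAN\t00:02:2d:aa:bb:07\t19
42.1009\t-71.5031\tPLANT-WLAN\t00:40:96:cc:dd:ee\t22
42.1011\t-71.5040\tdefault\t0006.2544.5566\t9
"""

PLANT_SSIDS: Set[str] = {"PLANT-WLAN"}

# Constructed inventory of the plant's access points (BSSID -> location), the
# list the WLAN administrators would supply for the MAC check.
PLANT_AP_INVENTORY: Dict[str, str] = {
    "00:02:2D:AA:BB:01": "building 1, east dock",
    "00:02:2D:AA:BB:07": "building 3, loading bay",
    "00:02:2D:AA:BB:09": "warehouse",
}


def normalize_mac(mac: str) -> str:
    """Accept 00:02:2d:.., 00-02-2D-.. or 0002.2d44.. and return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("bad MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def parse_scan(text: str) -> List[Observation]:
    """Read the tab-separated summary, skipping blank and '#' comment lines."""
    observations = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        lat, lon, ssid, bssid, snr = line.split("\t")
        observations.append(Observation(float(lat), float(lon), ssid,
                                        normalize_mac(bssid), int(snr)))
    return observations


def classify(observations: List[Observation], inventory: Dict[str, str],
             plant_ssids: Set[str]) -> List[Tuple[Observation, str, str]]:
    """Label each network seen from the public road.

    known   : BSSID is in our inventory, so that AP's signal leaks past the fence
    rogue   : advertises a plant SSID but the BSSID is not one of ours
    foreign : somebody else's network (the apartments nearby)
    """
    verdicts = []
    for o in observations:
        if o.bssid in inventory:
            verdicts.append((o, "known", inventory[o.bssid]))
        elif o.ssid in plant_ssids:
            verdicts.append((o, "rogue", "plant SSID, BSSID not in inventory"))
        else:
            verdicts.append((o, "foreign", ""))
    return verdicts


def summarize(text: str = SAMPLE_SCAN, inventory: Dict[str, str] = PLANT_AP_INVENTORY,
              plant_ssids: Set[str] = PLANT_SSIDS) -> Dict[str, int]:
    counts = {"known": 0, "rogue": 0, "foreign": 0}
    for _, label, _ in classify(parse_scan(text), inventory, plant_ssids):
        counts[label] += 1
    return counts


if __name__ == "__main__":
    for obs, label, detail in classify(parse_scan(SAMPLE_SCAN), PLANT_AP_INVENTORY, PLANT_SSIDS):
        print("%-8s %-18s %-12s SNR %2d  %s" % (label, obs.bssid, obs.ssid, obs.snr, detail))
```

On the constructed scan this reports two plant APs visible from the road (the strongest is the east-dock unit), one rogue carrying the plant SSID, and two neighbours' networks. With the GPS trace the coordinates of the "known" rows also give the points along the perimeter where the leak is worst.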