
RE: [Full-disclosure] S/Mime Exchange 2003 how secure how to secure it?



One thing that you may want to consider is "hardening" the devices that are 
being used.  For instance, a user's PDA or Blackberry can be easily attacked if 
there is no protection on it; biometrics, one-time passwords, passphrases, etc., 
are a big help. Second, what means are you going to use for accessibility: VPN, 
SSL, etc.?  The security aspect should be the first plan of action before 
rolling out any new platform.   Also you may want to make sure that your users 
know how to use their devices and what security precautions they should take.  I 
am sure your company would hate to have one of those devices stolen and find 
out that the user put his/her username and password in some TXT file.  
   
  

Lyal Collins <lyal.collins@xxxxxxxxxxxxx> wrote:
  Do you want data recovery?
  Just forget the password to a certificate/private key, and the company has 
lost access to any company records 'protected' by S/MIME, generally in 
conventional S/MIME setups.  And forget virus/spam scanning too.
   
  Lyal
   
   
   
   
  
  -----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx 
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of Daniel Sichel
Sent: Wednesday, 29 March 2006 3:54 AM
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] S/Mime Exchange 2003 how secure how to secure it?


      Directive has just come down from on high, we WILL use email on our Cell 
Phones/PDAs and non-VPN'd laptops.  I am not a messaging guy but at a small 
telco you wear lots of hats so I could use some real help here. We are 
upgrading shortly to Exchange 2003 on Windows Server 2003 and want secure 
email to and from our cell phones etc. So here are my questions:
   
  How secure is the built-in S/Mime in Exchange 2003 assuming we are using a 
certificate for session encryption? Don't laugh and hoot, I am looking for 
real data not speculation. Are there exploits, and if so what is needed to 
carry them out, physical access, just need the phone number, or what?  Can this 
be brute forced? 
   
  I would like two-factor authentication using the user's password and something 
inherently in the cell phone like a burned-in serial number or the DN or 
something. Is there any support for such a thing that will work on cell phones 
and/or PDAs?
   
  I know OWA sucks on Exchange 5.5 and 2000, how about 2003? Same questions as 
above, is it exploitable, and if so how? Can we require a machine accessing the 
OWA site to flush its cache when done? Hopefully this can be forced without 
requiring an OK click, I just want to do it, no user intervention required (or 
allowed).
   
  Any help would be welcomed; any Microsoft bashing would be a waste of time 
since the higher powers have spoken and you know how that goes: so it is 
written, so shall it be done. 
   
  Thanks  
   
  Daniel Sichel, MCSE, CCNP
Network Engineer
Ponderosa Telephone
   

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
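Lyal's data-recovery point above, demonstrated with the openssl command line as an added example (this is not code from any poster in the thread, nor anything shipped with Exchange). It encrypts a constructed message to a user certificate only, shows that a second (corporate recovery) key cannot open it, and then shows the usual mitigation in conventional S/MIME deployments: enveloping the message to the user's certificate AND a recovery certificate, so either private key can decrypt it. It assumes an `openssl` binary on PATH and a writable temp directory; the names `alice`, `recovery` and the message text are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): why a conventional S/MIME setup loses data
# when a user's private key is lost, and the key-escrow style mitigation of adding
# a corporate recovery certificate as an extra recipient.
# Assumptions: openssl CLI available; all certificates, keys and the message below
# are generated/constructed here for the demo.

# Create two self-signed certs (user and recovery) plus a constructed plaintext.
# Idempotent: a second call reuses the same working directory.
smime_demo_setup() {
    [ -n "$WORK" ] && return 0
    WORK=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=alice" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=recovery" \
        -keyout "$WORK/recovery.key" -out "$WORK/recovery.crt" 2>/dev/null
    printf 'Subject: Q1 numbers\n\nThe figures are attached.\n' > "$WORK/msg.txt"
}

# Envelope the constructed message to every certificate given as an argument.
# -binary keeps the content byte-for-byte so the decrypted output is comparable.
smime_encrypt() {
    out="$1"; shift
    openssl smime -encrypt -aes256 -binary -in "$WORK/msg.txt" -out "$out" "$@" 2>/dev/null
}

# Decrypt an enveloped message with one key/cert pair; exit status is openssl's.
smime_decrypt() {
    openssl smime -decrypt -in "$1" -inkey "$2" -recip "$3" -out "$4"
}

# Scenario 1 (conventional): encrypted to alice only. Returns 0 when the recovery
# key is rejected, i.e. losing alice's key means losing the message.
conventional_loses_data() {
    smime_encrypt "$WORK/user_only.p7m" "$WORK/alice.crt" || return 2
    if smime_decrypt "$WORK/user_only.p7m" "$WORK/recovery.key" \
                     "$WORK/recovery.crt" "$WORK/out1.txt" 2>/dev/null; then
        return 1   # unexpected: the recovery key must not be able to open this
    fi
    return 0
}

# Scenario 2 (escrow): encrypted to alice AND the recovery cert. Returns 0 when
# both the recovery key and alice's key reproduce the original plaintext.
escrow_recovers_data() {
    smime_encrypt "$WORK/escrowed.p7m" "$WORK/alice.crt" "$WORK/recovery.crt" || return 2
    smime_decrypt "$WORK/escrowed.p7m" "$WORK/recovery.key" \
                  "$WORK/recovery.crt" "$WORK/out2.txt" || return 1
    grep -q 'The figures are attached' "$WORK/out2.txt" || return 1
    smime_decrypt "$WORK/escrowed.p7m" "$WORK/alice.key" \
                  "$WORK/alice.crt" "$WORK/out3.txt" || return 1
    grep -q 'The figures are attached' "$WORK/out3.txt"
}

smime_demo_setup
if conventional_loses_data; then
    echo "conventional: recovery key cannot decrypt; data is gone with alice's key"
fi
if escrow_recovers_data; then
    echo "escrow: recovery key (and alice's key) decrypt; data is recoverable"
fi
```

Note that adding a recovery recipient only addresses the data-recovery problem Lyal raises; the gateway antivirus/anti-spam scanner still sees ciphertext unless it is itself given a recovery key and is allowed to decrypt in transit, which moves the trust boundary onto that gateway.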

                        
---------------------------------
Yahoo! Messenger with Voice. PC-to-Phone calls for ridiculously low rates.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/