Penetration testing blog

I already talked a bit about encryption software you can use to store files safely in your computer, but what about transferring sensitive information? what about sending sensitive information through e-mail?

For encrypted e-mail to work properly, we need software and/or practices on both ends. This means that if you want your communication with your clients encrypted, then you need to get your clients to do something - which is not an easy thing to do. Actually you just convinced your clients to pay attention to you and you even sold them a product/service, now you need to use your m4d jedI skills to get them to encrypt their communication - good luck on that.

Truth is that most of them will pay attention, they are already putting money in the table for you, they somehow trust that you will perform as expected or even far beyond their expectations; then why in the hell wouldn’t they say ‘yes’ to encrypted communications?

And so it begins. What are your options? What’s out there for you?

I personally use PGP (http://en.wikipedia.org/wiki/Pretty_Good_Privacy) but in its GNU version (http://www.gnupg.org/), where I represent myself using my Public Key (visible to anyone I want to share it with) and using my Public Key then clients can encrypt sensitive information and send it over. I then have something very private, called a Private Key - which I need to use in order to decrypt any information that was encrypted using my Public Key. It works the same way for both ends, therefore I need to request the public keys for anyone on the other side, and use that public key to encrypt any sensitive information before I send it over.

So what do you encrypt? If you need to send any outstanding sensitive components then you could simply use the GPG command line utility, encrypt the files and attach them encrypted to your e-mail.

But what happens when you need to send several e-mails a day, and say more, where the contents of the e-mail themselves are sensitive. Dialing information for a conference call, pricing information in the form of ballpark estimates or more? Launching a command line tool to encrypt the e-mail contents and storing those in a file, attaching the file or pasting the encrypted contents in an e-mail to then send the e-mail…sure turns into a headache.

But thanks to lots of very clever programmers and project managers, and QA…and…thanks to lots of people, there are a series of programs that you can use to Adapt PGP to your e-mail client.

The process then turns into:

- You request public keys and import them to your keys database (most of the times just 1 click away)

- You write an e-mail as usual (making sure that the Encrypt e-mail feature is enabled)

- You hit the send button.

- Any other variation that may require one additional step.

- You’re done.

 So back to discussing the alternatives around PGP/GPG - how do you integrate it with your e-mail client?

1. Enigmail (http://enigmail.mozdev.org/) - Works with Thunderbird, SeaMonkey, Mozilla and Netscape. This is the one I currently use and it kicks ass.
2. PGP Desktop (http://www.pgp.com/) - Works at least with Outlook. This is the one your valuable clients may already be using. It isn’t free - so good luck in trying to convince someone into buying a license.
3. What could the third one be? I encourage anyone to submit more options!

Tired of writing - hope you found this useful.

Thanks for reading.