SSL v3 and TLS v1 are subject to a serious exploit, according to a recently published attack mechanism (called BEAST).  This sounds foundation-shattering and kind of scary. When people see this, as when we did, the first panicky questions that arise are:

• What is really affected?
• How serious is it?
• What can I do to protect myself?
• How does the BEAST attack actually work?

After researching this issue, we have digested what we have found and produced this article to answer all of these questions for you.

Read the rest of this post »

We are frequently approached by customers in need of HIPAA compliant email who are currently using Gmail, or who have users that are familiar with and like Gmail.   They would, of course, like to add HIPAA compliance without changing any of their business processes or habits.

For example, some customers may want to setup HIPAA compliant email with LuxSci and have those secure messages forwarded to Gmail, where they can access them in their “usual way”.  In general, this is a bad idea — this will almost always be non-compliant and leave them at significant risk for breaches, disclosure, and HIPAA liability.

No one who must abide by HIPAA should be accessing ePHI though Gmail.

Read the rest of this post »

I read about how Gmail supports “multiple Inboxes” and this seemed like a nice new feature.  However, LuxSci has allowed users to access the Inboxes and other folders from other accounts in its unified WebMail interface for over a year and a half now … i.e. this is old news. However, it’s not really “old news” as their “multiple Inbox” feature is named in misleading way — it is not supposed to give you access to other people’s Inboxes!

In this post, I’ll show you how to simulate multiple Inbox access in Gmail using the “multiple Inboxes” feature and indicate how this is not really a true multiple Inbox scenario and has some significant limitations.  Then, we’ll show you how to set up the same thing in LuxSci. Finally, you’ll see how to use LuxSci for true shared folder access.

Read the rest of this post »

When diagnosing issues with email delivery and analyzing the properties of an email message, it is almost always the case that one needs to obtain either the “full headers” of the message or the “source” of the message.

The “message source” is the complete raw content that represents the message.  This includes all of the “metadata” about the message (who its from and to, the subject, etc.) as well the body content and all of the attachments. The full message source really contains two distinct parts — the full headers and the body.  The full headers are at the beginning of the message source and continue until a blank line is reached;  one or more blank lines separate the headers from the body.

In this article, we are not going to discuss what is in the headers or body, or how that information is formatted.  Instead, we will show you how to retrieve this information when using different kinds of email programs and web-based systems.  With these instructions, you should be able to get the “full headers” from any email message located in most email systems.  This information can be helpful to your technical support representatives when analyzing message behavior.

Read the rest of this post »

Frequently, we are asked to verify if an email that someone sent or received was encrypted using SMTP TLS while being transmitted over the Internet.  For example, banks, health care organizations under HIPAA, and other security-aware institutions have a requirement that email be secured at least by TLS encryption from sender to recipient.  This can and should be locked down to ensure that the email message content cannot be eavesdropped upon.  This check, to see if a message was sent securely, is fairly easy to do by looking the the raw headers of the email message in question.  However, it requires some knowledge and experience.  It is actually easier to tell if a recipient’s server supports TLS than to tell if a particular message was securely transmitted.

To see how to analyze a message for its transmission security, we will look at an example email message sent from Gmail to LuxSci, and see that Gmail does not use TLS when sending messages, even when it can.  This indicates that Gmail is probably not a service to be used when you have any kind of encryption requirements.

Read the rest of this post »