be Smart.
be Secure.
Phone: 800-441-6612

Train your Filters with Bayesian Email Filtering

Published: November 17th, 2015

LuxSci’s Basic Spam Filtering service has just been augmented to include Bayesian analysis.  with Bayesian analysis, each user can train his/her own Spam filters with examples of what that user considers “Spam” and “not Spam”.  With enough examples, Bayesian analysis allows for the classification of new messages by their likelihood to be Spam or not and this drastically  increases the accuracy of your Spam filtering.

All users of LuxSci’s Basic Spam Filtering system get Bayesian analysis at no additional charge — all you have to do is (1) enabled it and then (2) train it.

Read the rest of this post »

Does TLS Corruption Spell the end of SMTP TLS?

Published: November 3rd, 2015

We have seen discussions recently about how attackers can interfere with SMTP TLS, influencing connections, and causing them to be downgraded to insecure — SMTP without TLS.  E.g. Ars Technica’s – “Don’t Count on STARTTLS to Automatically Encrypt your Sensitive Emails“.

What is being discussed here is a very real attack on Opportunistic TLS. I.e. the kind of automated establishment of encryption that can happen when two email servers being their dialog and discover that “hey, great, we both support TLS so lets use it!”  In such cases, servers take the “opportunity” to use TLS to encrypt the delivery of an email message from one server to another.  Opportunistic TLS is great as it is enabling automatic encryption of more and more email over time (see: Who supports TLS?).

The problem is that the initial negotiation of the SMTP email connection, before TLS is established, occurs over an insecure channel.  A man-in-the-middle attacker can interfere with this connection so that it appears that TLS (i.e. the STARTTLS command) is not supported by the server (when it really is).  As a result, the sending server will never try to use TLS and the connection will remain insecure — transmitting the email message “in the clear” and ripe for eavesdropping.

Read the rest of this post »

WebAide and WebMail Features for More and Larger Files

Published: October 9th, 2015

LuxSci has introduced a series of new features and improvements over the past few months to enable better security, larger files, and more ease of use.  Here is a brief rundown of these:

No More JAVA Applets!

LuxSci previously provided JAVA Applets to enable the optional bulk uploading and downloading of files.  However, these days, one can bulk upload files using “drag and drop” and web browsers are moving away from support of JAVA applets for security reasons.  To simplify our interface and remove any need for JAVA, we have removed these applets altogether.

  • To upload files in bulk, simply use “drag and drop”
  • Downloading files in bulk is now done by providing you with a ZIP Archive of the selected files

This change impacts email message composition, downloading attachments from email messages, and uploading and downloading files from WebAides and the File Manager.

Read the rest of this post »

Infographic – SSL vs TLS: What is the Difference?

Published: October 9th, 2015

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are foundations of security on the Internet.  However, between colloquial usage and the relationship between these security protocols, there is a lot of confusion regarding how they are related, how they are different, and what to use in what situation.

For a detailed analysis of these differences and similarities, see: TLS versus SSL: What is the Difference?

The following infographic simplifies and summarizes the comparison.

Read the rest of this post »

Next Generation Data Loss Prevention (DLP) with LuxSci Secure Email

Published: September 29th, 2015

Data Loss Prevention (DLP) describes a plan for companies to control the sending of sensitive data.  E.g. this can include controls to stop the flow of sensitive data or to ensure that sensitive data is always well-encrypted (for compliance) when sent.

In the context of email, DLP is usually achieved through the following formula:

  1. Construct a list of words, phrases, or patterns that, if they are present in an email, signify an email message that may contain sensitive information.
  2. Have all outbound email scanned for these words, phrases, or patterns
  3. For messages that match, take action:
    1. Block: Refuse to send the message, or
    2. Encrypt: Ensure that the message is encrypted
    3. Audit: (and maybe send a copy of the message to an “auditor”)

This classic DLP system is available through many email providers and has been available at LuxSci for many years as well. However, it does have a glaring limitation — no matter how complete and complex your DLP pattern list is, it is almost certain that some messages containing sensitive information will not quite match (or the information will be embedded in attachments that can’t be searched properly).  If they do not match, then they will escape in a way that may be considered a breach.

Read the rest of this post »

Get facebook Email Notifications Securely with LuxSci Email

Published: September 23rd, 2015

facebook has a great feature where you can have all facebook notifications sent to you using PGP-encrypted email.  This is great if you want to be sure that noone except for you can read these messages.

LuxSci has supported sending and receiving PGP-encrypted email for the last 10 years, since the introduction of SecureLine email encryption services (10 years old this month).

In this article, we show you how users of LuxSci WebMail with SecureLine can setup facebook so that all facebook notices will be encrypted and delivered securely to their email Inboxes.

If you don’t have LuxSci email hosting yet, you can try it free.

If you are a LuxSci customer but don’t have SecureLine yet, you can upgrade.

Read the rest of this post »

Are you Minimizing your Risk by using the Next Generation of Opt In Email Encryption?

Published: September 11th, 2015

We have long held that leaving it to each sender/employee to properly enable encryption for each sensitive message (a.k.a “Opt In Encryption”) is too risky.  Why? Any mistake or oversight immediately equals a breach and liability.

Instead, LuxSci has always promoted use of “Opt Out Encryption,” in which the account default is to encrypt everything unless the sender specifically indicates that the message is not sensitive.  The risk with Opt Out Encryption is very much smaller than with Opt In.  (See Opt-In Email Encryption is too Risky for HIPAA Compliance).

The problem is: many companies use Opt In Encryption because it is convenient when sending messages without sensitive information — you just send these messages “as usual,”  without forethought.  These companies are trading large risks in return for conveniences.

LuxSci has solved the “Opt In vs. Opt Out” conundrum with its SecureLine Email Encryption Service.  You could say that SecureLine enables the “Next Generation” of Opt In Email Encryption — combining both usability and security.

Read the rest of this post »

Toggling Between TLS-Only and More Secure Encryption Methods

Published: September 10th, 2015

There are many ways to send an email securely.  These range from the super-easy-to-use but less secure “TLS” method (see About SMTP TLS) to the universal “pick it up on a secure portal method” (that we call Escrow), to the very secure but harder to deal with PGP and S/MIME methods.

Many people like to use just TLS for email transmission security whenever possible, simply because it is so easy for everyone to use — you can encrypt everything, using TLS when possible and Escrow when TLS is not supported by your recipients.

However, if you have compliance needs or deal with sensitive information, there are many situations where you may like to “jack up” the level of encryption from just enforced TLS to TLS if possible plus one of the other methods … one that is more secure and which provides for encryption at rest.  (See: Is Email Encryption via Just TLS Good Enough for Compliance with Government Regulations?)

Disabling “Just TLS” on a per-message basis is quite easy with LuxSci.

Read the rest of this post »

Is Email Encryption via Just TLS Good Enough for Compliance with Government Regulations?

Published: August 24th, 2015

There are many ways to encrypt email, TLS being the simplest and most seamless.  With SMTP TLS (the use of TLS encryption to secure the “SMTP Protocol” used for the transmission of email between computers), messages are transported between the sender, recipient, and all servers securely.  TLS is a layer that fits seamlessly over “regular email” to ensure transport email encryption when supported by both the message sender and the recipient.  With SMTP TLS, sending a secure message works and feels the same as sending any other email message.

“It just works.” That is the ideal combination of security and usability.

SMTP TLS for Email Encryption

However, SMTP TLS only solves the problem of email encryption during transmission from sender to recipient.  It does not in any way secure an email message while it is at rest, whether while in the sender’s “sent email” folder, queued or backed up on the email servers of the sender or recipient, or saved and stored in the email recipient’s folders.  While SMTP TLS is really easy to use, it is important to consider if use of SMTP TLS alone is “good enough” for companies to comply with the many U.S. government laws which apply to email.

When it  is “good enough,” organizations may opt for the seamless simplicity of TLS over the added complexity of other modes of secure email communication.

In this article, we shall examine the security afforded by SMTP TLS and compare that to other modes of email encryption such as PGP, S/MIME, and Escrow (i.e. picking up your message from a secure web portal).  We shall then look at many of the most important laws (HIPAA, GLBA, Sarbanes-Oxley, SB1386, NASD 3010, FRCP, SEX 17a-4, FINRA, and PCI DSS)  to see what is said or implied about using “Just TLS” vs. other, stronger forms of encryption.  We won’t spend a lot of time explaining each law; if you are interested there are innumerable articles on the web for that.  We  focus only on what they say or imply about encryption for email transmission and storage.

The short answer is that many of these laws outline various requirements for email storage, archival, and retrieval for legal proceedings without specifically delineating requirements for the encryption of those messages.  So, use of TLS is just fine with respect to those.

For PCI compliance, avoid email if at all possible; however, if you must use email for sending credit card data, “Just TLS” is not sufficient.

For the rest, the burden ends up being on each individual organization to decide for itself the level of encryption appropriate to protect sensitive data.  Use of encryption methods that provide protection for data at rest can mitigate liability in the case of a breach, but they are not mandated.  There are also ways of protecting data at rest that do not involve more onerous methods of email encryption.

Indeed, your internal risk analysis may find that “Just TLS” is best in some cases and methods that provide explicit data-at-rest email encryption are warranted in others.

Read the rest of this post »

7 Ways You Could be Unknowingly Violating HIPAA

Published: August 14th, 2015

Non-compliance with HIPAA can easily lead to unintended breaches where data is exposed to unauthorized parties.  This can be very expensive!  The cost of a breach depends on your degree of negligence; it ranges from $100 to $50,000 per violation (or per data record).

You don’t want to be caught in a situation where inaction, neglect, or lack of knowledge can result in unintended breaches.  Many small and large organizations are often unknowingly using systems in a way that is either already in breach or which results in frequent sporadic breaches.

Check your organization!

If any of the following scenarios apply to you, it is worth bringing them up the person responsible for compliance (your HIPAA Security Officer) to include in your mandatory yearly Risk Analysis.  Is the risk of breach worth continuing with “business as usual?”

Read the rest of this post »

• Access Anywhere
• Fast and Robust
• Super Secure
• Tons of Features
• Customizable
• Mobile Friendly

Send and receive email from your favorite programs, including:

 Microsoft Outlook
 Mozilla Thunderbird
 Apple Mail
 Windows Mail

... Virtually any program that supports POP, IMAP, or SMTP

Keep your email, contacts, and calendars in sync:

 Apple iPhone and iPad
 Android Devices
 Windows Phone

... Any device with Exchange ActiveSync (EAS) support

Relay your server's mail through LuxSci via smarthost:

• Resolve issues with ISP sending limits and restrictions
• Improve deliverability with better IP reputation and IP masking
• Take advantage of Email Archival and HIPAA Compliance
• Even setup smarthosting from Google Apps!

Free web site hosting with any email account:

• Start with up to 10 web sites and MySQL databases
• DNS services for one domain included
• Tons of features and fully HIPAA capable

LuxSci's focus on security and privacy:

• Read The Case for Email Security
• Read Mitigating Security & Privacy Threats
• Review our Privacy Policy

The most accurate, flexible, and trusted filters in the business:

• Premium protection with Intel Security Saas
• Realtime virus database guards against the latest threats
• Seven-day quarantine lets you put eyes on every filtered email
• Supplement with our Basic Spam Filter for even more features

End-to-end secure email encryption — to anyone, from anyone:

• No setup required — encryption is automatic and easy to use
• Secure outbound email with TLS, PGP, S/MIME, or Escrow
• Free inbound encryption via our SecureSend portal
• Independent of your recipient's level of email security
• Widely compatible and fully HIPAA Compliant

Add an extra layer of security with an SSL Certificate:

• Secure your web site
• Debrand LuxSci WebMail with your own secure domain
• Access secure email services via your own secure domain

Encrypt your service traffic via secure tunnel:

• Add another layer of security to your SSL connections
• WebMail, POP, IMAP, SMTP, web/database access
• SecureForm posts, SecureLine Escrow, SecureSend access
• Restrict your account to VPN access only

Secure long-term message archival:

• Immutable, tamperproof email retention with audit trails
• No system requirements — minimal setup, even less upkeep
• Realtime archival of all inbound and outbound messages
• Works anywhere — even with non-LuxSci email hosting

Free data backups included with all email hosting accounts:

• Automatic backups of all email, WebAides, web/database data
• Seven daily backups and up to four weekly backups
• Unlimited restores included at no additional cost
• Custom backup schedules for dedicated servers

Automate your email management:

• Save messages to specific folders or to LuxSci WebAides
• Advanced text scanning with regular expressions
• Tag messages, alter subject lines, or add custom headers
• Filter by message charset, type, TLS status, DKIM status
• Chain filters together for even more complex actions

• Bulk add and edit users, aliases and more
• Control sharing and access globally or on a granular level
• Delegate user roles through permissions
• Configure account-wide taglines, sending restrictions, and more
• Remotely administer account via SOAP API

Share, collaborate, organize, synchronize:

• Calendars, Contacts, Documents, Notes, Widgets, Workspaces
• Fine-grained access control and security
• Access anywhere via secure web portal or smartphone
• Save over solutions like Microsoft Exchange

Free folder sharing for all email hosting accounts:

• Share mail folders with other users in your account
• Subscribe to only the folders you want to see
• Set read-only or read-write access control
• View all personal and shared folders via unified web interface

Color code and label your email messages:

• Define and assign multiple IMAP keywords to each message
• Filter, search, and sort by tags
• Compatible and synchronizes with any IMAP email client
• Also usable with WebAide entries