New Feature Announcements Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more

Archive for the ‘New Feature Announcements’ Category

LuxSci to upgrade all Systems to support only TLS v1.2+

Monday, April 8th, 2019

LuxSci will be removing the remaining support for TLS v1.0 and TLS v1.1 from its services starting July 1st, 2019. This update will be a rolling change to all servers that will take place between July 1st and August 31st, 2019.

TLS v1.0 and TLS v1.1 are very old transport security protocols that have been succeeded by the much more secure TLS v1.2, which came out way back in 2008. All major web browsers released in the last 6+ years support TLS 1.2. Older web browsers may or may not support it (check your browser); however, less than 1% of web traffic across the world actually uses the older protocols.


Email Open and Click Tracking for Everyone

Tuesday, April 2nd, 2019

Have you ever sent an email message and then wondered:

  • Did they open your email message?  
  • Did they click on any of the links that you included?  
  • Which links?  
  • Was the message forwarded on and opened by other people?  
  • When did they read it?

Typical email marketing platforms, like LuxSci’s Spotlight Mailer, include features that expose this information for the email marketing campaigns sent through them.   However, not all email marketing systems include email open and click analysis.  And, what about sending email via other means, e.g., through WebMail, Outlook, iPhone, API, basic SMTP relaying, etc.   Most outbound email systems that are not explicitly geared towards email marketing do not provide any means to learn the answers to these important questions.

With LuxSci’s new email open and click tracking options, LuxSci will add codes to your messages so that you can gather the answers to such business-critical questions for any messages sent through LuxSci:

  • WebMail
  • API
  • SMTP Relaying — i.e., Outlook, Mac Mail, iOS, Android, and all other programs that connect via SMTP

Open and click tracking is included as a standard feature with LuxSci email hosting, LuxSci high volume secure sending, and LuxSci smart hosting.


When LuxSci email open tracking is enabled, LuxSci adds a small image to the end of the HTML part of every message sent to every recipient.  When the recipient opens this message, that image is requested from LuxSci’s servers and we record the “email open” event.   This includes the date/time it was opened, the recipient of that message, and the IP address / physical location where the message was opened.

When LuxSci email click tracking is enabled, LuxSci modifies the links in all HTML parts of every message sent to every recipient.  When the recipient clicks on any of these links, they are taken first to LuxSci.  We record the click event. This includes the URL clicked, date/time it was clicked, the recipient of that message, and the IP address / physical location where the link was clicked.  Then, LuxSci redirects your recipient to the actually intended web address.  This happens so fast that most people never notice the tracking.
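The two mechanisms described above, as an added Python example (not LuxSci's code): it appends a tracking image, rewrites links through a redirect endpoint, and resolves a click. The host `track.example.com`, the `m`/`r`/`u`/`s` parameters, and the HMAC signature that stops the redirect from forwarding to a destination it never issued are assumptions, not details from this page.

```python
import hashlib
import hmac
import re
from html import escape, unescape
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical endpoint and constructed key; LuxSci's real URL format is not on this page.
TRACK_HOST = "https://track.example.com"
SECRET = b"constructed-demo-key"
HREF_RE = re.compile(r'(<a\b[^>]*?\bhref=")([^"]+)(")', re.IGNORECASE)

# Constructed sample HTML part.
SAMPLE = ('<html><body><p>See <a href="https://example.org/report?id=7&amp;v=2">'
          'the report</a> or <a href="mailto:help@example.org">write us</a>.</p>'
          '</body></html>')


def _sign(msg_id, rcpt, url=""):
    data = "\n".join((msg_id, rcpt, url)).encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()


def add_tracking(html, msg_id, rcpt):
    """Rewrite http(s) links and append the open-tracking image."""
    def rewrite(m):
        target = unescape(m.group(2))
        if urlsplit(target).scheme not in ("http", "https"):
            return m.group(0)  # leave mailto:, tel: and fragment links alone
        qs = urlencode({"m": msg_id, "r": rcpt, "u": target,
                        "s": _sign(msg_id, rcpt, target)})
        return m.group(1) + escape(f"{TRACK_HOST}/c?{qs}") + m.group(3)

    html = HREF_RE.sub(rewrite, html)
    qs = urlencode({"m": msg_id, "r": rcpt, "s": _sign(msg_id, rcpt)})
    pixel = f'<img src="{escape(TRACK_HOST + "/o?" + qs)}" width="1" height="1" alt="">'
    # "End of the HTML part": just before </body> when present, else appended.
    new, n = re.subn(r"(?i)</body>", lambda _: pixel + "</body>", html, count=1)
    return new if n else html + pixel


def resolve_click(tracking_url):
    """Redirect side: return the destination only if the signature verifies."""
    q = parse_qs(urlsplit(tracking_url).query)
    try:
        msg_id, rcpt, url, sig = q["m"][0], q["r"][0], q["u"][0], q["s"][0]
    except KeyError:
        return None
    expected = _sign(msg_id, rcpt, url)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # altered link: record nothing, redirect nowhere
    return url
```
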


Open and/or click tracking can be enabled in LuxSci on an account-wide, domain-wide, or per-user basis; you can customize its usage to match your business needs.

To enable account-wide, for all messages sent by all users in your account, go to:

  • Account Settings > Email
  • Scroll down to “Open Tracking” and “URL Click Tracking”
  • Toggle the settings to “On” and press “Save Changes”

To enable domain-wide, for all messages sent by all users whose email addresses belong to a specific domain, go to:

  • Account Settings > Domains
  • Click on the domain in question (if you have multiple in your account).
  • Click on “Outbound Email Settings” on the left
  • Scroll down to “Open Tracking” and “URL Click Tracking”
  • Toggle the settings to “On” and press “Save Changes”

To enable for all messages sent by a specific user, go to:

  • Your user outbound email settings:
  • Scroll down to “Open Tracking” and “URL Click Tracking”
  • Toggle the settings to “On” and press “Save Changes”


Once you have enabled open or click tracking and have sent some messages, you can look and see what has happened. Did anyone open the messages? Who clicked on what links? When?

There are several ways to dig into this juicy data.

User-Level Reports

Log in to your LuxSci account and go to your Reports area. From there, open up the menu area on the left for “Sent Email – From WebMail” or “Sent Email – From SMTP Server,” depending on which messages you are interested in. Next, you can look at the “Message Opens” and “URL Clicks” reports to see what has been opened and clicked. Note that you can export data using the “Download CVS File” button on the upper right of the page. Open and Click details are also available in the “Delivery Status” reports via the “Advanced” reporting tab.

Account-Level Reports

As an account administrator, you can view reports covering sending across all users in your account. Go to your Account Reports area. Then, open the “Sent Email” menu on the left and you can find reports analogous to the user-level ones, described above, but inclusive of the sending from all users.

API Reports

If you would like to integrate email open, click, and other deliverability information into your own database or application, you can use LuxSci’s REST API. The API provides all of the functionality of the user and account user interface reports, but through programmable queries and filters.


When open or click tracking is enabled, images and/or links are added to your email messages that reference luxsci.com.  If you would like to customize this so that your own domain name is used for these images and links, LuxSci offers “Private Labeling.”  Customers with Private Labeling can customize many aspects of LuxSci, including the look of the WebMail interface and the domain name used for these links and images.  If you already have Private Labeling enabled, then your configured secure domain name will be automatically used with open and click tracking.

Want to learn more about HIPAA-compliant email marketing and reporting? Contact us.

How Secure Is Your Email Provider?

Tuesday, March 26th, 2019

Most people don’t put a lot of thought into the security of their email. As long as it sends and receives messages without overloading them with spam, it seems to be enough, right?

Well, that depends on what you use your email for.

If you only use it for reading chain letters from your aunt and skimming through the newsletters from your favorite organizations, then you might not have much to worry about.

But very few people use their email in such a limited manner. It’s often used as a second authentication factor for other accounts, many people get their bank statements sent to them via email, and others use it to talk about critical work details.

That’s not to mention the countless other pieces of sensitive and valuable information that people communicate over email each day.

If you use your email for any of the above, then you need to think twice about your email’s security.


Because email is inherently insecure.

Without additional protective measures, the plaintext of your emails can easily be intercepted by attackers.

That’s right. Someone could have seen your online banking passwords that time you emailed them to your husband. A hacker could have read that message you sent to a friend where you called your boss every bad name in the book, then used it to blackmail you. An attacker could even receive the link to reset your password and use it to hijack your account.

If that’s not bad enough, your messages can also be modified or deleted in transit. And this is just the tip of the iceberg when it comes to the security and privacy issues that surround email.

Let’s look at some of the particular problems associated with some of the world’s most popular email providers, Gmail and Outlook:


Thankfully, in 2017, Google announced that it would no longer be automatically scanning emails for advertising purposes. It’s good news that they are no longer diving through their customers’ messages with their tools. However, third-party apps that are installed on people’s devices can still be configured to scan through emails instead.

So maybe Google isn’t going through your messages any more, but there is the potential that other companies are.

Messages are encrypted within Gmail’s systems and when traveling to some of the major email providers. However, this all depends on the recipient’s email provider, and some providers may not offer TLS encryption. This means that a message may travel part of the way as cleartext.

When you add in Google’s strong history of collecting as much user data as they can, it’s safe to assume that Gmail is not the best option for those who are privacy conscious.


Outlook does offer configuration options to send completely encrypted email, but it is not set up by default and can easily be misused. It operates under a different funding model to Gmail, so one positive aspect is that it hasn’t been as rife with privacy issues as Google’s offering.

While it is possible to sign a Business Associate’s Agreement with Microsoft, Outlook isn’t really set up to be HIPAA-compliant, so using it for your HIPAA needs can be very dangerous.

Looking for a Provider that Takes Your Email Security Seriously?

None of the major providers make it easy to be HIPAA compliant, nor are they designed with your security needs in mind. These organizations are also huge targets for hackers and they have massive attack surfaces that they need to defend. All of them have had a number of serious data breaches over the years as well.

LuxSci is a security provider that specializes in HIPAA compliance, and keeping our customers safe is one of the foremost design objectives in all of our services. That’s why we’ve tailored our secure email service to offer completely encrypted email in a number of different ways, including TLS, portal-pickup, PGP and S/MIME.

We also offer a range of configuration options that make it easy to prevent user errors, such as opt-out encryption.

If you really care about your email’s security, then you should be choosing a provider who prioritizes it at the core of their service, rather than a mainstream competitor who has only tacked it on over the years after countless damning media reports. Keep your messages safe with LuxSci.

Want to discuss how LuxSci’s HIPAA-Compliant Email Solutions can help your organization?  Contact Us

CalDAV & CardDAV: The Keys to Syncing Your Calendar & Contacts

Wednesday, February 6th, 2019

If you use a calendar app to organize your life, you may have noticed that you can add a new event on your phone and it will be immediately updated to your desktop. Likewise, your contacts can also be updated instantly across your devices whenever you make changes.

Have you ever stopped to wonder how this happens?

Unfortunately, it’s not magic, unless you consider the painstaking process of a bunch of engineers sitting in a room and bickering to be magical.

The answer behind what is actually going on will depend on which system we are talking about, but some of the most common underlying protocols for syncing are CalDAV and CardDAV.

Calendaring Extensions to WebDAV (CalDAV), and vCard Extensions to WebDAV (CardDAV) are Internet Standards that are frequently used to sync calendars and contacts, respectively. They are both based on the HTTP extension, WebDAV, which enables clients to remotely edit documents on a web server.



What Does CalDAV Do?

To understand what CalDAV does, let’s first discuss one of the main problems that led to its development. Let’s say you’re a businesswoman in 1995. You have a secretary who normally handles your scheduling, but you run into an old friend on the street.

You have a quick conversation and then, knowing that you have the night free, you agree to meet up for dinner. The problem? Just minutes before, your secretary had scheduled drinks with your superiors at the exact same time.

When you see your secretary a little while later, you find out that you have been double-booked and face the difficult decision of either ditching your friend or skipping the business drinks, which could lead to numerous career opportunities.

The real issue here is that previous systems just weren’t reliable enough to make real-time changes to your schedule. Well, what if a current version of your schedule could be accessed at any time from anywhere?

This is what CalDAV can give us. There is a range of other calendar systems that perform similar functions, but CalDAV is an interoperable standard that is now used in a range of calendar applications.


Where Is CalDAV Used?

Some of the most common clients that use the CalDAV standard include:

    • iCloud Calendar (i.e., iOS and macOS)
    • Google Calendar
    • Windows 10 (for integration with both iCloud and Google’s calendars)
    • Open Sync (an open source Android synchronizer)
    • BusyCal
    • Many other apps for mobile and desktop

There is also a range of third-party applications that support CalDAV and make it easy to use on systems like Windows.

At LuxSci, we also offer CalDAV synchronization as part of our HIPAA-compliant secure email. Our setup makes it simple for users to access, share and update their calendars across their devices. On top of this, our CalDAV solution also comes with our security-first approach. Your calendar is guarded by TLS and can only be accessed with your password, meaning that only authorized individuals have access to your data.


How Does CalDAV Work?

To understand CalDAV and how it can update in real-time, we have to think about where the calendar is actually stored. Is it stored on your computer? On your phone? In the ether? Or is it somehow simultaneously stored everywhere?

The answer is that your calendar is stored on a remote server. This provides a central hub that gives your devices up-to-date information.

If someone wants to schedule something on your calendar, they can perform queries to find when you have free time available. The owner of a particular calendar can set their own security levels, as well as nominate who can make changes to their calendar. Since CalDAV is an interoperable standard, it can do this between organizations and across a range of different types of software.
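The free-time query mentioned above, as an added Python example (not LuxSci's code): it builds the body of a CalDAV `free-busy-query` REPORT (RFC 4791) and checks a proposed slot against the reply, which is the double-booking case from earlier in the post. The reply is a constructed sample; a real request is sent to the calendar collection over TLS with the user's credentials.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

CALDAV_NS = "urn:ietf:params:xml:ns:caldav"
FMT = "%Y%m%dT%H%M%SZ"  # iCalendar UTC date-time form
DUR_RE = re.compile(
    r"P(?:(\d+)W)?(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed sample reply: the server reports when the calendar is busy,
# not what the events are.
SAMPLE_REPLY = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//Example//CalDAV//EN\r\n"
    "BEGIN:VFREEBUSY\r\nDTSTAMP:20190206T120000Z\r\n"
    "DTSTART:20190206T170000Z\r\nDTEND:20190206T230000Z\r\n"
    "FREEBUSY;FBTYPE=BUSY:20190206T190000Z/PT2H\r\n"
    "FREEBUSY:20190206T173000Z/20190206T180000Z\r\n"
    "END:VFREEBUSY\r\nEND:VCALENDAR\r\n"
)


def _utc(text):
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)


def free_busy_query(start, end):
    """XML body of the REPORT request; start and end must already be in UTC."""
    ET.register_namespace("C", CALDAV_NS)
    root = ET.Element(f"{{{CALDAV_NS}}}free-busy-query")
    ET.SubElement(root, f"{{{CALDAV_NS}}}time-range",
                  start=start.strftime(FMT), end=end.strftime(FMT))
    return ET.tostring(root, encoding="unicode")


def busy_periods(ical):
    """Sorted (start, end) pairs from the FREEBUSY lines of a VFREEBUSY reply."""
    periods = []
    unfolded = re.sub(r"\r?\n[ \t]", "", ical)  # undo iCalendar line folding
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        if name.split(";")[0].upper() != "FREEBUSY":
            continue
        if "FBTYPE=FREE" in name.upper():
            continue  # explicitly free time is not a conflict
        for item in value.split(","):
            first, second = item.strip().split("/")
            start = _utc(first)
            if second.startswith("P"):  # start/duration form
                w, d, h, m, s = (int(x or 0) for x in DUR_RE.match(second).groups())
                end = start + timedelta(weeks=w, days=d, hours=h, minutes=m, seconds=s)
            else:  # start/end form
                end = _utc(second)
            periods.append((start, end))
    return sorted(periods)


def conflicts(periods, start, end):
    """Busy periods overlapping the proposed [start, end) slot."""
    return [(s, e) for s, e in periods if s < end and start < e]
```
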


What Does CardDAV Do?

As you might have already guessed, CardDAV allows people to keep their address books and contact information updated in real-time and across all of their devices.

With CardDAV, you can alter the personal details of a contact on your phone and the same changes will be made on your computer, without you having to do anything else. Its interoperable nature makes it easy to sync contacts between a variety of different platforms, saving you the hassle of doing it manually.


Where Is CardDAV Used?

Some of the most common clients that use the CardDAV standard include:

    • iCloud Contacts (i.e., iOS and macOS)
    • Google Contacts
    • Windows 10 (for integration with both iCloud and Google’s contacts applications)
    • BusyContacts
    • Many other apps for mobile and desktop

Third-party applications can also be used to integrate your contacts into platforms that don’t natively support CardDAV.

Just like with CalDAV, CardDAV synchronization is also a part of LuxSci’s HIPAA-compliant secure email. This makes it easy for you to sync your contacts, all with LuxSci’s renowned approach to security keeping your information safe.


How Does CardDAV Work?

Since we have already introduced CalDAV, which is similar in a number of ways, much of the mystery behind CardDAV is pretty easy to figure out. Once again, your address book is kept on a remote server. When updates are made from your phone or computer, the changes are put through to the server, which keeps all of your other devices in sync.

The CardDAV standard makes it much easier to keep your contacts in order and up-to-date. Without it, we’d either be faced with the arduous task of constantly editing our own address books or having to deal with confusing address books that are filled with duplicates and errors.

The Government Shutdown’s Impact on Cybersecurity

Thursday, January 31st, 2019

The Federal Government shutdown put a halt to many government processes and threw the lives of many of its workers into turmoil. But it also had an effect on the nation’s cybersecurity, causing damage that could last well into the future.

Many national security employees were working without pay and other departments were operating with significant cuts to their workforces. While many of the organizations that normally battle cybercrime were operating at reduced capacities, the threat level remained just as high. This led to a number of potential cybersecurity issues.


Disruptions to Criminal Investigations

The government shutdown caused significant problems for federal cybercrime investigations, which could have long-term impacts. KrebsonSecurity quotes an anonymous federal source who said that the shutdown was “a giant distraction and people aren’t as focused.” The same source also said that there was no money for travel budgets and important meetings had been delayed, which prevented cases from moving forward.

The shutdown also cut off funding for confidential human source payments, which are payments to sources that provide intelligence used to protect the U.S. Without these payments, the intelligence stopped coming in, putting the nation at risk. Similarly, the FBI could no longer make payments to informants for ongoing investigations, which was detrimental to its cases.

The shutdown also affected the Justice Department’s ability to hand out subpoenas and warrants. An article in Data Breach Today quoted an agent about how it impacted their work.

“As a result, only ’emergency’ subpoenas are being issued, and any ‘non-emergency’ subpoenas will not be processed until after the shutdown. This is causing affected [sic] investigations to be put on hold until the shutdown ends.”

Subpoenas and warrants are critical for many federal cybersecurity investigations. Without them, cases cannot proceed. Since many investigations are time sensitive, this interruption caused a series of problems.

The Shutdown Makes Federal Work Less Appealing

Many people work for government agencies because they perceive the jobs to be more stable than the private sector. Frequent government shutdowns and the suspended payments that come with them begin to make federal employment seem far less appealing.

According to the anonymous source quoted in KrebsonSecurity, the shutdown has caused many individuals to either retire or seek other employment.

“The talent drain after this is finally resolved will cost us five years. Literally everyone I know who is able to retire or can find work in the private sector is actively looking, and the smart private companies are aware and actively recruiting. As a nation, we are much less safe from a cyber security posture than we were a month ago.”

Hiring new agents was not so simple, because the clearance process had also been interrupted by the shutdown. Even if they could have been hired, the shutdown has likely made government opportunities seem far less attractive, which could lead to less-skilled applicants in the future.

NIST & CISA Operated at Minimal Capacity

Most of the National Institute of Standards and Technology’s (NIST) workforce was furloughed, meaning that the agency was no longer making progress on its documentation and other initiatives. During this period, its website was no longer being updated, preventing the latest developments from reaching security professionals.

The Cybersecurity and Infrastructure Security Agency (CISA) had its staff reduced from 3,431 employees to 2,008. CISA is responsible for securing the nation’s critical infrastructure, so such a dramatic cut represented a significant vulnerability in the nation’s overall security.

Security Certificates Expired on Government Websites

The shutdown also led to the expiration of many government website security certificates. According to Netcraft, the number was up to at least 130 by January 16, but it could have been higher.

This was an issue because many browsers discourage users from visiting sites that have expired certificates. This could prevent many people from accessing government information and services.

Who Was Monitoring & Maintaining Government Systems?

With such huge proportions of the federal workforce furloughed, it is likely that many essential monitoring and maintenance processes were being overlooked or performed poorly. If there were fewer workers to analyze logs and alerts, then it’s possible that serious threats may have been missed. There is also a chance that the backlog of alerts could cause some critical events to be overlooked.

The shutdown could also have prevented regular maintenance from taking place. Unless auto-updates were in place, these systems would have been vulnerable to the latest flaws.

Online threats stay just as high even when these agencies are operating at a limited capacity. Because of this, it’s likely that such a long shutdown could have caused long-lasting damage to the nation’s cyber health.