How S/MIME Encryption works, Part II

As promised, here is part two of our S/MIME encryption series (how to encrypt your email on TouchDown for Android) by our awesome support master, Dragonfly:

First off, I open the email with the certificate attached. Entering the attachment list, I download and long press it to bring up a menu, and choose ‘import certificate.’

Long press on the attached certificate.

Choose import certificate.

I enter the password.

Enter the password.

This menu pops up, make any changes you want, and hit Ok. Contact your IT team if you’re not sure if you need to choose any of these settings.

Now I have the certificate imported, and can send out signed or encrypted emails. As I want to send an encrypted email to welovenitrodesk, I’ll grab their public key in an email they sent to me.

The signed email from welovenitrodesk. I apparently can’t spell sign.

I click on the key icon in the top right, and am prompted to validate the certificate, which I do. Now I have their public key in my store.

Click Validate.

The certificate is valid.

Now I compose an email to them and click the menu button, and choose ‘options’.

The device I used for this doesn’t have a menu button, so Touchdown generates a soft one. Different devices will look different, but it usually isn’t too hard to find the menu key on the compose screen. (If you don’t see a soft menu button, and are on a device running Android 3.x or above, you want to be using Touchdown HD instead of Touchdown for Smartphones.). Optionally you can also press the Options button on the blue toolbar.

Choose to sign and encrypt it.

And just like that, I’ve sent welovenitrodesk a signed and encrypted message.

Meanwhile, in welovenitrodesk, the signed/encrypted message decrypts perfectly.

Hope this helps users get a better understanding on how to use S/MIME functionality with Touchdown for Android. If you have any questions, please feel free to contact us at support@nitrodesk.com for any iOS queries. Thanks for reading!

Securing your Email with S/MIME

Today we start an awesome mini-series from one of our support gurus, DragonFly, about how S/MIME works in general, with following tutorials on how to implement S/MIME in TouchDown on iOS, Android and Mac platforms.  Check out today’s tutorial on iOS!

Hi,

Dragonfly from NitroDesk support here. In the following, today I’ll be describing how to import and use S/MIME in Touchdown for iOS. Using this functionality you can sign messages, proving that you are the person sending that particular message, and optionally encrypt them, meaning the email will only be readable by people who you have included in the message. Signing provides you with non-repudiation and potentially detect tampering on the fly and encryption prevents unauthorized viewing of the message. This type of functionality is great for keeping your emails safe and ensuring that information’s coming from the right source. (For more information on how S/MIME works, here’s a good tutorial: http://technet.microsoft.com/en-us/library/aa995740%28v=exchg.65%29.aspx) Just know that to send an encrypted email, you need to have the recipient’s public key and vice versa- these can be verified from within Touchdown when that person sends you a signed message. Here’s what you’ll need before you get started:

First, you’ll need a certificate for S/MIME signing and the latest version of Touchdown. To get a certificate for S/MIME, you’ll want to contact your IT team. Also, keep in mind the only two certificate types Touchdown supports is .pfx and .p12. The certificate would need to include the complete chain to the root certificate authority.

If you have your certificate already in IE, but need to export it to your desktop,Here’s how (in IE):

1. Go into the Settings>Internet Options, and clicking on the Content tab.

2. Click on Certificates, and find the one you want to export

3. Click Export. Make sure you choose the option to export the private key and also to include all certificates in the certification path.

4. Choose a file path, and save it.

5. Don’t forget to  remember the password you use to perform the export. This password prevents anyone else from being able to access the certificate. If you’re having difficulty with this process, contact your IT team and see if there’s another way you should be doing it. As with any operations like this, make sure you are staying within your IT team’s best practices so you stay in alignment with any security policies.

6. Once you have your certificate backed up to a file, send that file to your email as an attachment, and you’re ready to go.

Let’s start with the iOS version.

S/MIME for iOS

In this demo, I show how to send an encrypted email to the ‘welovenitrodesk’ account.

First, I want to ensure that I have my certificate for S/MIME, so I find the email with the attached certificate, and view it in the attachment list.

The attached certificate, note the file type is .pfx. 

After downloading, I click the ‘I’ icon and choose to ‘Import for both.’

Choose Import for Both.

A password prompt appears.

Enter your certificate password here that was created when you generated the certificate. 

After entering the correct password (This is set up during certificate exporting from your browser, for help with this  please contact your IT team) it will tell you your certificate has been saved.

Saved certificate message. 

Now that I have a certificate, I’m ready to send the account  welovenitrodesk an encrypted message:

I click on the tools/options icon and enable Encryption and signing.

Tools icon to enable encryption signing.

Enable signing and encryption for the email.

I send the email. If you suddenly see this message (see below), it means you didn’t validate the recipient’s public certificate key from a signed message. (This can also be done over the GAL if your company supports it.) Remember how I said earlier that to send an encrypted email, you need the recipient’s public key? Now I just need to fetch it. Thankfully, a while back welovenitrodesk sent me a signed message, which contains the key.

Oops!

I find the email where welovenitrodesk sent me the key, and click on the lock icon.

Welovenitrodesk sent me a signed message.

I click ‘verify signature’ and it verifies.

Now I can send that encrypted message!

The second time, I attempt to send the encrypted message again. This time it comes through.

Back in welovenitrodesk, after having imported the public certificate and the welovenitrodesk certificate, I check the encrypted message, and am able to successfully decrypt it.

The signed and encrypted email.

Clicking on the lock icon, I can confirm that it is indeed signed and encrypted.

Hope this helps you get a better understanding on how to use S/MIME functionality with Touchdown for  iOS. If you have any questions, please feel free to contact us at  iossupport@nitrodesk.com for any iOS queries. Be sure to check in on Monday for Part II, SMIME for Android. Thanks for reading!

A little movie about TouchDown

Alex Fauske is a genius – we love what he did for us!

KNOX Vulnerabilities

There is a lot of buzz going around the discovery that Samsung’s KNOX container has been found to have some vulnerabilities, as reported by the Wall Street Journal Tuesday and  PC World yesterday.  While it is very poor timing for Samsung, considering CES, the huge technology show in Vegas, starts next week, we are confident that Samsung is dedicated to security and will find a fix quickly.

What exactly is the concern? The vulnerabilities found by Israel’s Ben-Gurion University of the Negev indicate that Knox software (when used on a  Samsung Galaxy S4 or Note 3) could allow malicious apps to eavesdrop on data transferred within the secure environment.  The WSJ reports :“Samsung officials told the Journal that the vulnerability was found in developer phones that weren’t “fully loaded with the extra software that a corporate client would use in conjunction with Knox,” the paper reported. So far, the Knox vulnerability has only been discovered on the Galaxy S4.”

The PC World article compared KNOX to our TouchDown, since both are designed to keep data secure – so what does all this mean and how does it work?  TouchDown was specifically designed to keep data secure against this type of data breach.  It keeps corporate data secure through encryption and by keeping it ‘sandboxed’ away from a users personal data on their device (smartphone, laptop, tablet).  It works directly with ActiveSync Exchange and keeps email, contacts, calendar and notes data secure when kept within TouchDown.  Meanwhile Samsung’s KNOX creates a container around several third party apps, with the purpose of keeping data within those apps separate from app data not inside the KNOX container.  The security breach discussed  in the article regards the potential security breach of the KNOX container itself, meaning malware could have access to apps inside the container.  If there are apps inside the container that are not secure, they could potentially be breached. Luckily, TouchDown users can breathe easy, since even if a malware attack did get past the KNOX container it would not be able to breach TouchDown data. So whether you are using  TouchDown in or out of the KNOX container on a Samsung device, your data will remain secure and separate from other data on your device.  If you’re not using TouchDown…what are you waiting for??

TouchDown for Windows 8.1updates

Our Windows developer has been working like crazy adding in  more features and fixing the bugs on our latest platform added to the TouchDown family – Windows 8.1.

 

Currently, the focus is on stabilization of  the app and making it more even responsive. The next release, after the holidays, should show a huge improvement!  In the meantime, small bugs are being fixed now and new versions are being added to the Windows store on a weekly basis.

We are also adding user settings such as Calendar view settings, what working hours are, etc – simple ways to customize how  TouchDown for Windows looks and works for you.  Which brings me to the exiting part:

Now is your big chance!!  Add comments to this blog post about what features you want to see or change, and we’ll see what we can get in to the next big release in January.   This is your opportunity to shape this app and make it work just how you want – how often does that happen??

Why TouchDown for Mac?

Today we get to hear straight from the mind of our developer himself!

Why TouchDown for Mac?

Some of you may wonder why NitroDesk, traditionally a mobile email product developer, would build a Mac version of TouchDown. TouchDown has traditionally been available on mobile platforms Android and iOS, but Mac is really a desktop platform. So what gives?

Last year when we switched from a pure android shop to build an iOS version, it forced some of us to start using Macs as our desktops (it’s hard to build an iOS app on a Windows desktop). Initially we got by installing parallels on the Mac and with using Outlook.  We also had the native Mac client syncing our emails. But eventually we got tired of having to switch between Mac and Windows just to do everything unrelated to development (performance issues due to the two OSs, and the fact that we use Eclipse on Windows to build our android app was another reason – there are several legacy reasons why we could not switch to Eclipse on the Mac). So, we  switched from Parallels to BootCamp to dual boot Win8 and Mac on the same computer. That made life easy in some ways (we could actually boot back and forth and get the job done – Eclipse would actually run in Win8 on bootcamp). Personally the best windows PC I have used is a Mac PowerBook Retina (shhh, don’t tell anyone).

This was a good move in a sense. This helped us focus on one platform at a time. The pain of rebooting to switch from iOS to Android was enough to prevent our minds from wandering.

But it caused a couple of problems

• We would get a notification of emails on our mobile devices as soon as mail arrived. However, if the mail required us to write a reply from a computer, we had to wait and wait until Mac Email finally received the message. This was most frustrating for email junkies like us who needed to finish responding so we could move on to the next task.
• Tooling around in the Mac partition, we discovered this:

Every email received in the Mac Mail app was in plain view in Windows, when using Boot camp. While promiscuous sharing like this between platforms was just great when we need to copy files over from one platform to another, we were not too thrilled with the implications of this (each .emlx file contains the received message in base 64 encoding), which had some serious implications – consider this not too uncommon scenario:

Your CFO is traveling with a MacBook Air and an iPad. You have spent some serious coin on an MDM that would protect the email content on the iPad (probably even mandated the use of TouchDown and an MDM on your iPad). So your corporate data is more secure than Fort KNOX, with a GATE around it. Lose that iPad? You can whip out your cannon and do a remote wipe on it, disable it and nuke it to kingdom come. BUT what happens when he loses the MacBook Air? The MacBook probably syncs with either outlook or Mac Mail. It has waaay more data (no control on email history to download to it) than the mobile device you just nuked. This time around, all you can do is pray for the finder to simply format it rather than trying to get the data out.

YES, laptops are MOBILE!  And Macs are vulnerable when they have a partition!

Consider this other scenario:

Your employees use Macs. Every email they send or receive is in that directory in plain text. Any application they may have downloaded from the internet (you can side load applications with no restriction on what they can do) can contain a Trojan which looks for the Mac Mail directory, enumerating, reading and decoding emails, contacts, calendar, notes etc, looking for passwords, credit-card numbers, (PHI if you are a hospital).

This was indeed an OH CRAP moment for us. We have been working hard for the past five years to protect your corporate information, and still we haven’t done enough for our corporate customers.

Hence TouchDown for Mac.

With TouchDown for Mac, all the data in the application is encrypted, so no other application can read or decode it easily. Without explicit user action, none of the email data or attachments can leak outside the protected sandbox we place around it.  And no, They cannot be viewed in Windows if you dual boot.  Boot away 🙂 “And there’s more!”

…and all the nice tweaks and productivity measures we have added to our mobile apps, and a future resplendent with new ways to work with your corporate email account. (GTD, MYN ? anyone?)

…and PUSH email with an exchange client without being limited to an IMAP connection.

…and the ability for you to import SMIME certs to the application sandbox (not the whole computer) and have touchdown use those to encrypt and sign your emails.

…and the ability to set your OOF.

…and the fact that it may even be a viable solution for implementing the Direct Project (http://directproject.org/content.php?key=overview) – Physicians love Macs (at least mine does), and if we can get them to communicate via secure email, we would have done some good.

Well then, Why NOT TouchDown for Mac!

-g

TouchDown for Mac – Custom notifications

Despite working on the UI on the Mac version of TouchDown, there are still fun features that Goutham (who built it) surprised me with – especially my new favorite feature, the custom notification feature.

I like to know when I have new email, and since I am often working on a Mac desktop, a Macbook air and a Samsung PC  all at the same time, (meaning my eyes aren’t always staring at the inbox), I LOVE that I can create sound notifications.  Not the boring “Ding” that says you have a new email, but awesome, completely custom, speech notifications, PER account.  So lets says I have my main inbox,  which just happens to be my name @nitrodesk.com.  I might have it say “Heh, you have mail.”  or if Im having a bad day, I might even have it say “You are amazing” everytime I receive an email.

The coolest part is not the self-esteem booster, but the fact that I can then go to my second and their and fourth account that I have configured for Touchdown, and give each one a different sound/speech notification.  So for my support email I may have it say “check support email.”  So whether I am pouring over the PC working on some Windows 8 design issue, or having a snack in the lunchroom, I know exactly what account just landed an email that needs my attention.

Want to know who the email is from or who sent it?  You can do that too.  Here’s how:

In general, you will want to select the account you want to change the notification for – below, I have selected my main account, Daniela@nitro….

1. Click on Settings Icon (lower left hand corner)

2. Click on Notifications, making sure its the Notifications tab under the account you want to amend.

3. Select the Speak radio Button

 

4. Enter what you want it to say when you receive a new email in the “Speech String” box

5. If you are feeling down, have it say something positive about you, and send yourself email (ok, maybe that’s me…)

 

 

Differentiating notifications between accounts

If you want to have a different notification for additional accounts you have configured on your TouchDown for Mac, simply click on that account (mine is blank in this example) and repeat steps 1-4 above.  Easy Peasy!!

 

To get even more details, like WHO sent the email, or the title of the email, repeat steps 1-3, and then:

4.  If you want to hear the sender, write something like “Message from” (or email from) and then write “from” like this: %from%      An example would be “Email from %from%”

5. If you want to hear the subject of the email, write something like “email titled %subject%”
   You can even do both, such as “You have an email from %from% with the subject %subject%”

 

SO whether you want  differentiate your incoming email with speech notifications, boost your self-esteem or TouchDown tell you what the subject line is, this is one cool feature I am already hooked on.

Let me know what you think, and what your notification is.

TouchDown for Mac is here

So here at TouchDown, we are thrilled that we launched our Beta version of Touchdown!  Here are the details !!

Have you been dying for a completely secure Mac Productivity client?

At NitroDesk we’ve always been known as the ultimate in secure email and productivity on all your mobile devices. Whether you have an iPhone or an Android, TouchDown is there with secure email and integrated calendar, contacts and tasks. Mac users rejoice, for you can now have the same awesome power on your Mac OS! We are the only Mac productivity client that offers all the things you need, like SMIME, OOF and IRM along with integrated productivity and a complete set of customizable features. Mac users, your email and productivity has arrived.

TouchDown for Mac offers the same awesome features as TouchDown for Android, Windows8 and iOS, but goes even further:

Security

TouchDown for Mac brings Unparalleled Security on the Mac:
– Everything is encrypted, regardless of your server or technology
– Use of PIN when mandated by server administrator or MDM
– SMIME and IRM, per-email signing and encryption
– Native AES-256 Encryption on the data at rest! (this means other apps only see an encrypted blob of data)
– Selective remote wipe if your device is lost or compromised – only corporate data is removed.
– Support for client certs when connecting to server

Features
TouchDown for Mac has many more features than are available on Mac Mail or any other third party Exchange solution:
– ActiveSync push for lightning fast access to your corporate data
– Supports Microsoft Information Rights Management Server
– Incredible price – no monthly charges, lifetime license includes all upgrades.
– User-selectable themes, with quarterly updates
– Ability to search the server for email not synced to a device
– GAL searches
– Quick Replies when you simply want to send a one-liner
– Great UI – easy to read, sort and respond to mail efficiently while still having familiar MacOS interface elements

TouchDown for Mac is completely innovative – we actively listen to our users, and integrate requests like categorization support, messages and appointments at a glance from a selected user, and time management techniques like GTD, MYN, etc.

TouchDown for Mac is the ONLY secure Exchange ActiveSync solution for BYOD shops that have invested in mobile security; now you can feel secure in allowing employees to bring in their Macs without worrying about the security of your corporate data.

Thanks for being part of the TouchDown community and for your great feedback. We hope you love this new Mac App as much as we do, and that it brings you incredible productivity on your Mac. You won’t want to use anything else.

Complete, Secure, Productive. What are YOU waiting for??   Want in?  Download at http://mactouchdown.com/download.html

 

Touchdown – Getting to know your Diagnostics

Today’s post comes from Dragonfly, our trusty, awesome and beloved iOS Support Guru.

Getting diagnostic information from TouchDown for iOS.

Occasionally during the troubleshooting process, a support technician may request a diagnostic log.  Here’s a visual guide on how to retrieve one from TouchDown for iOS:

There are two locations where you can get diagnostic information from the iOS version of TouchDown.

1. During configuration, which can be useful to determine where TouchDown is failing to connect.
2. The diagnostics menu.

In this blog post, I will cover the two methods of obtaining a diagnostic log.

Obtaining a configuration diagnostic:

When you open TouchDown for the first time, or any time after you reset the database, you will be  prompted to configure. On this screen, there is a toggle to Enable Logging. To get a configuration log, slide that to the ‘on’ position (see red circle below) and enter in your information.

In the below screenshot, I intentionally entered wrong information and attempted to configure. Note  that as the configuration fails, there is an option to ‘Copy Log.’  Click that to put a copy of the log on your clipboard. Once you click it, you will get a notification that it has been added to your clipboard.

 

As I was unable to configure TouchDown, I entered my gmail account using the device web browser, and opened a new email to send to iossupport@Nitrodesk.com.  After long pressing on the body of the email, an option to paste appears. I click it, and it puts the contents of the diagnostic log into the body of the email:

After you paste the log into the email, send it to iossupport@nitrodesk.com with a description of the issue so the technicians there can see where the configuration is having issues.

Obtaining a regular diagnostic log:

If the support staff request an iOS diagnostic log of some specific behavior, here is how to retrieve it.  On the main mail screen, tap the circle triangle button, and choose the diagnostics button:

To ensure you get us a correct log, please tap ‘clear,’ which may return you to the main screen again. Enter diagnostics again via the circle triangle button, and enable logging:

Go back to TouchDown and perform the action you are having difficulty with.  Return to the diagnostics screen after you are done, and copy the log using the ‘copy’ button. You should receive a notification that it has been copied to the clipboard:

Open a new email, and long press on the body. An option to paste the log should appear. Select that, and you will have a diagnostic log pasted in the body of an email:

Thanks for reading and hope this was helpful in describing the different types of diagnostic logging in TouchDown for iOS.

Dragonfly

Who is Hijacking your email account?

 

Black Hat 2013 happened in Las Vegas yesterday – for those of you who don’t speak geek, Black Hat is the annual conference where top computer security officials and hackers get together to chat.  And this years conference even featured a certain general from the NSA.  There was some definite discord in the crowd as he spoke.  But I digress.

By now you all know how obsessed we are with your email security here at TouchDown and why we use encryption that is not vulnerable to the many exploits out there.   What I always find most interesting at Black Hat is all the ways hackers (technological wizards who are pushing the envelope, sometimes for good, sometimes for bad) find out that a user’s information is not secure… Well, at this years Black Hat some interesting tidbits have already come to the surface (and luckily, their exploits does not apply to TouchDown !)

Some of the world’s leading computer security researchers weighed in on security issues and  in somewhat eyebrow raising news, Ben Smyth and Alfredo Pironti of the French National Institute for Research in Computer Science and Control (INRIA) explained how it is possible to utilize some loose ends in popular webbased email services.  The  TLS (Transport Layer Security) technology encrypts and secures website connections, and some of web-based email services have an inherent flaw in the TLS.  When a user goes to log out, it is possible to block this action when the ‘log-out’ request is sent TO the server side –  at which point an un-authorized user can inject an unencrypted TCP FIN message to close the connection. The server-side therefore never gets the request and is unaware of the abnormal termination, and your information is now vulnerable.  YOU get a message saying that you are logged out (you aren’t) and walk away.

What makes it worse is that this attack attack does not rely on software being installed on your computer or some other sort of more obvious way of snooping. All that has to happens is that someone (the bad guy) gets between your computer and and the server, with something as simple as a controlled router or even a wireless hotspot – the “Man in the Middle” Attack.  Its possible because the user receives feedback that the sign-out request has been successfully executed, where in actuality the server is unaware of the user’s request, so the attacker can now access email without the users knowledge.

The way the researchers explained it:

“In essence, we block encrypted messages that are sent over the network to de-synchronize authorisation: we force Gmail and Hotmail [Outlook.com] to display on your browser the page that announces that you have successfully signed-out, whilst ensuring that your browser maintains authorisation with Gmail and Hotmail [Outlook.com]. Given such an announcement, you should be assured that you are secure, in particular, a hacker should not be able to access your email, even if you [log out and] leave your computer unattended. However, we can violate this basic security premise and access your Gmail and Hotmail [Outlook.com] accounts just by reloading the web page.”

This of course caused quite the stir at Black Hat, because the services mentioned by the researchers such as Google and Microsoft are extremely popular.  Smyth and Pironti went so far as to say that:

“…shared machines – even un-compromised computers – cannot guarantee secure access to systems operated by Helios (an electronic voting system), Microsoft (including Account, Hotmail, and MSN), nor Google (including Gmail, YouTube, and Search).”

Now this “Man in the middle” type of attack is not a new one by any means, but the ease of which this can happen wasn’t apparent to most, especially with services that are considered by the masses as secure and private.  We’ll be reporting more from Black Hat later this week…and continuing to write emails using TouchDown.