How S/MIME Encryption works, Part II

As promised, here is part two of our S/MIME encryption series (how to encrypt your email on TouchDown for Android) by our awesome support master, Dragonfly:

First off, I open the email with the certificate attached. Entering the attachment list, I download and long press it to bring up a menu, and choose ‘import certificate.’

Long press on the attached certificate.

Choose import certificate.

I enter the password.

Enter the password.

This menu pops up, make any changes you want, and hit Ok. Contact your IT team if you’re not sure if you need to choose any of these settings.

Now I have the certificate imported, and can send out signed or encrypted emails. As I want to send an encrypted email to welovenitrodesk, I’ll grab their public key in an email they sent to me.

The signed email from welovenitrodesk. I apparently can’t spell sign.

I click on the key icon in the top right, and am prompted to validate the certificate, which I do. Now I have their public key in my store.

Click Validate.

The certificate is valid.

Now I compose an email to them and click the menu button, and choose ‘options’.

The device I used for this doesn’t have a menu button, so Touchdown generates a soft one. Different devices will look different, but it usually isn’t too hard to find the menu key on the compose screen. (If you don’t see a soft menu button, and are on a device running Android 3.x or above, you want to be using Touchdown HD instead of Touchdown for Smartphones.). Optionally you can also press the Options button on the blue toolbar.

Choose to sign and encrypt it.

And just like that, I’ve sent welovenitrodesk a signed and encrypted message.

Meanwhile, in welovenitrodesk, the signed/encrypted message decrypts perfectly.

Hope this helps users get a better understanding on how to use S/MIME functionality with Touchdown for Android. If you have any questions, please feel free to contact us at support@nitrodesk.com for any iOS queries. Thanks for reading!

Securing your Email with S/MIME

Today we start an awesome mini-series from one of our support gurus, DragonFly, about how S/MIME works in general, with following tutorials on how to implement S/MIME in TouchDown on iOS, Android and Mac platforms.  Check out today’s tutorial on iOS!

Hi,

Dragonfly from NitroDesk support here. In the following, today I’ll be describing how to import and use S/MIME in Touchdown for iOS. Using this functionality you can sign messages, proving that you are the person sending that particular message, and optionally encrypt them, meaning the email will only be readable by people who you have included in the message. Signing provides you with non-repudiation and potentially detect tampering on the fly and encryption prevents unauthorized viewing of the message. This type of functionality is great for keeping your emails safe and ensuring that information’s coming from the right source. (For more information on how S/MIME works, here’s a good tutorial: http://technet.microsoft.com/en-us/library/aa995740%28v=exchg.65%29.aspx) Just know that to send an encrypted email, you need to have the recipient’s public key and vice versa- these can be verified from within Touchdown when that person sends you a signed message. Here’s what you’ll need before you get started:

First, you’ll need a certificate for S/MIME signing and the latest version of Touchdown. To get a certificate for S/MIME, you’ll want to contact your IT team. Also, keep in mind the only two certificate types Touchdown supports is .pfx and .p12. The certificate would need to include the complete chain to the root certificate authority.

If you have your certificate already in IE, but need to export it to your desktop,Here’s how (in IE):

1. Go into the Settings>Internet Options, and clicking on the Content tab.

2. Click on Certificates, and find the one you want to export

3. Click Export. Make sure you choose the option to export the private key and also to include all certificates in the certification path.

4. Choose a file path, and save it.

5. Don’t forget to  remember the password you use to perform the export. This password prevents anyone else from being able to access the certificate. If you’re having difficulty with this process, contact your IT team and see if there’s another way you should be doing it. As with any operations like this, make sure you are staying within your IT team’s best practices so you stay in alignment with any security policies.

6. Once you have your certificate backed up to a file, send that file to your email as an attachment, and you’re ready to go.

Let’s start with the iOS version.

S/MIME for iOS

In this demo, I show how to send an encrypted email to the ‘welovenitrodesk’ account.

First, I want to ensure that I have my certificate for S/MIME, so I find the email with the attached certificate, and view it in the attachment list.

The attached certificate, note the file type is .pfx. 

After downloading, I click the ‘I’ icon and choose to ‘Import for both.’

Choose Import for Both.

A password prompt appears.

Enter your certificate password here that was created when you generated the certificate. 

After entering the correct password (This is set up during certificate exporting from your browser, for help with this  please contact your IT team) it will tell you your certificate has been saved.

Saved certificate message. 

Now that I have a certificate, I’m ready to send the account  welovenitrodesk an encrypted message:

I click on the tools/options icon and enable Encryption and signing.

Tools icon to enable encryption signing.

Enable signing and encryption for the email.

I send the email. If you suddenly see this message (see below), it means you didn’t validate the recipient’s public certificate key from a signed message. (This can also be done over the GAL if your company supports it.) Remember how I said earlier that to send an encrypted email, you need the recipient’s public key? Now I just need to fetch it. Thankfully, a while back welovenitrodesk sent me a signed message, which contains the key.

Oops!

I find the email where welovenitrodesk sent me the key, and click on the lock icon.

Welovenitrodesk sent me a signed message.

I click ‘verify signature’ and it verifies.

Now I can send that encrypted message!

The second time, I attempt to send the encrypted message again. This time it comes through.

Back in welovenitrodesk, after having imported the public certificate and the welovenitrodesk certificate, I check the encrypted message, and am able to successfully decrypt it.

The signed and encrypted email.

Clicking on the lock icon, I can confirm that it is indeed signed and encrypted.

Hope this helps you get a better understanding on how to use S/MIME functionality with Touchdown for  iOS. If you have any questions, please feel free to contact us at  iossupport@nitrodesk.com for any iOS queries. Be sure to check in on Monday for Part II, SMIME for Android. Thanks for reading!

A little movie about TouchDown

Alex Fauske is a genius – we love what he did for us!

What the world thinks of TouchDown for Mac

We are loving the praises that are coming in for TouchDown for Mac…here’s why you NEED to get it NOW:

“Finally an all in-one corporate email, calendar, contact and task management system for the Mac.  The intuative interface has enhanced my workflow and increased producitivity whilst providing a clean and modern user experience.  At last, TouchDown has removed the ‘compromise’ of using a Mac within the corporate world.”  

– Ian Heathcock – Business Development Director   Griffiths Waite UK – http://www.griffiths-waite.co.uk 

 

“After many headaches trying to get Apple Mail to work with my work Exchange account, I had given up getting my work email on a native app.  I have downloaded it, and synced up my work email in less than a minute. The interface is simple, intuitive and best of all, it just works. Thanks so much for the opportunity to try out this amazing application. I look forward to the final release!”

Jessica S

 

“Downloaded your client and have been using it for a couple of days. Here is my feedback about the app:

 * Really Love the UI and the way fonts have been chosen. The option of themes is just awesome.

* One of the main critics of Mac mail has been that a new email is not so obvious to spot. But with TouchDown, with the bold and blue color, it takes just a blink of an eye to spot it.

* Integration with Contacts, Calendar and Notes into one single app is a HUGE one.

* The Calendar UI is also fascinating.

* Loved the option to associate an avatar to any contact in our contacts list.”

Deepak M

 

“Great app. I can finally now get my emails on my mac without having to VPN into my work.”

Eric S

 

“Kudos on the Touchdown beta. It is a FABULOUS first effort, and fulfils a long-held wish for me – a lightweight, Mac-centric Exchange client. Works great with our corporate Office 365 accounts.”

Susan K

 

“I bought my Mac in january and have been very frustrated that I couldn’t get my work email.  I can’t tell you how excited I am to find your product.  “

Cynthia Posey

 

“Great app, worked fantastic, try- love it” 

Deepak C

 

“Touchdown team,

 Thank you, thank you, thank you. It has been a long time since I’ve been able to have the same seamless experience with Exchange email on my Mac environment. Literally years. In 2009, I gave up using Entourage. When I gave up, I knew that I was giving up the messages, mail, notes, tasks, and calendar items that (almost) worked in Entourage. 

 Now, I’m loving that Touchdown brings back these missing real-life Exchange-hosted features on my Mac. 

 Keep up the good work,”

-Kent H

 

“Thanks for working on a Mac client. Touchdown is an amazing utility.”

Sirish K

 

“So far, the worst thing I can say is TouchDown keeps all my work email and calendars close at hand. <sigh> No more claiming that I didn’t bring my work computer home…”

Keith P

 

“Hi guys!

I have downloaded and tried TouchDown for Mac and I love it!

A clean and simple Active Sync who do work perfect with office 365!”

Robin J

 

“First and foremost a big Thank You! About time we got a decent mail client for the Mac platform. As an SMB IT Consultant for the past 20 or so years I hear from end users that they’re ‘OK’ with Mac’s mail client, from the admin side it’s pitiful. Just the fact that you’ve added encryption and security is huge! Now I have another awesome tool in my box to share with concerned clients.”

Jeff A

 

Thanks to all our amazing customers!

 

 

 

 

 

 

Android Security issues – but not for TouchDown!

Yesterday developer Sebastian Guerrero Selma was able to use Firefox to lift data from the local storage on an Android device – and even to access stored data within the browser itself.  As Androidcummunity.com described in a blog article yesterday, passwords and other private information can be taken using file:// syntax.  If a user visits a site that has potent javascript code, their password and other information will be sent on to the hacker who created the code – without the user ever being aware of their loss of privacy. The article cites SD Card files, like your pictures and documents, to be the kind of personal information you would not want anyone to get a hold of – I can’t imagine someone having access to photos of my kids! Other apps also store information on one’s device, so this could potentially allow hackers entry on to all the information on your device.  Luckily, TouchDown doesn’t allow any access from anywhere.  That’s right, TouchDown does not allow any other App to access information stored within TouchDown.  (We love that!)  And while that means you can’t instantly post a picture from an email to Facebook, it DOES mean that your information is safe.   I prefer my email, contacts, calendar and to-do list PRIVATE.

Why TouchDown will never be Fingerprint Scan Enabled

Those who know TouchDown, NitroDesk’s secure email and productivity client, know that we are obsessed with the security of your data – both corporate and personal.  With the new shiny iPhone5S coming out, a lot of users have asked us if we’ll incorporate the new fingerprint scan measures into our iOS app.  (Disclaimer – I do use an iPhone  as one of my devices, and love it, so I’m not just hating on the iPhone.)

Currently, Apple has not released any of its information to developers, so development of apps to include this technology is not possible , our developer says, until Apple decides to let developers in on its new feature.  For us at TouchDown however, there are more security-related issues to be concerned about.

Security usually works in two ways:  to protect your data, you either utilize something you know in your head, like a pin or password for example, or something you have – like a card that needs to be scanned, or in this case, your finger.  But what happens when the item is out of the control of the user? In the case of biometrics, specifically a user’s finger, there are several thoughts that come to mind..

Lets say you are just a bit too drunk at a corporate dinner, on a fabulous first date, or at that fabulous party sponsored by one of the tech companies after a long conference.  If you’re drunk enough it is not too difficult to ‘help you’ place your finger on your device.  Don’t drink too much, you say? There are plenty of substances out there meant to incapacitate you mentally by dropping a little something in said beverage.

Perhaps you are walking down the street with your new biometrically secured phone and “slam!” you are rendered unconscious by a blow to the head by a mugger.  Now that you are no longer in control of your finger, it is incredibly easy for said mugger to utilize your digit to unlock all your data.

Even if you are just in a super deep sleep, it would not take much to pick up the ever-present finger and touch it to your device with a bit of pressure.

So you see, the inherent problem lies in utilizing a security measure that is not in your head, but is instead something you have, especially when that something is attached to your body and fairly easy to get to (versus your pupil, for example).  As soon as you are mentally incapacitated, your fingerprint is just to easy to use. So, while we don’t think evil-doers will start cutting off fingers, it’s not to hard to imagine owners of high-in-demand fingerprint-secured devices being drugged, encouraged to inebriate themselves, knocked unconscious or otherwise forced to lose control over their digits.

Which all boils down to the fact that information in your head is still just safer.  Especially when unconscious.  Now, I did read somewhere that the fingerprint technology in the 5s is designed to detect a live finger from a dead one… If that technology gets to a point where it can detect an inebriated finger, it would be a completely different story of course. Until then…

 

Dr. Ferdico

TouchDown for Mac – Beta Key

Alright!  Beta testing for TouchDown for Mac is underway…and we LOVE the feedback.  The more feedback we get, the better we can make this product for our users (That’s YOU) , so if you use a Mac, come get your free beta version…which just may turn into a free subscription when you give us feedback…

The following key will work for a limited time only, so get it while you can!

Navigate to http://www.mactouchdown.com

Use TOUCHDOWNMACBETA as a license key.

Download and install TouchDown for mac, play with it, send us some feedback!

Enjoy.

The bad news about “single click” logins

We are all super busy, running from one place to the next, texting our spouse as we walk to the car and sending an email at the red traffic light (only at a red traffic light, correct?)  So yes, it is tempting to give in to all those supposed time savers like ‘one click’  log-ins.  But do they make your information vulnerable?  Craig Young from Tripwire thinks so.Young reports that the popular  ‘weblogin,’  which allows users to use their Google account credentials as authentication for third-party apps may seem secure because its not sharing the username and password itself; instead it creates a token to represent the your login details.  Google Apps are very popular across businesses of any almost any size due to their low cost, apparent security and ease of access.  However, the use of Google Apps on mobile devices (In this case, an Android device) was demonstrated to have some vulnerabilities by Young at this month DefCon21.

To demonstrate, Young created an Android app that asks for access to the user’s Google account to display stocks from Google Finance.  Once you grant the app permission, the app creates a token to access the data. This makes you feel safe and secure because its not passing on your actual username and password.  However, the evil app sends the issued token to the hacker who created it, who can then directly paste it into a web session, providing access to everyone of your Google Services.   No, not just the Google Finance App you gave permission to use, but Google Calendar, Google Docs, and even your Gmail.  Ooops.

It gets worse if you are an administrator for a Google Service – once the hacker can get into your information they can change your passwords and otherwise take control of every account which you administer, not to mention read private company data.  Which gets me to the more important point: Why is anyone who is remotely concerned about the safety of their email data not using a self-contained email service that doesn’t allow web-logins, single clicks and other vulnerability causing services?  If you are the owner, manager, or client/patient of a business, are you concerned about what security holes the business’ employees are causing when they ‘sign in with Facebook’ or “Google one click” on their Android device while watching their sons T-ball game?  We have to balance our thirst for ease of access with our need to not only keep our information private, but that of our clients and our work’s clients.  Mobile devices are what allow us the freedom to balance work and play, to multi-task, to keep every client and friend in constant contact.  But it is so easy to forget about workplace ethics (including security) wen we’re enjoying that Corona at the Park, checking email to keep up, but taking shortcuts to ‘make it easier.’

So stop using shortcuts, and most importantly, use self-contained data environments (especially for email) that don’t allow other applications on  your mobile device to interact with it.  If it’s too easy for you to access, its probably too easy for someone else to access too.

 

 

 

Who is Hijacking your email account?

 

Black Hat 2013 happened in Las Vegas yesterday – for those of you who don’t speak geek, Black Hat is the annual conference where top computer security officials and hackers get together to chat.  And this years conference even featured a certain general from the NSA.  There was some definite discord in the crowd as he spoke.  But I digress.

By now you all know how obsessed we are with your email security here at TouchDown and why we use encryption that is not vulnerable to the many exploits out there.   What I always find most interesting at Black Hat is all the ways hackers (technological wizards who are pushing the envelope, sometimes for good, sometimes for bad) find out that a user’s information is not secure… Well, at this years Black Hat some interesting tidbits have already come to the surface (and luckily, their exploits does not apply to TouchDown !)

Some of the world’s leading computer security researchers weighed in on security issues and  in somewhat eyebrow raising news, Ben Smyth and Alfredo Pironti of the French National Institute for Research in Computer Science and Control (INRIA) explained how it is possible to utilize some loose ends in popular webbased email services.  The  TLS (Transport Layer Security) technology encrypts and secures website connections, and some of web-based email services have an inherent flaw in the TLS.  When a user goes to log out, it is possible to block this action when the ‘log-out’ request is sent TO the server side –  at which point an un-authorized user can inject an unencrypted TCP FIN message to close the connection. The server-side therefore never gets the request and is unaware of the abnormal termination, and your information is now vulnerable.  YOU get a message saying that you are logged out (you aren’t) and walk away.

What makes it worse is that this attack attack does not rely on software being installed on your computer or some other sort of more obvious way of snooping. All that has to happens is that someone (the bad guy) gets between your computer and and the server, with something as simple as a controlled router or even a wireless hotspot – the “Man in the Middle” Attack.  Its possible because the user receives feedback that the sign-out request has been successfully executed, where in actuality the server is unaware of the user’s request, so the attacker can now access email without the users knowledge.

The way the researchers explained it:

“In essence, we block encrypted messages that are sent over the network to de-synchronize authorisation: we force Gmail and Hotmail [Outlook.com] to display on your browser the page that announces that you have successfully signed-out, whilst ensuring that your browser maintains authorisation with Gmail and Hotmail [Outlook.com]. Given such an announcement, you should be assured that you are secure, in particular, a hacker should not be able to access your email, even if you [log out and] leave your computer unattended. However, we can violate this basic security premise and access your Gmail and Hotmail [Outlook.com] accounts just by reloading the web page.”

This of course caused quite the stir at Black Hat, because the services mentioned by the researchers such as Google and Microsoft are extremely popular.  Smyth and Pironti went so far as to say that:

“…shared machines – even un-compromised computers – cannot guarantee secure access to systems operated by Helios (an electronic voting system), Microsoft (including Account, Hotmail, and MSN), nor Google (including Gmail, YouTube, and Search).”

Now this “Man in the middle” type of attack is not a new one by any means, but the ease of which this can happen wasn’t apparent to most, especially with services that are considered by the masses as secure and private.  We’ll be reporting more from Black Hat later this week…and continuing to write emails using TouchDown.

 

 

 

Outlook on the go?

Yesterday Microsoft released an iOS version of their Outlook Web App (OWA) …have you tried it? Probably not, unless you have a subscription to Office 365.  Yes, its super cool that Microsoft offers these apps for free, but free with a price tag of Office 365 subscription just  isn’t….free.  But I digress.

I do love the fact that Microsoft is developing apps for iOS, Im a big supporter of across platform development.  The UI is pretty good, and is different for the iPad versus the iPhone, as it should be.   The UI utilizes touch gestures as well as voice commands, which is great when you are on the go or using it with one hand.

So, congrats to Microsoft for doing more iOS development – keep going, because the potential is there.  Just be aware that OWA apps are an online client, meaning that they only work online…when your device goes online, it simply mirrors what is on the Office 365 (or any other service you use) server.  When that connection is broken, you can not access  your information.  The security aspects of an online client versus an offline client also differ (more on this in tomorrows post).  And in today’s world of online snooping, I still insist the best way to control the safety of your data is to utilize SMIME and AES encryption with policies such as requiring a PIN.

If you want more information on TouchDown’s secure Email, Calendar, Contacts, etc, read the latest blog post about Encrypted email.  Come visit us at www.nitrodesk.com to see what the buzz about our Secure email that works with Exchange is all about.