Security advice needed - PGP


Thread: Security advice needed

  1. Security advice needed

    Hi All

    I am asking for assistance to set up a security system for my computer
    and for transmission of messages.

    The purpose is to provide security for on-line counselling/therapy
    documents, and security for clients' files generated on my Apple Mac
    computer.

    The client files (eg Court Reports, case plans, case notes etc) are
    generally in MS Word, and need a fairly good level of security. As they
    are protected documents (ie police etc have no power to examine unless
    by specific Court order) they need to be secure from casual browsers (eg
    if my HD has to go in for repair etc), but not necessarily to LEOs - I
    think PGP should be sufficient for this. Yes? No?

    The other Documents I need to protect are emails and Yahoo/MSN/ICQ
    messages - to and from my clients - these may contain very personal or
    sensitive information about my clients and/or about other people (eg
    information about sexual assaults, crimes committed etc)

    Since many of my clients will be not well versed in computer stuff, I need
    a simple way of protecting and unprotecting their messages to and from
    me - this would need to be based on freeware that I can supply to them
    or they can easily download, simple to operate, and provide good
    protection from casual and LEOs (as they could intercept based on
    claiming not to know this was protected information)

    My thinking is that it might be easier for clients to write in a text
    program, encode it, and send that to me as an attachment, rather than
    try and encode an actual email... but???? The only information would be
    text files - no illustrations or pics. They would also need to decode
    the text files I send - but any pics I need to send them would not need
    to be encoded as they would only be forms or handouts etc - nothing
    confidential.

    Not sure how to deal with the ICQ/Yahoo/MSN etc though - maybe not use
    these?

    Another issue: is there any way I could easily provide clients with
    anonymity? That is, they could communicate with me, and I (or others)
    would not be able to determine who they are? It is OK that they or LEOs
    can know who I am though as there is no reason for me to hide my
    identity as this will be freely available on the website. Only a very
    few clients would request this - most would be OK just using a hotmail
    account if their computer was used by other members of the family.

    As this service will be mostly pro bono work, any assistance will be much
    appreciated

    David






  2. Re: Security advice needed

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    quietguy wrote in
    news:41BA2E15.17E0C33@REMOVE-TO-REPLYoptusnet.com.au:

    > Hi All
    >
    > I am asking for assistance to set up a security system for my
    > computer and for transmission of messages.
    >
    > The purpose is to provide security for on-line counselling/therapy
    > documents, and security for clients' files generated on my Apple Mac
    > computer.
    >
    > The client files (eg Court Reports, case plans, case notes etc) are
    > generally in MS Word, and need a fairly good level of security. As
    > they are protected documents (ie police etc have no power to
    > examine unless by specific Court order) they need to be secure from
    > casual browsers (eg if my HD has to go in for repair etc), but not
    > necessarily to LEOs - I think PGP should be sufficient for this.
    > Yes? No?


    Yes, PGP is more than sufficient for this. Without having access to
    your private key, PGP public key encryption is as secure as you can
    get. You could encrypt files either individually, or use PGPdisk
    (which is what I would suggest).

    > The other Documents I need to protect are emails and Yahoo/MSN/ICQ
    > messages - to and from my clients - these may contain very personal
    > or sensitive information about my clients and/or about other people
    > (eg information about sexual assaults, crimes committed etc)
    >
    > Since many of my clients will be not well versed in computer stuff, I
    > need a simple way of protecting and unprotecting their messages to
    > and from me - this would need to be based on freeware that I can
    > supply to them or they can easily download, simple to operate, and
    > provide good protection from casual and LEOs (as they could
    > intercept based on claiming not to know this was protected
    > information)


    Your clients could use PGP Freeware for this. You would need a
    commercial license - PGP Personal Desktop is sufficient for this.

    > My thinking is that it might be easier for clients to write in a
    > text program, encode it, and send that to me as an attachment,
    > rather than try and encode an actual email... but???? The only
    > information would be text files - no illustrations or pics. They
    > would also need to decode the text files I send - but any pics I
    > need to send them would not need to be encoded as they would only
    > be forms or handouts etc - nothing confidential.


    You can do either email encryption or file encryption. It doesn't
    really matter.

    > Not sure how to deal with the ICQ/Yahoo/MSN etc though - maybe not
    > use these?


    PGP does include encryption for ICQ, but the ICQ plug-in requires the
    Personal Desktop level - not available in the Freeware.

    > Another issue: is there any way I could easily provide clients with
    > anonymity? That is, they could communicate with me, and I (or
    > others) would not be able to determine who they are? It is OK that
    > they or LEOs can know who I am though as there is no reason for me
    > to hide my identity as this will be freely available on the
    > website. Only a very few clients would request this - most would
    > be OK just using a hotmail account if their computer was used by
    > other members of the family.


    If you want to get into anonymous remailers, you are expecting a lot
    from your clients, and likely from yourself. It can be done, but
    there is quite a learning curve.

    > As this service will be mostly pro bono work, any assistance will be
    > much appreciated


    There are many people around who will help. PGP is about as secure
    and easy as it gets, but for those not familiar with encryption, there
    is still a lot of learning involved.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1
    Comment: My PGP Page & FAQ: http://www.mccune.cc/PGP.htm

    -----END PGP SIGNATURE-----

  3. Re: Security advice needed

    Thanks for the info Tom.

    Another question if I may - am I worrying too much about security for
    the files while in transit? How likely is it that someone will/can
    intercept?

    Since simplicity is a key factor perhaps just encrypting all the
    documents on my computer would suffice at my end. Perhaps there is an
    easier application that clients could use on their computer to
    hide/secure their messages than PGP.

    David

    Tom McCune wrote:

    >....Lots of helpful information...



  4. Re: Security advice needed

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    quietguy wrote in
    news:41BAFA1F.E563C28D@REMOVE-TO-REPLYoptusnet.com.au:

    > Thanks for the info Tom.


    You are welcome.

    > Another question if I may - am I worrying too much about security
    > for the files while in transit? How likely is it that someone
    > will/can intercept?


    I don't think your worry is excessive. Here in the US, federal
    regulations require such patient information to be securely encrypted
    when transferred over the Internet. Your ISP and the recipients' ISPs
    will probably keep copies of all this data transfer for a long time.
    And it is possible for other machines it goes through to capture
    copies of it as well. Likely, various governments (including the US)
    will scan it for interesting words. If other family members or
    coworkers of the patients have access to their machines, they too can
    download and read the non-encrypted data.

    A PGP option that will make it easier for the data you transmit,
    would be to send a Self Decrypting Archive. That would require you
    to use symmetric encryption only, and you would have to somehow
    transmit securely to each patient what password you use for him or
    her. That does not require the patient to have PGP installed, but he
    or she can only decrypt the SDA when using the same operating system
    you used for the SDA - Windows to Windows, or Mac to Mac.

    > Since simplicity is a key factor perhaps just encrypting all the
    > documents on my computer would suffice at my end. Perhaps there is
    > an easier application that clients could use on their computer to
    > hide/secure their messages than PGP.


    Whether they want to secure it for storage on their end, is really
    beyond your control. They won't find anything more secure than PGP,
    but there are other options ranging in levels of security. I don't
    use Macs, so can't comment much on them. Windows XP Pro users might
    feel comfortable with just using its Encrypted File System.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1
    Comment: My PGP Page & FAQ: http://www.mccune.cc/PGP.htm

    -----END PGP SIGNATURE-----

  5. Re: Security advice needed

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    I just happened to think that if ease of use for non-technical people
    is the major priority, you might want to consider using
    http://www.hushmail.com/

    I haven't used it in a very long time, and consider PGP to be more
    secure. But, if my recall is correct, it is secure and automates
    encryption anytime one Hushmail account writes to another Hushmail
    account. You might want to take a look at the details there.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1
    Comment: My PGP Page & FAQ: http://www.mccune.cc/PGP.htm

    -----END PGP SIGNATURE-----

  6. Re: Security advice needed

    Thanks Tom

    David

    Tom McCune wrote:

    >more helpful stuff



  7. Re: Security advice needed

    On Sat, 11 Dec 2004 15:28:53 GMT, Tom McCune
    wrote:

    >I just happened to think that if ease of use for non-technical people
    >is the major priority, you might want to consider using
    >http://www.hushmail.com/
    >
    >I haven't used it in a very long time, and consider PGP to be more
    >secure. But, if my recall is correct, it is secure and automates
    >encryption anytime one Hushmail account writes to another Hushmail
    >account. You might want to take a look at the details there.
    >


    "...you MUST enable ActiveScripting / JavaScript in your
    browser.."

    I just looked at it and noticed that it requires JavaScript. As I
    don't like sites that require JavaScript, I would suggest that a
    better alternative might be www.safe-mail.net.

    Geo


  8. Re: Security advice needed

    If I am understanding your needs correctly, you need to encrypt chat,
    hard drive, and email to preserve the confidentiality of your
    information.
    I would stay away from PGP for this use, and look into using digital
    certificates as the users' mail client is more likely to support digital
    certificates than PGP. You and your users can get a free
    certificate from http://www.thawte.com/email/index.html . Or if you
    want something with a few more guarantees and insurance up to 1K go with
    Verisign at
    http://www.verisign.com/products-ser...-id/index.html .
    PGP requires the installation of third party software. Outlook, Mac OS
    X Mail, Entourage, etc. support digital certs out of the box.
    For your hard drive Apple has an encrypted disk option called FileVault
    which you can turn on in the control panels. You have to be running
    10.2.x to have this feature I believe. From 10.x on there is the
    ability to create encrypted disk images via the disk utility, which can
    be tossed onto a floppy or exchanged between machines.
    Chat is a little more complicated when it comes to encryption on the
    Mac. Your only option there is to configure GPG (a form of PGP) and
    install Fire ( http://fire.sourceforge.net/ ). The user on the other
    side has to do the same thing. There is no real good option for an
    encrypted community chat right now on the Mac. Windows users I think
    can use AIM with digital certs.

    Cheers,
    Thomas Vincent


  9. Re: Security advice needed

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    "Thomas Vincent" wrote in
    news:1103058950.533806.202140@c13g2000cwb.googlegroups.com:

    > If I am understanding your needs correctly, you need to encrypt
    > chat, hard drive, and email to preserve the confidentiality of your
    > information.
    > I would stay away from PGP for this use, and look into using
    > digital certificates as the users' mail client is more likely to
    > support digital certificates than PGP. You and your users can get a
    > free certificate from http://www.thawte.com/email/index.html . Or
    > if you want something with a few more guarantees and insurance up
    > to 1K go with Verisign at
    > http://www.verisign.com/products-ser...vices/pki/pki-application/email-digital-id/index.html .


    I'm guessing you are referring to S/MIME? One of the reasons I've
    never even tried it is because it can only be used with email clients
    that support it - mine doesn't, and PGP can be used with any email
    client. I'm guessing that once S/MIME is properly installed (if you
    are using an email client that supports it), it is probably as easy
    to use as PGP - PGP is actually quite easy to use - the difficulty
    for a newbie is learning the concepts of encryption and specifically
    public key encryption; which is why PGP comes with such great
    documentation.

    > PGP requires the installation of third party software. Outlook, Mac
    > OS


    PGP does not require any third party software. What are you thinking
    of?

    > X Mail, Entourage, etc. support digital certs out of the box.
    > For your hard drive Apple has an encrypted disk option called
    > FileVault which you can turn on in the control panels. You have to be
    > running 10.2.x to have this feature I believe. From 10.x on there
    > is the ability to create encrypted disk images via the disk
    > utility, which can be tossed onto a floppy or exchanged between
    > machines.
    > Chat is a little more complicated when it comes to encryption on
    > the Mac. Your only option there is to configure GPG (a form of PGP)
    > and install Fire ( http://fire.sourceforge.net/ ). The user on the
    > other side has to do the same thing. There is no real good option
    > for an encrypted community chat right now on the Mac. Windows users I
    > think can use AIM with digital certs.


    PGP has a complete graphical user interface. If anyone thinks it is
    difficult to use, I can't imagine them using command line GPG. GPG
    is Open PGP compliant and generally quite compatible with PGP, but is
    not "a form of PGP." Because of its lack of memory locking when used
    in Windows (I don't know about Macs), I consider it a little less
    secure than PGP.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1
    Comment: My PGP Page & FAQ: http://www.mccune.cc/PGP.htm

    -----END PGP SIGNATURE-----

  10. Re: Security advice needed

    Tom McCune wrote:

    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > "Thomas Vincent" wrote in
    > news:1103058950.533806.202140@c13g2000cwb.googlegroups.com:
    >
    >> If I am understanding your needs correctly, you need to encrypt
    >> chat, hard drive, and email to preserve the confidentiality of your
    >> information.
    >> I would stay away from PGP for this use, and look into using
    >> digital certificates as the users' mail client is more likely to
    >> support digital certificates than PGP. You and your users can get a
    >> free certificate from http://www.thawte.com/email/index.html . Or
    >> if you want something with a few more guarantees and insurance up
    >> to 1K go with Verisign at
    >> http://www.verisign.com/products-ser...vices/pki/pki-application/email-digital-id/index.html .

    >
    > I'm guessing you are referring to S/MIME? One of the reasons I've
    > never even tried it is because it can only be used with email clients
    > that support it - mine doesn't, and PGP can be used with any email
    > client. I'm guessing that once S/MIME is properly installed (if you
    > are using an email client that supports it), it is probably as easy
    > to use as PGP - PGP is actually quite easy to use - the difficulty
    > for a newbie is learning the concepts of encryption and specifically
    > public key encryption; which is why PGP comes with such great
    > documentation.
    >
    >> PGP requires the installation of third party software. Outlook, Mac
    >> OS

    >
    > PGP does not require any third party software. What are you thinking
    > of?


    PGP is third party software was what he meant.
    ==snipped==
