All valid points, but in this particular case it is very important that one receiver can never access the data from another receiver. Putting all the reports in a secure location together contradicts that. I think it's better to keep the reports totally separated and secure them individually. I just can't see a replacement for self extracting archives.
I would never put medical info in a cloud owned by a third party, no matter how secure it's supposed to be. You have no guarantee that the people managing the cloud are as secure as the software.

Andrew Ellis wrote:
> What about putting the files on a publicly accessible Linux box and
> letting the users SCP them down.
>
> A tool like WinSCP runs on Windows, is free, has no installation, and
> makes moving the files around as easy as drag-and-drop
>
> On Tue, Jan 26, 2010 at 4:40 PM, David A. Gershman
> <[email protected]> wrote:
>
>> I agree (contradicts myself I agree). Any other suggestions though?
>>
>> As for passing scanning tools, the dumber ones can be defeated simply by
>> changing the .exe extension. Unfortunately, this adds to the steps on
>> the receiver's side.
>>
>> Perhaps not sending the .exe file via email in the first place. Anyone
>> heard of a "secure" web file sharing site? A place where N people can
>> create a shared area which requires authentication to access. This
>> would be a fair place to put the .exe file (NOT a replacement for the
>> encryption).
>>
>>> That scares me telling users to not run exe files emailed to them
>>> except the exe files that are emailed to them. I would not send the
>>> files as self extracting to avoid mixed messages. Just my .02
>>>
>>> Sent from my Verizon Wireless BlackBerry
>>>
>>> -----Original Message-----
>>> From: Bert Van Kets <[email protected]>
>>> Date: Tue, 26 Jan 2010 22:56:51
>>> To: PaulDotCom Security Weekly Mailing List<[email protected]>
>>> Subject: Re: [Pauldotcom] e-mail attachments and security
>>>
>>> I just tested 7Zip and it does create self extracting files (SFX
>>> option). Combined with the 256-bit AES encryption it's a pretty good
>>> solution. The only hurdle now is that EXE files are not accepted by some
>>> e-mail applications, ex. Outlook. Of course zipping the EXE with regular
>>> Windows Zip compression prior to emailing is one possible solution. I
>>> know that with Outlook renaming the EXE to something else is enough to
>>> make it pass. Of course that is a bit less user friendly.
>>>
>>> Thanks for the solution!
>>> You guys rock!
>>>
>>> Bert
>>>
>>> David A. Gershman wrote:
>>>
>>>> Sounds to me the only way to go would be for your brother to install the
>>>> software that would encrypt but make a self-extracting executable. This
>>>> way the other end would (hopefully) scan for viruses and just run the
>>>> program which would prompt for the password key.
>>>>
>>>> Anyone know of specific programs that do the encryption *and* create
>>>> self-extracting .exe's?
>>>>
>>>>> Hi Guys,
>>>>>
>>>>> I got a pretty interesting question from my brother yesterday. He's a
>>>>> medical doctor in the UK and he needs to send reports to other doctors
>>>>> by e-mail regularly. The reports are in MS Word format. These doctors
>>>>> are in different locations and not connected to a common organization
>>>>> (hospital or company).
>>>>> At the moment he uses the MSWord password protection to try to keep the
>>>>> sensitive data away from prying eyes. We all know how secure that
>>>>> method is (not!).
>>>>> I told him he'd better use some other system that guarantees a bit more
>>>>> protection but the problem is he can not ask of the people who receive
>>>>> the reports to install extra software (like PGP or GPG encryption). The
>>>>> security may not get in the way of the usability. Asking the receivers
>>>>> to install extra software and configuring it is not an option. These are
>>>>> not IT guys and don't even know how to spell GPG, let alone install it.
>>>>> Passing a password over by telephone is the maximum these guys are
>>>>> willing to go. 8-O
>>>>>
>>>>> Do you guys have some ideas on what could be a better solution for this
>>>>> "three legged stool" problem?
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Bert
>>>>> _______________________________________________
>>>>> Pauldotcom mailing list
>>>>> [email protected]
>>>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>>>> Main Web Site: http://pauldotcom.com
>>>>
>>>> ----------------------------------------
>>>> David A. Gershman
>>>> [email protected]
>>>> http://dagertech.net/gershman/
>>>> "It's all about the path!" --d. gershman
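
An added example, not part of the thread or written by any of its participants: one way to build the per-recipient, individually encrypted self-extracting archives discussed above, using 7-Zip's command line with a different random passphrase for each receiver. The install path, folder layout, recipient names and the New-Passphrase helper are assumptions made for illustration.

```powershell
# Added example: one separately encrypted self-extracting archive per recipient.
# Assumptions (not from the thread): 7-Zip install path, folders, recipient names.
$SevenZip = 'C:\Program Files\7-Zip\7z.exe'       # assumed install location
$OutDir   = 'C:\Reports\outbox'                   # hypothetical output folder
$Reports  = @{                                    # constructed sample mapping
    'dr-adams' = 'C:\Reports\adams\report-0142.doc'
    'dr-baker' = 'C:\Reports\baker\report-0143.doc'
}

function New-Passphrase {                         # hypothetical helper
    param([int]$Length = 20)
    # Alphabet without look-alike characters, so it can be read out by telephone.
    $alphabet = 'abcdefghjkmnpqrstuvwxyz23456789'.ToCharArray()
    $limit    = 256 - (256 % $alphabet.Length)    # rejection bound, avoids modulo bias
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte     = New-Object byte[] 1
    $chars    = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { $chars.Add($alphabet[$byte[0] % $alphabet.Length]) }
    }
    $rng.Dispose()
    -join $chars
}

New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

$result = foreach ($recipient in $Reports.Keys) {
    $pass    = New-Passphrase
    $archive = Join-Path $OutDir "$recipient-report.exe"

    # a           add files to an archive
    # -sfx7z.sfx  attach the GUI self-extractor module (prompts for the password)
    # -mhe=on     encrypt the archive headers too, so file names are not readable
    # -p...       passphrase for the 7z format's AES-256 encryption
    # Note: a passphrase passed as an argument is visible to other local processes.
    & $SevenZip a '-sfx7z.sfx' '-mhe=on' "-p$pass" $archive $Reports[$recipient] | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7-Zip failed for $recipient (exit $LASTEXITCODE)" }

    # Check that the archive really opens with this passphrase before sending it.
    & $SevenZip t "-p$pass" $archive | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Verification failed for $archive" }

    [pscustomobject]@{ Recipient = $recipient; Archive = $archive; Passphrase = $pass }
}
$result | Format-Table -AutoSize
```

Each receiver gets only their own archive and passphrase, so knowing one passphrase gives no access to another receiver's report; the passphrase is passed on by telephone, never in the same e-mail as the archive.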
