Continuing from my last article on computer security, this month I’ll show you how to encrypt and digitally “sign” your e-mail to maintain privacy and security. E-mail, being the oldest Internet technology, still accounts for most of the traffic. But did you know that your e-mail is being transmitted in the “clear”? Anyone with a packet sniffer can read your email! Not very secure for sure.
The version of Mail that ships with Mac OS X 10.3 (Panther) and 10.4 (Tiger) has the ability to sign and encrypt e-mail messages. This allows us to encrypt e-mail messages and verify the identity of the sender of a received e-mail message – basically giving you the equivalent of a digital envelope to protect your mail from prying eyes.
I’m providing a step-by-step guide for getting started with these features in Mail. Apple doesn’t advertise this, but it’s really quite simple. Just so you know, Microsoft Entourage can also handle encryption; see “Using Mail” in this article on how to enable it.
There are several trusted authorities which can validate a person’s identity in the form of a digital certificate.
An e-mail certificate is used to verify that the sender of an e-mail message is indeed the owner of the e-mail address that the message is sent from. You need a digital certificate to be able to sign and encrypt e-mail messages. In this guide, we will get the certificate from Thawte, a South African based company, owned by VeriSign, that offers free e-mail certificates.
Note: You will need to use either Safari in Tiger, or Mozilla in Panther to request and download certificates. Earlier versions of Safari don’t know how to handle the resulting certificate file.
Ok, here we go! Head over to http://www.thawte.com/secure-email/personal-email-certificates/index.html and create an account by filling out the form provided when hitting the “join” button.
Pay special attention to provide a secure password for your Thawte account. Use the Keychain Access application provided with Mac OS X to store the password and the “challenge-response” questions you provide, as a “Secure Note.”
Once your account is created, you need to log in to prepare your e-mail addresses and certificate requests.
Now you’ll need to request a new certificate for the e-mail address you want. But first you need to tell Thawte about the e-mail addresses you have. Click on “new email address” under “my emails” and fill in the details. Do this for each and every e-mail address you wish to obtain a certificate for. Thawte will send a validation e-mail to each account to make sure you’re the legitimate owner of the address. Follow the instructions in each e-mail you receive to “activate” the e-mail address in Thawte.
Once you’ve entered the e-mail addresses, you can request certificates for each one. Click on “request certificate” under “certificates” and click on the X.509 button. Leave the defaults as-is on the next few screens. On the second page, you can select which e-mail addresses you want certificates issued for. You can save some time by telling it to do all of them if you wish.
Accept the default values on each form page. On the last page choose to “Accept Default Extensions.” When proceeding past the sixth page, a keypair will be generated.
At first, the status of your new certificates will be “pending” and when the process is finally complete, the certificate’s status will change to “issued.” When the certificate is issued, you can click the link named “Navigator” to be taken to a page where the details of your certificate are presented, along with a “fetch” button to download the certificate.
After you click the fetch button, the download panel will open. Safari may complain about “deliver.exe” being an application. Click “download” to let the certificate come down. Once the download is complete, Safari will automatically launch the Keychain Access application to transfer the certificate. Now you’re ready to start using your new certificates!
If you’re using Panther, Safari will not recognize the certificate, which is why you have to use Mozilla. In Mozilla’s certificate manager, you can export the downloaded certificates and import them manually in Keychain Access. Save the certificates with a .cert on the end so Keychain will understand them.
To send a signed e-mail, simply select the sign button (star icon) in the new message window. Similarly, to send an encrypted message, select the encrypt button (lock icon). The buttons show up automatically because Mail will match the e-mail address in your account with the certificate it reads from the Keychain. In Microsoft Entourage, you need to click on the security tab in each account you have and select the appropriate certificate (read from the Keychain). Then you can choose to sign and encrypt e-mails in Entourage either automatically or manually.
You should always select both buttons (highlighted in red), if available, unless the recipient of the message has explicitly requested not to receive signed or encrypted messages.
A signed message will allow you to validate the integrity of the message (that it hasn’t been tampered with) and the identity of the sender – but the message is still delivered in clear text, unless also encrypted. An encrypted message will protect the body of the message from prying eyes, but it’s not signed.
If you have a certificate, you can send signed messages to anyone, but you can ONLY send encrypted messages when both you and ALL recipients of the message have certificates.
Mail needs the recipient certificates to encrypt the outgoing message. The easiest way to let Mail know that a recipient has a certificate, and to give Mail access to that certificate, is to have that recipient first send you a signed message (not encrypted, just signed). Mail will automatically store the certificates it receives in the Keychain for future reference.
The encrypt button will not be visible when the recipient doesn’t have a certificate, or if it has one but you don’t have a copy of the certificate stored in your Keychain.
This is what a signed and encrypted message will look like when you’re on the receiving end. The little badge with the checkmark is the seal that ensures that the identity of the sender is known to be correct, and that the message has not been modified since it was signed by the sender.
If Mail can’t verify the message signature (for example, if some text has been added to the message after it was signed), Mail will display a warning to alert the user.
Encrypting and signing e-mail is easy, but under the hood something interesting is happening. When you sign an e-mail, the public portion of your encryption certificate is embedded into the e-mail. Mail normally hides this, but you can see it if you choose to see “raw source” in an e-mail you’ve sent. This public key is what gets stored on the recipient’s end in their Keychain. Your public certificate contains no passwords or personal data, only the encryption data needed to scramble a message so that ONLY you can read the message when it comes back to you.
When a recipient has a valid certificate as well, when they create a new e-mail or reply to an e-mail you’ve sent, they can choose to encrypt the message so that only you can read it. When you receive the e-mail, Mail automatically will use your private certificate to decrypt the e-mail, since it recognizes the public certificate embedded in the email. It’s totally transparent and automatic. You can look at the raw e-mail if you choose to see “raw source.” You’ll see nothing but gibberish!
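The difference between a signed and an encrypted message is visible in the “raw source” mentioned above. The following Python sketch is an added example, not part of the original article or of Apple’s Mail: it classifies a raw message by its MIME headers. The function names, addresses and message bodies are constructed for illustration, and the base64 payloads are placeholders, not real signatures or ciphertext.

```python
from email import message_from_string, policy

SIG_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
ENV_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def first_text(part):
    """Return the first text/plain body readable without any key, or None."""
    for p in part.walk():
        if p.get_content_type() == "text/plain":
            return p.get_content().strip()
    return None

def classify_smime(raw):
    """Return (status, text readable by anyone who sees the raw message)."""
    msg = message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        parts = list(msg.iter_parts())
        proto = (msg.get_param("protocol") or "").lower()
        if (len(parts) == 2 and proto in SIG_TYPES
                and parts[1].get_content_type() in SIG_TYPES):
            # Clear-signed: part 1 is the body in plain text, part 2 is the
            # detached signature blob that carries the sender's certificate.
            return ("clear-signed", first_text(parts[0]))
        return ("malformed-signed", first_text(msg))
    if ctype in ENV_TYPES:
        # Assumption: a missing smime-type parameter means enveloped-data.
        kind = (msg.get_param("smime-type") or "enveloped-data").lower()
        if kind == "enveloped-data":
            # Encrypted: the whole body is ciphertext ("gibberish" in raw source).
            return ("encrypted", None)
        # e.g. signed-data: body is wrapped and encoded, but not encrypted.
        return ("opaque-" + kind, None)
    return ("unprotected", first_text(msg))

# Constructed sample messages (not captured from real mail).
SIGNED = """\
From: alice@example.com
To: bob@example.com
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="b1"

--b1
Content-Type: text/plain; charset=us-ascii

Quote attached.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
--b1--
"""
ENCRYPTED = """\
From: alice@example.com
To: bob@example.com
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

Q09OU1RSVUNURUQ=
"""
PLAIN = "From: alice@example.com\nTo: bob@example.com\n\nHello Bob.\n"
```

The signed sample returns its body text because signing alone leaves the message readable in transit; the encrypted sample returns no text at all.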
Here are a few observations based on my experience with other email clients:
• Outlook XP on Windows can read signed and/or encrypted messages sent from Mail, but Mail can’t open messages from Outlook XP that have been both signed and encrypted. However, an attachment will usually be present which you can open in a text editor.
• Netscape 7.01 doesn’t recognize signed messages sent from Mail. Upgrading to Netscape 7.1 solves this problem.
It seems that most of the more popular e-mail clients support digital certificates in their more recent versions. The best way to resolve problems with using digital certificates is probably to make sure that you use up-to-date versions!
Since Apple has made it so easy to protect your e-mail from prying eyes, it makes perfect sense to use this free method to give yourself the upper edge and protect your business and personal communications.
In a series of articles focusing on Mac OS X, you will learn new ways to make your workday more efficient and profitable. Some of the subjects I will be addressing are: troubleshooting, software updates (when and how), security issues, and integrating with Windows networks.
What I mean by this is: Do you have proper computer security in place to protect your proprietary business data from theft or loss? As a graphics business, what about the client files you have on your system(s)? Do you protect their data?
Too often when I visit a customer I see computers that are either unsecured or have poor security in place. Security is certainly a mind-set that most of us don’t think of when it comes to graphics data, but everyone knows how bad things get when you experience data loss, corruption or theft, let alone the loss of a customer’s files. The first step in securing your computer is to look at the physical side.
Every Mac made since I can recall has always had a security slot built-in. You know, the little slot with the “chain” icon? This slot is designed to take a standard security device such as a Kensington lock. Power Mac G5s have a little latch under the side-door release that can be flipped down to accept a lock. Securing the desktop, display or laptop computer to a work table or desk is a sure way to prevent physical theft. These locks are not expensive and work very well.
Mac OS X has built-in security features that are quite sophisticated. While we can’t go over every aspect of them we’ll deal with the simplest first: Passwords. What makes a good password?
When you buy a new Mac the setup assistant will help you create an initial user account. This account is very special. First, it has administrative rights. This means that this account can be used to change anything on the computer. I’ve seen a lot of customers either assign a simple password for this account or none at all!
When doing a Mac OS X setup, always create a standard administrative account with a good, secure password. This is your first line of defense against intrusion. I then create a day-to-day non-administrative account for each user to work with. This is especially good for businesses running multiple shifts, since it keeps user data and preferences individualized. A side benefit is that a non-admin account has a much lower chance of compromising your careful setups.
A password should be easy to remember but not easily guessed. Typically, I use a phrase but substitute letters such as “3” for “e” and “7” for “T” and so on. Uppercase and lowercase are important too! Mac OS X Tiger has a Password Assistant in the Accounts System Prefs that can evaluate your password or suggest ones to you. Click on the “key” icon in a password field to run it.
In the Security section of System Prefs you can enable password protection for the screen-saver, secure the virtual memory system and more. Using all or a combination of items can make for a very secure system.
Another area of potential intrusion is the items in the Sharing icon of System Prefs. Mac OS X is very secure out of the box in terms of network intrusion. Turning on sharing services on your Mac can expose you to network hacking. A router is a cost-effective way to keep out intruders. If you do choose to operate your Mac without a router and turn on some sharing, use the “Firewall” tab in Sharing to disable incoming connections for the items you want to secure. Don’t forget to click the “Start” button in the firewall section to enable it.
Probably the least understood feature of Mac OS X that customers ask me about is the Keychain. The Keychain system is an encrypted central repository for user names, passwords, certificates, notes and more. Mac OS X and many applications (such as Safari) use the Keychain to store confidential information that can be retrieved when needed. In the past, applications and other utilities used to store this information in non-encrypted preference files on an individual basis. If you open the Keychain Access utility from /Applications/Utilities you will most likely see a few entries already there depending on the applications you use. There will be entries for file servers, your e-mail server credentials, an entry for Safari to store forms information and more. One of the interesting features of Keychain is the ability to store personal notes and information. Since the Keychain is encrypted, this is a great way to store personal information you want away from prying eyes. One word of caution though. The default keychain (login.keychain or username.keychain) located in ~/Library/Keychains is opened and decrypted by default when you log in to your Mac. This means that someone who has access to your computer while you are logged in has the potential to read this info. Fortunately, Keychain Access allows you to create as many keychains as you like that are NOT opened when you log in. It would be better to store your info in these, since Keychain Access will ask for a password to view them.
Another way to secure information is via the use of encrypted disk images. A disk image (.dmg) is a single file that acts as if it were a CD, a floppy or a hard drive. If you download software from the Internet, I’m sure you’ve seen these. If you run Disk Utility from /Applications/Utilities you can create a new disk image of your choice of size, and you have the ability to make it secure. You enter a password that will be required to open it when double-clicked in the Finder. When you send files to a customer, consider this method of delivering the files, either on CD or by e-mail, to protect the data. Send the .dmg file instead of loose files. Who knows what happens when CDs get lost in the mail or courier...
Everyone knows they should back up their computer data. Some never do, some lament it after the damage is done. It bewilders me to see computers coming with huge 250GB hard drives and people who don’t think for a second about how to back up those drives. In this day and age, tape-drive technology is having a tough time keeping up with the rapid pace of hard drive capacity. Tapes, however, offer the most inexpensive method of increasing your off-line storage. A backup, however, is only as good as the configuration of the software and, most importantly, the reliability and testing of the restore process. A carefully planned backup solution can help archive data, retrieve a misplaced file or restore your entire network or server from a catastrophic failure.
Mac OS X has matured quite a lot over the years. It has become what many call an “Enterprise-ready” operating system. To many this means user management. In a larger business, Mac OS X workstations can be completely managed from a central server; in Apple’s case, Mac OS X Server. We’ve done several setups with Mac OS X Server where user data does not live on the workstation but on the server itself. While this is a project that is more involved than some would require, this method provides total control of the security of the workstations. If a computer goes down or is stolen, simply move to another workstation, log in and your data follows you on the network. Laptops can be configured to automatically sync their data to the server using this system as well. What about your e-mail? Aside from the performance improvement of archiving years of e-mails from your computer, you should protect it with as much importance as your other files.
As I mentioned when I began, security is a mind-set. It’s a state of mind that should be as important as your workflow and daily activities. Neglecting computer security is as bad as not locking the doors to your business when you leave for the day.
Since my last article on the Intel transition, something very interesting has happened on the Apple front. A while ago there was a public contest to get Windows XP running on new Intel-based Macs and that contest was won. My prediction was that it would be done eventually, but it happened a lot quicker than anticipated. Their install process was rather cumbersome and only the most technically savvy would most likely attempt it. Two weeks later, Apple released Boot Camp and made the process as easy as a few clicks.
Boot Camp is a simple and free download from www.apple.com/bootcamp and requires any Intel-based Mac, a blank CD and a Windows XP SP2 install disk.
Moving to the dark side
The install process was very easy, but since the installer will repartition your drive (non-destructive) to make room for Windows, I recommend that you perform a full backup first. After the repartition, Boot Camp will create a driver CD containing drivers for the Mac hardware for Windows, then reboot your computer to install Windows from the install CD.
If you’ve ever installed Windows, you’ll find the process quite easy, though longer than a Mac OS X install. Once up and running, you insert the driver disk burned in step 2 and it’ll take care of the rest.
The Windows XP experience on a Mac
As with any PC, you’ll need to take some time to personalize it. Myself, I turn off the Fisher-Price Windows XP look and feel and turn on file name extensions, etc. The first thing you notice is that Windows feels extremely fast on these Macs. I’ve installed all sorts of software on mine and the speed never seems to fade. Perhaps Apple’s hardware is more efficient, but the jury is still out on this. I gave Windows a really good workout running all sorts of high-performance games (my only real need for Windows), and it ran flawlessly. The combination of the excellent Radeon X1600 graphics system in the iMac made for a very good gaming experience. I couldn’t find any software that wouldn’t run. After all, Intel Macs are just PCs now, albeit with better and more reliable hardware.
The only feature of the iMac that Windows would not recognize was the built-in iSight camera. AirPort wireless, Ethernet, Bluetooth, USB, and FireWire worked as expected. Booting into Mac OS X or Windows is as simple as holding down the option key on boot and selecting the OS you want.
Gotchas
The main downside to Boot Camp right now is the lack of file-exchange capability between the partitions. If you opt for a larger than 20 gigabyte partition for Windows, it’ll be formatted with NTFS, which Mac OS X can only read from (under 20GB can be formatted with FAT which is read/writable in Mac OS X). I expect write capability to NTFS in Mac OS X Leopard. The Windows side, however, cannot read HFS+ Mac disks without extra software. For the time being this is a good thing, since viruses you may contract in Windows can only affect the Windows partition.
Looking forward
Apple has publicly stated that Boot Camp will be included in Mac OS X Leopard. I expect the dual boot capability to stay intact, however, I’d put forward that Apple will take this further. What I think will happen is that we will see the ability to boot Windows inside Mac OS X (a la Classic) so we can run Windows applications alongside Mac OS X at the same time. Finally, the “Holy Grail” of computing will be upon us!
Trevor Page is the Chief Technical Officer of GraphicCARE,
specializing in computer, network and technical support for the graphics
industry.
T: 416-559-4905
E: trevor@graphiccare.ca