Wednesday, December 19, 2012 At 2:04AM
Imagine this scenario: It is 4PM on a Thursday afternoon. You’ve worked hard all week, doing what just may be your best work ever. You’ve been scrambling to finish up a report you owe your favorite, but most demanding client. You promised to deliver it to them by the end of day, since their boss needs the report before the go/no-go meeting in the morning.
It’s been peer reviewed, and you give it your final once over to make sure everything is perfect. You open your email client, attach the report to the message, and then press the GPG “Encrypt” button. The mail client chokes a few times, which you chalk up as normal when dealing with GPG, and finally the email is sent. Life is good.
As you reach into the beer fridge to crack open a celebratory stout in the mini fridge you keep below your desk (doesn’t everyone have one of those?), you see a reply come into your inbox. “Thanks for the report. I had to duck out of the office early today to make it to my son’s baseball game. Please send the report to my assistant instead so he can have it ready for tomorrow’s meeting. You’re the best!”.
Hmm, ok no problem…let’s just send the report to the assistant instead. Obviously, sending the plain-text file via email is not an option. You send the assistant an email asking for their GPG/PGP key. “What’s GPG?” the assistant replies. Ok, not surprising. Time to move to Plan B…send them an encrypted ZIP file. You start by generating a nice random combination of letters, numbers and symbols. You use that as the password to encrypt the ZIP with AES-256, and send it off. Now all you need to do is call them with the password.
As you pick up the phone to call them, a reply comes into your inbox from [email protected] “Error 582 – Email Attachment Security Policy Violation”. You curse to yourself as you vaguely remember suggesting to them a few months back that they bolster their email filtering capabilities by using a cloud service like Google’s Postini, rather than the traditional signature-based software they were previously using. Unfortunately to your disadvantage, this message confirms that they took your advice. In an act of desperation you rename the “report.zip” file to “report._”, hoping that the mail filter is dumb enough to just look at the file extension. The identical auto-reply that comes back moments later, confirming what you already knew…it wouldn’t be that easy.
Ok, time to move to Plan C, sending the file through a web-based server your company runs specifically for such situations. You remember the company network admin boasting about the steps he took to harden the server when it was first stood up, but you decide to stick with the encrypted ZIP as an extra layer of protection. You upload the file, publish it to an external link, email the link to the assistant, and call them to provide the password. “Ok, the file looks like its downloading…hold on and I’ll make sure I can open it.”. You start to breathe a sigh of relief as it looks like you are finally close to being done.
“I’m opening it now.”, says the assistant as you slowly reach down once again towards the mini fridge. “Hmm, it’s telling me Windows cannot complete the extraction.” You quickly realize you’ve been foiled once again, when you remember that Windows can’t natively open AES-encrypted ZIP files (Windows can only open ZipCrypto protected files natively). As a last ditch effort, you ask the assistant to Google the terms “WinZip” or “7Zip” and follow the download links for each, but the WebSense proxy they recently implemented (also based partly on your advice) quickly blocks both downloads. As you start to pull out your hair and think of what to do next, you wish there was a better way. Well now there is.
Some of you may know we recently previewed a new platform, which we developed, at OWASP AppSec USA in Austin, TX. The platform is called SendSafely, and it’s designed to facilitate secure file exchange using only a web browser. Being a team of security consultants, we were repeatedly faced with multiple variations of the scenario outlined above. With SendSafely, you only need a modern web browser to quickly and easily exchange encrypted files with anyone. No pre-shared keys, no software to install. If you’re interested to see how it works we’ve got a high-level explanation here and a more detailed explanation here. If you haven’t tried it out, we encourage you to sign up for free and take it for a test drive.
Our goal with SendSafely is to become the standard for secure file transfers. We aren’t a Dropbox replacement, nor do we aim to be. Think of them as the mini-storage unit you rent every month to hold onto all of that extra stuff you own. Instead, think of us as the secure FedEx or UPS of the digital world. If you want to send something important to someone else, and you want to get it there fast and securely, then use SendSafely.
You can also check out the SendSafely Blog, where we’ll be blogging about the challenges we’ve dealt with, and things we’ve learned, while building a secure cloud-based application platform. Stay tuned for more updates, and tell us what you think of SendSafely…we’re all ears! You can reach us at [email protected] or feel free to post your comments right here on our blog.
Author: Brian Holyfield
©Aon plc 2023