lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <190DFDD2F99A65469B4B15D3658C0D2B01D9C7B0@ptc6.ponderosatel.com>
Date: Tue Mar 28 17:54:00 2006
From: daniels at Ponderosatel.com (Daniel Sichel)
Subject: S/Mime Exchange 2003 how secure how to secure it?

Directive has just come down from on high, we WILL use email on our Cell
Phones/PDAs and non VPN'd laptops.  I am not a messaging guy but at a
small telco you wear lots of hats so I could use some real help here. We
are upgrading shortly to Exchange 2003 on Windows Server  2003 and want
secure email to and from our cell phones etc. So here are my questions

 

How secure is the built in S/Mime in Exchange 2003 assuming we are using
a certificate  for session encryption ? Don't laugh and hoot, I am
looking for real data not speculation. Are there exploits, and if so
what is needed to carry them out, physical access, just need the phone
number, or what?  Can this be brute forced? 

 

I would like two factor authentication using the users password and
something inherently in the cell phone like a burned in serial number or
the DN or something. Is there any support  for such a thing that will
work on cell phones and/or PDAs ?

 

I know OWA sucks on Exchange 5.5 and 2000, how about 2003? Same
questions as above, is it exploitable, and if so how? Can we require a
machine accessing the OWA site to flush its cache when done? Hopefully
this can be forced without requiring an OK click, I just want to do it,
no user intervention required (or allowed).

 

Any help would be welcomed, any Microsoft bashing would be a waste of
time since the higher powers have spoken and you know how that goes, So
it is written, so shall it be done. 

 

Thanks  

 

Daniel Sichel, MCSE, CCNP
Network Engineer
Ponderosa Telephone

 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060328/edd30694/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ