gnupg encrypted mail and malware/spam

Steve Butler
Mon May 12 17:08:02 2003

Now that HPIAA is in force within the USA, many of us in the health care
industry must install encryption software for individuals who must exchange
protected health information (PHI) with cooperating institutions.  Thus, we
have PGP and GnuPG on several client machines around the company.

However, this is not the major problem of bringing unintended viruii into
the company.  Folks do use the web to check their personal email accounts
during breaks or the lunch hour.  An attachment can be zipped with a
password (another form of encryption).

Finally, there are folks who must be allowed on to the Web as part of their
work day.  These folks will surf it during breaks.  More viruii pop in on
their machines.

We have found it best to have two competing virus scanning software.
Usually written by different authors.  One sits near (or on) the firewall
and monitors the traffic (including email).  The other sits on each client
within the company and monitors that particular box.  There have been
incidents that demonstrate the wisdom of spreading the virus checking
around.  Don't depend on a single point of failure.

--Steve Butler
Oracle Administrator
First Choice Health Network

"Those who give up liberty for the sake of security deserve neither liberty
nor security."
-- Ben Franklin

-----Original Message-----
From: Thomas Scheffczyk
Sent: Sunday, May 11, 2003 4:29 AM
To: Anthony E. Greene
Subject: Re: gnupg encrypted mail and malware/spam

Hash: SHA1

Anthony E. Greene schrieb:

>>If gnupg is used to protect mail messages it also disables all server
>>based protection measures against malware and spam. No virus scanner nor
>>spam filter an firewalls or gateways can check the encrypted messages.
> Your needs are not well addressed by GnuPG. You should consider buying
> some of the tools offered by PGP Corp.
Hello Tony, hello all,

thank you all for your comments and suggestions.

Perhaps I'm to pessimistic, but I do not share the opinion that it would
to much work for spammers to encrypt (not sign) their messages. I can
imagine that the success ratio of an encrypted spam would be remarkably
higher compared with a unencrypted and often filtered message :-(

Just a comment to pgp: I used the commercial version of pgp for a
while, but if even possible I will never do again. I bought quite a
couple of licences just a month before NAI decided to set the
development of pgp to hold. The worst thing was, that it wasn't possible
to use pgp on WinXP and I really didn't want to maintain different
programs for each platform.

I guess that my question was a little misleading and to spam centric. A
graphical firewall and a gateway for checked files would be a possible
solution. Another solution would be to accept encrypted messages only
for functional (i.e. non personal) mail to avoid any kind of key escrow
for personal keys.

Until now, no comment was given to my first post scriptum:

'I do not fear 'ordinary' viruses or other malware. What i really fear
is a sophisticated attacker that send on a very slow rate backdoors to
single users in my network. I can not guarantee the really no user will
start the program. If it is started, it's easy to create a backchannel
over allowed traffic like http.'

Does nobody fear this, too? I'm very surprised that this threat was
never discussed in the context of public key infrastructures. I know a
couple of big institutions (please apologize that I don't list the
institutions right here) that do allow personal use of encryption, but
only one (a health insurance company) was aware of this problem. (Their
solution is to allow cryptography only for special messages like data
exchange with universities ;-)

Hoping for more comments and suggestions,


Version: GnuPG v1.2.1 (GNU/Linux)
Comment: Using GnuPG with Debian -


Gnupg-users mailing list

CONFIDENTIALITY NOTICE:  This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure or distribution is prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.