Blog

How to set up encrypted email on OS X with a digital certificate

One of the features the OS X Mail app offers is encrypted email. OS X Mail lets you send digitally signed or encrypted email to protect your electronic communications. I’ve written about digital certificates before. The idea is to use a special key — a digital certificate — to sign and encrypt your email so that only the intended recipient can read it. Encrypted email is a great way to send confidential information — passwords, social security numbers, etc. — without worrying about who might intercept it. An SSL email certificate ensures your mail cannot be read by anyone but the intended recipients. It also ensures your message was not modified during transmission and allows recipients to confirm your identity as the sender of the message.[1]

In this post, I will walk you through the steps to securing email in OS X. The steps to follow should allow you to encrypt your email communications in any mail application on OS X.

Getting a digital certificate

I use free email certificates issued by the certificate authority StartSSL, but you can also get free certificates from Comodo or spend some money and get one from Symantec. The key is to make sure you get a certificate from a trusted source. Getting an email certificate requires you to fill out a form on the certificate authority's web site with some basic information and then wait for a confirmation email. Once you have received the email, follow the instructions to download and install your certificate. On Mac OS X that means downloading the certificate file and opening it in Keychain.

Keychain Access

screen shot of new signed email

Once you receive the confirmation email from the certificate authority, follow the instructions to download the certificate to your Mac.

On Mac OS X digital certificates are stored in OS X Keychain Access. The certificate file will have a file extension that indicates it contains certificates—such as .cer, .crt, .p12, or .p7c. Locate the certificate file and double-click to import into Keychain Access. Once you import your certificate, it should be listed in the My Certificates category in Keychain Access. If Keychain Access can’t import the certificate, try dragging the file onto the Keychain Access icon in the Finder. If that doesn’t work, contact the CA to ask if the certificate is expired or invalid.

Alternatively, you can launch Keychain Access (look in the Utilities folder inside the Applications folder) and type Shift-CMD-I to import the file. Once the certificate file has been imported, I strongly recommend that you save your certificate to a safe place in case you need to reload it later. I keep mine on an encrypted USB flash drive.

Open your certificate in Keychain Access and make sure its trust setting is “Use System Defaults” or “Always Trust.” Now you can use the certificate to send and receive signed and encrypted messages.

Using the certificate for encrypted email

screen shot of new signed email

A signed message lets the recipients verify your identity as the sender; an encrypted message offers an even higher level of security. To send signed messages, you use your personal certificate from your keychain, but to send encrypted messages, the recipient’s certificate must be in your keychain.

Open OS X Mail and create a new message. Choose the email account for which you have a personal email certificate in your keychain. OS X Mail includes a security field in the header area that indicates whether a message is signed or encrypted. A signed icon (containing a check mark) in the lower-right side of the message header indicates the message will be signed when you send it.

To send the message unsigned, click the Signed icon; an “x” replaces the check mark. An encrypt (closed lock) icon appears next to the signed icon if you have a personal certificate for every recipient in your keychain; the icon indicates the message will be encrypted when you send it.

screen shot of new encrypted email

If you don’t have a certificate for every recipient, you must cancel the message or send it unencrypted (click the Encrypt icon; an open lock icon replaces the closed lock icon).

screen shot of signed email

When you receive a signed message, an icon (a check mark) appears in its header area. To view the certificate details, click the icon.

If the message was altered after it was signed, OS X Mail displays a warning that it can’t verify the message signature. A lock icon appears in the header area of an encrypted message. If you have your private key in your keychain, the message is decrypted for viewing. Otherwise, Mail indicates it can’t decrypt the message.

screen shot of encrypted email

To include encrypted messages when you search for messages in Mail, set the option in the General pane of Mail preferences. Although the message is stored encrypted, the option enables Mail to search individual words.
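What the signed and lock indicators described above correspond to in the message itself, as an added example (not code from this post): it classifies a message from its MIME structure and reports what stays readable in transit. S/MIME protects the message body only, so outer headers such as Subject travel in the clear even when the lock is closed. The sample messages, addresses and base64 placeholders are constructed.

```python
from email import message_from_string

# Constructed sample messages; the base64 bodies are placeholders, not real CMS data.
SIGNED = """\
From: alice@example.com
Subject: Q3 numbers
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="b1"

--b1
Content-Type: text/plain

Readable text, integrity-protected only.
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"

UExBQ0VIT0xERVI=
--b1--
"""
ENCRYPTED = """\
From: alice@example.com
Subject: Server password
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"

UExBQ0VIT0xERVI=
"""
PLAIN = "From: alice@example.com\nSubject: Lunch\nContent-Type: text/plain\n\nNoon?\n"

def smime_status(msg):
    """Classify a message the way a mail client picks its signed/lock indicator."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        proto = str(msg.get_param("protocol", "")).lower()
        if proto in ("application/pkcs7-signature", "application/x-pkcs7-signature"):
            return "signed"          # clear-signed: the text part stays readable
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        kind = str(msg.get_param("smime-type", "")).lower()
        if kind in ("enveloped-data", "authenveloped-data"):
            return "encrypted"
        if kind == "signed-data":
            return "signed"          # opaque-signed: text is wrapped inside the CMS blob
        return "unknown"             # smime-type is optional; the CMS data must be parsed
    return "none"

def visible_in_transit(raw):
    """Report what a mail server or interceptor can read without any private key."""
    msg = message_from_string(raw)
    body = [p.get_payload().strip() for p in msg.walk() if p.get_content_type() == "text/plain"]
    return {"status": smime_status(msg), "subject": msg["Subject"], "cleartext_body": body}
```

For the encrypted sample the body list is empty but the subject line is still returned, which is why a password or account number should go in the body and never in the Subject of an encrypted message.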


  1. I’m simplifying a lot here. Read my original article for more detail on digital certificates.

Starting a Security Tools Lab at Home

I recently realised that although I've worked in the information security space for almost 13 years, my hands-on work has decreased over the last few years. When my last full-time employer switched to a fully outsourced IT stack, the need for a security analyst to work directly with technology diminished. The team transitioned to a governance, risk, and compliance (GRC) model, with my role evolving into more of an internal security consultant. I was no longer responsible for day-to-day tasks like vulnerability assessment, network intrusion detection, and log management.

This didn't mean I lacked skills. It just meant that my skill set was better suited to building or advising on information security architectures, critical controls, policies, procedures, and standards. I have good to great presentation skills. I've practised my writing over the years and written a few internal white papers. I could confidently discuss business strategy in front of senior managers and directors and collaborate across multiple business units to achieve shared goals. I can navigate both the language of technology and business.

When my role was eliminated in 2013, I returned to working as an independent security consultant. I realised how much my hands-on skill set had atrophied. I found myself struggling to remember how to use Nmap and wasn't up-to-date on the latest open-source security tools. I wasn't even aware that OpenVAS was essentially Nessus. I panicked, thinking, "I'm over the hill now!"

However, these hands-on technical skills are not what my current client finds valuable. Most of my achievements in consulting over the last two years have involved helping to build an information security architecture to meet certain business compliance objectives. My client appreciates my efforts and the results.

Nevertheless, I want to expand what I can offer future clients. There's an uptick in demand for experienced information security professionals, and I want to position my skills and services to take full advantage. I asked myself, "How can I dust off my technical skills and polish them?"

There are two strategies I am pursuing simultaneously:

  • Training
  • Building a lab

I aim to develop my penetration testing and vulnerability assessment skills. Perhaps due to the large number of highly public security breaches in 2013 and 2014, many organisations realise they need to do more to find and fix flaws in their systems. Attackers have become very adept at exploiting weaknesses — some of which have been around for decades — in some core services of operating systems and networks. I believe penetration and vulnerability testing is one area where demand will continue to grow. However, pursuing training is the toughest challenge.

Many of the training classes I want to take are expensive. A single SANS course is about $5000. The cost of the course, plus the loss of income during the week I am attending, makes the overall cost difficult to swallow. But... if I want to be successful, I have to find a way.

The other option is to do all the training online. This would allow me the flexibility to work during the day and study at night. Online courses tend to be cheaper as well. Some courses provide a lab for students to practice the techniques taught in the course. I haven't made any decisions on training yet, but I have put some thought into building a lab where I can experiment with some open-source security tools.

At first, I thought I might build the lab using OS X. I could use my iMac for assessment and monitoring and my MacBook Air for pen-testing. I could certainly find OS X ports of most, if not all, the tools. But I use these two machines for other purposes. The iMac is for photo editing and writing, and the MacBook Air is my minimal viable mobile office and presentation device. I really want devices dedicated to security-related tasks.

To build a test lab, I bought a used Dell Blade Server on eBay. It has enough CPU, memory, and storage for this purpose. I plan on installing a Linux distro. I'm not sure if it would be better to install Ubuntu Server and then install or build the security tools or just install a Linux distro like Kali Linux that's geared toward pen-testers. I'm not sure yet.

I plan on installing and configuring the following assessment tools:

  • OpenVAS for network and system vulnerability assessment
  • ZMap for network scanning
  • Nmap for network discovery and server profiling
  • Nikto for application security assessment
  • WhatWeb for application profiling

In addition to the tools mentioned, I want to try network and system monitoring tools such as Snort, OpenSCAP, Open Source Tripwire, and Splunk. It will be nice to re-familiarise myself with tools like Snort and Splunk.

My home network has 19 IP-enabled devices. I have iOS devices, a few Macs, two Raspberry Pi, and some embedded Linux devices. I think these will give me enough traffic to test these tools.

So far, progress has been slow. I have my blade server sitting in the basement, but I have yet to install the OS and connect it to the network. Many years ago (circa 2008?), I got rid of all the superfluous PC-style machines in my basement and bought an iMac and MacBook. I've bought only Macs since then. Part of the delay is that I have no power cables, display, or keyboards for the server. I may have to search eBay for a small used display and keyboard. I only need them to install the OS and set up SSH. After that, I can connect to it remotely.

In the meantime, I installed Kali Linux on one of my Raspberry Pi machines. I still can't use it since Kali Linux defaults to having no running services. I can't log in to turn on the service without a display. I am also hoping to repurpose an old Mac mini G4 to run Linux. Again, the lack of a display hinders those efforts.

So... I'm off to eBay. I need a minimum of a 14” monitor and a keyboard to get started.

Speculation about ResearchKit Deficiencies

I am not a statistician, but I took issue with what Dr. Phil Jones, an Associate Professor at the University of Western Ontario in the Departments of Anesthesia & Perioperative Medicine and Epidemiology & Biostatistics, has written about his concerns about Apple’s only recently announced ResearchKit. He starts off writing about selection bias.

“iPhone users are more likely to be affluent and educated, and many minority groups may well be under-represented.”

So what’s wrong with that? The report findings will be sure to indicate study participants as such. I think better information on some segment of the population is better than little information about the general population. Let’s not toss the baby out with the bath water. Besides, how would Apple fix this problem? Drop the price of their product down to money-losing levels?

“Another problem involving selection bias is the fact that no verification of any of the information provided by the user is possible. The breast cancer app is only supposed to be done in women.”

I understand the problem. But … why not use the same (or similar) verification process that is used for people who don’t have the technology?

“At inception, ResearchKit is only available for iPhones.”

ResearchKit is open source. Anyone can use it to develop on Blackberry, Android etc. Google has technical prowess but is known for monetizing everything by way of ad-revenue based on data collection. This is not a good match for healthcare.

Dr Jones then brings up the subject of attrition bias. If some groups of people drop out of a study more often than others, the remaining sample no longer resembles the original sample in the study. As a result, the remaining sample is not generalizable to the original population that was sampled.

“This will inexorably bias the results in favour of those who stay in the study, which may skew results in favour of better outcomes.”

Isn’t this true for studies in general? All those who stay in a ResearchKit based study bias the study in favour of all those who stay in the study. This isn’t some specific problem with ResearchKit. It’s a problem with studies in general.

“Observer bias occurs when people enter incorrect data, perhaps because they want or hope the results to be better than they actually are.”

Presumably, writing down data with a pencil on a paper form prevents this today?

Then he goes ahead and offers a possible solution.

“However, verifying some basic information would go a long way towards ResearchKit study legitimacy, and it does not mean that recruitment will go down to the low levels traditionally seen in ‘standard’ clinical trials.”

What bothers me about this article is that Dr Jones actually has no information whatsoever about how any of this will actually work. Apple has not yet provided details. He may very well find that all his concerns will be or are being addressed. I am not trying to defend ResearchKit, but the title of this article, “Apple’s ResearchKit is not (yet) ready for primetime — A medical researcher’s perspective”, indicates Dr Jones KNOWS it’s done incorrectly.