

Part 4: If you can't stop it, make it impossible to open

Posted by verstraete at 2020-03-09

The fundamental countermeasure against mis-sent mail is the various filtering introduced in the previous part. However, even with these measures in place, it is difficult to eradicate mis-sent mail entirely. With that in mind, it is worth preparing for the case where important information is mis-sent anyway.

This is where products and services that set a password for viewing an attachment come in. They are a countermeasure aimed mainly at the mis-sending of attachments that contain important information. Even if you send a file other than the one you meant to send, or send it to the wrong party, the contents cannot be viewed without the password. In addition, the access restriction remains in effect even if the mail is forwarded to other users.

Encryption equipment: a wide range of products

There are two methods: (1) encrypting attachments automatically, and (2) converting the attached file to web content and sending only the URL (Table 1). In both cases a password is set for viewing the contents of the attached file, so access can be restricted. Let's look at how each one works in practice.

(1) is implemented with encryption equipment. Various vendors offer such products, and the selection is wide. Examples include "broadea safeattach" from orange software, "HDE secure mail2 for zip" from HDE, "ciphercraft / mail server edition" from NTT software, and "secret AE mailguard" from Hitachi Software Engineering.

The rough mechanism is essentially the same for every product. An SMTP gateway is installed behind the mail server, and mail sent to the mail server is received at the gateway (Fig. 6). If the mail has an attachment, the gateway removes it, encrypts it (or compresses it with encryption), and attaches it to the mail again. A password is set during encryption. The password must be sent to the other party in an email separate from the original mail; without it, the recipient cannot open the attachment.

The password generation method can be chosen between "preset" and "random", where the encryption device automatically generates a password each time mail is sent. Random passwords make generating and notifying the password more troublesome and complicated, but using them is what makes this a countermeasure against mis-sent mail.

Depending on the product, the sender can set the password for each transmission. With Hitachi's mailguard, the user sends mail with a "request file" to mailguard when creating the e-mail. This is the first group manager of the business planning department, business planning headquarters, Hitachi Software Engineering Inc.

Usually, when encrypted data is exchanged, the receiver needs software with a decryption function. However, files produced by the products introduced here can be decrypted without dedicated software.

URL conversion: no attachment is sent

What about the solution that automatically turns the attachment into web content? This is offered as an Internet service provider (ISP) service. Specifically, Internet Initiative Japan (IIJ) offers the "IIJ secure MX service" (in conjunction with the company's online storage service).

The mechanism is as follows. In the case of the IIJ secure MX service, when a mail with an attachment is sent, the attachment is saved on the IIJ service side. The attached file is deleted from the mail, and a download URL is added to the body instead before the mail is sent on. If the recipient receives the password from the sender and accesses the URL in the mail, the content of the attached file can be viewed. If the sender notices a mis-sent mail, it is enough not to tell the other party the password. It is also possible to delete the attachment file managed on the IIJ side (Fig. 7).

This solution automatically removes the attachment and sends the other party a URL from which to fetch the content. With the encryption method above, by contrast, the attached file itself is passed to the other party. To use these services, however, the DNS server and mail server settings must be changed so that mail is sent and received via the ISP's gateway.

Passwords must go through the sender

Whether the attachment is encrypted or converted to a URL, the key points for the user are what password to use and how to send it. As described above, if a fixed password is set for each partner, the partner can view the received file even when it was sent in error. The password therefore needs to change randomly. Of course, passwords that are easy to break must also be avoided (photograph 2).

The next point to note is how the password is notified to the other party. As a countermeasure against mis-sent mail, the password should be sent only to the sender. That way, the recipient cannot open the attached file until the sender passes the password on. After sending the email, the sender gains time to reconfirm that "there is no problem even if the file is actually transmitted".

In any case, once the password has been transmitted to the other party, it cannot be taken back. Encryption and URL conversion should be treated only as supplementary countermeasures; an effort to stop mis-sent mail itself from leaving the company is still necessary.
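The URL-conversion flow and the sender-only password notice described above can be sketched as follows. This is an added example, not code from any of the products or services named in the article; the download host, the gateway address, the in-memory `store` dictionary and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets
from email import message_from_bytes, policy
from email.message import EmailMessage

BASE_URL = "https://files.example.invalid/d/"  # hypothetical download host

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def convert(raw, store):
    """Return (mail for the recipient, password notice for the sender only)."""
    msg = message_from_bytes(raw, policy=policy.default)
    password = secrets.token_urlsafe(12)  # random for every mail, never preset
    salt, links = secrets.token_bytes(16), []
    for part in msg.iter_attachments():
        token = secrets.token_urlsafe(16)  # unguessable URL component
        store[token] = (salt, _digest(password, salt), part.get_content())
        links.append(f"{part.get_filename()}: {BASE_URL}{token}")
    if not links:
        return msg, None  # no attachment: pass the mail through untouched
    body = msg.get_body(preferencelist=("plain",))
    out, notice = EmailMessage(), EmailMessage()
    for name in ("From", "To", "Subject"):
        out[name] = msg[name]
    listing = "\n".join(links) + "\n"
    out.set_content((body.get_content() if body else "")
                    + "\nAttachments (password required):\n" + listing)
    notice["From"] = "gateway@example.invalid"  # hypothetical gateway address
    notice["To"] = msg["From"]  # the password never goes straight to the recipient
    notice["Subject"] = "Password for: " + msg["Subject"]
    notice.set_content(f"Sent to: {msg['To']}\nPassword: {password}\n" + listing)
    return out, notice

def fetch(store, token, password):  # file only for a live token and the right password
    salt, digest, data = store.get(token, (b"", b"", None))
    ok = hmac.compare_digest(digest, _digest(password, salt))
    return data if ok else None

def revoke(store, token):  # sender noticed a mis-send: delete the stored file
    return store.pop(token, None) is not None

def sample_mail():  # constructed test message with one binary attachment
    m = EmailMessage()
    m["From"], m["To"] = "alice@example.invalid", "bob@example.invalid"
    m["Subject"] = "Q3 estimate"
    m.set_content("Please see the attached file.\n")
    m.add_attachment(b"confidential", maintype="application",
                     subtype="octet-stream", filename="estimate.bin")
    return m.as_bytes()
```

The notice repeats the recipient list so the sender can recheck the destination before passing the password on, and `revoke` corresponds to deleting the file held on the service side.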
