IWS - The Information Warfare Site
News Watch Make a  donation to IWS - The Information Warfare Site Use it for navigation in case java scripts are disabled

Securing POP Mail on Windows Clients

1.0 Identification Data
1.1 BSP Number
00020
1.2 BSP Title/Name
Securing POP Mail on Windows Clients
1.3 Version Number
1.0
1.4 Adoption Date
June 12, 2001
1.5 Approving Authority
CIO Council Security Practices Subcommittee (SPS)
1.6 Responsible Organization
NASA Scientific and Engineering Workstation Procurement Security Center (SEWPSC), Goddard Space Flight Center,
Code 295.3
1.7 Level of BSP
Candidate
1.8 Security Processes or other Framework(s) Supported
BSP Security Process Framework (SPF) Section 2.6.2.8: Technical Security, Install/turn-on controls
1.9 Reserved
1.10 Points of Contact
Government BSP Owner:

Do not post this contact information with the publicly accessible BSP.

  • Dennis Taylor
    Director, SEWPSC
    QSS Group Inc.
    Goddard Space Flight Center, Code 295.3
    Greenbelt, MD. 20771
    Telephone No. 301-286-4290
    Fax No. 301-286-4549
    E-mail – dtaylor@sewp.nasa.gov

Alternate:

  • Dave Heimann
    SEWP Information Systems Manager
    QSS Group Inc.
    Same Address information as Dennis Taylor (above)
    Telephone No. 301-286-8656
    E-mail – dave@sewp.nasa.go
2.0 What This BSP Does
2.1 BSP's Purpose
This BSP discusses how to use Secure Shell (SSH) Internet Protocol to secure the transmission of email passwords between email clients (e.g. Eudora or MS Outlook) and Postoffice Protocol (POP) email servers. SSH clients are widely available as freeware applications. In addition, there are relatively low-cost commercial versions available that provide additional functionality. This practice is very low cost and simple to implement; yet, relatively few Government users take advantage of it.
2.2 Requirements for this BSP
  • NASA Procedures and Guidelines (NPG) 2810.1, Security of Information Technology applies to all NASA employees and NASA contracts (as provided by the terms and conditions of the contract), where appropriate in achieving Agency missions, programs, projects, and institutional requirements.
    • Section 4.11.1 Guidance for Using Encryption Technology discusses the risk of relying solely on user-password authentication and that use of encryption technology must be considered when doing risk assessments of IT systems.
    • Appendix A.6.3.8 Password Distribution requires that management give passwords "reasonable protection from unauthorized disclosure.”
2.3 Success Stories
This BSP has been used successfully by NASA SEWP staff members accessing the SEWP POP servers remotely, either from home or while on travel.
3.0 What This BSP Is
3.1 Description of BSP

POP mail, which is often the mail server for Eudora and Outlook clients, historically uses an insecure protocol. The mail password is transmitted between client and mail server in clear text. This password may also be (and typically is) a Unix account password, which could lead directly to an account compromise on the mail server.

Travelers and home workers are especially vulnerable since they send their passwords across the open Internet. The NASA SEWP Security Center has posted a short "How To" white paper.

For the technically inclined, this paper provides a brief technical overview of how SSH TCP port forwarding works at Internet nodes.

However, the bulk of the paper provides step-by-step directions, illustrated by screen-shots, for implementing SSH on Eudora and Outlook clients. The examples use the Tera Term freeware SSH application for illustration; however, the principles are easily applicable to other SSH applications.

The references section at the end of the document provides links for obtaining an SSH client.

3.2 Relationship to Other BSPs
Relationships will be identified as the BSP population increases.
4.0 How To Use This BSP
4.1 Implementation Guidance

See the white paper referenced in Section 3.1, above.

4.2 Implementation Resource Estimates

Software costs range from $0 for a freeware SSH client to around $100 for a fully supported commercial version.

A computer-literate end user can work through the step-by-step instructions in the NASA SEWP white paper in less than half an hour. An IT support professional should be able to set up a machine in just a few minutes.

4.3 Performance Goals and Indicators (Metrics)
The SEWPSC lab has tested the procedure to ensure that it effectively shields mail passwords.
4.4 Tools

Note: A computer-literate end user can work through the step-by-step instructions for installing these applications in less than half an hour. An IT support professional should be able to set up a machine in just a few minutes.

4.5 Training Materials
None employed.
Appendices
A Executive Overview and Briefing
None available
B Reference List
  • http://www.openssh.org/
  • For those wanting more technical detail, the O'Reilly Press book: SSH, the Secure Shell: The Definitive Guide by Daniel Barrett and Richard Silverman is a good bet.
C Procurement Information
None Available.
D Evaluation Information
None Available.
E Recommended Changes
None available.
F Glossary
None available.