As you may have noticed Ipswitch maintains a robust network of qualified partners and distributors (including GSA providers) from which you can buy our technology.

There are also a number of web sites and other “grey” operations that sell old or “backup” WS_FTP products, dispensing license keys from old lists Ipswitch provided to resellers, dispensing copies of product that should be free (e.g., WS_FTP LE) or dispensing dead copies of the software.

From a technical point of view, there have always been risks from accepting these software packages, from installing software that may have been tampered with to add spyware to getting old product that may not work with Windows Vista and Windows 7 because it was developed before those OS’s existed.

However, you also take a risk against your credit history when you do business with these “grey” reseller firms, as they often use dubious financial services to convert your credit card information into cash.  Assuming these services aren’t stooping to the level of unabashed credit card harvesting, a recent security incident demonstrates why doing these transactions is still unsafe.

One of these “grey” financial services, Amsterdam-based, Russian-run Fethard, was recently reported as hacked, possibly by a rival.  This hack exposed shady internal processes and personally identifiable customer data to the entire Internet – information that criminals could use to impersonate and then draw on the credit of customers of sites that use Fethard.

Do you have any experiences with “grey” software vendors or the financial services that enable them (whether you used them for WS_FTP or not)?  If so I’d like to hear them.

Frank: “Hey Dad, before I go off into the world what is the one bit of advice that you would give me?”

Frank’s Dad: “If I had to give you one piece of advice it would be save all your receipts and tax returns for seven years in a file cabinet someplace in the back of your closet.”

Frank: “That’s it?! You mean nothing about women? Nothing about credit? Nothing like own at least one suit and a pair of good shoes?”

Frank’s Dad: “Nope that’s it. Trust me you’ll see…”

Now that I’m older I can give this advice to my son. I can also give the same advice to e-mail administrators, “save all your e-mails, someplace safe, for at least three years… preferably more.”

Now here’s the technology part:

It’s becoming more and more apparent that offloading large file attachments from e-mail, using a third-party technology integrated with the e-mail servers, requires a rethinking of e-mail and data archival and storage strategy.

A small Wyoming bank made national headlines when it filed a lawsuit against Google after an employee inadvertently sent sensitive customer data to the wrong user’s Gmail account (http://www.informationweek.com/story/showArticle.jhtml?articleID=220100410).  This incident reaffirms that a company doesn’t need to be the target of a massive plot by hackers to suffer a costly and damaging data breach.  In this case, simple user error resulted in the disclosure of sensitive data to unintended parties.

Obviously companies need a mechanism to exchange sensitive data with their partners and customers in order to conduct business.  Setting aside the obvious problem of using email to pass data in plain text with no authentication to speak of, what really struck me about this incident was the “fire and forget” nature of email.  Once the email containing sensitive data was sent, the sender had zero control or visibility into what happened afterwards.

Deploying a solution like MOVEit DMZ with Secure Messaging is a reasonable way to reduce the risk posed by sending sensitive data by email.  Using MOVEit DMZ provides for end-to-end encryption of the data, integrity checking, audit logging and non-repudiation, but in this incident, the two-step approach to sending sensitive data really saves the day.

When using MOVEit DMZ and Secure Messaging to send sensitive data to an external partner or customer, rather than pushing the sensitive data all the way to the intended (or unintended) recipient, that data is pushed to the MOVEit DMZ server where it is stored encrypted and available for pickup.  The intended recipient is sent temporary credentials and a link he/she can use to access the sensitive data.  All access is audited, so the sender knows exactly who, if anyone, has accessed the sensitive data.

In this particular incident, had MOVEit DMZ been used to send the sensitive data to the customer, the temporary credentials sent to the unintended recipient’s email account could have been recalled immediately, as soon as the mistake was noticed, before any sensitive data was accessed.  Even if the mistake went unnoticed for days, the MOVEit DMZ tamper-evident audit logs would show whether the account had been used to access the sensitive data, or whether the account credentials were still sitting unread in someone’s inbox.  If the account had been used by the unintended recipient to access the sensitive data, once again the tamper-evident audit logs would provide non-repudiable evidence of the unauthorized data access, giving the company stronger means to pursue legal action to recover the data.
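To make the two-step pickup flow concrete, here is a small model of it added for this post (not MOVEit DMZ code): a staging server that holds the package, issues temporary credentials with an expiry, lets the sender recall them, and records every attempt in a hash-chained audit log so that tampering with an entry is detectable. Encryption at rest is assumed and left out; the `PickupServer` and `AuditLog` names are this example's own.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AuditLog:
    """Append-only log where each entry's digest commits to the previous one."""
    entries: list = field(default_factory=list)   # (timestamp, event, digest)

    def append(self, event: str, now: float) -> None:
        prev = self.entries[-1][2] if self.entries else "0" * 64
        digest = hashlib.sha256(f"{prev}|{now}|{event}".encode()).hexdigest()
        self.entries.append((now, event, digest))

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for now, event, digest in self.entries:
            if digest != hashlib.sha256(f"{prev}|{now}|{event}".encode()).hexdigest():
                return False
            prev = digest
        return True


class PickupServer:
    def __init__(self, ttl_seconds: float = 86400.0):
        self.ttl = ttl_seconds
        self.packages = {}          # package_id -> metadata + payload
        self.log = AuditLog()

    def stage(self, sender: str, recipient: str, payload: bytes, now: float):
        """Store the package server-side; return the temporary credentials to mail out."""
        package_id, password = secrets.token_hex(8), secrets.token_urlsafe(12)
        self.packages[package_id] = {
            "sender": sender, "recipient": recipient, "payload": payload,  # assumed encrypted at rest
            "pw_hash": hashlib.sha256(password.encode()).hexdigest(),       # random token, so unsalted hash is fine
            "expires": now + self.ttl, "revoked": False}
        self.log.append(f"STAGE {package_id} from={sender} to={recipient}", now)
        return package_id, password

    def recall(self, package_id: str, now: float) -> None:
        """Sender noticed a misdirected message: invalidate the credentials."""
        self.packages[package_id]["revoked"] = True
        self.log.append(f"RECALL {package_id}", now)

    def pickup(self, package_id: str, password: str, now: float):
        pkg = self.packages.get(package_id)
        ok = (pkg is not None and not pkg["revoked"] and now < pkg["expires"]
              and hmac.compare_digest(pkg["pw_hash"], hashlib.sha256(password.encode()).hexdigest()))
        self.log.append(("PICKUP " if ok else "DENY ") + package_id, now)
        return pkg["payload"] if ok else None

    def accessed(self, package_id: str) -> bool:
        """Answer the sender's question: did anyone actually retrieve the data?"""
        return any(e == f"PICKUP {package_id}" for _, e, _ in self.log.entries)
```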