Chapter 6
Email and Web Security
Objectives in this chapter
ATHENA
Protect e-mail systems
List World Wide Web vulnerabilities
Secure Web communications
Secure instant messaging
Protecting E-Mail Systems
ATHENA
E-mail has replaced the fax machine as the
primary communication tool for businesses
Has also become a prime target of attackers and
must be protected
How E-Mail Works
Use two Transmission Control
Protocol/Internet Protocol (TCP/IP) protocols
to send and receive messages
• Simple Mail Transfer Protocol (SMTP) handles
outgoing mail
• Post Office Protocol (POP3 for the current version)
handles incoming mail
ATHENA
The SMTP server on most machines uses
sendmail to do the actual sending; this queue is
called the sendmail queue
How E-Mail Works (continued)
ATHENA
How E-Mail Works (continued)
ATHENA
Sendmail tries to resend queued messages
periodically (about every 15 minutes)
Downloaded messages are erased from POP3
server
Deleting retrieved messages from the mail
server and storing them on a local computer
make it difficult to manage messages from
multiple computers
Internet Mail Access Protocol (current
version is IMAP4) is a more advanced
protocol that solves many problems
• E-mail remains on the e-mail server
How E-Mail Works (continued)
ATHENA
E-mail attachments are documents in binary
format (word processing documents,
spreadsheets, sound files, pictures)
Non-text documents must be converted into
text format before being transmitted
Three bytes from the binary file are extracted
and converted to four text characters
E-Mail Vulnerabilities
Several e-mail vulnerabilities can be exploited
by attackers:
• Malware
• Spam
• Hoaxes
ATHENA
Malware
Because of its ubiquity, e-mail has replaced
floppy disks as the primary carrier for
malware
E-mail is the malware transport mechanism
of choice for two reasons:
• Because almost all Internet users have e-mail, it
has the broadest base for attacks
• Malware can use e-mail to propagate itself
ATHENA
Malware (continued)
A worm can enter a user’s computer through an
e-mail attachment and send itself to all users
listed in the address book or attach itself as a
reply to all unread e-mail messages
E-mail clients can be particularly susceptible to
macro viruses
• A macro is a script that records the steps a user
performs
• A macro virus uses macros to carry out malicious
functions
ATHENA
Malware (continued)
Users must be educated about how malware
can enter a system through e-mail and proper
policies must be enacted to reduce risk of
infection
• E-mail users should never open attachments with
these file extensions: .bat, .ade, .usf, .exe, .pif
ATHENA
Antivirus software and firewall products must
be installed and properly configured to
prevent malicious code from entering the
network through e-mail
Procedures including turning off ports and
eliminating open mail relay servers must be
developed and enforced
Spam
ATHENA
The amount of spam (unsolicited e-mail) that
flows across the Internet is difficult to judge
The US Congress passed the Controlling the
Assault of Non-Solicited Pornography and
Marketing Act of 2003 (CAN-SPAM) in late
2003
Spam (continued)
According to a Pew memorial Trust survey,
almost half of the approximately 30 billion daily
e-mail messages are spam
Spam is having a negative impact on e-mail
users:
• 25% of users say the ever-increasing volume of spam
has reduced their overall use of e-mail
• 52% of users indicate spam has made them less
trusting of e-mail in general
• 70% of users say spam has made being online
unpleasant or annoying
ATHENA
Spam (continued)
Filter e-mails at the edge of the network to
prevent spam from entering the SMTP server
Use a backlist of spammers to block any e-mail
that originates from their e-mail addresses
Sophisticated e-mail filters can use Bayesian
filtering
• User divides e-mail messages received into two piles,
spam and not-spam
ATHENA
Hoaxes
ATHENA
E-mail messages that contain false warnings or
fraudulent offerings
Unlike spam, are almost impossible to filter
Defense against hoaxes is to ignore them
Hoaxes (continued)
ATHENA
Any e-mail message that appears as though it
could not be true probably is not
E-mail phishing is also a growing practice
A message that falsely identifies the sender as
someone else is sent to unsuspecting recipients
E-Mail Encryption
Two technologies used to protect e-mail
messages as they are being transported:
• Secure/Multipurpose Internet Mail Extensions
• Pretty Good Privacy
ATHENA
Secure/Multipurpose Internet Mail
Extensions (S/MIME)
Protocol that adds digital signatures and
encryption to Multipurpose Internet Mail
Extension (MIME) messages
Provides these features:
• Digital signatures
• Message privacy
• Tamper detection
ATHENA
– Interoperability
– Seamless integration
Pretty Good Privacy (PGP)
Functions much like S/MIME by encrypting
messages using digital signatures
A user can sign an e-mail message without
encrypting it, verifying the sender but not
preventing anyone from seeing the contents
First compresses the message
• Reduces patterns and enhances resistance to
cryptanalysis
Creates a session key (a one-time-only secret
key)
• This key is a number generated from random
movements of the mouse and keystrokes typed
ATHENA
Pretty Good Privacy (PGP)
(continued)
Uses a passphrase to encrypt the private key on
the local computer
Passphrase:
• A longer and more secure version of a password
• Typically composed of multiple words
• More secure against dictionary attacks
ATHENA
Pretty Good Privacy (PGP)
(continued)
ATHENA
Examining World Wide Web
Vulnerabilities
Buffer overflow attacks are common ways to
gain unauthorized access to Web servers
SMTP relay attacks allow spammers to send
thousands of e-mail messages to users
Web programming tools provide another
foothold for Web attacks
Dynamic content can also be used by attackers
• Sometimes called repurposed programming (using
programming tools in ways more harmful than
originally intended)
ATHENA
JavaScript
ATHENA
Popular technology used to make dynamic
content
When a Web site that uses JavaScript is
accessed, the HTML document with the
JavaScript code is downloaded onto the user’s
computer
The Web browser then executes that code
within the browser using the Virtual Machine
(VM)―a Java interpreter
JavaScript (continued)
Several defense mechanisms prevent
JavaScript programs from causing serious
harm:
• JavaScript does not support certain capabilities
• JavaScript has no networking capabilities
Other security concerns remain:
• JavaScript programs can capture and send user
information without the user’s knowledge or
authorization
• JavaScript security is handled by restrictions
within the Web browser
ATHENA
JavaScript (continued)
ATHENA