Chapter 6
Email and Web Security


Objectives in this chapter

ATHENA



Protect e-mail systems



List World Wide Web vulnerabilities



Secure Web communications



Secure instant messaging


Protecting E-Mail Systems

ATHENA



E-mail has replaced the fax machine as the
primary communication tool for businesses



Has also become a prime target of attackers and
must be protected


How E-Mail Works


Use two Transmission Control
Protocol/Internet Protocol (TCP/IP) protocols
to send and receive messages
• Simple Mail Transfer Protocol (SMTP) handles
outgoing mail
• Post Office Protocol (POP3 for the current version)
handles incoming mail



ATHENA

The SMTP server on most machines uses
sendmail to do the actual sending; this queue is
called the sendmail queue


How E-Mail Works (continued)


ATHENA


How E-Mail Works (continued)

ATHENA



Sendmail tries to resend queued messages
periodically (about every 15 minutes)



Downloaded messages are erased from POP3
server



Deleting retrieved messages from the mail
server and storing them on a local computer
make it difficult to manage messages from
multiple computers



Internet Mail Access Protocol (current
version is IMAP4) is a more advanced
protocol that solves many problems

• E-mail remains on the e-mail server


How E-Mail Works (continued)

ATHENA



E-mail attachments are documents in binary
format (word processing documents,
spreadsheets, sound files, pictures)



Non-text documents must be converted into
text format before being transmitted



Three bytes from the binary file are extracted
and converted to four text characters


E-Mail Vulnerabilities


Several e-mail vulnerabilities can be exploited
by attackers:
• Malware

• Spam
• Hoaxes

ATHENA


Malware


Because of its ubiquity, e-mail has replaced
floppy disks as the primary carrier for
malware



E-mail is the malware transport mechanism
of choice for two reasons:
• Because almost all Internet users have e-mail, it
has the broadest base for attacks
• Malware can use e-mail to propagate itself

ATHENA


Malware (continued)


A worm can enter a user’s computer through an
e-mail attachment and send itself to all users
listed in the address book or attach itself as a

reply to all unread e-mail messages



E-mail clients can be particularly susceptible to
macro viruses
• A macro is a script that records the steps a user
performs
• A macro virus uses macros to carry out malicious
functions

ATHENA


Malware (continued)


Users must be educated about how malware
can enter a system through e-mail and proper
policies must be enacted to reduce risk of
infection
• E-mail users should never open attachments with
these file extensions: .bat, .ade, .usf, .exe, .pif

ATHENA



Antivirus software and firewall products must
be installed and properly configured to

prevent malicious code from entering the
network through e-mail



Procedures including turning off ports and
eliminating open mail relay servers must be
developed and enforced


Spam

ATHENA



The amount of spam (unsolicited e-mail) that
flows across the Internet is difficult to judge



The US Congress passed the Controlling the
Assault of Non-Solicited Pornography and
Marketing Act of 2003 (CAN-SPAM) in late
2003


Spam (continued)



According to a Pew memorial Trust survey,
almost half of the approximately 30 billion daily
e-mail messages are spam



Spam is having a negative impact on e-mail
users:
• 25% of users say the ever-increasing volume of spam
has reduced their overall use of e-mail
• 52% of users indicate spam has made them less
trusting of e-mail in general
• 70% of users say spam has made being online
unpleasant or annoying

ATHENA


Spam (continued)


Filter e-mails at the edge of the network to
prevent spam from entering the SMTP server



Use a backlist of spammers to block any e-mail
that originates from their e-mail addresses




Sophisticated e-mail filters can use Bayesian
filtering
• User divides e-mail messages received into two piles,
spam and not-spam

ATHENA


Hoaxes

ATHENA



E-mail messages that contain false warnings or
fraudulent offerings



Unlike spam, are almost impossible to filter



Defense against hoaxes is to ignore them


Hoaxes (continued)

ATHENA




Any e-mail message that appears as though it
could not be true probably is not



E-mail phishing is also a growing practice



A message that falsely identifies the sender as
someone else is sent to unsuspecting recipients


E-Mail Encryption


Two technologies used to protect e-mail
messages as they are being transported:
• Secure/Multipurpose Internet Mail Extensions
• Pretty Good Privacy

ATHENA


Secure/Multipurpose Internet Mail
Extensions (S/MIME)



Protocol that adds digital signatures and
encryption to Multipurpose Internet Mail
Extension (MIME) messages



Provides these features:
• Digital signatures
• Message privacy
• Tamper detection

ATHENA

– Interoperability
– Seamless integration


Pretty Good Privacy (PGP)
Functions much like S/MIME by encrypting
messages using digital signatures
 A user can sign an e-mail message without
encrypting it, verifying the sender but not
preventing anyone from seeing the contents
 First compresses the message


• Reduces patterns and enhances resistance to
cryptanalysis



Creates a session key (a one-time-only secret
key)
• This key is a number generated from random
movements of the mouse and keystrokes typed

ATHENA


Pretty Good Privacy (PGP)
(continued)


Uses a passphrase to encrypt the private key on
the local computer



Passphrase:
• A longer and more secure version of a password
• Typically composed of multiple words
• More secure against dictionary attacks

ATHENA


Pretty Good Privacy (PGP)
(continued)

ATHENA



Examining World Wide Web
Vulnerabilities


Buffer overflow attacks are common ways to
gain unauthorized access to Web servers



SMTP relay attacks allow spammers to send
thousands of e-mail messages to users



Web programming tools provide another
foothold for Web attacks



Dynamic content can also be used by attackers
• Sometimes called repurposed programming (using
programming tools in ways more harmful than
originally intended)

ATHENA


JavaScript


ATHENA



Popular technology used to make dynamic
content



When a Web site that uses JavaScript is
accessed, the HTML document with the
JavaScript code is downloaded onto the user’s
computer



The Web browser then executes that code
within the browser using the Virtual Machine
(VM)―a Java interpreter


JavaScript (continued)


Several defense mechanisms prevent
JavaScript programs from causing serious
harm:
• JavaScript does not support certain capabilities
• JavaScript has no networking capabilities




Other security concerns remain:
• JavaScript programs can capture and send user
information without the user’s knowledge or
authorization
• JavaScript security is handled by restrictions
within the Web browser

ATHENA


JavaScript (continued)

ATHENA