Lecture Security + Guide to Network Security Fundamentals (2nd edition) - Chapter 6: Web security

Chapter 6: Web Security
Security+ Guide to Network Security
Fundamentals
Second Edition


Objectives
• Protect e-mail systems
• List World Wide Web vulnerabilities
• Secure Web communications
• Secure instant messaging


Protecting E-Mail Systems
• E-mail has replaced the fax machine as the primary
communication tool for businesses
• Has also become a prime target of attackers and
must be protected


How E-Mail Works
• Uses two Transmission Control Protocol/Internet
Protocol (TCP/IP) protocols to send and receive
messages
– Simple Mail Transfer Protocol (SMTP) handles
outgoing mail
– Post Office Protocol (POP3 for the current version)
handles incoming mail

• The SMTP server on most machines uses sendmail
to do the actual sending; this queue is called the
sendmail queue


How E-Mail Works (continued)
• Sendmail tries to resend queued messages
periodically (about every 15 minutes)
• Downloaded messages are erased from POP3 server
• Deleting retrieved messages from the mail server and
storing them on a local computer make it difficult to
manage messages from multiple computers
• Internet Mail Access Protocol (current version is
IMAP4) is a more advanced protocol that solves
many problems
– E-mail remains on the e-mail server


How E-Mail Works (continued)
• E-mail attachments are documents in binary format
(word processing documents, spreadsheets, sound
files, pictures)
• Non-text documents must be converted into text
format before being transmitted
• Three bytes from the binary file are extracted and
converted to four text characters
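
The three-bytes-to-four-characters conversion described above is the Base64 transfer encoding used by MIME. The following is an added example, not part of the original slides, that carries the conversion out by hand, including the padding needed when the file length is not a multiple of three; the function names and the sample bytes are constructed for illustration.

```python
# The 64 printable characters that each 6-bit value maps to.
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")

def encode_group(chunk: bytes) -> str:
    """Turn 1 to 3 bytes into exactly four text characters."""
    pad = 3 - len(chunk)
    # Pack the bytes into one 24-bit integer, zero-filling a short final group.
    n = int.from_bytes(chunk + b"\x00" * pad, "big")
    # Slice the 24 bits into four 6-bit indexes into the alphabet.
    chars = [ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
    # Characters produced only by filler bytes are replaced with '='.
    if pad:
        chars[-pad:] = "=" * pad
    return "".join(chars)

def encode(data: bytes) -> str:
    """Encode a whole byte string three bytes at a time."""
    return "".join(encode_group(data[i:i + 3]) for i in range(0, len(data), 3))

def decode(text: str) -> bytes:
    """Reverse the encoding: four characters back into up to three bytes."""
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = group.count("=")
        n = 0
        for ch in group:
            n = (n << 6) | (0 if ch == "=" else ALPHABET.index(ch))
        # Drop the filler bytes that the '=' characters stand for.
        out += n.to_bytes(3, "big")[:3 - pad]
    return bytes(out)

# Constructed sample: the eight-byte signature that starts a PNG picture file.
SAMPLE = bytes([0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A])

if __name__ == "__main__":
    text = encode(SAMPLE)
    print(text, "-", len(SAMPLE), "bytes became", len(text), "characters")
```

The encoded attachment is one third larger than the original file, which matters when a mail gateway enforces message size limits.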


E-Mail Vulnerabilities

• Several e-mail vulnerabilities can be exploited by
attackers:
– Malware
– Spam
– Hoaxes


Malware
• Because of its ubiquity, e-mail has replaced floppy
disks as the primary carrier for malware
• E-mail is the malware transport mechanism of choice
for two reasons:
– Because almost all Internet users have e-mail, it has
the broadest base for attacks
– Malware can use e-mail to propagate itself


Malware (continued)
• A worm can enter a user’s computer through an e-mail attachment and send itself to all users listed in
the address book or attach itself as a reply to all
unread e-mail messages
• E-mail clients can be particularly susceptible to
macro viruses
– A macro is a script that records the steps a user
performs
– A macro virus uses macros to carry out malicious
functions


Malware (continued)

• Users must be educated about how malware can
enter a system through e-mail and proper policies
must be enacted to reduce risk of infection
– E-mail users should never open attachments with
these file extensions: .bat, .ade, .usf, .exe, .pif

• Antivirus software and firewall products must be
installed and properly configured to prevent malicious
code from entering the network through e-mail
• Procedures including turning off ports and eliminating
open mail relay servers must be developed and
enforced
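
The attachment rule above can also be enforced at the mail gateway rather than left to users. The following is an added example, not part of the original slides, that parses a MIME message and reports attachments whose final extension is on the slide's list; the function names, addresses and sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the slide above tells users never to open.
BLOCKED_EXTENSIONS = {".bat", ".ade", ".usf", ".exe", ".pif"}

def blocked_attachments(raw_message: bytes) -> list:
    """Return the filenames of all parts whose last extension is blocked."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # walk() also visits parts nested inside forwarded messages.
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue
        # Compare case-insensitively: ".EXE" is as dangerous as ".exe".
        normalized = filename.strip().lower()
        # Only the last extension decides how the file is opened,
        # so a name such as "invoice.pdf.exe" must be caught.
        dot = normalized.rfind(".")
        if dot != -1 and normalized[dot:] in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits

def build_sample_message() -> bytes:
    """Constructed sample message with four harmless attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Quarterly invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment("meeting notes", filename="notes.txt")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.EXE")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="pdf", filename="exe_guide.pdf")
    msg.add_attachment(b"constructed bytes", maintype="application",
                       subtype="octet-stream", filename="update.pif")
    return msg.as_bytes()

if __name__ == "__main__":
    print(blocked_attachments(build_sample_message()))
```

A filename check is only a first filter: it does not inspect file contents, so it complements the antivirus scanning named on the slide rather than replacing it.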


Spam
• The amount of spam (unsolicited e-mail) that flows
across the Internet is difficult to judge
• The US Congress passed the Controlling the Assault
of Non-Solicited Pornography and Marketing Act of
2003 (CAN-SPAM) in late 2003


Spam (continued)
• According to a Pew Memorial Trust survey, almost
half of the approximately 30 billion daily e-mail
messages are spam
• Spam is having a negative impact on e-mail users:
– 25% of users say the ever-increasing volume of spam
has reduced their overall use of e-mail
– 52% of users indicate spam has made them less
trusting of e-mail in general
– 70% of users say spam has made being online
unpleasant or annoying


Spam (continued)
• Filter e-mails at the edge of the network to prevent
spam from entering the SMTP server
• Use a blacklist of spammers to block any e-mail that
originates from their e-mail addresses
• Sophisticated e-mail filters can use Bayesian filtering
– User divides e-mail messages received into two piles,
spam and not-spam
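
The two piles are the training data for the filter. The following is an added example, not part of the original slides, of a small naive Bayes filter that learns word frequencies from each pile and scores a new message; the class name BayesFilter, the tokenizer and all sample messages are constructed for illustration.

```python
import math
import re
from collections import Counter

def tokens(text: str) -> set:
    """Lower-cased set of words in a message (each word counted once)."""
    return set(re.findall(r"[a-z0-9$']+", text.lower()))

class BayesFilter:
    def __init__(self):
        self.word_counts = {"spam": Counter(), "ham": Counter()}
        self.messages = {"spam": 0, "ham": 0}

    def train(self, pile: str, text: str) -> None:
        """Record one message the user placed in the 'spam' or 'ham' pile."""
        self.word_counts[pile].update(tokens(text))
        self.messages[pile] += 1

    def spam_probability(self, text: str) -> float:
        if not self.messages["spam"] or not self.messages["ham"]:
            raise ValueError("both piles need at least one message")
        # Start from the prior odds: how much of the training mail was spam.
        log_odds = math.log(self.messages["spam"] / self.messages["ham"])
        for word in tokens(text):
            # Laplace smoothing keeps unseen words from giving zero probability.
            p_spam = (self.word_counts["spam"][word] + 1) / (self.messages["spam"] + 2)
            p_ham = (self.word_counts["ham"][word] + 1) / (self.messages["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))

# Constructed training piles, as a user might sort them.
SPAM_PILE = ["Win free money now, claim your prize",
             "Free prize waiting, click now",
             "Cheap loans, free money, act now"]
HAM_PILE = ["Meeting moved to Tuesday, agenda attached",
            "Please review the attached quarterly report",
            "Lunch on Tuesday? Let me know"]

def trained_filter() -> BayesFilter:
    f = BayesFilter()
    for text in SPAM_PILE:
        f.train("spam", text)
    for text in HAM_PILE:
        f.train("ham", text)
    return f

if __name__ == "__main__":
    f = trained_filter()
    for msg in ("Claim your free prize now", "Agenda for the Tuesday meeting attached"):
        print(f"{f.spam_probability(msg):.3f}  {msg}")
```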


Hoaxes
• E-mail messages that contain false warnings or
fraudulent offerings
• Unlike spam, are almost impossible to filter
• Defense against hoaxes is to ignore them


Hoaxes (continued)
• Any e-mail message that appears as though it could
not be true probably is not
• E-mail phishing is also a growing practice
• A message that falsely identifies the sender as
someone else is sent to unsuspecting recipients



E-Mail Encryption
• Two technologies used to protect e-mail messages
as they are being transported:
– Secure/Multipurpose Internet Mail Extensions
– Pretty Good Privacy


Secure/Multipurpose Internet Mail
Extensions (S/MIME)
• Protocol that adds digital signatures and encryption
to Multipurpose Internet Mail Extension (MIME)
messages
• Provides these features:
– Digital signatures
– Interoperability
– Message privacy
– Seamless integration
– Tamper detection


Pretty Good Privacy (PGP)
• Functions much like S/MIME by encrypting messages
using digital signatures
• A user can sign an e-mail message without
encrypting it, verifying the sender but not preventing
anyone from seeing the contents

• First compresses the message
– Reduces patterns and enhances resistance to
cryptanalysis

• Creates a session key (a one-time-only secret key)
– This key is a number generated from random
movements of the mouse and keystrokes typed


Pretty Good Privacy (PGP)
(continued)
• Uses a passphrase to encrypt the private key on the
local computer
• Passphrase:
– A longer and more secure version of a password
– Typically composed of multiple words
– More secure against dictionary attacks



Examining World Wide Web
Vulnerabilities
• Buffer overflow attacks are common ways to gain
unauthorized access to Web servers
• SMTP relay attacks allow spammers to send
thousands of e-mail messages to users
• Web programming tools provide another foothold for
Web attacks
• Dynamic content can also be used by attackers
– Sometimes called repurposed programming (using
programming tools in ways more harmful than
originally intended)


JavaScript
• Popular technology used to make dynamic content
• When a Web site that uses JavaScript is accessed,
the HTML document with the JavaScript code is
downloaded onto the user’s computer
• The Web browser then executes that code within the
browser using the Virtual Machine (VM)―a Java
interpreter


JavaScript (continued)
• Several defense mechanisms prevent JavaScript
programs from causing serious harm:
– JavaScript does not support certain capabilities
– JavaScript has no networking capabilities

• Other security concerns remain:
– JavaScript programs can capture and send user
information without the user’s knowledge or
authorization
– JavaScript security is handled by restrictions within the
Web browser


