Security + Certification - Chapter 6: Email and Web Security - Athena


Chapter 6: Email and Web Security

Objectives in this chapter
- Protect e-mail systems
- List World Wide Web vulnerabilities
- Secure Web communications
- Secure instant messaging
ATHENA

Protecting E-Mail Systems
- E-mail has replaced the fax machine as the primary communication tool for businesses
- It has also become a prime target of attackers and must be protected

How E-Mail Works
- Uses two Transmission Control Protocol/Internet Protocol (TCP/IP) protocols to send and receive messages
  • Simple Mail Transfer Protocol (SMTP) handles outgoing mail
  • Post Office Protocol (POP3 for the current version) handles incoming mail
- The SMTP server on most machines uses sendmail to do the actual sending; its queue is called the sendmail queue
- Sendmail tries to resend queued messages periodically (about every 15 minutes)
- Downloaded messages are erased from the POP3 server
- Deleting retrieved messages from the mail server and storing them on a local computer makes it difficult to manage messages from multiple computers
- Internet Mail Access Protocol (current version is IMAP4) is a more advanced protocol that solves many of these problems
  • E-mail remains on the e-mail server
- E-mail attachments are documents in binary format (word processing documents, spreadsheets, sound files, pictures)
- Non-text documents must be converted into text format before being transmitted
  • Three bytes from the binary file are extracted and converted to four text characters

E-Mail Vulnerabilities
- Several e-mail vulnerabilities can be exploited by attackers:
  • Malware
  • Spam
  • Hoaxes

Malware
- Because of its ubiquity, e-mail has replaced floppy disks as the primary carrier for malware
- E-mail is the malware transport mechanism of choice for two reasons:
  • Because almost all Internet users have e-mail, it has the broadest base for attacks
  • Malware can use e-mail to propagate itself
- A worm can enter a user's computer through an e-mail attachment and send itself to all users listed in the address book, or attach itself as a reply to all unread e-mail messages
- E-mail clients can be particularly susceptible to macro viruses
  • A macro is a script that records the steps a user performs
  • A macro virus uses macros to carry out malicious functions
- Users must be educated about how malware can enter a system through e-mail, and proper policies must be enacted to reduce the risk of infection
  • E-mail users should never open attachments with these file extensions: .bat, .ade, .usf, .exe, .pif
- Antivirus software and firewall products must be installed and properly configured to prevent malicious code from entering the network through e-mail
- Procedures, including turning off ports and eliminating open mail relay servers, must be developed and enforced

Spam
- The amount of spam (unsolicited e-mail) that flows across the Internet is difficult to judge
- The US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) in late 2003
- According to a Pew Memorial Trust survey, almost half of the approximately 30 billion daily e-mail messages are spam
- Spam is having a negative impact on e-mail users:
  • 25% of users say the ever-increasing volume of spam has reduced their overall use of e-mail
  • 52% of users indicate spam has made them less trusting of e-mail in general
  • 70% of users say spam has made being online unpleasant or annoying
- Filter e-mail at the edge of the network to prevent spam from entering the SMTP server
- Use a blacklist of spammers to block any e-mail that originates from their e-mail addresses
- Sophisticated e-mail filters can use Bayesian filtering
  • The user divides received e-mail messages into two piles, spam and not-spam

Hoaxes
- E-mail messages that contain false warnings or fraudulent offerings
- Unlike spam, hoaxes are almost impossible to filter
- The defense against hoaxes is to ignore them
- Any e-mail message that appears as though it could not be true probably is not
- E-mail phishing is also a growing practice
  • A message that falsely identifies the sender as someone else is sent to unsuspecting recipients

E-Mail Encryption
- Two technologies are used to protect e-mail messages as they are being transported:
  • Secure/Multipurpose Internet Mail Extensions
  • Pretty Good Privacy

Secure/Multipurpose Internet Mail Extensions (S/MIME)
- Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extension (MIME) messages
- Provides these features:
  • Digital signatures
  • Message privacy
  • Tamper detection
  • Interoperability
  • Seamless integration

Pretty Good Privacy (PGP)
- Functions much like S/MIME, encrypting messages and using digital signatures
- A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents
- PGP first compresses the message
  • Reduces patterns and enhances resistance to cryptanalysis
- It then creates a session key (a one-time-only secret key)
  • This key is a number generated from random movements of the mouse and keystrokes typed
- Uses a passphrase to encrypt the private key on the local computer
- Passphrase:
  • A longer and more secure version of a password
  • Typically composed of multiple words
  • More secure against dictionary attacks

Examining World Wide Web Vulnerabilities
- Buffer overflow attacks are common ways to gain unauthorized access to Web servers
- SMTP relay attacks allow spammers to send thousands of e-mail messages to users
- Web programming tools provide another foothold for Web attacks
- Dynamic content can also be used by attackers
  • Sometimes called repurposed programming (using programming tools in ways more harmful than originally intended)

JavaScript
- Popular technology used to make dynamic content
- When a Web site that uses JavaScript is accessed, the HTML document with the JavaScript code is downloaded onto the user's computer
- The Web browser then executes that code within the browser using the Virtual Machine (VM), a Java interpreter
- Several defense mechanisms prevent JavaScript programs from causing serious harm:
  • JavaScript does not support certain capabilities
  • JavaScript has no networking capabilities
- Other security concerns remain:
  • JavaScript programs can capture and send user information without the user's knowledge or authorization
  • JavaScript security is handled by restrictions within the Web browser

Java Applet
- A separate program stored on a Web server and downloaded onto a user's computer along with the HTML code
- Can also be made into a hostile program
- A sandbox is a defense against a hostile Java applet
  • Surrounds the program and keeps it away from private data and other resources on the local computer
- Java applet programs should run within a sandbox
- Two types of Java applets:
  • Unsigned Java applet: a program that does not come from a trusted source
  • Signed Java applet: has a digital signature proving the program is from a trusted source and has not been altered
- The primary defense against Java applets is using the appropriate settings of the Web browser

ActiveX
- Set of technologies developed by Microsoft
- Outgrowth of two other Microsoft technologies:
  • Object Linking and Embedding (OLE)
  • Component Object Model (COM)
- Not a programming language but a set of rules for how applications should share information
- ActiveX controls represent a specific way of implementing ActiveX
  • Can perform many of the same functions as a Java applet, but do not run in a sandbox
  • Have full access to the Windows operating system
- ActiveX controls are managed through Internet Explorer
- ActiveX controls should be set to the most restricted levels

Cookies
- Computer files that contain user-specific information
- The need for cookies is based on the Hypertext Transfer Protocol (HTTP)
- Instead of the Web server asking the user for this information each time they visit the site, the Web server stores that information in a file on the local computer
- Attackers often target cookies because they can contain sensitive information (usernames and other private information)
- Can be used to determine which Web sites you view
- A first-party cookie is created by the Web site you are currently viewing
- Some Web sites attempt to access cookies they did not create
  • If you went to www.b.org, that site might attempt to get the cookie A-ORG from your hard drive
  • This is known as a third-party cookie because it was not created by the Web site that attempts to access it

Common Gateway Interface (CGI)
- Set of rules that describes how a Web server communicates with other software on the server and vice versa
- Commonly used to allow a Web server to display information from a database on a Web page, or to let a user enter information through a Web form that is deposited in a database
- CGI scripts create security risks
  • They may not filter user input properly
  • Commands can be issued via Web URLs
- CGI security can be enhanced by:
  • Properly configuring CGI
  • Disabling unnecessary CGI scripts or programs
  • Checking program code that uses CGI for any vulnerabilities

8.3 Naming Conventions
- Microsoft Disk Operating System (DOS) limited filenames to eight characters followed by a period and a three-character extension (e.g., Filename.doc)
  • Called the 8.3 naming convention
- Recent versions of Windows allow filenames to contain up to 256 characters
- To maintain backward compatibility with DOS, Windows automatically creates an 8.3 "alias" filename for every long filename
- The 8.3 naming convention introduces a security vulnerability with some Web servers
  • Microsoft Internet Information Server 4.0 and other Web servers can inherit privileges from parent directories instead of the requested directory if the requested directory uses a long filename
- The solution is to disable creation of the 8.3 alias by making a change in the Windows registry database
  • In doing so, older programs that do not recognize long filenames are not able to access the files or subdirectories

Securing Web Communications
- The most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol
- One implementation is Hypertext Transport Protocol over Secure Sockets Layer

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
- SSL protocol developed by Netscape to securely transmit documents over the Internet
  • Uses a private key to encrypt data transferred over the SSL connection
  • Version 2.0 is the most widely supported version
  • Personal Communications Technology (PCT), developed by Microsoft, is similar to SSL
- TLS protocol guarantees privacy and data integrity between applications communicating over the Internet
  • An extension of SSL; the two are often referred to together as SSL/TLS
- The SSL/TLS protocol is made up of two layers
- The TLS Handshake Protocol allows authentication between server and client and negotiation of an encryption algorithm and cryptographic keys before any data is transmitted
- FORTEZZA is a US government security standard that satisfies the Defense Messaging System security architecture
  • Has a cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control to messages, components, and even systems

Secure Hypertext Transport Protocol (HTTPS)
- One common use of SSL is to secure Web HTTP communication between a browser and a Web server
  • This version is "plain" HTTP sent over SSL/TLS and named Hypertext Transport Protocol over SSL
- Sometimes designated HTTPS, which is the extension to the HTTP protocol that supports it
- Whereas SSL/TLS creates a secure connection between a client and a server over which any amount of data can be sent securely, HTTPS is designed to transmit individual messages securely

Securing Instant Messaging
- Depending on the service, e-mail messages may take several minutes to be posted to the POP3 account
- Instant messaging (IM) is a complement to e-mail that overcomes these delays
  • Allows the sender to enter short messages that the recipient sees and can respond to immediately
- Some tasks that you can perform with IM:
  • Chat
  • Images
  • Sounds
  • Files
  • Talk
  • Streaming content
- Steps to secure IM include:
  • Keep the IM server within the organization's firewall and only permit users to send and receive messages with trusted internal workers
  • Enable IM virus scanning
  • Block all IM file transfers
  • Encrypt messages

Summary
- Protecting basic communication systems is a key to resisting attacks
- E-mail attacks can be malware, spam, or hoaxes
- Web vulnerabilities can open systems up to a variety of attacks
- A Java applet is a separate program stored on the Web server and downloaded onto the user's computer along with the HTML code
- ActiveX controls present serious security concerns because of the functions that a control can execute
- A cookie is a computer file that contains user-specific information
- CGI is a set of rules that describe how a Web server communicates with other software on the server
- The popularity of IM has made it a tool that many organizations are now using alongside e-mail
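The "three bytes become four text characters" rule from the How E-Mail Works slides and the attachment-extension policy from the Malware slides, worked through in code. This is an added example, not part of the chapter; the addresses, the message and the "disguised executable" payload are constructed, and the block list is the chapter's own (real policies are longer).

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extension block list taken from the chapter's Malware slide; real-world
# policies are much longer, but the names here are the chapter's own.
BLOCKED_EXTENSIONS = {".bat", ".ade", ".usf", ".exe", ".pif"}
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def encode_3to4(data: bytes) -> str:
    """Base64 by hand: every 3 input bytes (24 bits) become 4 six-bit text characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        pad = 3 - len(chunk)  # 0, 1 or 2 bytes missing in the final group
        bits = int.from_bytes(chunk + b"\x00" * pad, "big")
        chars = [B64_ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # '=' marks the missing input bytes so a decoder knows how much to drop.
        out.append("".join(chars[:4 - pad]) + "=" * pad)
    return "".join(out)


def blocked_attachments(raw_message: bytes) -> list:
    """Return filenames of attachments whose final extension is on the block list.

    The name is lower-cased so 'REPORT.EXE' is caught, and only the last
    extension counts, so 'report.pdf.EXE' is treated as an .exe file.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            flagged.append(name)
    return flagged


def build_sample_message() -> bytes:
    """Constructed test message: one harmless attachment and one disguised executable."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"  # hypothetical addresses
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Report attached.")
    msg.add_attachment("plain text report", subtype="plain", filename="report.txt")
    msg.add_attachment(b"MZ\x90\x00not-a-real-binary", maintype="application",
                       subtype="octet-stream", filename="report.pdf.EXE")
    return bytes(msg)
```

The stdlib's MIME encoder produces exactly the text that encode_3to4 does, which is why the binary attachment shows up in the serialized message as 28 characters for 21 bytes.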
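The Spam slides describe Bayesian filtering as training on two user-sorted piles; here is that classifier written out, as an added example rather than anything from the chapter. The two training piles are constructed sample messages, and the class name and threshold are this example's own choices.

```python
import math
import re
from collections import Counter

# Constructed training piles standing in for the user's "spam" and "not-spam" folders.
SPAM_PILE = [
    "free prize winner click now to claim your cash prize",
    "cheap pills online free shipping click here",
    "you are a winner claim cash now",
    "urgent act now free offer limited time click",
]
HAM_PILE = [
    "meeting moved to thursday please bring the quarterly report",
    "can you review the attached report before the meeting",
    "lunch on thursday with the project team",
    "the server patch window is scheduled for friday night",
]


def tokenize(text: str) -> set:
    """Lower-case word tokens as a set: each word counts once per message."""
    return set(re.findall(r"[a-z']+", text.lower()))


class BayesianFilter:
    """Naive Bayes over word presence, trained from the two piles, with add-one smoothing."""

    def __init__(self, spam: list, ham: list):
        self.spam_docs, self.ham_docs = len(spam), len(ham)
        self.spam_words = Counter(w for m in spam for w in tokenize(m))
        self.ham_words = Counter(w for m in ham for w in tokenize(m))
        self.vocab = set(self.spam_words) | set(self.ham_words)

    @staticmethod
    def _log_likelihood(words: set, counts: Counter, docs: int) -> float:
        # P(word present | class), smoothed so a word unseen in one pile cannot zero the score.
        return sum(math.log((counts[w] + 1) / (docs + 2)) for w in words)

    def spam_probability(self, text: str) -> float:
        words = tokenize(text) & self.vocab  # words never seen in training carry no evidence
        prior_spam = self.spam_docs / (self.spam_docs + self.ham_docs)
        log_spam = math.log(prior_spam) + self._log_likelihood(words, self.spam_words, self.spam_docs)
        log_ham = math.log(1 - prior_spam) + self._log_likelihood(words, self.ham_words, self.ham_docs)
        diff = log_ham - log_spam
        # P(spam) = e^ls / (e^ls + e^lh), written as a sigmoid; guard exp() against overflow.
        return 0.0 if diff > 700 else 1 / (1 + math.exp(diff))

    def is_spam(self, text: str, threshold: float = 0.9) -> bool:
        """The high default threshold prefers letting some spam through over losing real mail."""
        return self.spam_probability(text) > threshold
```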
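The Malware slides call for eliminating open mail relays and the Web Vulnerabilities slides mention SMTP relay attacks; the decision an SMTP server has to make at RCPT TO is shown below. This is an added example, not a real MTA and not code from the chapter; the local domain, trusted network and addresses are hypothetical, and credential checking for AUTH is left out.

```python
import ipaddress

# Constructed site configuration (hypothetical names): domains this server delivers
# for locally, and the internal networks whose clients may relay outbound mail.
LOCAL_DOMAINS = {"example.test"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def _address(arg: str) -> str:
    """'FROM:<Alice@Example.test>' -> 'alice@example.test'."""
    return arg.split(":", 1)[-1].strip().strip("<>").lower()


class RelayPolicySession:
    """Server-side state for one SMTP session, reduced to what the relay decision needs."""

    def __init__(self, client_ip: str):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.authenticated = False
        self.mail_from = None
        self.transcript = []  # (command, reply) pairs, useful for audit logging

    def _may_relay(self) -> bool:
        return self.authenticated or any(self.client_ip in net for net in TRUSTED_NETWORKS)

    def command(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            # Credential checking is out of scope here; assume the AUTH exchange succeeded.
            self.authenticated = True
            reply = "235 2.7.0 authentication successful"
        elif verb == "MAIL":
            self.mail_from = _address(arg)
            reply = "250 2.1.0 sender ok"
        elif verb == "RCPT":
            domain = _address(arg).rsplit("@", 1)[-1]
            if self.mail_from is None:
                reply = "503 5.5.1 need MAIL command first"
            elif domain in LOCAL_DOMAINS:
                reply = "250 2.1.5 recipient ok (local delivery)"
            elif self._may_relay():
                reply = "250 2.1.5 recipient ok (relay permitted)"
            else:
                # Neither local delivery nor a trusted client: accepting would make this an open relay.
                reply = "554 5.7.1 relay access denied"
        else:
            reply = "250 ok"
        self.transcript.append((line, reply))
        return reply
```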