
Lecture Security+ Certification: Chapter 6 - Trung tâm Athena

Pages: 48
Size: 346.41 KB

Contents

Chapter 6 - Email and web security. The main contents of this chapter include all of the following: Protect e-mail systems, list World Wide Web vulnerabilities, secure web communications, secure instant messaging.

Page 1

Chapter 6 Email and Web Security

Page 2

Objectives in this chapter

• Protect e-mail systems
• List World Wide Web vulnerabilities
• Secure Web communications
• Secure instant messaging

Page 3

Protecting E-Mail Systems

• E-mail has replaced the fax machine as the primary communication tool for businesses
• It has also become a prime target of attackers and must be protected

Page 4

How E-Mail Works

• Uses two Transmission Control Protocol/Internet Protocol (TCP/IP) protocols to send and receive messages
  • Simple Mail Transfer Protocol (SMTP) handles outgoing mail
  • Post Office Protocol (POP3 for the current version) handles incoming mail (Internet Message Access Protocol, IMAP, is the other common retrieval protocol)
• The SMTP server on most machines uses

Page 5

How E-Mail Works (continued)

Page 6

How E-Mail Works (continued)

• Sendmail tries to resend queued messages periodically (about every 15 minutes)
• Downloaded messages are erased from the POP3 server
• Deleting retrieved messages from the mail server and storing them on a local computer makes it difficult to manage messages from multiple computers

Page 7

How E-Mail Works (continued)

• E-mail attachments are documents in binary format (word processing documents, spreadsheets, sound files, pictures)
• Non-text documents must be converted into text format before being transmitted
• Three bytes from the binary file are extracted and converted to four text characters (this is Base64 encoding, the transfer encoding MIME uses for binary parts; it makes an attachment about one third larger)
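The three-bytes-to-four-characters rule above, worked through in code. This is an added example and not part of the Athena slides: it encodes bytes by hand, cross-checks the result against the standard library, and then lets the stdlib `email` package build a MIME message with a binary attachment so you can see that Base64 is what ends up in the Content-Transfer-Encoding header. The sender, recipient and attachment bytes are constructed sample data.

```python
import base64
from email.message import EmailMessage

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def base64_encode_manual(data: bytes) -> str:
    """Encode bytes as Base64 by hand: every 3 input bytes become 4 text characters.

    The 24 bits of each 3-byte group are split into four 6-bit values, each of
    which indexes the 64-character alphabet. A final short group is zero-padded
    and the characters that carry only padding are written as '='.
    """
    out = []
    for i in range(0, len(data), 3):
        group = data[i:i + 3]
        missing = 3 - len(group)
        bits = int.from_bytes(group + b"\x00" * missing, "big")
        chars = [B64_ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        out.append("".join(chars[:4 - missing]) + "=" * missing)
    return "".join(out)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-rolled encoder against the standard library."""
    return base64_encode_manual(data) == base64.b64encode(data).decode("ascii")


def size_overhead(data: bytes) -> float:
    """Ratio of encoded length to raw length: 4/3 plus a little padding."""
    return len(base64_encode_manual(data)) / len(data)


def build_message_with_attachment(payload: bytes, filename: str) -> EmailMessage:
    """Build a MIME message; the stdlib chooses Base64 for a binary attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"      # constructed addresses
    msg["To"] = "bob@example.org"
    msg["Subject"] = "Report attached"
    msg.set_content("See the attached file.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg


def attachment_encoding(msg: EmailMessage):
    """Return (Content-Transfer-Encoding, decoded bytes) of the first attachment."""
    for part in msg.iter_attachments():
        return str(part["Content-Transfer-Encoding"]), part.get_payload(decode=True)
    return None, None


if __name__ == "__main__":
    sample = bytes(range(256)) * 4          # constructed binary "attachment"
    print(base64_encode_manual(b"Man"))     # the RFC 4648 worked example
    print("overhead: %.3f" % size_overhead(sample))
    msg = build_message_with_attachment(sample, "report.bin")
    print(attachment_encoding(msg)[0])
    print(msg.as_string()[:400])
```

Because the encoding is mechanical, filtering attachments by extension or content must decode first: a scanner that inspects the raw SMTP stream sees only Base64 text.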

Page 9

Malware

• Because of its ubiquity, e-mail has replaced floppy disks as the primary carrier for malware
• E-mail is the malware transport mechanism of choice for two reasons:
  • Because almost all Internet users have e-mail, it has the broadest base for attacks
  • Malware can use e-mail to propagate itself

Page 11

Malware (continued)

• Users must be educated about how malware can enter a system through e-mail, and proper policies must be enacted to reduce the risk of infection
  • E-mail users should never open attachments with these file extensions: bat, ade, usf, exe, pif
  • An extension list is only a first line of defense: renamed files, archives and macro-enabled documents slip past it, so filter on the actual content type and scan or sandbox attachments as well
• Antivirus software and firewall products must be installed and properly configured to prevent malicious code from entering the network through e-mail
• Procedures including turning off ports and

Page 12

Spam

• The amount of spam (unsolicited e-mail) that flows across the Internet is difficult to judge
• The US Congress passed the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) in late 2003

Page 13

Spam (continued)

• According to a Pew Memorial Trust survey, almost half of the approximately 30 billion daily e-mail messages are spam
• Spam is having a negative impact on e-mail
  • 70% of users say spam has made being online

Page 14

Spam (continued)

• Filter e-mails at the edge of the network to prevent spam from entering the SMTP server
• Use a blacklist (blocklist) of spammers to block any e-mail that originates from their e-mail addresses
  • Sender addresses are trivially forged, so such lists work better when keyed to the sending mail server's address or domain than to the From header alone
• Sophisticated e-mail filters can use Bayesian filtering
  • The user divides received e-mail messages into two piles, spam and not-spam
  • The filter learns how often each word appears in each pile and scores new mail by the combined evidence of its words
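An edge filter combining the two techniques on this slide, a sender blocklist and a Bayesian classifier trained from a spam pile and a not-spam pile. This is an added example, not code from the Athena slides; the training messages, the blocklisted domains and the 0.9 decision threshold are constructed for the demonstration, and the classifier is a simplified naive Bayes (per-message word presence with Laplace smoothing) rather than any particular product's algorithm.

```python
import math
import re
from collections import Counter

TOKEN = re.compile(r"[a-z0-9$]+")

# Constructed blocklist of sending domains (the slide's "blacklist of spammers").
SENDER_BLOCKLIST = {"cheapmeds.example", "prizes.example"}


def tokenize(text):
    """Lower-cased word set; presence matters, repetition within one message does not."""
    return set(TOKEN.findall(text.lower()))


class BayesianFilter:
    """Naive Bayes classifier trained from two piles of mail: spam and ham (not-spam)."""

    def __init__(self):
        self.word_docs = {"spam": Counter(), "ham": Counter()}  # messages containing each word
        self.docs = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.word_docs[label].update(tokenize(text))
        self.docs[label] += 1

    def spam_probability(self, text):
        vocab = set(self.word_docs["spam"]) | set(self.word_docs["ham"])
        words = tokenize(text) & vocab            # never-seen words carry no evidence
        log_odds = math.log(self.docs["spam"] / self.docs["ham"])   # prior
        for w in words:
            # Laplace smoothing: a word absent from one pile still gets a small probability,
            # so a single unusual word cannot drive the score to exactly 0 or 1
            p_spam = (self.word_docs["spam"][w] + 1) / (self.docs["spam"] + 2)
            p_ham = (self.word_docs["ham"][w] + 1) / (self.docs["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1.0 / (1.0 + math.exp(-log_odds))  # log-odds back to a probability


def build_filter():
    """Train on a constructed corpus: four spam messages and four legitimate ones."""
    f = BayesianFilter()
    spam = [
        "Cheap meds online, click now for free pills",
        "FREE money! Click here to claim your prize now",
        "Buy cheap watches, limited offer, click now",
        "Win a free prize, claim now",
    ]
    ham = [
        "Can we move the project meeting to Tuesday?",
        "Attached is the agenda for tomorrow's meeting",
        "Please review the quarterly budget report",
        "Lunch on Tuesday? Let me know",
    ]
    for m in spam:
        f.train(m, "spam")
    for m in ham:
        f.train(m, "ham")
    return f


def classify(filter_, sender, body, threshold=0.9):
    """Edge-filter decision: cheap blocklist lookup first, Bayesian score second."""
    domain = sender.rpartition("@")[2].lower()
    if domain in SENDER_BLOCKLIST:
        return "blocked: sender domain on blocklist"
    p = filter_.spam_probability(body)
    return ("spam (p=%.2f)" if p >= threshold else "ok (p=%.2f)") % p


if __name__ == "__main__":
    f = build_filter()
    for sender, body in (("deals@cheapmeds.example", "Great offer inside"),
                         ("noreply@shop.example", "Cheap pills, click now!!!"),
                         ("pat@corp.example", "Meeting agenda for Tuesday")):
        print(sender, "->", classify(f, sender, body))
```

A real deployment retrains continuously from user feedback; the numbers here come from an eight-message corpus and only illustrate the mechanism.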

Page 15

Hoaxes

• E-mail messages that contain false warnings or fraudulent offerings
• Unlike spam, they are almost impossible to filter
• The defense against hoaxes is to ignore them

Page 16

Hoaxes (continued)

• Any e-mail message that appears as though it could not be true probably is not
• E-mail phishing is also a growing practice
• A message that falsely identifies the sender as someone else is sent to unsuspecting recipients
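Some of the evidence that the sender of a message is not who the From header claims can be read straight from the headers and body. The following is an added example, not from the slides: it parses two constructed messages (a spoofed "bank" notice and a genuine one) with the stdlib `email` package and reports mismatches between the From domain, the envelope sender (Return-Path), the first relay named in the Received header, and link text versus link target. Domain names and addresses are made up; the two-label "registrable domain" heuristic is an assumption that is fine for these names but would need a public-suffix list in production, and real mail systems add SPF, DKIM and DMARC checks on top of this.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the display name and From address claim a bank, but the
# envelope sender and the originating relay belong to someone else, and the
# link text does not match where the link goes.
SPOOFED = """\
Return-Path: <bounce-1138@mail.bulkhost.example>
Received: from mail.bulkhost.example (mail.bulkhost.example [203.0.113.7])
\tby mx.corp.example with ESMTP id 4x1; Tue, 5 Mar 2019 10:00:00 +0000
From: "First National Bank Security" <security@firstnational.example>
To: victim@corp.example
Subject: Urgent: verify your account
Content-Type: text/html

<p>Your account is locked. <a href="http://firstnational.example.login-check.example/verify">Log in at firstnational.example</a></p>
"""

# Constructed genuine message from the same bank for comparison.
GENUINE = """\
Return-Path: <alerts@firstnational.example>
Received: from mta1.firstnational.example (mta1.firstnational.example [198.51.100.9])
\tby mx.corp.example with ESMTP id 4x2; Tue, 5 Mar 2019 10:05:00 +0000
From: "First National Bank" <alerts@firstnational.example>
To: victim@corp.example
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Sign in at <a href="https://www.firstnational.example/statements">firstnational.example</a></p>
"""

LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host):
    """Assumed heuristic: the last two labels of a host name (enough for *.example)."""
    return ".".join(host.lower().split(".")[-2:])


def host_of_url(url):
    return re.sub(r"^[a-z]+://", "", url, flags=re.I).split("/")[0].lower()


def spoof_indicators(raw):
    """Return the reasons the message's claimed sender looks false (empty list = none found)."""
    msg = message_from_string(raw)
    findings = []
    from_dom = registrable(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])

    # 1. Envelope sender (Return-Path) should belong to the same organisation as From.
    rp_dom = registrable(parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2])
    if rp_dom and rp_dom != from_dom:
        findings.append("Return-Path domain %s != From domain %s" % (rp_dom, from_dom))

    # 2. The relay that handed the message to our MX should be the claimed sender's.
    m = re.search(r"from\s+(\S+)", msg.get("Received", ""))
    if m and registrable(m.group(1)) != from_dom:
        findings.append("originating relay %s is not in %s" % (m.group(1), from_dom))

    # 3. Link text that names a site should point at that site.
    for href, text in LINK.findall(msg.get_payload()):
        link_dom = registrable(host_of_url(href))
        named = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())
        if named and registrable(named.group(0)) != link_dom:
            findings.append("link text says %s but points to %s" % (named.group(0), link_dom))
    return findings


if __name__ == "__main__":
    print("spoofed:", spoof_indicators(SPOOFED))
    print("genuine:", spoof_indicators(GENUINE))
```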

Page 17

E-Mail Encryption

• Two technologies used to protect e-mail messages as they are being transported:
  • Secure/Multipurpose Internet Mail Extensions (S/MIME)
  • Pretty Good Privacy (PGP)
• Both protect the message content end to end; transport encryption between mail servers (SMTP over TLS) protects only each hop, not the stored message

Page 18

Secure/Multipurpose Internet Mail Extensions (S/MIME)

• Protocol that adds digital signatures and encryption to Multipurpose Internet Mail Extensions (MIME) messages
• Provides these features:
  • Digital signatures
  • Message privacy
  • Tamper detection
  • Interoperability
  • Seamless integration

Page 19

Pretty Good Privacy (PGP)

• Functions much like S/MIME: it encrypts messages and authenticates them with digital signatures (a signature does not hide the content; it proves who sent the message and detects tampering)
• A user can sign an e-mail message without encrypting it, verifying the sender but not preventing anyone from seeing the contents
• First compresses the message
  • Reduces patterns and enhances resistance to cryptanalysis
• Creates a session key (a one-time-only secret key)
  • This key is a number generated from random

Page 20

Pretty Good Privacy (PGP) (continued)

• Uses a passphrase to encrypt the private key on the local computer
• Passphrase:
  • A longer and more secure version of a password
  • Typically composed of multiple words
  • More secure against dictionary attacks
  • The stored key is only as strong as the passphrase and the key-derivation function that stretches it; a salted, iterated derivation makes every guess expensive
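The message pipeline of slides 19 and 20 carried through in code: compress, generate a one-time session key, encrypt, and keep the long-term private key on disk only under a passphrase-derived key. This is an added example, not PGP's own code. OpenPGP uses AES or CAST5 for the message and RSA or ECC to wrap the session key for the recipient; to stay in the standard library, the symmetric cipher here is a SHA-256 counter-mode keystream used as a stand-in, and the public-key wrapping step is not shown. The passphrase, plaintext and stored key are constructed sample data.

```python
import hashlib
import hmac
import secrets
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR with a SHA-256-derived keystream.

    Demo stand-in for a real block cipher such as AES; the structure (key + nonce +
    counter -> keystream block) is the same, the primitive is not one you should ship.
    """
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt_message(plaintext: bytes):
    """Compress first (removes redundancy an attacker could exploit), then encrypt
    under a fresh session key. Returns (session_key, blob)."""
    compressed = zlib.compress(plaintext)
    session_key = secrets.token_bytes(32)      # one-time-only key from the OS CSPRNG
    nonce = secrets.token_bytes(16)
    ciphertext = keystream_xor(session_key, nonce, compressed)
    tag = hmac.new(session_key, nonce + ciphertext, hashlib.sha256).digest()  # tamper detection
    return session_key, nonce + ciphertext + tag


def decrypt_message(session_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; then decrypt and decompress."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(session_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message has been tampered with")
    return zlib.decompress(keystream_xor(session_key, nonce, ciphertext))


def protect_private_key(private_key: bytes, passphrase: str, iterations: int = 200_000) -> bytes:
    """Store a private key encrypted under a key derived from the passphrase.

    PBKDF2 with a random salt and many iterations is what makes a dictionary attack
    on the passphrase slow: each guess costs `iterations` HMAC computations.
    """
    salt = secrets.token_bytes(16)
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)
    wrapped = keystream_xor(kek, salt, private_key)
    tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
    return salt + wrapped + tag


def unlock_private_key(blob: bytes, passphrase: str, iterations: int = 200_000):
    """Return the private key, or None if the passphrase is wrong or the file was altered."""
    salt, wrapped, tag = blob[:16], blob[16:-32], blob[-32:]
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)
    if not hmac.compare_digest(tag, hmac.new(kek, wrapped, hashlib.sha256).digest()):
        return None
    return keystream_xor(kek, salt, wrapped)


if __name__ == "__main__":
    text = b"Quarterly numbers attached. " * 40          # constructed, repetitive plaintext
    key, blob = encrypt_message(text)
    print("plaintext %d bytes, encrypted blob %d bytes" % (len(text), len(blob)))
    print(decrypt_message(key, blob) == text)
    stored = protect_private_key(bytes(range(32)), "correct horse battery staple")
    print(unlock_private_key(stored, "correct horse battery staple") is not None)
    print(unlock_private_key(stored, "password1"))
```

The tag check in `unlock_private_key` is why a wrong passphrase is reported cleanly instead of yielding garbage that is later used as a key.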

Page 21

Pretty Good Privacy (PGP) (continued)

Page 22

Examining World Wide Web Vulnerabilities

• Web programming tools provide another foothold for Web attacks
• Dynamic content can also be used by attackers
• Buffer overflow attacks are common ways to gain unauthorized access to Web servers
• SMTP relay attacks allow spammers to send thousands of e-mail messages to users (an "open relay" accepts mail from anyone to anyone; a server should relay only for its own domains or for authenticated users)
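The SMTP exchange from the "How E-Mail Works" slides (pages 4 to 6) and the relay rule behind the SMTP relay bullet above, shown as both sides of the conversation. This is an added example, not from the slides: a minimal SMTP server on a loopback port that accepts mail for its own domains and answers `550 Relaying denied` for anyone else, driven by the standard library `smtplib` client, with the full transcript returned so you can read the commands and replies. The domain names and addresses are constructed; the server implements only the commands `smtplib` needs and is not a complete MTA.

```python
import smtplib
import socket
import threading

# Constructed configuration: mail for these domains is "local" to our server;
# accepting anything else would mean relaying on behalf of a stranger.
LOCAL_DOMAINS = {"example.org"}


def serve_one_session(srv, log, open_relay):
    """Accept one client and speak just enough SMTP for smtplib to deliver a message."""
    conn, _ = srv.accept()
    reader = conn.makefile("rb")

    def reply(line):
        log.append("S: " + line)
        conn.sendall((line + "\r\n").encode("ascii"))

    reply("220 mail.example.org ESMTP ready")
    while True:
        raw = reader.readline()
        if not raw:
            break
        cmd = raw.decode("ascii", errors="replace").rstrip("\r\n")
        log.append("C: " + cmd)
        verb = cmd.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            reply("250 mail.example.org")
        elif verb == "MAIL":
            reply("250 2.1.0 Sender OK")
        elif verb == "RCPT":
            # "RCPT TO:<user@domain>": accept local recipients, refuse to relay for others
            addr = cmd.split(":", 1)[1].strip().strip("<>")
            domain = addr.rpartition("@")[2].lower()
            if open_relay or domain in LOCAL_DOMAINS:
                reply("250 2.1.5 Recipient OK")
            else:
                reply("550 5.7.1 Relaying denied")
        elif verb == "DATA":
            reply("354 End data with <CR><LF>.<CR><LF>")
            size = 0
            while True:                       # message body ends with a line holding only "."
                line = reader.readline()
                if not line or line == b".\r\n":
                    break
                size += len(line)
            log.append("C: <%d bytes of message data>" % size)
            reply("250 2.0.0 Queued")
        elif verb in ("RSET", "NOOP"):
            reply("250 2.0.0 OK")
        elif verb == "QUIT":
            reply("221 2.0.0 Bye")
            break
        else:
            reply("500 5.5.1 Command unrecognized")
    reader.close()
    conn.close()


def run_session(sender, recipient, body, open_relay=False):
    """Deliver one message through a one-shot local server; return (refused, transcript).

    `refused` is smtplib's dict of rejected recipients ({} means the message was accepted).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                # loopback only, ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    log = []
    server = threading.Thread(target=serve_one_session, args=(srv, log, open_relay))
    server.start()
    try:
        with smtplib.SMTP("127.0.0.1", port, local_hostname="client.example", timeout=5) as client:
            refused = client.sendmail(sender, [recipient], body)
    except smtplib.SMTPRecipientsRefused as exc:
        refused = exc.recipients
    finally:
        server.join(timeout=5)
        srv.close()
    return refused, log


if __name__ == "__main__":
    for to, relay in (("bob@example.org", False), ("victim@other.example", False),
                      ("victim@other.example", True)):
        refused, log = run_session("alice@example.org", to, "Subject: test\r\n\r\nhello\r\n", relay)
        print("\n".join(log))
        print("refused:", refused, "\n")
```

Run with `open_relay=True` the same server accepts the third message for a foreign domain: that single policy difference is what turns a mail server into a spam source.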

Page 23

JavaScript

• Popular technology used to make dynamic content
• When a Web site that uses JavaScript is accessed, the HTML document with the JavaScript code is downloaded onto the user's computer
• The Web browser then executes that code with its built-in JavaScript interpreter (engine); despite the name, JavaScript is unrelated to Java and does not run in the Java Virtual Machine

Page 24

JavaScript (continued)

• Several defense mechanisms prevent JavaScript programs from causing serious harm:
  • JavaScript does not support certain capabilities (it cannot read or write arbitrary files on the user's disk)
  • JavaScript has no networking capabilities (true of early browsers; modern browsers do let scripts make HTTP requests, so the same-origin policy is what limits which sites a script can talk to)
• Other security concerns remain:
  • JavaScript programs can capture and send user

Page 25

JavaScript (continued)

Page 26

Java Applet

• A separate program stored on a Web server and downloaded onto a user's computer along with HTML code
• Can also be made into hostile programs
• Sandbox is a defense against a hostile Java applet
  • Surrounds the program and keeps it away from private data and other resources on the local computer
• Modern browsers no longer run Java applets (browser plug-in support has been removed), so this material is historical

Page 27

Java Applet (continued)

Page 28

Java Applet (continued)

• Two types of Java applets:
  • Unsigned Java applet: program that does not come from a trusted source
  • Signed Java applet: has a digital signature proving the program is from a trusted source and has not been altered
  • A signature proves who signed the code and that it was not changed afterwards; it does not prove the code is harmless, and signed applets ran outside the sandbox
• The primary defense against Java applets is using the appropriate settings of the Web

Page 29

Java Applet (continued)

Page 30

ActiveX

• Set of technologies developed by Microsoft
• Outgrowth of two other Microsoft technologies:
  • Object Linking and Embedding (OLE)
  • Component Object Model (COM)
• Not a programming language but a set of rules for how applications should share information

Page 31

ActiveX (continued)

• ActiveX controls represent a specific way of implementing ActiveX
  • Can perform many of the same functions as a Java applet, but do not run in a sandbox
  • Have full access to the Windows operating system
• ActiveX controls are managed through Internet Explorer
• ActiveX controls should be set to the most restricted levels

Page 32

ActiveX (continued)

Page 33

Cookies

• Computer files that contain user-specific information
• The need for cookies is based on the Hypertext Transfer Protocol (HTTP), which is stateless: each request stands alone, so the server has no other way to recognise a user between requests
• Instead of the Web server asking the user for this information each time they visit that site, the Web server stores that information in a file on the local computer
• Attackers often target cookies because they can contain sensitive information (usernames and

Page 34

Cookies (continued)

• Can be used to determine which Web sites you view
• A first-party cookie is created by the Web site you are currently viewing
• Some Web sites attempt to access cookies they did not create
  • If you went to www.b.org, that site might attempt to get the cookie A-ORG from your hard drive
  • The browser sends a cookie only to hosts matching its Domain attribute, so b.org cannot read a.org's cookie directly; a third-party cookie arises when a page on b.org embeds content fetched from a.org, and that request carries a.org's cookie
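The domain-matching rule that decides which stored cookies a browser attaches to a request, applied to the www.b.org / A-ORG scenario above. This is an added example and not from the slides: it parses Set-Cookie headers with the stdlib `http.cookies` module, implements the RFC 6265 domain-match check, and lists the attribute weaknesses (no Secure, no HttpOnly, broad Domain) that make a cookie worth stealing. The cookie values and the two sites' headers are constructed.

```python
from http.cookies import SimpleCookie


def parse_set_cookie(header_value, setting_host):
    """Turn one Set-Cookie header into a dict with its effective domain and security flags."""
    jar = SimpleCookie()
    jar.load(header_value)
    name = next(iter(jar))
    morsel = jar[name]
    explicit = morsel["domain"]
    return {
        "name": name,
        "value": morsel.value,
        "domain": explicit.lstrip(".").lower() if explicit else setting_host.lower(),
        "host_only": not explicit,          # no Domain attribute: sent only to the exact host
        "secure": bool(morsel["secure"]),   # only sent over HTTPS
        "httponly": bool(morsel["httponly"]),  # invisible to document.cookie
    }


def domain_matches(request_host, cookie):
    """RFC 6265 section 5.1.3: exact host, or (with a Domain attribute) any subdomain."""
    host, dom = request_host.lower(), cookie["domain"]
    if cookie["host_only"]:
        return host == dom
    return host == dom or host.endswith("." + dom)


def cookies_sent_to(request_host, jar, https=True):
    """Names of stored cookies a browser would attach to a request for request_host."""
    return sorted(c["name"] for c in jar
                  if domain_matches(request_host, c) and (https or not c["secure"]))


def cookie_weaknesses(cookie):
    """What an attacker gains from this cookie's attributes."""
    issues = []
    if not cookie["secure"]:
        issues.append("sent over plain HTTP, can be sniffed on the wire")
    if not cookie["httponly"]:
        issues.append("readable by page scripts, stealable through XSS")
    if not cookie["host_only"]:
        issues.append("shared with every subdomain of " + cookie["domain"])
    return issues


def build_jar():
    """Constructed cookies 'on the hard drive', set by two unrelated sites."""
    return [
        parse_set_cookie("A-ORG=user123; Domain=.a.org; Path=/", "www.a.org"),
        parse_set_cookie("session=f00d; Path=/; Secure; HttpOnly", "www.b.org"),
    ]


if __name__ == "__main__":
    jar = build_jar()
    for host in ("www.a.org", "shop.a.org", "www.b.org", "shop.b.org"):
        print(host, "receives", cookies_sent_to(host, jar))
    for c in jar:
        print(c["name"], cookie_weaknesses(c))
```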

Page 35

Common Gateway Interface (CGI)

• Set of rules that describes how a Web server communicates with other software on the server and vice versa
• Commonly used to allow a Web server to display information from a database on a Web page, or for a user to enter information through a Web form that is deposited in a database

Page 36

Common Gateway Interface (CGI) (continued)

• CGI scripts create security risks
  • They do not filter user input properly
  • Attackers can issue commands via Web URLs
• CGI security can be enhanced by:
  • Properly configuring CGI
  • Disabling unnecessary CGI scripts or programs
  • Checking program code that uses CGI for any vulnerabilities
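The two risks on this slide, unfiltered input and commands issued through the URL, side by side with the fix. This is an added example, not from the slides: a CGI-style "list this directory" handler in the vulnerable form (the query parameter pasted into a shell command) and in a hardened form that validates the parameter against an allow-pattern, confines the resolved path to the document directory, and runs the program without a shell. The document directory is a temporary folder created by the example itself; `ls` is assumed to be available, as on any Unix-like host.

```python
import os
import re
import subprocess
import tempfile

# Constructed stand-in for the web server's document directory (e.g. /var/www/files).
BASE_DIR = os.path.realpath(tempfile.mkdtemp(prefix="cgi-demo-"))
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")   # allow-pattern for the 'dir' parameter


def setup_demo_files():
    """Populate the document directory with two files to list."""
    for name in ("report.txt", "notes.txt"):
        with open(os.path.join(BASE_DIR, name), "w") as fh:
            fh.write("demo\n")


def list_files_vulnerable(subdir: str) -> str:
    """The mistake on the slide: the URL parameter is pasted into a shell command line.

    A request like ?dir=.;echo+INJECTED makes the shell run a second command of
    the attacker's choosing with the web server's privileges.
    """
    cmd = "ls %s/%s" % (BASE_DIR, subdir)        # no filtering at all
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def list_files_hardened(subdir: str) -> str:
    """Validate the parameter, confine the resolved path, and never involve a shell."""
    if not SAFE_NAME.match(subdir):
        raise ValueError("rejected input: %r" % subdir)
    # ".." passes the pattern, so also check where the path actually resolves to
    target = os.path.realpath(os.path.join(BASE_DIR, subdir))
    if os.path.commonpath([target, BASE_DIR]) != BASE_DIR:
        raise ValueError("path escapes the document directory")
    # argument list, shell=False: the value is one argv element, never parsed for ';' or '|'
    return subprocess.run(["ls", target], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    setup_demo_files()
    payload = ".; echo INJECTED"                   # what an attacker puts in the URL
    print("vulnerable:\n" + list_files_vulnerable(payload))
    for value in (".", payload, ".."):
        try:
            print("hardened %r:\n%s" % (value, list_files_hardened(value)))
        except ValueError as err:
            print("hardened %r: %s" % (value, err))
```

The two checks in the hardened version are deliberately redundant: the allow-pattern stops shell metacharacters, and the `realpath` comparison stops traversal that the pattern cannot express.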

Page 37

8.3 Naming Conventions

• Microsoft Disk Operating System (DOS) limited filenames to eight characters followed by a period and a three-character extension (e.g., Filename.doc)
• Called the 8.3 naming convention
• Recent versions of Windows allow filenames to contain up to 255 characters
• To maintain backward compatibility with DOS, Windows automatically creates an 8.3 "alias" filename for every long filename (for example PROGRA~1 for Program Files)

Page 38

8.3 Naming Conventions (continued)

• The 8.3 naming convention introduces a security vulnerability with some Web servers
  • Microsoft Internet Information Server 4.0 and other Web servers can inherit privileges from parent directories instead of the requested directory if the requested directory uses a long filename
  • The root cause is that the permission check compared the requested name with the configured long name as a string, so a request using the alias matched nothing and fell through to the parent's settings
• Solution is to disable creation of the 8.3 alias (on NTFS the NtfsDisable8dot3NameCreation setting, also reachable through fsutil 8dot3name) and, more generally, to canonicalize a path before making any access decision about it
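A small model of the bypass described above and of the canonicalize-then-authorize fix. This is an added example and not from the slides: it generates 8.3 aliases with a simplified version of the Windows rule (strip spaces and illegal characters, keep six characters, append ~1, keep three characters of extension), then shows a permission lookup keyed by long directory names that a request for SECURE~1 slips past, and the same lookup after alias components are mapped back to their long names. The directory tree, the access policy and the alias rule are constructed assumptions; real Windows short-name generation has further cases (hashing after several collisions, names that are already valid 8.3 names kept as they are).

```python
import re


def short_alias(long_name: str, taken=()) -> str:
    """Generate a DOS-style 8.3 alias roughly the way Windows does (simplified rule)."""
    if "." in long_name:
        base, ext = long_name.rsplit(".", 1)
    else:
        base, ext = long_name, ""
    if " " not in long_name and len(base) <= 8 and len(ext) <= 3:
        return long_name.upper()            # already a legal 8.3 name: no alias is created
    stem = re.sub(r"[^A-Za-z0-9_]", "", base).upper()[:6]
    suffix = "." + ext.upper()[:3] if ext else ""
    for n in range(1, 10):
        candidate = "%s~%d%s" % (stem, n, suffix)
        if candidate not in taken:
            return candidate
    raise ValueError("too many 8.3 collisions for %r" % long_name)


# Per-directory access policy as an administrator would configure it in the web
# server, keyed by the long directory name (constructed example).
ACLS = {"/": "anonymous", "/Secure Reports": "authenticated-only"}


def build_alias_map():
    """The filesystem's long-name -> 8.3 alias table for the constructed tree."""
    return {"Secure Reports": short_alias("Secure Reports")}


def effective_policy_naive(request_path: str) -> str:
    """Flawed lookup: compare the requested path, then each parent, with ACLS as literal text.

    A request for /SECURE~1/q1.xls matches neither itself nor "/Secure Reports", so the
    walk ends at "/" and the directory inherits its parent's (anonymous) policy.
    """
    path = request_path
    while path not in ACLS:
        if "/" not in path:
            return ACLS["/"]
        path = path.rsplit("/", 1)[0] or "/"
    return ACLS[path]


def canonicalize(request_path: str, alias_map: dict) -> str:
    """Map every 8.3 alias component back to its long name before any permission check."""
    reverse = {alias.lower(): longname for longname, alias in alias_map.items()}
    return "/".join(reverse.get(part.lower(), part) for part in request_path.split("/")) or "/"


def effective_policy_fixed(request_path: str, alias_map: dict) -> str:
    return effective_policy_naive(canonicalize(request_path, alias_map))


if __name__ == "__main__":
    amap = build_alias_map()
    for req in ("/Secure Reports/q1.xls", "/SECURE~1/q1.xls"):
        print("%-24s naive=%-19s fixed=%s" % (req, effective_policy_naive(req),
                                               effective_policy_fixed(req, amap)))
```

The same pattern, an access check performed on one spelling of a name while the filesystem accepts several, recurs with case-insensitive filesystems, trailing dots and URL encoding; the fix is always to resolve to the canonical form first.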

Page 39

Securing Web Communications

• The most common secure connection uses the Secure Sockets Layer/Transport Layer Security protocol (SSL is obsolete; current deployments should require TLS 1.2 or 1.3)
• One implementation is Hypertext Transfer Protocol over SSL/TLS (HTTPS)
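What "uses SSL/TLS" has to mean on the client side for the connection to actually be secure. This is an added example, not from the slides: two Python `ssl` contexts, one configured the way "just make it work" code often is (no certificate verification, no hostname check, legacy protocol versions allowed) and one hardened, with an audit function that reports the differences. No network connection is made; the contexts are only inspected.

```python
import ssl


def insecure_context() -> ssl.SSLContext:
    """The weak configuration: accepts any certificate for any name over any TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                      # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE                 # no chain validation: trivial to intercept
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED   # allows obsolete protocol versions
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected configuration: verify the chain against the system CA store,
    check the name in the certificate, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED + check_hostname + CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx: ssl.SSLContext):
    """List the properties an attacker on the path could exploit."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate not verified")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("allows TLS < 1.2")
    return problems


if __name__ == "__main__":
    print("insecure:", audit(insecure_context()))
    print("hardened:", audit(hardened_context()))
```

Each item the audit reports corresponds to a distinct attack: without chain validation any certificate is accepted, without the hostname check a valid certificate for a different site is accepted, and with old protocol versions enabled a downgrade to a weaker cipher suite becomes possible.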

Posted: 30/01/2020, 12:08