Network and Systems Security

Messaging and Web components

Objectives
- Describe security issues associated with e-mail.
- Implement security practices for e-mail.
- Detail the security issues of instant messaging protocols.
- Describe the functioning of the SSL/TLS protocol suite.
- Explain web applications, plug-ins, and associated security issues.
- Describe secure file transfer options.
- Explain directory usage for data retrieval.
- Explain scripting and other Internet functions that present security concerns.
- Use cookies to maintain parameters between web pages.
- Examine web-based application security issues.

E-mail Usage

Security of E-mail
Originally launched unsecure; remains unsecure.

Internet e-mail depends on three primary protocols:
- SMTP
- POP3
- IMAP

Used as a medium:
- To spread viruses
- To forward hoaxes

Similar to Instant Messaging.

Example List of Spam E-mails

AOL Instant Messenger Program

Malicious Code
Can be found and dispersed by many different methods:
- Worm
- Virus
- Trojan horse program
- Botnet

Viruses Commonly Spread Through E-mail Attachments

Malicious Code Protection Measures


- Antivirus
- E-mail scan
- Disable:
  - Preview panes
  - Scripting support
- Follow safe practices and procedures
- Educating employees
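As an added example (not part of the original slides), the kind of e-mail scan a gateway performs before a message ever reaches a preview pane: it parses a MIME message with Python's standard email library, walks the attachments, and flags executable file types and disguised double extensions such as invoice.pdf.exe. The policy lists and the sample message are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Hypothetical gateway policy: attachment extensions treated as executable.
RISKY_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
RISKY_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def audit_attachments(raw_message: bytes):
    """Parse a raw RFC 5322 message and return a list of
    (filename, content_type, reason) tuples for attachments that the
    policy above would block. An empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():       # skips the body parts
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        lower = name.lower()
        # Only the last extension counts: "invoice.pdf.exe" is an .exe,
        # however harmless the middle of the name looks in a mail client.
        ext = lower[lower.rfind("."):] if "." in lower else ""
        if ext in RISKY_EXTENSIONS:
            findings.append((name, ctype, f"executable extension {ext}"))
        elif ctype in RISKY_CONTENT_TYPES:
            findings.append((name, ctype, f"executable content type {ctype}"))
    return findings


def build_sample_message() -> bytes:
    """Construct a sample message (not a real capture) with one benign
    PDF attachment and one disguised executable."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 sample", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype, reason in audit_attachments(build_sample_message()):
        print(f"BLOCK {name} ({ctype}): {reason}")
```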

Hoax E-mails
E-mail hoaxes are mostly a nuisance, wasting everyone's time as well as Internet bandwidth and server processing time. Sites like Snopes.com debunk such hoaxes.

Famous Hoax: The Neiman-Marcus story

Unsolicited Commercial E-mail (Spam)


Spam refers to unsolicited commercial e-mail whose purpose is the same as the junk mail you get in your physical mailbox: it tries to persuade you to buy something. The term spam comes from a skit on Monty Python's Flying Circus, where two people are in a restaurant that serves only the potted meat product. This concept of the repetition of unwanted things is the key to e-mail spam.

Fighting Spam
Ways to fight spam include:
- E-mail filtering
- Educate users about spam
- Cautious internet surfing
- Cautious towards unknown e-mail
- Shut down open relays
- Host/server filters
- Blacklisting or DNSBL
- Greylisting
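Greylisting, as an added Python example (not code from the slides): the decision a receiving mail server makes on each delivery attempt, keyed on the (client IP, envelope sender, envelope recipient) triplet. An unknown triplet gets a temporary SMTP rejection; a legitimate mail server retries after a delay and is then accepted and remembered, while most spam engines never retry. The timing values are the example's own choices.

```python
import time

TEMP_REJECT = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylist:
    """Decision engine for SMTP greylisting (added example, in-memory only).

    A triplet (client IP, envelope sender, envelope recipient) seen for the
    first time is temporarily rejected. If the same triplet comes back after
    min_delay seconds but within retry_window seconds, it is accepted and
    auto-whitelisted for whitelist_ttl seconds so later mail flows straight
    through. The defaults below are illustrative, not a standard."""

    def __init__(self, min_delay=300, retry_window=4 * 3600,
                 whitelist_ttl=36 * 24 * 3600):
        self.min_delay = min_delay
        self.retry_window = retry_window
        self.whitelist_ttl = whitelist_ttl
        self._first_seen = {}    # triplet -> time of first attempt
        self._whitelisted = {}   # triplet -> expiry of the whitelist entry

    def decide(self, client_ip, sender, recipient, now=None):
        """Return the SMTP reply for one delivery attempt of this triplet."""
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())

        expiry = self._whitelisted.get(key)
        if expiry is not None and now < expiry:
            return ACCEPT                      # known-good sender, no delay
        self._whitelisted.pop(key, None)       # drop an expired entry

        first = self._first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self._first_seen[key] = now        # new (or stale) triplet: start the clock
            return TEMP_REJECT
        if now - first < self.min_delay:
            return TEMP_REJECT                 # retried too soon, keep waiting
        # Retried within the window: behaves like a real mail server. Let it in.
        del self._first_seen[key]
        self._whitelisted[key] = now + self.whitelist_ttl
        return ACCEPT
```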

Mail Encryption
Provision for confidentiality, more commonly known as privacy. E-mail is sent in the clear (clear text) unless the message and/or attachments are encrypted. E-mail content encryption methods include:
- S/MIME
- PGP

S/MIME
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a secure implementation of the MIME protocol specification. MIME was created to allow Internet e-mail to support new and more creative features. MIME allows e-mail to handle multiple types of content in a message, including file transfers. Every time you send a file as an e-mail attachment, you are using MIME. S/MIME takes this content and specifies a framework for encrypting the message as a MIME attachment.

Configuration Settings in Outlook

Pretty Good Privacy (PGP)


PGP implements e-mail security in a similar fashion to S/MIME, but uses completely different protocols. The basic framework is the same:
- The user sends the e-mail, and the mail agent applies encryption as specified by the mail program.
- The content is encrypted with a generated symmetric key, and that key is encrypted with the public key of the recipient of the e-mail for confidentiality.

Pretty Good Privacy (PGP)


PGP manages keys locally in its own software. This is where a user stores not only local keys, but also any keys that were received from other users. A free key server is available for storing PGP public keys.

Decoding a PGP-encoded Message in Eudora

Pretty Good Privacy (PGP)


PGP has plug-ins for many popular e-mail programs, including Outlook and Qualcomm's Eudora. These plug-ins handle the encryption and decryption behind the scenes, and all the user must do is enter the encryption key's passphrase to prove that they are the owner of the key.

Instant Messaging
Technology that allows individuals to chat online. AOL Instant Messenger (AIM) is a prevalent chat application.

Instant Messaging
To work properly, IM has to:
- Attach to a server (typically announcing the IP address of the originating client)
- Announce your presence on the server

Instant Messaging

Current Web Components and Concerns


Security concerns can be grouped into three main tasks:
- Securing a server that delivers content to users over the Web.
- Securing the transport of information between users and servers over the Web.
- Securing the user's computer from attack over a web connection.

Web Protocols
Common protocols used on the Web:
- Encryption (SSL and TLS)
- The Web (HTTP and HTTPS)
- Directory Services (DAP and LDAP)
- File Transfer (FTP and SFTP)

Encryption (SSL and TLS)


Secure Sockets Layer (SSL) is a general-purpose protocol developed by Netscape for managing the encryption of information being transmitted over the Internet. Transport Layer Security (TLS) is its standardized successor; SSL and TLS are essentially the same, although not interchangeable. Cryptographic methods are an ever-evolving field, and because both parties must agree on an implementation method, SSL/TLS has embraced an open, extensible, and adaptable method to allow flexibility and strength.

IE 8 Security Options

Encryption (SSL and TLS)


Firefox SSL Security Options

Encryption (SSL and TLS)


Firefox SSL Cipher Options

SSL/TLS Handshake

How SSL/TLS Works


IE 8 Certificate Management Options

IE 8 Certificate Store

Firefox Certificate Options

Firefox Certificate Store

SSL/TLS Attacks
SSL/TLS is specifically designed to provide protection from man-in-the-middle attacks. However, a Trojan program that copies keystrokes and echoes them to another TCP/IP address in parallel with the intended communication can defeat SSL/TLS, because it captures the data before it is ever encrypted.

The Web (HTTP and HTTPS)


HTTP is used for the transfer of hyperlinked data over the Internet, from web servers to browsers. When a secure connection is needed, SSL/TLS is used and appears in the address as https://.

The Web (HTTP and HTTPS)

High-assurance notification in IE 7

High-assurance notification in Firefox

Directory Services (DAP and LDAP)


A directory is designed and optimized for reading data, offering very fast search and retrieval operations. LDAP offers all of the functionality most directories need and is easier and more economical to implement.

SSL/TLS LDAP
SSL/TLS provides several important functions to LDAP services:
- Establish the identity of a data source through the use of certificates.
- Provide for the integrity and confidentiality of the data being presented.

File Transfer (FTP and SFTP)


FTP is a standard network protocol used to exchange and manipulate files over a TCP/IP based network. Secure FTP (SFTP) is used when confidential transfer is required and combines both the Secure Shell (SSH) protocol and FTP.

Vulnerabilities
Just because SSL is enabled does not mean the user is safe. Key loggers can record what is being typed on a user's computer before it is encrypted. A company's database can get hacked, releasing your information to the world.

Code-based Vulnerabilities
- Buffer overflows
- Java and JavaScript
- ActiveX
- Securing the browser
- CGI
- Server-side scripts
- Cookies
- Signed applets
- Browser plug-ins

Buffer Overflows
The buffer overflow vulnerability is a result of poor coding practices on the part of software programmers. This occurs when an application can accept more input than it has assigned storage space, and the input data overwrites other program areas.

Java
Java is a computer language invented by Sun Microsystems as an alternative to Microsoft's development languages. Designed to be platform-independent, Java offered a low learning curve and a way of implementing programs across an enterprise. Although platform independence never fully materialized, Java has found itself to be a leader among object-oriented programming languages. Java can still perform malicious activities, and the fact that many users falsely believe it is safe increases its usefulness for attackers.

JavaScript
JavaScript is a scripting language developed to be operated within a browser instance. The primary purpose is to enable features such as validation of forms. Enterprising programmers found many other uses for JavaScript, such as manipulating the browser history files, now prohibited by design. JavaScript actually runs within the browser, and the code is executed by the browser itself. This has led to compatibility problems.

Java and JavaScript


Java Configuration Settings in Microsoft Internet Explorer 7

Java and JavaScript


Security Setting Functionality Issues

ActiveX
ActiveX is a broad collection of application programming interfaces (APIs), protocols, and programs developed by Microsoft.
- Used to download and execute code automatically over an Internet-based channel.
- Can enable a browser to display a custom type of information in a particular way.
- Can perform complex tasks, such as updating the operating system and application programs.

ActiveX
ActiveX Security Settings in IE 8

Securing the Browser


Added features mean weaker security. No browser is 100 percent safe. Currently, Firefox coupled with the NoScript plug-in provides good protection.

The NoScript plug-in allows the user to determine from which domains to trust scripts.

CGI & Server-Side Scripts


Common Gateway Interface (CGI) is a method for having a web server execute a program outside the web server process, yet on the same server. Server-side scripting allows programs to be run outside the web server and to return data to the web server to be served to end users via a web page. This is replacing CGI.

Cookies
Cookies are small chunks of ASCII text passed within an HTTP stream to store data temporarily in a web browser instance. A cookie is a series of name-value pairs that is stored in memory during a browser instance. Cookie attributes include:
- Expires
- Domain
- Path
- Secure
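The attributes above decide where, and for how long, a browser will send a cookie back. As an added example (not from the slides), this Python function parses a Set-Cookie header value with the standard library and reports what a reviewer would query on a session cookie: a missing Secure flag, a Domain that shares the cookie with every subdomain, a Path of "/", and an Expires or Max-Age that makes it persistent. The two sample headers are constructed.

```python
from http.cookies import SimpleCookie

# Constructed samples: a loosely scoped session cookie and a tightened one.
WEAK_COOKIE = ("session=abc123; Domain=example.com; Path=/; "
               "Expires=Wed, 09 Jun 2021 10:18:14 GMT")
HARDENED_COOKIE = "session=abc123; Path=/app; Secure; HttpOnly"


def audit_set_cookie(header_value, served_over_https=True):
    """Parse one Set-Cookie header value and return a list of findings about
    its Expires, Domain, Path and Secure attributes (empty list: nothing found)."""
    jar = SimpleCookie()
    jar.load(header_value)   # attribute names are matched case-insensitively
    findings = []
    for name, morsel in jar.items():
        # Secure: without it the browser also sends the cookie over plain HTTP,
        # where anyone on the network path can read it. Relevant on HTTPS sites.
        if served_over_https and not morsel["secure"]:
            findings.append(f"{name}: no Secure attribute; also sent over http://")
        # Domain: setting it at all shares the cookie with every subdomain.
        if morsel["domain"]:
            findings.append(f"{name}: Domain={morsel['domain'].lstrip('.')} "
                            "shares the cookie with all subdomains")
        # Path: '/' (the default) sends the cookie to every URL on the host.
        if morsel["path"] in ("", "/"):
            findings.append(f"{name}: Path is '/' or unset; sent to every URL on the host")
        # Expires / Max-Age: the cookie outlives the browser session on disk.
        if morsel["expires"] or morsel["max-age"]:
            findings.append(f"{name}: persistent cookie; kept on disk until "
                            f"{morsel['expires'] or 'Max-Age=' + morsel['max-age']}")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(label, audit_set_cookie(header) or ["no findings"])
```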

Cookies
Firefox Cookie Management

Cookies
Microsoft Internet Explorer 7 Cookie Management

Cookies

Microsoft Internet Explorer 7 Cookie Store

Signed Applets
The ability to use a certificate to sign an applet allows the identity of the author to be established. A signed applet can be hijacked as easily as a graphic or any other file. Inlining is using an embedded control from another site, with or without the other site's permission.

Browser Plug-ins
Plug-ins are small application programs that increase a browser's ability to handle new data types and add new functionality. Dynamic data such as movies and music can be manipulated by a wide variety of plug-ins, and one of the most popular comes from Real Networks.

Browser Plug-ins
Add-ons for IE 8

Open Vulnerability and Assessment Language (OVAL)

OVAL comprises two main elements: an XML-based machine-readable language for describing vulnerabilities, and a repository. Common Vulnerabilities and Exposures (CVE) is a system that provides a reference method for publicly known information-security vulnerabilities and exposures.

Web 2.0 and Security


The foundations of security apply the same way in Web 2.0 as they do elsewhere. With more capability and greater complexity comes a greater need for strong foundational security efforts.

Summary
- Describe security issues associated with e-mail.
- Implement security practices for e-mail.
- Detail the security issues of instant messaging protocols.
- Describe the functioning of the SSL/TLS protocol suite.
- Explain web applications, plug-ins, and associated security issues.
- Describe secure file transfer options.
- Explain directory usage for data retrieval.
- Explain scripting and other Internet functions that present security concerns.
- Use cookies to maintain parameters between web pages.
- Examine web-based application security issues.
