c10 messaging and web components
TRANSCRIPT
-
8/13/2019 C10 Messaging and Web Components
1/62
1
Network and Systems Security
Messaging and Web Components
-
Objectives
Describe security issues associated with e-mail.
Implement security practices for e-mail.
Detail the security issues of instant messaging protocols.
Describe the functioning of the SSL/TLS protocol suite.
Explain web applications, plug-ins, and associated security issues.
Describe secure file transfer options.
Explain directory usage for data retrieval.
Explain scripting and other Internet functions that present security concerns.
Use cookies to maintain parameters between web pages.
Examine web-based application security issues.
-
E-mail Usage
-
Security of E-mail
Originally launched without security, and it remains insecure. Internet e-mail depends on three primary protocols:
SMTP
POP3
IMAP
Used as a medium:
To spread viruses
To forward hoaxes
Similar to Instant Messaging.
-
Example List of Spam E-mails
-
AOL Instant Messenger Program
-
Malicious Code
Can be found and dispersed by many different methods:
Worm
Virus
Trojan horse program
Botnet
-
Viruses Commonly Spread Through E-mail Attachments
-
Malicious Code Protection Measures
Antivirus e-mail scanning
Disable:
Preview panes
Scripting support
Follow safe practices and procedures
Educate employees
-
Hoax E-mails
E-mail hoaxes are mostly a nuisance, wasting everyone's time and taking up Internet bandwidth and server processing time as well.
Sites like Snopes.com debunk such hoaxes.
-
Famous Hoax: The Neiman-Marcus Story
-
Unsolicited Commercial E-mail (Spam)
Spam refers to unsolicited commercial e-mail whose purpose is the same as the junk mail you get in your physical mailbox: it tries to persuade you to buy something.
The term spam comes from a skit on Monty Python's Flying Circus, where two people are in a restaurant that serves only the potted meat product.
This concept of the repetition of unwanted things is the key to e-mail spam.
-
Fighting Spam
Ways to fight spam include:
E-mail filtering
Educate users about spam
Cautious Internet surfing
Cautious towards unknown e-mail
Shut down open relays
Host/server filters
Blacklisting or DNSBL
Greylisting
-
Mail Encryption
Provision for confidentiality, more commonly known as privacy.
E-mail is sent in the clear (clear text) unless the message and/or attachments are encrypted.
E-mail content encryption methods include:
S/MIME
PGP
-
S/MIME
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a secure implementation of the MIME protocol specification. MIME was created to allow Internet e-mail to support new and more creative features.
MIME allows e-mail to handle multiple types of content in a message, including file transfers. Every time you send a file as an e-mail attachment, you are using MIME.
S/MIME takes this content and specifies a framework for encrypting the message as a MIME attachment.
-
Configuration Settings in Outlook
-
Pretty Good Privacy (PGP)
PGP implements e-mail security in a similar fashion to S/MIME, but uses completely different protocols.
The basic framework is the same:
The user sends the e-mail, and the mail agent applies encryption as specified in the mail program's programming.
The content is encrypted with the generated symmetric key, and that key is encrypted with the public key of the recipient of the e-mail for confidentiality.
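The framework just described, as an added example that is not code from the slides or from PGP itself: a fresh symmetric key encrypts the content, and the recipient's public key encrypts that key. Go's standard library stands in for PGP's own formats; Envelope, Encrypt, Decrypt and must are hypothetical names, and RSA-OAEP for key wrapping with AES-256-GCM for the body are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is a hypothetical wire format: WrappedKey is the random AES-256
// session key encrypted with the recipient's RSA public key (OAEP); Nonce and
// Ciphertext (body plus authentication tag) come from AES-GCM under that key.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// must is used only where failure is impossible (fixed 32-byte key) or fatal (no OS randomness).
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Encrypt generates a fresh symmetric key, encrypts the content with it, then
// encrypts that key with the recipient's public key for confidentiality.
func Encrypt(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // 32-byte session key followed by 12-byte nonce
	must(rand.Read(buf))
	key, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err // e.g. recipient key too short to wrap the session key
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt unwraps the session key with the private key and opens the body;
// the GCM tag check rejects an envelope whose ciphertext or nonce was altered.
func Decrypt(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil || len(key) != 32 || len(env.Nonce) != 12 {
		return nil, rsa.ErrDecryption // wrong private key or malformed envelope
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Only the holder of the private key can recover the session key, and any change to the encrypted body is detected when the GCM tag is checked.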
-
Pretty Good Privacy (PGP)
PGP manages keys locally in its own software.
This is where a user stores not only local keys, but also any keys that were received from other users.
A free key server is available for storing PGP public keys.
-
Decoding a PGP-encoded Message in Eudora
-
Pretty Good Privacy (PGP)
PGP has plug-ins for many popular e-mail programs, including Outlook and Qualcomm's Eudora.
These plug-ins handle the encryption and decryption behind the scenes, and all that the user must do is enter the encryption key's passphrase to ensure that they are the owner of the key.
-
Instant Messaging
Technology that allows individuals to chat online.
AOL Instant Messenger (AIM) is a prevalent chat application.
-
Instant Messaging
To work properly, IM has to:
Attach to a server (typically announcing the IP address of the originating client)
Announce your presence on the server
-
Instant Messaging
-
Web Protocols
Common protocols used on the Web:
-
Encryption (SSL and TLS)
Secure Sockets Layer (SSL) is a general-purpose protocol developed by Netscape for managing the encryption of information being transmitted over the Internet.
Transport Layer Security (TLS): SSL and TLS are essentially the same, although not interchangeable.
Cryptographic methods are an ever-evolving field, and because both parties must agree on an implementation method, SSL/TLS has embraced an open, extensible, and adaptable method to allow flexibility and strength.
-
Encryption (SSL and TLS)
IE 8 Security Options
-
Encryption (SSL and TLS)
Firefox SSL Security Options
-
Encryption (SSL and TLS)
Firefox SSL Cipher Options
-
SSL/TLS Handshake
-
How SSL/TLS Works
IE 8 Certificate Management Options
-
IE 8 Certificate Store
-
Firefox Certificate Options
-
Firefox Certificate Store
-
SSL/TLS Attacks
SSL/TLS is specifically designed to provide protection from man-in-the-middle attacks.
A Trojan program that copies keystrokes and echoes them to another TCP/IP address in parallel with the intended communication can defeat SSL/TLS.
-
The Web (HTTP and HTTPS)
HTTP is used for the transfer of hyperlinked data over the Internet, from web servers to browsers.
When a secure connection is needed, SSL/TLS is used and appears in the address as https://.
-
The Web (HTTP and HTTPS)
High-assurance notification in IE 7
High-assurance notification in Firefox
-
Directory Services (DAP and LDAP)
A directory is designed and optimized for reading data, offering very fast search and retrieval operations.
LDAP offers all of the functionality most directories need and is easier and more economical to implement.
-
SSL/TLS LDAP
SSL/TLS provides several important functions to LDAP services:
Establish the identity of a data source through the use of certificates.
Provide for the integrity and confidentiality of the data being presented.
-
File Transfer (FTP and SFTP)
FTP is a standard network protocol used to exchange and manipulate files over a TCP/IP-based network.
Secure FTP (SFTP) is used when confidential transfer is required and combines both the Secure Shell (SSH) protocol and FTP.
-
Vulnerabilities
Just because SSL is enabled does not mean the user is safe.
Key loggers can record what is being typed on a user's computer before it is encrypted.
A company's database can get hacked, releasing your information to the world.
-
Code-based Vulnerabilities
Buffer overflows
Java and JavaScript
ActiveX
Securing the browser
CGI
Server-side scripts
Cookies
Signed applets
-
Buffer Overflows
The buffer overflow vulnerability is a result of poor coding practices on the part of software programmers.
This occurs when an application can accept more input than it has assigned storage space, and the input data overwrites other program areas.
-
Java
Java is a computer language invented by Sun Microsystems as an alternative to Microsoft's development languages.
Designed to be platform-independent
Java offered a low learning curve and a way of implementing programs across an enterprise.
Although platform independence never fully materialized, Java has found itself to be a leader in object-oriented programming languages.
Java can still perform malicious activities, and the fact that many users falsely believe it is safe increases its usefulness for attackers.
-
JavaScript
JavaScript is a scripting language developed to be operated within a browser instance.
The primary purpose is to enable features such as validation of forms.
Enterprising programmers found many other uses for JavaScript, such as manipulating the browser history files, now prohibited by design.
JavaScript actually runs within the browser, and the code is executed by the browser itself.
This has led to compatibility problems.
-
Java and JavaScript
Java Configuration Settings in Microsoft Internet Explorer 7
-
Java and JavaScript
Table: Security Setting / Functionality / Issues
-
ActiveX
ActiveX is a broad collection of application programming interfaces (APIs), protocols, and programs developed by Microsoft.
Used to download and execute code automatically over an Internet-based channel.
Can enable a browser to display a custom type of information in a particular way.
Can perform complex tasks, such as updating the operating system and application programs.
-
ActiveX Security Settings in IE 8
-
Securing the Browser
Added features mean weaker security.
No browser is 100 percent safe.
Currently Firefox coupled with the NoScript plug-in provides good protection.
The NoScript plug-in allows the user to determine from which domains to trust scripts.
-
CGI & Server-Side Scripts
Common Gateway Interface (CGI) is a method for having a web server execute a program outside the web server process, yet on the same server.
Server-side scripting allows programs to be run outside the web server and to return data to the web server to be served to end users via a web page. This is replacing CGI.
-
Cookies
Cookies are small chunks of ASCII text passed within an HTTP stream to store data temporarily in a web browser instance.
A cookie is a series of name-value pairs that is stored in memory during a browser instance.
Cookie attributes include:
Expires
Domain
Path
Secure
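As an added example, not part of the slides: how a browser applies these four attributes when deciding whether to attach a stored cookie to a request. ParseSetCookie uses Go's net/http Set-Cookie parsing; ShouldSend, domainMatches and pathMatches are hypothetical names that implement the RFC 6265 matching rules for Domain and Path, and the sample cookie in the test is constructed.

```go
package main

import (
	"net/http"
	"strings"
	"time"
)

// ParseSetCookie parses one Set-Cookie header line with net/http's own reader,
// so the Expires, Domain, Path and Secure attributes are filled in as a browser sees them.
func ParseSetCookie(line string) *http.Cookie {
	resp := &http.Response{Header: http.Header{"Set-Cookie": {line}}}
	if cs := resp.Cookies(); len(cs) > 0 {
		return cs[0]
	}
	return nil // malformed line: a browser would ignore it
}

// domainMatches: without a Domain attribute the cookie is host-only; with one,
// the request host must equal it or be a subdomain of it (RFC 6265 section 5.1.3).
func domainMatches(c *http.Cookie, setHost, reqHost string) bool {
	if c.Domain == "" {
		return strings.EqualFold(reqHost, setHost)
	}
	d := strings.TrimPrefix(strings.ToLower(c.Domain), ".")
	return reqHost == d || strings.HasSuffix(reqHost, "."+d)
}

// pathMatches implements RFC 6265 section 5.1.4: equal, or a prefix ending at a "/".
func pathMatches(cookiePath, reqPath string) bool {
	if cookiePath == "" {
		cookiePath = "/" // default-path handling simplified to the site root
	}
	return reqPath == cookiePath ||
		(strings.HasPrefix(reqPath, cookiePath) &&
			(strings.HasSuffix(cookiePath, "/") || reqPath[len(cookiePath)] == '/'))
}

// ShouldSend decides whether a browser would attach a cookie that setHost issued
// to a request for scheme://reqHost/reqPath at time now.
func ShouldSend(c *http.Cookie, setHost, scheme, reqHost, reqPath string, now time.Time) bool {
	if !c.Expires.IsZero() && !c.Expires.After(now) {
		return false // Expires: a persistent cookie is discarded once its date has passed
	}
	if c.Secure && scheme != "https" {
		return false // Secure: never sent over plain HTTP
	}
	return domainMatches(c, setHost, strings.ToLower(reqHost)) && pathMatches(c.Path, reqPath)
}
```

A cookie without a Domain attribute is sent only back to the exact host that set it, while a Path of /app is not sent to /application because the match must end at a path-segment boundary.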
-
Firefox Cookie Management
-
Microsoft Internet Explorer 7 Cookie Management
-
Microsoft Internet Explorer 7 Cookie Store
-
Signed Applets
The ability to use a certificate to sign an applet allows the identity of the author to be established.
A signed applet can be hijacked as easily as a graphic or any other file.
Inlining is using an embedded control from another site with or without the other site's permission.
-
Browser Plug-ins
Plug-ins are small application programs that increase a browser's ability to handle new data types and add new functionality.
Dynamic data such as movies and music can be manipulated by a wide variety of plug-ins, and one of the most popular comes from Real Networks.
-
Add-ons for IE 8
-
Open Vulnerability and Assessment Language (OVAL)
OVAL comprises two main elements: an XML-based machine-readable language for describing vulnerabilities, and a repository.
Common Vulnerabilities and Exposures (CVE) is a system that provides a reference method for publicly known information-security vulnerabilities and exposures.
-
Web 2.0 and Security
The foundations of security apply the same way in Web 2.0 as they do elsewhere.
With more capability and greater complexity comes a greater need for strong foundational security efforts.
-
Summary
Describe security issues associated with e-mail.
Implement security practices for e-mail.
Detail the security issues of instant messaging protocols.
Describe the functioning of the SSL/TLS protocol suite.
Explain web applications, plug-ins, and associated security issues.
Describe secure file transfer options.
Explain directory usage for data retrieval.
Explain scripting and other Internet functions that present security concerns.
Use cookies to maintain parameters between web pages.
Examine web-based application security issues.
-
References
[princ00] Principles of Computer Security: CompTIA Security+ and Beyond, Second Edition, Wm. Arthur Conklin et al., McGraw Hill, 2010
[gmail00] Gmail http://www.gmail.com
[thun00] Thunderbird http://www.mozillamessaging.com/en-US/thunderbird/
[enig00] Enigmail http://enigmail.mozdev.org/home/index.php
[gpg00] GPG http://www.gnupg.org/
[seti00] Setting up Thunderbird to work with gmail and gpg http://www.ericpuryear.com/2007/09/24/setting-up-thunderbird-to-work-with-gmail-and-gpg/
[spam00] Dealing with Spam http://www.us-cert.gov/cas/tips/ST04-007.html
[hoax00] Hoax Emails http://www.snopes.com
[oval00] OVAL http://oval.mitre.org/index.html
[vir00] Virus and Spyware http://news.zdnet.com/2422-13569_22-156290.html
[spam01] Spam http://news.zdnet.com/2422-13569_22-156230.html
[mail00] Mail Encryption http://cnettv.cnet.com/secure-your-e-mail-from-prying-eyes/9742-1_53-50004023.html
[conf00] Conficker Worm http://www.cbsnews.com/video/watch/?id=4905403n
[frse00] Free Security Apps http://cnettv.cnet.com/best-free-security-apps/9742-1_53-50002962.html