Email and Mobile Code Issues
CS432 - Security in Computing
Copyright © 2005, 2009 by Scott Orr and the Trustees of Indiana University

Section Overview
  Email architecture
  SPAM Countermeasures
  Browser Issues
  Mobile Code issues
  Code signing
  References
    Security in Computing, 3rd Ed. Chapter 7 (pgs. 420-424, 442-443, 474-479)

TCP/IP-Based Email
  [Figure: Client, Server, Internet and Servers; links labelled pop, imap and smtp]

Email Headers
Return-Path: [email protected]
Received: from dfw-ix4.ix.netcom.com by klingon (SMI-8.6/SMI-SVR4) id TAA24482; Sun, 2 Nov 1997 19:19:38 -0500
Received: (from smap@localhost) by dfw-ix4.ix.netcom.com (8.8.4/8.8.4) id SAA19695 for <[email protected]>; Sun, 2 Nov 1997 18:18:14 -0600 (CST)
Received: from ind-in13-20.ix.netcom.com(207.220.129.116) by dfw-ix4.ix.netcom.com via smap (V1.3) id rma019634; Sun Nov 2 18:18:01 1997
Message-ID: <[email protected]>
Date: Sun, 02 Nov 1997 19:16:33 -0500
From: Scott Orr <[email protected]>
Organization: Purdue U. CS Dept. - IUPUI
X-Mailer: Mozilla 4.03 [en] (Win95; I)
MIME-Version: 1.0
To: [email protected]
Subject: Hello from NetCom
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Length: 43

Hi Scott,

You work too hard!!! :-)

~smo

Secure Email Requirements
  Message Confidentiality
  Message Integrity
  Sender Authenticity
  Nonrepudiation
  Great use of Public Key Cryptography

Email Spam
  Mass transmissions of electronic junk mail
    USENET News
    Electronic Mail
  Often use legitimate systems as remailers
  Section 227, Title 47 of the U.S. Code
    It shall be unlawful for any person within the United States:
    (C) to use any telephone facsimile machine, computer, or other device to send an unsolicited advertisement to a telephone facsimile machine;...
  Coalition Against Unsolicited Commercial Email

Opening Spam-dora’s Box
  April 12, 1994 – Lawyers Laurence Canter and Martha Siegel sent a message about the upcoming Green Card lottery to some 6000+ Usenet News Groups in less than 90 minutes
  Arizona ISP Internet Direct received so many email complaints that their email server(s) crashed more than 15 times.
  C&S's account gets cancelled and they threaten to sue (although they never do)
  C&S publish How to Make a Fortune on the Information Superhighway (1995)

15 years later…
  SPAM (Unsolicited Commercial Email) 72% of all email (1st Qtr. 2009)
  Phishing Attacks less than 1% of all email but growing
  Significant increase in Botnets
  Top Spam-Sending Countries
    United States (28.36%)
    Spain (9.16%)
    China (5.86%)
    Italy (5.71%)
    Brazil (3.8%)
  Source: Commtouch Software Online Labs

Costs of Spam
  Spammers
    Great ROI!!!
    Malware writer partnerships
    Phishing
  Recipient
    Time
    Bandwidth
    Storage space

Illiad’s Solution to Spam…
  [Cartoon] Source: www.userfriendly.org

SPAM Legislation
  CAN-SPAM Act of 2003
    Label Messages as “unsolicited Commercial”
    Prohibit False subject lines/header info
    Include OPT-OUT instructions
    Preempt state laws
  Computer Owner’s Bill of Rights
    FTC maintained subscribed do-not-email list
    FTC can impose civil penalties on offenders
  Wireless Telephone SPAM Protection Act
    Prohibit sending Unsolicited Adverts to wireless devices

Preventive Measures to SPAM
  Personal Methods
    Don’t post email address on web pages
    Send Unsubscribe email to Spammers?
    Configure filters within email programs
    Third party SPAM prevention lists
  System Administrator Methods
    Direct contact with Spammers
    Configure filters on Mail Servers (RBL)
    Block offending address blocks

SPAM Filtering Techniques
  Black lists
  White lists
  Content (keyword blocking)
  Invalid addresses/header values
  Heuristics
  Bayesian Filtering

Greylisting
  Each message identified by a triplet
    Envelope recipient
    Envelope sender
    IP address of delivering host
  Delivery based on following rules:
    If IP address or recipient on whitelist – send msg to recipient
    If not seen triplet before – send tempfail msg and record triplet
    If time limit on triplet not expired – send tempfail msg
    If time limit on triplet expired – send msg to recipient and update last seen time.
    Remove triplet from database after not seen for set period of time
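
The delivery rules above as a small decision function, added here as an example (not code from the course slides). The 300-second delay, the 36-day expiry, the class and function names, and the sample traffic are assumptions.

```python
import time

class Greylist:
    """Greylisting decision following the slide's rules (added example)."""

    def __init__(self, delay=300, expiry=36 * 86400, white_ips=(), white_rcpts=()):
        self.delay = delay      # assumed: seconds a new triplet is tempfailed
        self.expiry = expiry    # assumed: forget triplets unseen this long
        self.white_ips = set(white_ips)
        self.white_rcpts = set(white_rcpts)
        self.db = {}            # triplet -> [first_seen, last_seen]

    def check(self, ip, sender, rcpt, now=None):
        """Return 'accept' or 'tempfail' for one delivery attempt."""
        now = time.time() if now is None else now
        # Rule 1: whitelisted IP or recipient bypasses greylisting.
        if ip in self.white_ips or rcpt in self.white_rcpts:
            return "accept"
        # Rule 5: drop triplets not seen for the expiry period.
        self.db = {t: s for t, s in self.db.items() if now - s[1] <= self.expiry}
        triplet = (rcpt, sender, ip)
        seen = self.db.get(triplet)
        # Rule 2: unknown triplet is recorded and deferred.
        if seen is None:
            self.db[triplet] = [now, now]
            return "tempfail"
        # Rule 3: still inside the delay window, defer again.
        if now - seen[0] < self.delay:
            return "tempfail"
        # Rule 4: delay has passed, deliver and refresh the last-seen time.
        seen[1] = now
        return "accept"

def replay(greylist, attempts):
    """Run constructed (time, ip, sender, rcpt) attempts; return the verdicts."""
    return [greylist.check(ip, s, r, now=t) for t, ip, s, r in attempts]

# Constructed sample traffic: documentation-range IPs and example domains.
ATTEMPTS = [
    (0,   "198.51.100.7", "news@bulk.example", "user@cs.example"),  # first try
    (30,  "198.51.100.7", "news@bulk.example", "user@cs.example"),  # too soon
    (900, "198.51.100.7", "news@bulk.example", "user@cs.example"),  # MTA retry
    (900, "203.0.113.9",  "news@bulk.example", "user@cs.example"),  # new source IP
]

if __name__ == "__main__":
    print(replay(Greylist(), ATTEMPTS))
```

A sender that never retries, or that retries from a different IP address, stays deferred because each new triplet starts its own delay window.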

Sender Policy Framework (SPF)
  Receiving host verifies sender is legitimate mail server for originating domain
  Add TXT (SPF) records to Domain DNS
    Domain specific
    Each host with MX record (also A, PTR, IP addr, external hosts)
    cs.iupui.edu. IN TXT "v=spf1 mx a:storm.cs.iupui.edu"
  Issues
    Breaks email forwarding
    Spammers can still send messages if they have an account on domain
    Most major ISPs do not support SPF (yet)
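
How a receiving host would evaluate the slide's record, as an added example (not from the course material): DNS is replaced by a constructed table and only the all, ip4, a and mx mechanisms are handled. The host mail.cs.iupui.edu, the domain strict.example and every IP address are assumptions.

```python
import ipaddress

# Constructed DNS data for the example: the first TXT record is the one on the
# slide; mail.cs.iupui.edu, strict.example and all addresses are placeholders.
DNS = {
    ("cs.iupui.edu", "TXT"): ["v=spf1 mx a:storm.cs.iupui.edu"],
    ("cs.iupui.edu", "MX"): ["mail.cs.iupui.edu"],
    ("mail.cs.iupui.edu", "A"): ["192.0.2.25"],
    ("storm.cs.iupui.edu", "A"): ["192.0.2.40"],
    ("strict.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype):
    """Stand-in for a DNS query against the constructed table above."""
    return DNS.get((name.lower().rstrip("."), rtype), [])

def check_spf(client_ip, domain):
    """Evaluate a subset of SPF (all, ip4, a, mx) for the connecting IP."""
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in lookup(domain, "TXT") if t.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"              # more than one SPF record is an error
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        mech = mech.lower()
        if mech == "all":
            hit = True
        elif mech == "ip4":
            hit = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hit = str(ip) in lookup(arg or domain, "A")
        elif mech == "mx":
            hosts = lookup(arg or domain, "MX")
            hit = any(str(ip) in lookup(h, "A") for h in hosts)
        else:
            return "permerror"          # term outside this example's subset
        if hit:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched, no "all" term

if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.40", "203.0.113.9"):
        print(ip, check_spf(ip, "cs.iupui.edu"))
    print("203.0.113.9", check_spf("203.0.113.9", "strict.example"))
```

Because the slide's record has no closing all term, a host that matches nothing gets neutral rather than fail. The strict.example record shows how -all turns the same miss into fail, which is also what happens to a forwarding relay that is not listed in the original domain's record.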

Yahoo DomainKeys
  Verifies sending domain and message integrity
    Sender digitally signs message
    Receiver gets sender public key from sender’s DNS server to verify signature
  Issues
    User is not authenticated
    No central Certificate Authority
    DNS Security?

World Wide Web Components
  [Figure: Widget Web Server and User Workstation; the Browser shows a "Widget 2.0" page with Download Demo and Buy it Now links and an order form (Name, CC #, Submit, Reset)]

Browser Security Concerns
  Rapidly developed (buggy) code
  Stores a history of visited sites
  Password caching
  Helper Applications
    External programs started to handle certain (MIME) links
    Helper application bugs
    Viruses and Trojan Horses

“Plug-ins”
  Loads directly into browser
  Full access to all data on computer
  Written by third party
  Security concerns
    Rogue Plug-ins
    Trojan Horse of “good” Plug-in
    Plug-in bugs
    Plug-in macro language

Java “Safety”
  Automatic Garbage Collection
  Built-in bounds checking
  No pointers
  Single inheritance
  Strong type checking
  Powerful Exception Handling

Java System
  [Figure: Java Runtime Libraries; Java Virtual Machine (JVM); Sandbox (programs and applets running); ByteCode Verifier; Class Loader; Java Security Manager; program downloaded into sandbox from WWW; Computer Screen showing "Hello"]
  Source: Web Security and Commerce, Simson Garfinkel and Gene Spafford

JavaScript Security
  Features
    No direct access to computer file systems
    Inability to directly open network connections to other computers
  Issues
    Automatic submission of email via forms
    Access to browser history information
    Monitor URLs accessed in other windows

Java/JavaScript Attacks
  Denial of Service Attacks
    CPU and Stack attacks
    Inability to interrupt while running
    Swap space attacks
    Window system attacks
  Spoofing Attacks

ActiveX Controls
  Types of code
    Java ByteCode
    Native machine code (Visual Basic, C, etc.)
  Automatically run when downloaded
  Can be Digitally Signed (Authenticode)
    Helps ensure control is from trusted source
    Not a guarantee of safety!!!

Authenticode
  [Figure: Executable Program, Signature, Author Certificate]
  Source: Web Security and Commerce, Simson Garfinkel and Gene Spafford