Page 1: Email and Mobile Code Issues

CS432 - Security in Computing

Copyright © 2005, 2009 by Scott Orr and the Trustees of Indiana University

Page 2: Section Overview

Email architecture
SPAM countermeasures
Browser issues
Mobile code issues
Code signing

Page 3: References

Security in Computing, 3rd Ed., Chapter 7 (pgs. 420-424, 442-443, 474-479)

Page 4: TCP/IP-Based Email

[Diagram: the user's client submits outgoing mail to its local server over SMTP and retrieves incoming mail from it over POP or IMAP; mail servers relay messages to each other across the Internet over SMTP.]

Page 5: Email Headers

Return-Path: [email protected]
Received: from dfw-ix4.ix.netcom.com by klingon (SMI-8.6/SMI-SVR4) id TAA24482; Sun, 2 Nov 1997 19:19:38 -0500
Received: (from smap@localhost) by dfw-ix4.ix.netcom.com (8.8.4/8.8.4) id SAA19695 for <[email protected]>; Sun, 2 Nov 1997 18:18:14 -0600 (CST)
Received: from ind-in13-20.ix.netcom.com(207.220.129.116) by dfw-ix4.ix.netcom.com via smap (V1.3) id rma019634; Sun Nov 2 18:18:01 1997
Message-ID: <[email protected]>
Date: Sun, 02 Nov 1997 19:16:33 -0500
From: Scott Orr <[email protected]>
Organization: Purdue U. CS Dept. - IUPUI
X-Mailer: Mozilla 4.03 [en] (Win95; I)
MIME-Version: 1.0
To: [email protected]
Subject: Hello from NetCom
Content-Type: text/plain; charset=us-asciii
Content-Transfer-Encoding: 7bit
Content-Length: 43

Hi Scott,

You work too hard!!! :-)

~smo
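The Received lines above are the forensic record of a message's path, read from the bottom (first hop) up to the top (the line your own server added). Only that topmost line is under your control; everything below it arrived from the peer as text and can be forged. The following is an added example, not code from the slides: it parses the chain with Python's standard email module, checks that each hop's "from" host is the host that wrote the line beneath it, and pulls out the earliest IP literal. The sample messages are constructed (the slide's redacted addresses are replaced with placeholders in the reserved .invalid TLD, and the forgery is invented to show a broken chain).

```python
import re
from email import message_from_string
from typing import List, NamedTuple, Optional

# Constructed sample: the slide's message, with the redacted addresses replaced by
# placeholders. Header order is as on the slide: the topmost Received line was added
# last, by the final (our own) server "klingon".
SAMPLE = """\
Return-Path: smo@sender.invalid
Received: from dfw-ix4.ix.netcom.com by klingon (SMI-8.6/SMI-SVR4) id TAA24482; Sun, 2 Nov 1997 19:19:38 -0500
Received: (from smap@localhost) by dfw-ix4.ix.netcom.com (8.8.4/8.8.4) id SAA19695 for <sorr@recipient.invalid>; Sun, 2 Nov 1997 18:18:14 -0600 (CST)
Received: from ind-in13-20.ix.netcom.com(207.220.129.116) by dfw-ix4.ix.netcom.com via smap (V1.3) id rma019634; Sun Nov 2 18:18:01 1997
From: Scott Orr <smo@sender.invalid>
To: sorr@recipient.invalid
Subject: Hello from NetCom

Hi Scott,

You work too hard!!! :-)

~smo
"""

# Constructed forgery: the sender pre-wrote a Received line naming a bank's mail host,
# but that line claims a receiving host that never handed the message to "klingon".
FORGED = """\
Received: from relay.spammer.invalid by klingon (SMI-8.6/SMI-SVR4) id TAA31337; Sun, 2 Nov 1997 20:00:00 -0500
Received: from mail.bigbank.invalid(203.0.113.9) by mx.bigbank.invalid id 42; Sun, 2 Nov 1997 19:58:00 -0500
From: security@bigbank.invalid
To: sorr@recipient.invalid
Subject: Please confirm your account

Click here.
"""

class Hop(NamedTuple):
    sender: Optional[str]  # host named after "from" (None for an internal hand-off such as smap@localhost)
    receiver: str          # host named after "by": the MTA that wrote this line
    ip: Optional[str]      # IP literal the receiving MTA recorded for its peer, if any

FROM_RE = re.compile(r"^from\s+([A-Za-z0-9.-]+)")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

def parse_received(raw: str) -> List[Hop]:
    """Return the Received chain, most recent hop first (the order in the message)."""
    msg = message_from_string(raw)
    hops: List[Hop] = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m_by = BY_RE.search(value)
        if m_by is None:
            continue                             # no "by": not a usable hop, do not guess
        m_from = FROM_RE.match(value)
        m_ip = IP_RE.search(value)
        hops.append(Hop(m_from.group(1) if m_from else None,
                        m_by.group(1),
                        m_ip.group(1) if m_ip else None))
    return hops

def chain_is_consistent(hops: List[Hop]) -> bool:
    """Each hop's "from" host should be the host that wrote the line below it.
    A break is evidence of forged headers; an unbroken chain is NOT proof of
    authenticity, because only the topmost line (written by your own server) is
    trustworthy and a careful forger can fabricate a consistent chain."""
    for upper, lower in zip(hops, hops[1:]):
        if upper.sender is not None and upper.sender != lower.receiver:
            return False
    return True

def origin_ip(hops: List[Hop]) -> Optional[str]:
    """Earliest IP literal in the chain: where the message claims to have entered the
    mail system. Use it for blocklist lookups only as far down as you trust the chain."""
    for hop in reversed(hops):
        if hop.ip:
            return hop.ip
    return None

if __name__ == "__main__":
    for name, raw in (("slide sample", SAMPLE), ("forgery", FORGED)):
        hops = parse_received(raw)
        print(name, "->", "consistent" if chain_is_consistent(hops) else "BROKEN CHAIN",
              "origin", origin_ip(hops))
```

For the slide's message the chain is consistent and the origin is 207.220.129.116 (the dial-up host that handed the mail to NetCom's relay); for the forgery the top line's "from" does not match the "by" of the line beneath it, which is the tell.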

Page 6: Secure Email Requirements

Message confidentiality
Message integrity
Sender authenticity
Nonrepudiation

Great use of public key cryptography

Page 7: Email Spam

Mass transmissions of electronic junk mail
  USENET News
  Electronic mail
Often use legitimate systems as remailers
Section 227, Title 47 of the U.S. Code:
  "It shall be unlawful for any person within the United States: ... (C) to use any telephone facsimile machine, computer, or other device to send an unsolicited advertisement to a telephone facsimile machine; ..."
Coalition Against Unsolicited Commercial Email (CAUCE)

Page 8: Opening Spam-dora's Box

April 12, 1994: lawyers Laurence Canter and Martha Siegel post a message about the upcoming Green Card lottery to some 6000+ Usenet newsgroups in less than 90 minutes
Arizona ISP Internet Direct receives so many email complaints that its email server(s) crash more than 15 times
C&S's account is cancelled; they threaten to sue (but never do)
C&S publish How to Make a Fortune on the Information Superhighway (1995)

Page 9: 15 years later...

SPAM (unsolicited commercial email): 72% of all email (1st Qtr. 2009)
Phishing attacks: less than 1% of all email, but growing
Significant increase in botnets
Top spam-sending countries:
  United States (28.36%)
  Spain (9.16%)
  China (5.86%)
  Italy (5.71%)
  Brazil (3.8%)
Source: Commtouch Software Online Labs

Page 10: Costs of Spam

Spammers
  Great ROI!!!
  Malware writer partnerships
  Phishing
Recipient
  Time
  Bandwidth
  Storage space

Page 11: Illiad's Solution to Spam...

[Comic strip. Source: www.userfriendly.org]

Page 12: SPAM Legislation

CAN-SPAM Act of 2003
  Label messages as "unsolicited commercial"
  Prohibit false subject lines/header info
  Include opt-out instructions
  Preempt state laws
Computer Owner's Bill of Rights
  FTC-maintained subscribed do-not-email list
  FTC can impose civil penalties on offenders
Wireless Telephone SPAM Protection Act
  Prohibit sending unsolicited adverts to wireless devices

Page 13: Preventive Measures against SPAM

Personal methods
  Don't post email address on web pages
  Send unsubscribe email to spammers? (a reply only confirms that the address is live)
  Configure filters within email programs
  Third-party SPAM prevention lists
System administrator methods
  Direct contact with spammers
  Configure filters on mail servers (RBL)
  Block offending address blocks

Page 14: SPAM Filtering Techniques

Black lists
White lists
Content (keyword blocking)
Invalid addresses/header values
Heuristics
Bayesian filtering

Page 15: Greylisting

Each message identified by a triplet:
  Envelope recipient
  Envelope sender
  IP address of delivering host
Delivery based on the following rules:
  If IP address or recipient on whitelist: deliver message to recipient
  If triplet not seen before: send tempfail message and record triplet
  If time limit on triplet not expired: send tempfail message
  If time limit on triplet expired: deliver message to recipient and update last-seen time
  Remove triplet from database after not seen for a set period of time
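The rules above are a small state machine keyed on the triplet, and the reason they work is that a real MTA queues and retries after a temporary failure while most spam-sending software fires once and moves on. The following is an added example, not code from the slides: it implements exactly those rules with the clock injected so the delays can be simulated. The addresses, IPs (RFC 5737 documentation ranges), delay and expiry values are constructed for the example.

```python
import time
from typing import Callable, Dict, Iterable, List, Tuple

Triplet = Tuple[str, str, str]  # (envelope sender, envelope recipient, IP of delivering host)

ACCEPT = "250 OK"
TEMPFAIL = "451 4.7.1 Greylisted, try again later"

class Greylister:
    """The rules on the slide, with the clock injectable so the delays can be
    simulated instead of waited for."""

    def __init__(self, delay: int = 300, max_age: int = 36 * 3600,
                 ip_whitelist: Iterable[str] = (), rcpt_whitelist: Iterable[str] = (),
                 clock: Callable[[], float] = time.time) -> None:
        self.delay = delay            # seconds a new triplet is refused before it may deliver
        self.max_age = max_age        # forget a triplet not seen for this long
        self.ip_whitelist = set(ip_whitelist)
        self.rcpt_whitelist = {r.lower() for r in rcpt_whitelist}
        self.clock = clock
        self.db: Dict[Triplet, Tuple[float, float]] = {}   # triplet -> (first_seen, last_seen)

    def purge(self) -> None:
        """Drop triplets whose last_seen is older than max_age."""
        now = self.clock()
        stale = [k for k, (_, last_seen) in self.db.items() if now - last_seen > self.max_age]
        for k in stale:
            del self.db[k]

    def decide(self, sender: str, recipient: str, ip: str) -> str:
        """SMTP response to give at RCPT TO time for this delivery attempt."""
        now = self.clock()
        self.purge()
        if ip in self.ip_whitelist or recipient.lower() in self.rcpt_whitelist:
            return ACCEPT
        key: Triplet = (sender.lower(), recipient.lower(), ip)
        if key not in self.db:
            self.db[key] = (now, now)       # never seen: record it and refuse, temporarily
            return TEMPFAIL
        first_seen, _ = self.db[key]
        if now - first_seen < self.delay:
            return TEMPFAIL                 # retried too soon: still refuse
        self.db[key] = (first_seen, now)    # delay expired: deliver and refresh last_seen
        return ACCEPT

def scenario() -> List[str]:
    """Simulated timeline; returns the SMTP response given to each delivery attempt."""
    clock = {"t": 1_000_000.0}
    g = Greylister(delay=300, max_age=3600, ip_whitelist={"192.0.2.10"}, clock=lambda: clock["t"])
    spam = ("bulk@spammer.invalid", "user@example.invalid", "198.51.100.7")
    out = []
    out.append(g.decide(*spam))          # first attempt: unknown triplet, refused
    clock["t"] += 60
    out.append(g.decide(*spam))          # retry inside the delay window: still refused
    clock["t"] += 300
    out.append(g.decide(*spam))          # retry after the delay: accepted (a real MTA retries; most spamware never does)
    out.append(g.decide("news@partner.invalid", "user@example.invalid", "192.0.2.10"))  # whitelisted IP: accepted at once
    clock["t"] += 4000
    out.append(g.decide(*spam))          # triplet aged out of the database: back to square one
    return out

if __name__ == "__main__":
    for step, response in enumerate(scenario(), 1):
        print(step, response)
```

Two things practitioners change in production: the delivering-host key is often widened to the /24 (large senders retry from a different host in the same farm, which would otherwise look like a new triplet every time), and whitelists are seeded with known retrying senders so that first-contact mail from them is not delayed.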

Page 16: Sender Policy Framework (SPF)

Receiving host verifies that the connecting sender is a legitimate mail server for the originating domain
Add TXT (SPF) records to the domain's DNS
  Domain specific
  List each host that sends mail for the domain: the MX hosts (also A records, PTR, IP addresses, external hosts)
  cs.iupui.edu. IN TXT "v=spf1 mx a:storm.cs.iupui.edu"
Issues
  Breaks email forwarding
  Spammers can still send messages if they have an account on the domain
  Most major ISPs do not support SPF (yet)
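What the receiving host actually does with that TXT record is walk its mechanisms left to right against the connecting IP and return the qualifier of the first one that matches. The following is an added example, not code from the slides or any SPF library: a small evaluator over constructed zone data (the TXT record is the slide's; the MX and A data and every IP address are invented, from the RFC 5737 documentation ranges). It makes two of the slide's points concrete: the slide's record has no trailing "all" term, so a spoofed host gets "neutral" rather than "fail", and once "-all" is added a forwarder relaying a genuine message fails exactly like a spoofer.

```python
import ipaddress
from typing import Dict, List, Tuple

RR = Tuple[str, str]   # (owner name, record type)

# Constructed zone data. The TXT record is the one from the slide; MX/A data and all
# addresses are invented for this example (RFC 5737 ranges), not the real zone.
DNS: Dict[RR, List[str]] = {
    ("cs.iupui.edu", "TXT"): ["v=spf1 mx a:storm.cs.iupui.edu"],
    ("cs.iupui.edu", "MX"): ["mail.cs.iupui.edu"],
    ("mail.cs.iupui.edu", "A"): ["192.0.2.2"],
    ("storm.cs.iupui.edu", "A"): ["192.0.2.20"],
}

# Same zone, but the record ends with "-all" so unlisted hosts get a hard fail.
STRICT_DNS = dict(DNS)
STRICT_DNS[("cs.iupui.edu", "TXT")] = ["v=spf1 mx a:storm.cs.iupui.edu -all"]

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(dns: Dict[RR, List[str]], name: str, rtype: str) -> List[str]:
    return dns.get((name.lower().rstrip("."), rtype), [])

def check_host(ip: str, domain: str, dns: Dict[RR, List[str]] = DNS, depth: int = 0) -> str:
    """Evaluate the domain's SPF record for a connecting IP. Supports the mechanisms
    the slide mentions (mx, a, a:host) plus ip4, include and all; anything else is a
    permerror rather than a silent pass. CIDR suffixes on a/mx and IPv6 are left out."""
    records = [r for r in lookup(dns, domain, "TXT") if r.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1 or depth > 10:
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        if "=" in term:                       # modifiers (redirect=, exp=) are ignored here
            continue
        qual, mech = "+", term
        if term[0] in QUALIFIERS:
            qual, mech = term[0], term[1:]
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = any(ipaddress.ip_address(a) == addr for a in lookup(dns, arg or domain, "A"))
        elif name == "mx":
            matched = any(ipaddress.ip_address(a) == addr
                          for mx in lookup(dns, arg or domain, "MX")
                          for a in lookup(dns, mx, "A"))
        elif name == "include":
            matched = check_host(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"   # nothing matched and no explicit "all": the default result

if __name__ == "__main__":
    print("storm sends      :", check_host("192.0.2.20", "cs.iupui.edu"))
    print("MX host sends    :", check_host("192.0.2.2", "cs.iupui.edu"))
    print("spoofer, no -all :", check_host("203.0.113.5", "cs.iupui.edu"))
    print("spoofer, -all    :", check_host("203.0.113.5", "cs.iupui.edu", STRICT_DNS))
    print("forwarder, -all  :", check_host("198.51.100.9", "cs.iupui.edu", STRICT_DNS))
```

The second issue on the slide also falls out of the code: any account holder who relays through the MX host or storm gets "pass", because SPF checks the connecting host, never the user behind it.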

Page 17: Yahoo DomainKeys

Verifies sending domain and message integrity
  Sender digitally signs message
  Receiver gets sender's public key from sender's DNS server to verify signature
Issues
  User is not authenticated
  No central Certificate Authority
  DNS security?
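The three issues on the slide are consequences of where the key comes from: the receiver looks up a public key in the signing domain's own DNS, so a valid signature proves only that the message passed through whoever holds the key that DNS currently serves. The following is an added example, not Yahoo's or any DKIM library's code, that runs the signing and verification flow end to end with a constructed DNS table. The RSA is textbook RSA on two Mersenne primes (2^31-1 and 2^61-1, far too small for real use) so the block runs offline without a crypto library; real DomainKeys/DKIM uses RSA-SHA with 1024/2048-bit keys and proper padding. The selector name, header set, tag names and all addresses are assumptions of the example.

```python
import hashlib
from typing import Dict, Tuple

Key = Tuple[int, int]   # (modulus n, exponent)

def toy_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Textbook RSA on constructed small primes: enough to run the protocol flow,
    worthless as cryptography. Returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def _digest(data: bytes, n: int) -> int:
    # fold the SHA-256 digest into the toy modulus; real RSA pads instead of reducing
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def rsa_sign(data: bytes, priv: Key) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)

def rsa_verify(data: bytes, sig: int, pub: Key) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)

# Canonical form of what gets signed: a fixed header set plus the body.
SIGNED_HEADERS = ("from", "to", "subject")

def canonical(headers: Dict[str, str], body: str) -> bytes:
    lines = [f"{h}:{' '.join(headers.get(h, '').split())}" for h in SIGNED_HEADERS]
    return ("\n".join(lines) + "\n\n" + body.strip()).encode()

# The receiver fetches the key from DNS at <selector>._domainkey.<domain>.
def publish_key(dns: Dict[str, str], domain: str, selector: str, pub: Key) -> None:
    dns[f"{selector}._domainkey.{domain}"] = f"k=rsa; n={pub[0]}; e={pub[1]}"

def _tags(record: str) -> Dict[str, str]:
    return dict(t.strip().split("=", 1) for t in record.split(";") if t.strip())

def sign_message(headers: Dict[str, str], body: str, domain: str, selector: str, priv: Key) -> Dict[str, str]:
    signed = dict(headers)
    sig = rsa_sign(canonical(headers, body), priv)
    signed["domainkey-signature"] = f"a=rsa-sha256; d={domain}; s={selector}; b={sig}"
    return signed

def verify_message(headers: Dict[str, str], body: str, dns: Dict[str, str]) -> str:
    """'pass' means only that the message was signed by whoever holds the key DNS
    currently serves for d=/s=. It authenticates a domain's signer, not the person
    named in From:, and it trusts the DNS answer completely."""
    hdr = headers.get("domainkey-signature")
    if hdr is None:
        return "none"
    tags = _tags(hdr)
    record = dns.get(f"{tags['s']}._domainkey.{tags['d']}")
    if record is None:
        return "no-key"
    kt = _tags(record)
    pub = (int(kt["n"]), int(kt["e"]))
    return "pass" if rsa_verify(canonical(headers, body), int(tags["b"]), pub) else "fail"

def demo() -> Dict[str, str]:
    pub, priv = toy_keypair(2147483647, 2305843009213693951)   # the domain's signing key
    dns: Dict[str, str] = {}
    publish_key(dns, "cs.iupui.edu", "mail", pub)
    msg = {"from": "Scott Orr <smo@cs.iupui.edu>", "to": "sorr@example.invalid", "subject": "Hello"}
    body = "You work too hard!!! :-)"
    signed = sign_message(msg, body, "cs.iupui.edu", "mail", priv)

    # Every account on the domain gets the same domain signature: the user is not authenticated.
    other_signed = sign_message(dict(msg, **{"from": "someone-else@cs.iupui.edu"}), body,
                                "cs.iupui.edu", "mail", priv)

    # DNS is the whole root of trust (no CA): an attacker who can answer the key lookup
    # publishes their own key under the same name and their forgery verifies.
    atk_pub, atk_priv = toy_keypair(8191, 131071)
    poisoned = dict(dns)
    publish_key(poisoned, "cs.iupui.edu", "mail", atk_pub)
    lure = "Send your password."
    forged = sign_message(dict(msg, **{"from": "helpdesk@cs.iupui.edu"}), lure,
                          "cs.iupui.edu", "mail", atk_priv)

    return {
        "genuine": verify_message(signed, body, dns),
        "tampered": verify_message(signed, body + " P.S. wire me money", dns),
        "unsigned": verify_message(msg, body, dns),
        "other_user_same_domain": verify_message(other_signed, body, dns),
        "forged_honest_dns": verify_message(forged, lure, dns),
        "forged_poisoned_dns": verify_message(forged, lure, poisoned),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} {result}")
```

The last two results are the "DNS security?" bullet in one line each: the same forged message fails against honest DNS and passes against a poisoned answer, which is why DKIM deployments today pair the lookup with DNSSEC or accept that the check is only as strong as the resolver path.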

Page 18: World Wide Web Components

[Diagram: a user workstation running a browser requests pages from the Widget web server. The rendered page, "Widget 2.0", offers "Download Demo" and "Buy it Now" links and an order form with Name and CC # fields and Submit/Reset buttons.]

Page 19: Browser Security Concerns

Rapidly developed (buggy) code
Stores a history of visited sites
Password caching
Helper applications
  External programs started to handle certain (MIME) links
  Helper application bugs
  Viruses and Trojan horses

Page 20: "Plug-ins"

Loads directly into browser
Full access to all data on computer
Written by third party
Security concerns
  Rogue plug-ins
  Trojan horse of "good" plug-in
  Plug-in bugs
  Plug-in macro language

Page 21: Java "Safety"

Automatic garbage collection
Built-in bounds checking
No pointers
Single inheritance
Strong type checking
Powerful exception handling

Page 22: Java System

[Diagram: a program ("Hello") downloaded from the WWW runs inside the sandbox alongside other programs and applets, on top of the Java Runtime Libraries and the Java Virtual Machine (JVM). Incoming code passes through the Class Loader and the ByteCode Verifier, and the Java Security Manager sits between the sandboxed code and the rest of the system; the program's output appears on the computer screen.]

Source: Web Security and Commerce, Simson Garfinkel and Gene Spafford

Page 23: JavaScript Security

Features
  No direct access to computer file systems
  Inability to directly open network connections to other computers
Issues
  Automatic submission of email via forms
  Access to browser history information
  Monitor URLs accessed in other windows

Page 24: Java/JavaScript Attacks

Denial of service attacks
  CPU and stack attacks
  Inability to interrupt while running
  Swap space attacks
  Window system attacks
Spoofing attacks

Page 25: ActiveX Controls

Types of code
  Java ByteCode
  Native machine code (Visual Basic, C, etc.)
Automatically run when downloaded
Can be digitally signed (Authenticode)
  Helps ensure control is from a trusted source
  Not a guarantee of safety!!!

Page 26: Authenticode

[Diagram: an executable program carries a signature and the author's certificate.]

Source: Web Security and Commerce, Simson Garfinkel and Gene Spafford