Guide to Operating System Security
Chapter 10
E-mail Security
Objectives
- Understand the use of SMTP in e-mail and attacks on SMTP
- Explain how e-mail can be secured through certificates and encryption
- Discuss general techniques for securing e-mail
- Configure security in popular e-mail tools
Overview of SMTP
- Enables exchange of e-mail across networks and the Internet
- Provides reliable – but not guaranteed – message transport
- No logon ID or password required
- A client and server process
Sending E-Mail by SMTP
Parts of SMTP Messages
- Address header
  - Envelope
  - Message header
  - Domain literal
  - Multihomed host
  - Host names
- Message text
Overview of SMTP
- Protocols used to store and retrieve e-mail
  - Post Office Protocol (POP)
  - Internet Message Access Protocol (IMAP)
Operating Systems That Use SMTP by Default
- Microsoft Outlook Express on Windows 2000/XP/2003
- Microsoft Outlook in Windows-based systems that have Microsoft Office
- Ximian Evolution Mail in Red Hat Linux 9.x
- Mail in Mac OS X
E-mail Server Software Systems That Use SMTP
- Eudora
- Lotus Domino Mail Server
- Mailtraq
- Merak Email
- Microsoft Exchange
- Sendmail
- SuSE Linux Open Exchange Server
E-mail Attacks on SMTP
- Surreptitious alteration of a DNS server
- Direct use of command-line e-mail tools to attack SMTP communications
- Spread of unsolicited commercial e-mail (spam)
DNS Server Directing E-mail
E-mail Attacks Through Altering DNS Server Information
Using Command-Line Tools for E-mail Attacks
- Windows 2000/XP/2003
  - Attacker can use maliciously constructed e-mail to attack an SMTP server
- UNIX/Linux
  - Easier; attacker can use built-in e-mail command-line options
Unsolicited Commercial E-mail (UCE)
- Relatively inexpensive for sender
- Expensive for users whose resources are diminished by UCE traffic
- Expensive in terms of wasted time (estimated 25% of all Internet e-mail traffic is spam)
Ways to Control UCE (Spam)
- Turn off open SMTP relay capability
- Configure SMTP server to have restrictions
- Require a computer to authenticate to Microsoft Exchange before e-mail is relayed
- Direct e-mail not addressed to internal recipients to a bogus IP address
- Obtain tools to block e-mail
Securing E-mail Through Certificates and Encryption
- Ensures privacy
- Reduces chances of forgery or someone other than sender adding an attachment
- Accepted methods
  - Secure Multipurpose Internet Mail Extensions (S/MIME)
  - Pretty Good Privacy (PGP)
Using S/MIME Encryption
- Provides encryption and authentication for e-mail transmissions
- An extension of MIME
MIME
- Provides extensions to original SMTP address header information
- Different types of message content can be encoded for transport over the Internet
- Additional header fields
  - MIME-version
  - Content-type
  - Content-transfer-encoding
  - Content-ID
  - Content-description
Using S/MIME Encryption
- Uses digital certificates based on X.509 standard
- Has flexibility to use 168-bit key Triple DES
- Designed to follow Public-Key Cryptography Standards (PKCS)
Using PGP Security
- Provides encryption and authentication for e-mail transmissions
- Sometimes preferred by users of open systems (UNIX/Linux); enables use of X.509 or PGP digital certificates
- Unique characteristic of PGP certificate: web of trust
Contents of PGP Digital Certificate
- PGP version number
- Public key
- Information about certificate holder
- Digital signature of certificate holder
- Validity period of the certificate
- Preferred algorithm for the key
Typical Encryption Methods Used by PGP
- CAST
- IDEA
- Triple DES
Other Techniques for Securing E-mail
- Train users
- Scan e-mail
- Control the use of attachments
Training Users for E-mail Security
- Never send personal information or a password response via e-mail
- Delete e-mail from unrecognized sources
- Use message filtering, if available
Scanning E-mail
- Place virus scanning software on e-mail gateway
- Update virus definitions frequently
- Quarantine specific kinds of attachments
- Scan zipped files
- Scanner code should be written to be relatively fast
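
The gateway checks listed on this slide (quarantine specific kinds of attachments, scan zipped files, keep the scanner fast) can be sketched with Python's standard `email` and `zipfile` modules. This is an added example, not part of the original slides; the blocked-extension list, the archive member cap, the function names and the sample message are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = {".exe", ".scr", ".vbs", ".js", ".bat", ".pif"}  # assumed policy, not from the slides
MAX_ZIP_MEMBERS = 100  # cap work per archive so the scanner stays fast

def blocked(name):
    return any(name.lower().endswith(ext) for ext in BLOCKED_EXT)

def scan_zip(data):
    try:
        members = zipfile.ZipFile(io.BytesIO(data)).infolist()  # names only, nothing extracted
    except zipfile.BadZipFile:
        return ("quarantine", "unreadable archive")
    if len(members) > MAX_ZIP_MEMBERS:
        return ("quarantine", "too many archive members")
    for info in members:
        if info.flag_bits & 0x1:  # encrypted member cannot be inspected
            return ("quarantine", "encrypted archive member")
        if blocked(info.filename):
            return ("quarantine", "blocked file inside zip: " + info.filename)
    return ("deliver", "zip contents allowed")

def scan_message(raw):
    """Return (filename, verdict, reason) for each attachment in a raw MIME message."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""  # undo Content-Transfer-Encoding
        if blocked(name):
            results.append((name, "quarantine", "blocked extension"))
        elif zipfile.is_zipfile(io.BytesIO(data)):  # judge by content, not declared type
            results.append((name,) + scan_zip(data))
        else:
            results.append((name, "deliver", part.get_content_type()))
    return results

def build_sample():
    """Constructed sample: a text attachment and a zip, named .bin, holding a .exe."""
    msg = EmailMessage()
    msg.set_content("See attachments.")
    msg.add_attachment("quarterly numbers", filename="notes.txt")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"constructed placeholder bytes")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream", filename="docs.bin")
    return msg.as_bytes()
```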
Controlling the Use of Attachments
- Delete attachments from unknown sources
- Never configure software to automatically open attachments
- Avoid using HTML format for opening e-mail
- Use virus scanner on e-mail before opening it
- Place attachments in quarantine
Backing Up E-mail
- For storage
- To ensure that unread e-mail is not lost if server goes down
Configuring Security in Popular E-mail Tools
- Microsoft Outlook Express
- Microsoft Outlook
- Ximian Evolution Mail in Red Hat Linux 9.x
- Mail in Mac OS X
Microsoft Outlook Express
- Included with Windows 2000/XP/2003
- Can obtain messages from SMTP-based servers running e-mail server software
- Can be used to access newsgroups
Microsoft Outlook Express
Security Measures Supported by Outlook Express
- S/MIME (version 3)
- 40-bit and 128-bit RC2 encryption
- 64-bit RC2 encryption
- 56-bit DES encryption
- 168-bit Triple DES encryption
- Digital signatures encrypted using SHA-1
Configuration Options for Outlook Express
Microsoft Outlook Express
- Enables you to export e-mail to Microsoft Outlook or a Microsoft Exchange server
- Can be used to back up messages from other systems
- Enables you to block or filter messages from unwanted sources
Microsoft Outlook
- Included with Microsoft Office
- Has multiple capabilities
  - E-mail communications
  - Calendar
  - Ability to track tasks, list contacts, and make notes
Microsoft Outlook Security Features
- S/MIME (version 3)
- 40-bit and 128-bit RC2 encryption
- 64-bit RC2 encryption
- 56-bit DES encryption
- 168-bit Triple DES encryption
- Digital signatures encrypted using SHA-1
- V1 Exchange Server Security certificates
Configuration Options for Microsoft Outlook
Microsoft Outlook
- Ability to back up messages by exporting to a file (many file types available)
- Ability to add specific Web sites to junk e-mail list
Ximian Evolution Mail in Red Hat Linux 9.x
- Processes e-mail
- Schedules activities on a calendar
- Records tasks
- Creates list of contacts
- Summary function (weather, inbox/outbox totals, appointments, updates and errata)
Ximian Evolution Mail in Red Hat Linux 9.x
Ximian Evolution Mail in Red Hat Linux 9.x
- Capability to configure more than one account with unique properties
- Can be configured to use either PGP security or GnuPG
Configuration Options for Evolution Mail
Apple Mail (Continued)
- Comes with Mac OS X
- Focuses on handling e-mail activities
- Enables creation of filters to reject mail from unwanted or unknown sources
- Capability to configure different accounts
Apple Mail (Continued)
Apple Mail (Continued)
- Uses PGP for security
- Can specify use of SSL for security over Internet links to e-mail
- Provides different authentication methods for verifying access to an e-mail account
  - Password authentication
  - Kerberos version 4 and version 5
  - MD5 challenge-response
Summary
- How operating systems use SMTP for e-mail
- Sources of e-mail attacks
  - Over 90% of malicious software strikes through e-mail
- How certificates and encryption can protect e-mail
- How to configure security in e-mail software typically used with operating systems