Guide to Operating System Security Chapter 10 E-mail Security.

Guide to Operating System Security

Chapter 10

E-mail Security

2 Guide to Operating System Security

Objectives

Understand the use of SMTP in e-mail and attacks on SMTP

Explain how e-mail can be secured through certificates and encryption

Discuss general techniques for securing e-mail Configure security in popular e-mail tools


Overview of SMTP

Enables exchange of e-mail across networks and the Internet

Provides reliable – but not guaranteed – message transport

No logon ID or password required A client and server process


Sending E-Mail by SMTP


Parts of SMTP Messages

Address header Envelope Message header Domain literal Multihomed host Host names

Message text


Overview of SMTP

Protocols used to store and retrieve e-mail Post Office Protocol (POP) Internet Message Access Protocol (IMAP)


Operating Systems That Use SMTP by Default

Microsoft Outlook Express on Windows 2000/XP/2003

Microsoft Outlook in Windows-based systems that have Microsoft Office

Ximian Evolution Mail in Red Hat Linux 9.x Mail in Mac OS X


E-mail Server Software Systems That Use SMTP

Eudora Lotus Domino Mail Server Mailtraq Merak Email Microsoft Exchange Sendmail SuSE Linux Open Exchange Server


E-mail Attacks on SMTP

Surreptitious alteration of a DNS server Direct use of command-line e-mail tools to

attack SMTP communications Spread of unsolicited commercial e-mail

(spam)


DNS Server Directing E-mail


E-mail Attacks Through Altering DNS Server Information


Using Command-Line Tools for E-mail Attacks

Windows 2000/XP/2003 Attacker can use maliciously constructed e-mail to

attack an SMTP server UNIX/Linux

Easier; attacker can use built-in e-mail command-line options


Unsolicited Commercial E-mail (UCE)

Relatively inexpensive for sender Expensive for users whose resources are

diminished by UCE traffic Expensive in terms of wasted time (estimated

25% of all Internet e-mail traffic is spam)


Ways to Control UCE (Spam)

Turn off open SMTP relay capability Configure SMTP server to have restrictions Require a computer to authenticate to

Microsoft Exchange before e-mail is relayed Direct e-mail not addressed to internal

recipients to a bogus IP address Obtain tools to block e-mail


Securing E-mail Through Certificates and Encryption

Ensures privacy Reduces chances of forgery or someone other

than sender adding an attachment Accepted methods

Secure Multipurpose Internet Mail Extensions (S/MIME)

Pretty Good Privacy (PGP)


Using S/MIME Encryption

Provides encryption and authentication fore-mail transmissions

An extension of MIME


MIME

Provides extensions to original SMTP address header information

Different types of message content can be encoded for transport over the Internet

Additional header fields MIME-version Content-type Content-transfer-encoding Content-ID Content-description


Using S/MIME Encryption

Uses digital certificates based on X.509 standard

Has flexibility to use 168-bit key Triple DES Designed to follow Public-Key Cryptography

Standards (PKCS)


Using PGP Security

Provides encryption and authentication fore-mail transmissions

Sometimes preferred by users of open systems (UNIX/Linux); enables use of X.509 or PGP digital certificates

Unique characteristic of PGP certificate: web of trust


Contents of PGP Digital Certificate

PGP version number Public key Information about certificate holder Digital signature of certificate holder Validity period of the certificate Preferred algorithm for the key


Typical Encryption Methods Used by PGP

CAST IDEA Triple DES


Other Techniques for Securing E-mail

Train users Scan e-mail Control the use of attachments


Training Users for E-mail Security

Never send personal information or a password response via e-mail

Delete e-mail from unrecognized sources Use message filtering, if available


Scanning E-mail

Place virus scanning software on e-mail gateway

Update virus definitions frequently Quarantine specific kinds of attachments Scan zipped files Scanner code should be written to be relatively

fast


Controlling the Use of Attachments

Delete attachments from unknown sources Never configure software to automatically

open attachments Avoid using HTML format for opening e-mail Use virus scanner on e-mail before opening it Place attachments in quarantine


Backing Up E-mail

For storage To ensure that unread e-mail is not lost if

server goes down


Configuring Security in Popular E-mail Tools

Microsoft Outlook Express Microsoft Outlook Ximian Evolution Mail in Red Hat Linux 9.x Mail in Mac OS X


Microsoft Outlook Express

Included with Windows 2000/XP/2003 Can obtain messages from SMTP-based

servers running e-mail server software Can be used to access newsgroups


Security Measures Supported by Outlook Express

S/MIME (version 3) 40-bit and 128-bit RC2 encryption 64-bit RC2 encryption 56-bit DES encryption 168-bit Triple DES encryption Digital signatures encrypted using SHA-1


Configuration Options for Outlook Express



Enables you to export e-mail to Microsoft Outlook or a Microsoft Exchange server

Can be used to back up messages from other systems

Enables you to block or filter messages from unwanted sources


Microsoft Outlook

Included with Microsoft Office Has multiple capabilities

E-mail communications Calendar Ability to track tasks, list contacts, and make notes


Microsoft Outlook Security Features

S/MIME (version 3) 40-bit and 128-bit RC2 encryption 64-bit RC2 encryption 56-bit DES encryption 168-bit Triple DES encryption Digital signatures encrypted using SHA-1 V1 Exchange Server Security certificates


Configuration Options for Microsoft Outlook


Microsoft Outlook

Ability to back up messages by exporting to a file (many file types available)

Ability to add specific Web sites to junk e-mail list


Ximian Evolution Mail inRed Hat Linux 9.x

Processes e-mail Schedules activities on a calendar Records tasks Creates list of contacts Summary function (weather, inbox/outbox

totals, appointments, updates and errata)



Capability to configure more than one account with unique properties

Can be configured to use either PGP security or GnuPG


Configuration Options for Evolution Mail


Apple Mail (Continued)

Comes with Mac OS X Focuses on handling e-mail activities Enables creation of filters to reject mail from

unwanted or unknown sources Capability to configure different accounts



Uses PGP for security Can specify use of SSL for security over

Internet links to e-mail Provides different authentication methods for

verifying access to an e-mail account Password authentication Kerberos version 4 and version 5 MD5 challenge-response


Summary

How operating systems use SMTP for e-mail Sources of e-mail attacks

Over 90% of malicious software strikes throughe-mail

How certificates and encryption can protecte-mail

How to configure security in e-mail software typically used with operating systems

Guide to Operating System Security Chapter 10 E-mail Security.

Documents

Transcript of Guide to Operating System Security Chapter 10 E-mail Security.