
Electronic-Mail

❑ originally developed for sending simple text messages

Security Issues with E-mail:

❑ Viruses spread in e-mail via the transfer of infected files that travel across the network.

❑ Trojan programs are also sent through mail, with computer owners as unwitting accomplices, compromising
hundreds of machines every day.

❑ Worms are pieces of malicious code that use automated methods to spread.

❑ Spam is junk e-mail, usually of a commercial nature, sent out in bulk.

❑ Hoax e-mails are e-mails that travel from user to user because of the compelling story contained in
them.
Email Protocol
❑ allows users to attach files to e-mail messages, which lets viruses
travel by e-mail from one local network to another anywhere on
the Internet

To protect e-mail system from virus code:


❑ Don’t execute any attachment from an unknown source.
❑ Use anti-virus programs that run on the server to filter all e-mails.
❑ Use client-side anti-virus programs to catch any viruses that might
come from web-based e-mail accounts.
❑ Keep all software up-to-date to help prevent worm propagation.
Hoax E-mails
❑ e-mails that travel from user to user because of
the compelling story contained in them
❑ mostly a nuisance, but they cost everyone not only
the time wasted receiving and reading e-mail,
but also the Internet bandwidth and server
processing time they take up
Spam
❑ e-mail that is sent to you without your requesting it, attempting to sell you something
❑ electronic equivalent of a telemarketing call
❑ first spam e-mail was sent in 1978 by a DEC employee

❑ can be reduced by shutting down open mail relaying (relaying mail for third parties)

two main places to filter spam:


❑ at the host itself
❑ at the server

methods of filtering spam at the server:


❑ pattern matching
❑ use of a Realtime Blackhole List (RBL), a DNS-based list of sending addresses known to emit spam
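The two server-side methods above, worked as an added example (this code is not from the original slides). The sample messages, the pattern weights and the set of listed addresses are constructed for the example; a real RBL is consulted by a DNS lookup of the name that dnsbl_query_name() builds (under a zone such as zen.spamhaus.org), so the lookup itself is replaced here by a local set. The zone name rbl.example is an assumption.

```python
import ipaddress
import re

# Constructed sample messages (not from the original page): source address,
# subject and body of three inbound mails.
SAMPLE_MESSAGES = [
    {"src_ip": "192.0.2.10", "subject": "Meeting notes",
     "body": "Attached are the notes from today."},
    {"src_ip": "198.51.100.7", "subject": "LOWEST PRICE!!! Buy now",
     "body": "Click here for your FREE offer, act now."},
    {"src_ip": "203.0.113.5", "subject": "Quarterly report",
     "body": "Please review before Friday."},
]

# Pattern-matching rules: each hit adds to the score; the weights are illustrative.
PATTERN_RULES = [
    (re.compile(r"\bfree\b", re.I), 1.0),
    (re.compile(r"\b(buy|act) now\b", re.I), 1.5),
    (re.compile(r"!{3,}"), 0.5),
    (re.compile(r"\bclick here\b", re.I), 1.0),
]

# Stand-in for the answers a Realtime Blackhole List would give; a real list is
# queried over DNS, so the addresses below are a constructed local copy.
LISTED_IPS = {"203.0.113.5"}

def dnsbl_query_name(ip, zone):
    """Name a mail server looks up in a DNS-based blocklist: the octets of the
    connecting address are reversed and the list's zone is appended."""
    addr = ipaddress.IPv4Address(ip)   # raises on a malformed address
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"

def rbl_listed(ip, listed=LISTED_IPS):
    """Stand-in for the DNS lookup: a listed address answers with an A record,
    an unlisted one gets NXDOMAIN; here the answer comes from LISTED_IPS."""
    return ip in listed

def pattern_score(message):
    """Sum the weights of every rule that matches subject or body."""
    text = message["subject"] + "\n" + message["body"]
    return sum(weight for pattern, weight in PATTERN_RULES if pattern.search(text))

def classify(message, threshold=2.0, zone="rbl.example"):
    """Server-side decision: reject a listed sender outright, otherwise score
    the content and flag it when the score reaches the threshold."""
    if rbl_listed(message["src_ip"]):
        return "spam", f"sender listed in {zone} ({dnsbl_query_name(message['src_ip'], zone)})"
    score = pattern_score(message)
    verdict = "spam" if score >= threshold else "ham"
    return verdict, f"pattern score {score:.1f}"

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["src_ip"], m["subject"], "->", classify(m))
```

The RBL check runs first because it is cheap and decisive at SMTP time (the connection can be refused before the body is transferred), while pattern scoring needs the whole message and is tuned by the threshold.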
e-mail encryption is a great way to protect the privacy of communication
since e-mail is a cleartext medium

software that improves security in e-mail:


❑ S/MIME (Secure/Multipurpose Internet Mail Extension)
❑ PGP (Pretty Good Privacy)

S/MIME
secure implementation of the MIME protocol specification
signing and encrypting e-mail provides integrity, authentication, and privacy
supported by several e-mail programs (e.g., Outlook and Outlook Express)
lets the user select the encryption strength, including low-strength algorithms, which should be avoided
PGP (Pretty Good Privacy)
encrypts and decrypts e-mail and files

provides the ability to digitally sign a message so the receiver can be certain of the sender’s identity

implements e-mail security similar to S/MIME but using different protocols

basic framework is the same

supports PKI provided by multiple vendors

has plug-ins for many popular e-mail programs (Outlook, Outlook Express, and Qualcomm’s Eudora)
Two broad categories of attacks on computer systems and network:
❑ Attacks on specific software
❑ Attacks on a specific protocol or service

Two types of target of an attacker:


❑ Targets of opportunity
❑ Defined targets
Early History of Viruses
❑ 1949
• Start of modern computer virus
• John von Neumann postulated that a computer program could reproduce in his paper entitled
“Theory and Organization of Complicated Automata”
❑ 1950s
• Bell Labs employees gave life to von Neumann's theory in a game called "Core Wars.”
• Two programmers would unleash software “organisms” and watch them fight for control of the
computer; these programs are regarded as the first roadmap for virus-like code.
• David Gerrold is credited with the first use of the word “virus” for a computer attack, in his science
fiction stories.
❑ 1980s
• In 1984, Ken Thompson described the development of what can be considered the first practical
computer virus
• Fred Cohen from the University of Southern California was the first to define formally the term
"computer virus."
Denial-of-Service Attacks
❑ the attacker attempts to deny authorized users access either to
specific information or to the computer system or network itself
❑ may simply prevent access to the target system, or may be used in
conjunction with other actions in order to gain unauthorized access to a
computer or network
❑ forms of DoS attack:
• SYN flooding
• Ping-of-death (POD)
❑ can be conducted from many attacking systems at once, which is known as a
distributed DoS (DDoS)
❑ to stop or mitigate DoS or DDoS:
• ensure that the latest patches and upgrades are applied to systems and applications
SYN flooding DOS attack (diagram)
❑ the attacker sends a SYN with a faked source IP address; the target reserves a connection
❑ the target replies SYN/ACK to the faked address and waits for the final ACK
❑ the ACK never arrives, because the response went to the faked address, and the reserved connection stays half-open
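The SYN flood sequence described above, worked as an added example that is not part of the original slides. The packet trace is constructed (one legitimate client that completes the handshake, then forty SYNs from faked addresses that never answer). The first half counts half-open connections per listening socket, which is the state a flood exhausts; the second half shows the standard server-side mitigation, SYN cookies, where the server encodes the connection in its initial sequence number instead of storing state until the final ACK proves the client is reachable. The secret key and the time-slot values are assumptions for the example.

```python
import hashlib
import hmac

# Constructed packet trace (not from the original page): each record is
# (src_ip, src_port, dst_ip, dst_port, flags). The target is 192.0.2.1:80.
TRACE = [
    # a legitimate client completes the three-way handshake
    ("192.0.2.50", 40001, "192.0.2.1", 80, "SYN"),
    ("192.0.2.50", 40001, "192.0.2.1", 80, "ACK"),
]
# the attacker sends SYNs from 40 faked source addresses and never sends the ACK
for i in range(40):
    TRACE.append((f"203.0.113.{i + 1}", 1024 + i, "192.0.2.1", 80, "SYN"))

def half_open_connections(trace):
    """Replay the trace and count, per (dst_ip, dst_port), the connections that
    received a SYN but never the final ACK."""
    pending = set()
    for src, sport, dst, dport, flags in trace:
        key = (src, sport, dst, dport)
        if flags == "SYN":
            pending.add(key)
        elif flags == "ACK":
            pending.discard(key)
    counts = {}
    for _, _, dst, dport in pending:
        counts[(dst, dport)] = counts.get((dst, dport), 0) + 1
    return counts

def detect_syn_flood(trace, threshold=32):
    """Return the listening sockets whose half-open backlog exceeds the threshold."""
    return sorted(sock for sock, n in half_open_connections(trace).items() if n > threshold)

def syn_cookie(secret, src, sport, dst, dport, slot):
    """32-bit initial sequence number derived from the 4-tuple and a coarse
    time slot (e.g. 64-second counter), so SYN/ACK needs no stored state."""
    msg = f"{src}:{sport}:{dst}:{dport}:{slot}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")

def verify_syn_cookie(secret, src, sport, dst, dport, ack, slot):
    """Accept the final ACK only if ack-1 equals the cookie for the current or
    the previous slot; only then does the server allocate the connection."""
    wanted = (ack - 1) & 0xFFFFFFFF
    return any(syn_cookie(secret, src, sport, dst, dport, s) == wanted
               for s in (slot, slot - 1))

if __name__ == "__main__":
    print("half-open:", half_open_connections(TRACE))
    print("flooded sockets:", detect_syn_flood(TRACE))
```

Real SYN-cookie implementations squeeze the cookie, a time counter and an encoded MSS into the 32-bit sequence number; the HMAC here keeps the idea while leaving the encoding readable.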


Backdoors and Trapdoors
❑ sometimes referred to as a trapdoor
❑ commonly used to refer to programs that attackers install after gaining
unauthorized access to a system to ensure that they can continue
having unrestricted access to the system
❑ can also be installed by authorized individuals accidentally, if they run
software that contains a Trojan horse
❑ common backdoors include:
• NetBus
• Back Orifice
❑ a variation on the backdoor is the rootkit; rootkits are installed not to
gain root access but rather to ensure continued root access
Sniffing
❑ term used to describe the use of a sniffer program to monitor
data traffic on a network or to a server, in order to gain access
information
❑ a network sniffer is a software or hardware device that is used to
observe traffic as it passes through a network on shared
broadcast media
❑ network sniffers can be used by network administrators for
monitoring network performance
❑ network sniffers can be used by attackers to gather information
that can be used in penetration attempts
Network sniffers listen to all network traffic (diagram): the Internet connects through a router
to the internal network, where the attacker's host listens to all traffic on the shared segment
Spoofing
❑ type of attack in which data is made to look like it
has come from a different source
❑ two forms of spoofing:
• E-mail spoofing – the forgery of an e-mail header so
that the message appears to have originated from
someone or somewhere other than the actual source
• IP spoofing – technique used to gain unauthorized
access to computers, whereby the intruder sends
packets whose source IP address indicates that they
are coming from a trusted host
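E-mail spoofing as defined above, worked as an added example (not code from the original slides): a forged From: header usually disagrees with the envelope sender, the Reply-To, or the relay the message actually arrived from, so a receiver can flag those mismatches with the standard library parser. Both messages are constructed for the example. This is a heuristic; the authoritative checks are SPF, DKIM and DMARC, which the slides do not cover.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed messages (not from the original page).
GENUINE = b"""Return-Path: <alice@corp.example>
Received: from mail.corp.example (mail.corp.example [192.0.2.25])
From: Alice <alice@corp.example>
To: bob@corp.example
Subject: Lunch

See you at noon.
"""

FORGED = b"""Return-Path: <bounce@bulk-mailer.example>
Received: from mx.bulk-mailer.example (mx.bulk-mailer.example [198.51.100.7])
From: "CEO" <ceo@corp.example>
Reply-To: ceo.corp@webmail.example
To: bob@corp.example
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

def address_domain(header_value):
    """Domain part of the mailbox in a header, lowercase, or None if absent."""
    _, addr = parseaddr(str(header_value or ""))
    _, _, domain = addr.rpartition("@")
    return domain.lower() or None

def spoof_indicators(raw_message):
    """Compare the visible From: header against the envelope sender, the
    Reply-To address and the first Received: hop; return the mismatches found."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []
    from_domain = address_domain(msg["From"])
    return_domain = address_domain(msg["Return-Path"])
    reply_domain = address_domain(msg["Reply-To"])
    if return_domain and return_domain != from_domain:
        findings.append(f"From {from_domain} but envelope sender {return_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"From {from_domain} but Reply-To {reply_domain}")
    received = str(msg.get("Received", ""))
    if from_domain and received and from_domain not in received:
        findings.append(f"first Received hop does not mention {from_domain}")
    return findings

if __name__ == "__main__":
    print("genuine:", spoof_indicators(GENUINE))
    print("forged:", spoof_indicators(FORGED))
```

The Received: check uses the topmost hop only; a receiver's own mail server writes that line, so it is the one header in the chain the sender cannot forge.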
Man-in-the-Middle Attacks
❑ type of attack that generally occurs when attackers are able
to place themselves in the middle of two other hosts that are
communicating, thus allowing the attacker to view and/or
modify the traffic
❑ various defenses against man-in-the-middle attacks use
authentication techniques that are based on:
• Public keys
• Stronger mutual authentication
• Secret keys (high information entropy secrets)
• Passwords (low information entropy secrets)
Man-in-the-Middle Attacks (diagram)
❑ communication between Host 1 and Host 2 appears to be direct
❑ communication is actually sent to the attacker, who relays the messages to the destination host
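The attack in the diagram and the secret-key defense listed above, worked as an added example (not code from the original slides). An unauthenticated Diffie-Hellman exchange lets the attacker substitute her own public values and share one key with each victim; attaching an HMAC under a pre-shared secret to each public value lets the victims reject the substitution. The group parameters are a toy assumption for the example (2^127 - 1 is prime, but far too small for real use), and the pre-shared key is constructed.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (assumption for this example): 2**127 - 1 is a
# Mersenne prime, but real systems use standardized 2048-bit or larger groups
# or elliptic curves.
P = 2**127 - 1
G = 2

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    """Hash the DH result down to a 256-bit session key."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def unauthenticated_exchange():
    """Plain DH: Mallory replaces both public values with her own and ends up
    sharing one key with Alice and another with Bob, relaying between them."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    alice_key = shared_key(a_priv, m_pub)          # Alice thinks m_pub came from Bob
    bob_key = shared_key(b_priv, m_pub)            # Bob thinks m_pub came from Alice
    mallory_with_alice = shared_key(m_priv, a_pub)
    mallory_with_bob = shared_key(m_priv, b_pub)
    return alice_key, bob_key, mallory_with_alice, mallory_with_bob

def tag(psk, pub):
    """Authenticate a public value with the pre-shared secret."""
    return hmac.new(psk, pub.to_bytes(16, "big"), hashlib.sha256).digest()

def authenticated_exchange(psk, attacker_present):
    """DH where each public value carries an HMAC under psk. Returns
    (alice_key, bob_key), or None when a side aborts on a bad tag."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_msg = (a_pub, tag(psk, a_pub))
    b_msg = (b_pub, tag(psk, b_pub))
    if attacker_present:
        _, m_pub = dh_keypair()
        # Mallory can swap the value but cannot recompute the tag without psk.
        a_msg = (m_pub, a_msg[1])
        b_msg = (m_pub, b_msg[1])
    if not hmac.compare_digest(tag(psk, b_msg[0]), b_msg[1]):   # Alice checks Bob's value
        return None
    if not hmac.compare_digest(tag(psk, a_msg[0]), a_msg[1]):   # Bob checks Alice's value
        return None
    return shared_key(a_priv, b_msg[0]), shared_key(b_priv, a_msg[0])

if __name__ == "__main__":
    ak, bk, ma, mb = unauthenticated_exchange()
    print("victims agree without attacker?", ak == bk, "| Mallory holds both keys:", ak == ma and bk == mb)
    print("authenticated, attacker present:", authenticated_exchange(b"psk", True))
```

Public-key authentication (certificates, as in the TLS handshake) replaces the pre-shared secret with a signature over the same values; the structure of the check is identical.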
Replay Attacks
❑ attacks in which the attacker captures a portion of network traffic between two parties
and retransmits it at a later time
❑ can be prevented with cryptographic authentication combined with time stamps or nonces;
encryption alone does not stop a replay, since the attacker resends the captured ciphertext unchanged
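The replay defense described above, worked as an added example (not code from the original slides): every message carries a timestamp and a fresh nonce under an HMAC, and the receiver rejects a bad tag, a timestamp outside its window, and any nonce it has already accepted. The key and the message are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

def canonical(body):
    """Stable serialization so sender and receiver authenticate the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def make_message(key, payload, now):
    """Authenticate the payload together with a timestamp and a fresh nonce."""
    body = {"payload": payload, "ts": now, "nonce": secrets.token_hex(8)}
    body["tag"] = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return body

class Receiver:
    def __init__(self, key, window=30):
        self.key = key
        self.window = window   # seconds of clock skew and transit delay tolerated
        self.seen = {}         # nonce -> timestamp of messages accepted inside the window

    def accept(self, msg, now):
        """Return (accepted, reason). The tag stops forgery, the window stops
        old captures, and the nonce set stops a replay inside the window."""
        body = {k: v for k, v in msg.items() if k != "tag"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "bad tag"
        if abs(now - msg["ts"]) > self.window:
            return False, "stale timestamp"
        # nonces older than the window can be forgotten: the timestamp check
        # already rejects those messages, so the set stays bounded
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if msg["nonce"] in self.seen:
            return False, "replayed nonce"
        self.seen[msg["nonce"]] = msg["ts"]
        return True, "ok"

if __name__ == "__main__":
    key = b"constructed-shared-secret"
    r = Receiver(key)
    m = make_message(key, {"transfer": 100}, now=1000)
    print(r.accept(m, now=1001))   # fresh
    print(r.accept(m, now=1005))   # captured and resent
```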

TCP/IP Hijacking
❑ also called session hijacking
❑ refers to attacks designed to take control of an already existing session between a
client and a server
❑ used against web and telnet sessions
❑ to prevent this type of attack, re-authenticate the user before performing important
actions and create unique, unpredictable session cookies (for web servers)
Weak Keys
❑ a key which, when used with a specific cipher, makes the cipher behave in some undesirable way
❑ weak keys usually represent a very small fraction of the overall keyspace, which means that if one
generates a random key to encrypt a message, weak keys are very unlikely to give rise to a security problem

Password Guessing
❑ A dictionary attack is a method used to break password-based security systems, in which the attacker
systematically tests candidate passwords from a list, beginning with words that have a higher
probability of being used, such as names and places.
❑ A brute-force attack is a type of password attack that does not attempt to decrypt any information but
simply continues to try different passwords until one works.
❑ A birthday attack is a special type of brute-force attack that exploits the mathematics behind the
birthday paradox, making use of a space-time tradeoff.
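The three attacks above, worked as an added example that is not part of the original slides. The word list, salt and target passwords are constructed; the hash function is a single SHA-256 so the cost of each guess is visible (a real password store uses a slow, salted hash such as bcrypt or Argon2). The birthday search is run on a hash truncated to 24 bits so that a collision appears after a few thousand tries rather than millions; the space-time tradeoff is the dictionary of every hash seen so far.

```python
import hashlib
import itertools
import math
import string

SALT = b"constructed-salt"   # a real system uses a random per-user salt

def hash_password(password, salt=SALT):
    return hashlib.sha256(salt + password.encode()).hexdigest()

# Tiny constructed word list, ordered by how likely each guess is.
WORDLIST = ["password", "123456", "letmein", "paris", "alice", "london", "summer2024"]

def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Try likely passwords first; returns (password, guesses) or (None, guesses)."""
    for guesses, word in enumerate(wordlist, start=1):
        if hash_password(word) == target_hash:
            return word, guesses
    return None, len(wordlist)

def brute_force(target_hash, alphabet=string.ascii_lowercase, max_len=3):
    """Exhaustively try every string up to max_len; cost grows as |alphabet|**len."""
    guesses = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(chars)
            if hash_password(candidate) == target_hash:
                return candidate, guesses
    return None, guesses

def truncated_hash(data, bits):
    """Top `bits` bits of SHA-256, standing in for a short hash or MAC."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def birthday_collision(bits=24):
    """Find two different inputs with the same bits-wide hash. Storing every
    hash seen (space) cuts the expected work from 2**bits to about 2**(bits/2)."""
    seen = {}
    for i in itertools.count():
        data = f"doc-{i}".encode()
        h = truncated_hash(data, bits)
        if h in seen:
            return seen[h], data, i + 1
        seen[h] = data

def expected_birthday_tries(bits):
    """Expected number of inputs before the first collision among 2**bits values."""
    return math.sqrt(math.pi / 2 * 2**bits)

if __name__ == "__main__":
    print(dictionary_attack(hash_password("paris")))
    print(brute_force(hash_password("cab")))
    a, b, tries = birthday_collision(24)
    print(a, b, tries, "expected about", round(expected_birthday_tries(24)))
```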
Software Exploitation
❑ attack that takes advantage of bugs or weaknesses (poor design, poor testing, or poor coding
practices) in software
❑ a particular type of software exploitation is the buffer overflow

Wardialing and WarDriving
❑ Wardialing is the term used to describe an attacker’s attempt to discover unprotected modem
connections to computer systems and networks
❑ WarDriving refers to the activity where attackers wander throughout an area (often in a car) toting
a computer with wireless capability as they search for wireless networks they can access
Social Engineering
❑ attack based on deceiving users or administrators at the target site
❑ typically carried out by telephoning users or operators and pretending to be an
authorized user, to attempt to gain illicit access to systems

Malware
❑ also known as malicious code
❑ refers to software that has been designed for some nefarious purpose
❑ designed to cause damage to a system (such as by deleting all files) or to create
a backdoor in the system in order to grant access to unauthorized individuals
❑ includes viruses, worms, Trojan horses, logic bombs, and hostile mobile code
❑ A virus is a piece of malicious code that replicates by attaching itself to another piece of
executable code.
• Boot sector virus – infects the boot sector portion of either a floppy disk or a hard drive
• Program virus – attaches itself to executable files (files ending in .exe or .com on Windows-based systems)

❑ A Trojan horse is a piece of software that appears to do one thing (and may, in fact, actually
do that thing) but which hides some other functionality.
• It is attached to a particular executable file, and typically isn’t capable of replicating and attaching itself to
other files on system.

❑ Logic bombs are a type of malicious software that is deliberately installed, generally by an
authorized user.
• It is a piece of code that sits dormant for a period
of time until some event invokes its payload.
❑ Worms are pieces of code that attempt to propagate through penetration of
networks and computer systems.
• include the Morris worm, Code-Red, and Slammer

❑ Mobile code is code sent from another host that is executed on the receiving system.
Financial Effects of Malicious Programs
❑ an estimated billions of dollars' worth of damage, due mainly to the destruction of data and
hardware, has been done over the two decades since malicious code became widespread.
❑ spending time recovering from a virus steals opportunity in several ways:
• the extra time and effort spent scanning for the virus and repairing the damage it caused.
• the diversion of time and effort from other useful, revenue-producing work.
• the loss of computer hardware, documents, files, and applications that are irretrievable or
too costly to recover.
❑ the hard number of actual dollar losses due to malware activity is obscured by such
intangible losses.
Remedies
❑ There are many programs that can help keep viruses away from your system and
can remove them if they gain access.
❑ Virus protection programs are available from both commercial and public domain
sources.
❑ These products, and the system administration procedures that go along with them,
have two overlapping goals:
• they don't let you run a program that's infected
• they keep infected programs from damaging your system.
❑ Examples of remedy programs
• firewalls – protect the computer by examining the packets that travel over the network
• antivirus software – prevents known viruses from spreading into the computer system and deletes
some viruses already in place.
World Wide Web
founded by Tim Berners-Lee and popularly known as the Web

used for tasks from e-commerce, e-mail, chatting, and games to file and
information sharing

two fundamental components:

❑ Uniform Resource Locator (URL)
❑ Hypertext Markup Language (HTML)

two programs developed by Berners-Lee:

❑ web server to serve documents to users
❑ web browser to retrieve documents for users
Security concerns on the Internet are grouped into three
main tasks:

1. Securing a server that delivers content to users over the Web.


2. Securing the transport of information between users and
servers over the Web.
3. Securing the user’s computer from attack over a web connection.
Encryption (SSL and TLS)
❑ Secure Sockets Layer (SSL) is a general-purpose protocol developed by Netscape
for managing the encryption of information being transmitted over the Internet.

❑ Transport Layer Security (TLS), its standardized successor, is a protocol intended to secure and
authenticate communications across public networks by using data encryption.

❑ SSL/TLS is a series of functions that exist in the OSI model between the application
layer and the TCP/IP implementation in the transport and network layers.

❑ SSL/TLS adds confidentiality, message integrity and authentication functionality to TCP through the
use of cryptographic methods.
SSL Handshake
❑ anexchange of information that takes place between the client and
the server when a connection is established

❑ includes the following features:


• The client and server exchange information about the SSL version number and
the cipher suites that they both support.
• The server sends its certificate and other information to the client.
• If client authentication is required, the client sends its certificate and other
information to the server.
• The client and server exchange random information which each generates and
which is used to establish session keys: these are symmetric keys which are used
to encrypt and decrypt information during the SSL session. The keys are also used
to verify the integrity of the data.
The Web (HTTP and HTTPS)
❑ Hypertext Transfer Protocol
(HTTP) is the protocol designated
for the transfer of hypertext-linked
data over the Internet, from web
servers to browsers.

❑ HTTP over SSL (HTTPS) is a Web


protocol developed by Netscape
and built into its browser that
encrypts and decrypts user page
requests as well as the pages that
are returned by the Web server.
Web Services
❑ open standard (XML, HTTP, UDDI) based Web applications that interact with other web applications
for the purpose of exchanging data

❑ have been defined through industry standardization around a series of specifications, including XML
Schema and Web Services Description Language (WSDL)

❑ invoked over the World Wide Web using Simple Object Access Protocol (SOAP) request over an
HTTP connection

❑ have several weaknesses, such as:


• HTTP/Web server vulnerabilities
• SOAP Structure vulnerabilities
• WSDL vulnerabilities
• Application layer vulnerabilities
❑ SOAP
• began as a method of invoking remote procedures over the Internet
• an XML-based protocol that consists of three parts:
– an envelope that defines a framework for describing what is in a message and how to process it
– a set of encoding rules for expressing instances of application-defined data types
– a convention for representing remote procedure calls and responses
• the basic SOAP framework lacks many features, such as routing and security
❑ XML
• used to format the messages used by SOAP to access and return data from Web Services
• the use of XML Schemas to define the communication interfaces and to carry information between
Web Services and invoking elements allows for a standard method that is independent of any firm
or platform, is extensible, and is language neutral
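The SOAP envelope structure above, worked as an added example (not code from the original slides): one function serializes a request as Envelope > Body > operation > parameters, and the receiving side parses it back while applying the checks a practitioner wants at the "SOAP structure" layer, a size limit and a refusal of DTD or entity declarations before the XML parser sees the document. The service namespace and operation name are assumptions for the example.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
ET.register_namespace("soap", SOAP_ENV)

def build_request(operation, service_ns, params):
    """Serialize a SOAP 1.1 request: Envelope > Body > operation > parameters."""
    envelope = ET.Element(f"{{{SOAP_ENV}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_ENV}}}Body")
    call = ET.SubElement(body, f"{{{service_ns}}}{operation}")
    for name, value in params.items():
        ET.SubElement(call, f"{{{service_ns}}}{name}").text = str(value)
    return ET.tostring(envelope, encoding="unicode")

def parse_request(xml_text, max_bytes=64 * 1024):
    """Parse an incoming request and return (operation, namespace, params).
    The size and DTD checks run before the XML parser touches the document,
    which keeps entity-expansion and external-entity tricks out entirely."""
    if len(xml_text.encode()) > max_bytes:
        raise ValueError(f"request larger than {max_bytes} bytes")
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD and entity declarations are not accepted")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise ValueError("root element is not a SOAP Envelope")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("Body must contain exactly one operation element")
    call = body[0]
    if call.tag.startswith("{"):
        namespace, _, operation = call.tag[1:].partition("}")
    else:
        namespace, operation = "", call.tag
    params = {child.tag.rpartition("}")[2]: (child.text or "") for child in call}
    return operation, namespace, params

if __name__ == "__main__":
    req = build_request("GetQuote", "urn:example:stock", {"symbol": "ACME"})
    print(req)
    print(parse_request(req))
```

The operation name and parameters returned here are still untrusted input: the application layer must validate them against the WSDL contract before acting on them.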
Directory Services (DAP and LDAP)
❑ A directory is a data storage mechanism similar to a database, but it has several
distinct differences designed to provide efficient data retrieval services compared to
standard database mechanisms.
❑ designed and optimized for reading data, offering fast search and retrieval operations
❑ commonly used in e-mail address lists, domain server data, and resource maps of
network resources
❑ Directory Access Protocol (DAP) is a heavyweight protocol that is difficult to
completely implement, especially on PCs and more constrained platforms.
❑ Lightweight Directory Access Protocol (LDAP) can interface with X.500 services
and it can be used over TCP with less computing resources than a full X.500
implementation.
File Transfer (FTP and SFTP)
❑ FileTransfer Protocol (FTP) is an application- level protocol,
allowing it to operate over a wide range of lower-level protocols.
• embedded in most operating systems and provides a method of
transferring files from a sender to a receiver
❑ Secure FTP (SFTP) is an application program that encrypts
both the commands and the data being passed and requires
SFTP support on both the client and the server.
Buffer Overflows
❑ result of poor coding practices on the part of software programmers – when any
program reads input into a buffer and does not validate the input for correct length,
the potential for a buffer overflow exists

Java and JavaScript


❑ Java includes many safety features, such as type checking and garbage collection,
which actually improve a program’s ability to run safely on a machine and not cause
operating system-level failures
❑ three different levels of security:
• Not run Java programs at all
• Restrict Java program functionality when the program is not run directly from the system’s hard
drive – program being directly executed from the Internet have severe restrictions that block disk
access and force other security-related functions to be performed
• Run any and all Java programs as presented
ActiveX
❑ With an ActiveX-enabled browser (in practice, Internet Explorer) ActiveX
controls can be downloaded as part of a Web document to add
functionality to the browser (similar to Java applets).

❑ Authenticode
• a system that uses digital signatures and allows Windows users to determine
who produced a specific piece of code and whether or not the code has been
altered
• provides limited accountability at the time of download and assures that the code
has not been changed since the time of signing
Common Gateway Interface (CGI)
❑ standard for the exchange of information between a Web server and
computer programs that are external to it
❑ CGI programs can be written in different languages, such as
Perl
❑ CGI programs run with the full capabilities of the server process, allowing access to
databases, UNIX commands, and other programs
❑ due to this unrestrained capability, poorly written scripts can cause
unintended consequences at runtime
❑ has largely been replaced with newer server-side technologies
such as Java, Active Server Pages (ASP), and PHP
Cookies
❑ small chunks of ASCII text passed in HTTP headers to temporarily store data in a web
browser instance
❑ provide a means for a Web server to induce a client to store information about itself which can
subsequently be called up by the Web server when required
❑ defined as a series of name-value pairs; a cookie with no expiry is held in memory only for the
browser instance, while one with an expiry is kept on disk until it expires
❑ specified set of name-value pairs include the following:
• Expires - specifies when the cookie expires
• Domain - specifies the domain where the cookie is used
• Path - resolves the applicability of the cookie into a specific path within a domain
• Secure - indicates that it is only to be used when
connected in an SSL/TLS session
❑ specific cookie functions to be enabled in browsers, specifically:
• The ability to turn on and off cookie usage
• An indicator as to whether cookies are in use
• A means of specifying cookie domain values and lifetimes
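The session-cookie defenses named under TCP/IP Hijacking (unique session identifiers, re-authentication before important actions) and the cookie attributes listed above, worked together as one added example that is not part of the original slides. The session store is an in-memory stand-in, and the cookie name, domain and lifetime are assumptions. Beyond the four attributes on the slide, the example sets HttpOnly and SameSite, which later browsers added for the same purpose, and audit_set_cookie() reports any of the protective attributes that a server forgot.

```python
import secrets
from http.cookies import SimpleCookie

class SessionStore:
    """Server-side sessions keyed by an unpredictable identifier."""

    def __init__(self):
        self.sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, never a counter
        self.sessions[sid] = {"user": user, "reauthenticated": False}
        return sid

    def lookup(self, sid):
        return self.sessions.get(sid)

    def reauthenticate(self, sid, password_ok):
        """Before a sensitive action: require fresh credentials and rotate the
        identifier, so a cookie captured earlier stops working."""
        if sid not in self.sessions or not password_ok:
            return None
        session = self.sessions.pop(sid)
        session["reauthenticated"] = True
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = session
        return new_sid

def build_set_cookie(name, sid, domain, path="/", max_age=3600):
    """Set-Cookie value carrying Domain, Path, Max-Age, Secure, HttpOnly and SameSite."""
    cookie = SimpleCookie()
    cookie[name] = sid
    morsel = cookie[name]
    morsel["domain"] = domain
    morsel["path"] = path
    morsel["max-age"] = max_age
    morsel["secure"] = True      # only sent over SSL/TLS, so a sniffer on HTTP never sees it
    morsel["httponly"] = True    # not readable by page scripts
    morsel["samesite"] = "Lax"   # not attached to most cross-site requests
    return morsel.OutputString()

def audit_set_cookie(header_value):
    """Return the protective attributes missing from a Set-Cookie value."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header_value.split(";")[1:]}
    return [a for a in ("secure", "httponly", "samesite") if a not in attrs]

if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(build_set_cookie("sid", sid, "app.example"))
    print("missing:", audit_set_cookie("sid=abc; Path=/"))
```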
Signed Applets
❑ technique of adding a digital signature to an applet to prove that it came
untampered from a particular trusted author
❑ have the power to potentially damage a machine,
e.g. erase all files or format hard disk, or even post a diary on
LiveJournal
❑ concerns on signed applets can be mitigated
through proper system setup and code signing
❑ two ways an attacker can hijack a signed control:
• by in-line access
• republishing it
❑ In-lining is using an embedded control from another site, with or without
the other site’s permission
Browser Plug-Ins
❑ software pieces that extend the capabilities of a World Wide Web
browser, such as Netscape Communicator or Internet Explorer
❑ can sometimes take the form of ActiveX components that allow a
browser to manipulate various Office files, such as pivot tables from
Excel, over the Web
❑ Examples include Apple QuickTime movies, Adobe Acrobat PDF
documents, Macromedia Director presentations, and the
Flash and Shockwave plug-ins
❑ have security concerns that can be lessened through proper system
setup and code signing.
