
Computer Security and Penetration Testing


blake

Presentation Transcript


  1. Computer Security and Penetration Testing, Chapter 14: Mail Vulnerabilities

  2. Objectives
     • Define SMTP vulnerabilities
     • Outline IMAP vulnerabilities
     • Explain POP vulnerabilities
     • Identify some specific server application vulnerabilities

  3. Objectives (continued)
     • List types of e-mail-related attacks
     • Identify some specific browser-based vulnerabilities
     • Discuss protection measures

  4. Major Mail Protocols
     • Main protocols supporting e-mail systems
       • SMTP
       • IMAP
       • POP

  5. Simple Mail Transfer Protocol (SMTP)
     • Simple Mail Transfer Protocol (SMTP)
       • Transfers e-mail messages from one server to another or from a client computer to a server
       • An e-mail client using either Post Office Protocol (POP) or IMAP can recover the messages
     • SMTP uses the concept of spooling
       • SMTP stores the e-mail message in a buffer called the SMTP queue

  7. Simple Mail Transfer Protocol (SMTP) (continued)
     • If the intended recipient of the e-mail message is unavailable
       • Server attempts to send the message later
     • End-to-end delivery
       • Holding all messages in the spool until they can be delivered

  8. Simple Mail Transfer Protocol (SMTP) (continued)
     • The SMTP Model
       • To deliver an e-mail message
         • Client computer must establish a TCP connection with port 25 of the destination computer
       • If the destination computer is unavailable
         • Server sends a single-line text message to the client computer
       • If the server accepts the message from the client
         • It will send details about the sender and the receiver of the e-mail message

  9. Simple Mail Transfer Protocol (SMTP) (continued)
     • The SMTP Model (continued)
       • If recipient exists at any of the destination mailboxes
         • Server will copy the e-mail messages into the appropriate mailboxes
       • If an e-mail message cannot be delivered
         • An error report is returned to the client computer
       • If more e-mail messages have to be sent
         • Client computer continues with the connection to the server

  10. Simple Mail Transfer Protocol (SMTP) (continued)
     • The SMTP Model (continued)
       • SMTP Commands
         • HELO or EHLO
         • MAIL
         • RCPT
         • DATA
         • RSET
         • VRFY
         • EXPN
         • QUIT

  11. Simple Mail Transfer Protocol (SMTP) (continued)
     • SMTP Vulnerabilities
       • Hackers scan the Internet for any incorrectly configured SMTP servers
       • Hackers can exploit the server in two ways:
         • The attacker can send mail anonymously
         • Hackers can also send the SMTP server a single e-mail with the intention of reaching hundreds, thousands, or even millions of users
       • Hackers can use several commands to exploit SMTP servers

  12. Simple Mail Transfer Protocol (SMTP) (continued)
     • SMTP Vulnerabilities (continued)
       • Buffer overflows
         • Hackers may try to overflow the buffer of the user’s system
         • A very long username, password, or file name is sent to the server
         • Using the HELO, MAIL or RCPT commands
       • Backdoor entry
         • Permits hackers to take complete control of a mail system
         • Wiz commands can open a back door

  13. Simple Mail Transfer Protocol (SMTP) (continued)
     • SMTP Vulnerabilities (continued)
       • Scanning e-mail servers
         • EXPN and VRFY may allow attackers to acquire information from an e-mail server
       • Spamming e-mail servers
         • Attacker sends a single e-mail message to a large number of recipients
         • Hacker attempts to attack a mail server by sending large numbers of RCPT commands to it

  14. Simple Mail Transfer Protocol (SMTP) (continued)
     • SMTP Vulnerabilities (continued)
       • Spamming e-mail servers (continued)
         • May result in any of the following attacks
           • Denial-of-service (DoS) attack
           • User-account attack
           • Spam-relay attack
         • Sending corrupt MAIL commands
         • Manipulating commands such as EXPN or VRFY
       • Third-party mail relay
         • Most corporate mail servers do not allow third-party mail relaying
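
The command abuses listed on slides 11 to 14 leave recognizable traces in a server's SMTP command log. The detector below is an added example, not part of the original presentation; the thresholds, the local domain `example.org`, the finding names and the sample sessions are all assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# All thresholds and names below are assumptions chosen for this example.
LOCAL_DOMAINS = {"example.org"}  # domains this server accepts mail for
MAX_LINE = 512    # RFC 5321 command-line limit in octets, CRLF included
MAX_RCPT = 100    # recipient ceiling per session
MAX_PROBES = 3    # tolerated VRFY/EXPN commands per session
ADDR = re.compile(r"<[^<>@]*@([^<>]+)>")

def addr_domain(arg):
    """Return the lower-cased domain of the first <local@domain> in arg."""
    m = ADDR.search(arg)
    return m.group(1).lower() if m else None

def analyze(commands):
    """commands: iterable of (session_id, raw client line) -> findings per session."""
    counts = defaultdict(Counter)
    sender = {}
    findings = defaultdict(set)
    for sid, raw in commands:
        verb, _, arg = raw.strip().partition(" ")
        verb = verb.upper()
        counts[sid][verb] += 1
        if len(raw) + 2 > MAX_LINE:               # e.g. long HELO/MAIL/RCPT arguments
            findings[sid].add("oversized-command")
        if verb == "WIZ":                         # legacy back-door command
            findings[sid].add("wiz-backdoor-probe")
        if counts[sid]["VRFY"] + counts[sid]["EXPN"] > MAX_PROBES:
            findings[sid].add("address-harvesting")
        if verb == "MAIL":
            sender[sid] = addr_domain(arg)
        if verb == "RCPT":
            if counts[sid]["RCPT"] > MAX_RCPT:
                findings[sid].add("rcpt-flood")
            # Third-party relay: neither sender nor recipient is local.
            if {sender.get(sid), addr_domain(arg)}.isdisjoint(LOCAL_DOMAINS):
                findings[sid].add("relay-attempt")
    return {sid: sorted(f) for sid, f in findings.items()}

def sample_log():
    """Constructed client command lines, not captured traffic."""
    log = [("s1", c) for c in ("EHLO client.example.net",
           "MAIL FROM:<alice@example.net>", "RCPT TO:<bob@example.org>", "DATA", "QUIT")]
    log += [("s2", c) for c in ("VRFY root", "VRFY admin", "EXPN staff", "VRFY bob")]
    log += [("s3", "HELO " + "A" * 600), ("s3", "WIZ")]
    log += [("s4", "MAIL FROM:<x@bulk.invalid>")]
    log += [("s4", "RCPT TO:<u%d@other.invalid>" % i) for i in range(101)]
    return log

if __name__ == "__main__":
    for sid, found in analyze(sample_log()).items():
        print(sid, found)
```

The relay check uses the classic definition of third-party relay (neither envelope address belongs to a local domain); a production server decides relay permission from client network and authentication state as well.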

  15. Internet Message Access Protocol (IMAP)
     • Internet Message Access Protocol (IMAP)
       • E-mail client protocol which can be used to retrieve e-mail messages from a mail server
     • Role of IMAP
       • The functions of IMAP include:
         • Allowing users to read, edit, reply to, forward, create, and move e-mail messages
         • Creating, deleting, and renaming mailboxes
         • Checking for new e-mail messages
         • Deleting e-mail messages

  16. Internet Message Access Protocol (IMAP) (continued)
     • Role of IMAP (continued)
       • To provide security to users, IMAP is designed to:
         • Be compatible with Internet messaging standards
         • Enable message access and management from more than one computer
         • Permit access without depending on less efficient file access protocols
         • Support concurrent access to all shared mailboxes

  17. Internet Message Access Protocol (IMAP) (continued)
     • IMAP Vulnerabilities
       • IMAP is susceptible to buffer overflow conditions
       • IMAP supports various authentication mechanisms, including CRAM-MD5
       • A logic flaw in CRAM-MD5 allows a remote attacker
         • To gain unauthorized access to another user’s e-mail
       • Hackers are able to obtain super-user access to the mail server because the server process runs as root
       • Firewalls or filtering routers could protect the server from attacks
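
CRAM-MD5 (RFC 2195) is a challenge-response exchange: the server sends a one-time challenge and the client returns its user name plus an HMAC-MD5 of that challenge keyed with the shared password. The sketch below is an added example, not code from the presentation or from any mail server; it shows the checks a server-side verifier needs (fresh challenge per attempt, unknown users rejected, constant-time comparison). The function names and the host `mail.example.org` are assumptions, and the slide does not describe the specific logic flaw it mentions, so none is reproduced here.

```python
import base64
import hashlib
import hmac
import os
import time

def make_challenge(hostname):
    """Server: build a fresh, unpredictable challenge for one login attempt."""
    return "<%s.%d@%s>" % (os.urandom(8).hex(), int(time.time()), hostname)

def _digest(password, challenge):
    return hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()

def client_response(user, password, challenge):
    """Client: base64 of 'user<space>hex HMAC-MD5(password, challenge)'."""
    return base64.b64encode(("%s %s" % (user, _digest(password, challenge))).encode()).decode()

def verify(response_b64, challenge, secrets):
    """Server: return the authenticated user name, or None on any failure.

    secrets maps user name -> shared password (hypothetical credential store).
    """
    try:
        decoded = base64.b64decode(response_b64, validate=True).decode()
    except ValueError:            # bad base64 or bad UTF-8
        return None
    user, _, digest = decoded.rpartition(" ")
    password = secrets.get(user)
    # Compute a digest even for unknown users so both paths do similar work.
    expected = _digest(password or "", challenge)
    matches = hmac.compare_digest(expected.encode(), digest.lower().encode())
    return user if (password is not None and matches) else None

if __name__ == "__main__":
    store = {"tim": "tanstaaftanstaaf"}                    # RFC 2195 example account
    chal = make_challenge("mail.example.org")
    resp = client_response("tim", "tanstaaftanstaaf", chal)
    print(verify(resp, chal, store))                       # tim
    # A captured response is useless against the next challenge.
    print(verify(resp, make_challenge("mail.example.org"), store))  # None
```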

  18. Server Application Vulnerabilities
     • Some exploits are associated with specific mail-server applications

  19. Microsoft Exchange Server
     • Affect various versions of
       • Microsoft Exchange Server
       • Windows 2000 Advanced Server
       • Windows 2000 Datacenter Server

  20. Microsoft Exchange Server (continued)
     • Vulnerabilities
       • Microsoft Exchange Server Outlook Web Access Script Injection Vulnerability, 2006
       • Microsoft Exchange Server Calendar Remote Code Execution Vulnerability, 2006
       • Microsoft Exchange Server 2003 Exchange Information Store Denial of Service Vulnerability, 2005
       • Microsoft Exchange Server 2003 Outlook Web Access Random Mailbox Access Vulnerability, 2004

  21. IBM Lotus Domino Notes
     • Vulnerabilities
       • IBM Lotus Domino Multiple TuneKrnl Local Privilege Escalation Vulnerabilities, 2006
       • iDefense Security Advisory 11.08.06: IBM Lotus Domino 7, 2006
       • IBM Lotus Domino Web Access Session Hijacking Vulnerability (Vulnerabilities), 2006
       • Session Token Remains Valid After Logout in IBM Lotus Domino Web Access, 2006

  22. E-mail Attacks
     • E-mail attacks include:
       • List linking
       • E-mail bombing
       • Spamming
       • Sniffing and spoofing
       • E-mail attachments
       • 419s
       • Scams
       • Phishing

  23. List Linking
     • Similar to e-mail bombing
     • Involves enrolling potentially hundreds of target users
       • Through e-mail lists and distributed e-mail message systems
     • Theory behind this voluntary mail-flooding
       • Subjects of the messages are interesting to the member

  24. List Linking (continued)

  26. E-mail Bombing
     • Sending an identical e-mail repeatedly to the target user
       • May exceed the storage or bandwidth of some e-mail accounts
     • Mail Bomber
       • An e-mail bombing utility that was distributed in a file called bomb02.zip
     • Certain e-mail bombing utilities are used on any system that supports SMTP servers
       • Other utilities are specialized

  27. E-mail Spamming
     • Many people use the term spam to mean any e-mail they don’t like or did not request
     • Spam is commercial or nuisance e-mail with no effective opt-out system
     • E-mail spamming is nearly impossible to prevent
       • Because all users have their own definition of what constitutes spam
     • Spamming can be considered a security hazard
       • Especially if spammers use corporate e-mail servers to relay their messages

  28. E-mail Sniffing and Spoofing
     • Packet sniffers are able to collect all of the unencrypted data traveling on a network
       • All POP3 e-mail requests will show the attacker the username and password in plain text
     • E-mail spoofing is a way of tampering with e-mail
       • So that the message received appears to be from a known and trusted person
       • When it is actually sent by an impostor
       • The person being imitated is unaware

  29. E-mail Attachments
     • Attachments to e-mail can contain worms and viruses
     • Worms can self-mail themselves to all the e-mail addresses in your address book
     • E-mails to which worms attach themselves are often extremely poorly written
     • If the victim opens the e-mail, the worm spreads

  30. 419s, Scams, and Phishing
     • 419 or Advance Fee Fraud
       • Named after the relevant section of the Criminal Code of Nigeria referring to “Advance Fee Fraud”
       • Occurs when the victim pays money to someone in anticipation of receiving something of greater value
     • Other Scams
       • Bad-check scams
       • Victim is asked to agree to receive money for an offshore company who cannot get it otherwise
       • The victim is offered 10% of the money

  31. 419s, Scams, and Phishing (continued)
     • Phishing
       • Uses e-mails from a purported financial institution (often eBay or PayPal)
       • Stating that there is something wrong with an account, and the account holder needs to log in to set it straight
       • They provide the account holder with a link to a site that looks almost identical to the real company site
       • When the account holder logs in, the scammers capture the username and password

  32. Browser-Based Vulnerabilities
     • Browsers are applications written in some programming language by human beings
     • All browsers have bugs, coding errors, and vulnerabilities

  33. Protection
     • A few fairly effective countermeasures to threats and annoyances
     • Could be called personal and corporate measures

  34. Personal E-mail Security Countermeasures
     • Segmenting E-mail
       • Get two or more e-mail accounts and use them for specific purposes
     • Filter Mail at the Client Level
       • All e-mail clients give users the tools to filter e-mails
       • Filter for whitelist rather than for blacklist terms
       • Whitelisting gives few false positives
       • Blacklisting is often handled by the ISP and they typically place the suspected spam in the Bulk folder

  35. Personal E-mail Security Countermeasures (continued)
     • Due Diligence
       • Using the same amount of effort that a reasonably educated person would use
       • Users should have antivirus software if there is any reason to suspect vulnerability to viruses or worms
     • Digital Signature and Certificates
       • A digital signature or certificate is a file that validates who a user is
       • Digital signatures are used to confirm the user’s identity to any third party concerned

  36. Personal E-mail Security Countermeasures (continued)
     • Digital Signature and Certificates (continued)
       • A digital certificate is issued by a third-party Certificate Authority (CA)
       • Digital certificate includes information about the sender credited with signing the message

  37. Corporate E-mail Security Countermeasures
     • E-mail Security Policies
       • Policy should inform the entire organization of acceptable e-mail and messaging
       • Policy will also contain policies for infractions of the messaging protocols
     • Provide Security Software
       • Implement antivirus software on all machines
         • In case server-based solutions miss something
       • Consider software firewalls and centralized patch management

  38. Corporate E-mail Security Countermeasures (continued)
     • Antispam Tools
       • Either hardware or software options
       • All antispam tools are reactive and most are based on filtering algorithms
       • Tools reduce storage requirements for regulatory purposes
         • And reduce time spent by employees in reading, analyzing, and processing obviously unwanted mail
       • Advanced antispam tools include content-checking of incoming and outgoing e-mail

  39. Corporate E-mail Security Countermeasures (continued)
     • Content-Checking
       • Can be installed on the e-mail system to monitor whether users are giving away trade secrets
         • Or to check for offensive or inappropriate content
       • An authorized censor within the organization must approve any suspicious messages
     • Disclaimers
       • Attached to each company e-mail
       • Considered an effective way of controlling employees’ propensity to send sensitive information

  40. Corporate E-mail Security Countermeasures (continued)
     • Encryption
       • Encryption techniques such as PGP
         • Make gleaning useful information from packet-sniffing rather challenging
     • Virus Scanners
       • Checks all incoming and outgoing e-mail messages and attachments for e-mail viruses and worms
       • Server-based virus solutions cut the time users spend dealing with possible virus-laden e-mails
       • Use multilayered defenses, not just one solution

  41. Summary
     • Mail system vulnerabilities are dependent on the major mail protocols, server software, tendencies of users and attackers, and vulnerabilities in specific browser code
     • The major mail protocols are SMTP, IMAP, and POP
     • Simple Mail Transfer Protocol (SMTP) is used to transfer e-mail messages
     • Most SMTP vulnerabilities occur because the SMTP server is not correctly configured
     • Some standard SMTP commands can be used by attackers

  42. Summary (continued)
     • Internet Message Access Protocol (IMAP) is an e-mail client protocol that retrieves e-mail messages from a mail server
     • Older versions of IMAP and POP are susceptible to buffer overflow conditions
     • Post Office Protocol (POP) delivers mail to users, downloaded to their local devices
     • E-mail clients are vulnerable to over-sized messages
     • All mail-server applications are vulnerable to exploit

  43. Summary (continued)
     • E-mail attacks include list linking, e-mail bombing, spamming, sniffing and spoofing, attachments, 419s, scams, and phishing
     • All e-mail browsers have their share of bugs, coding errors, and other vulnerabilities
     • Personal e-mail security measures: segmenting mail, filtering mail, and using due diligence
     • Corporate e-mail security measures: implementing an e-mail security policy and providing security software and virus scanners
