Lesson 1: E-Mail Security

A connection between any client and server on the Internet is routed through potentially dozens of independent systems. At any point along that connection, network traffic can be monitored. Transmitting unencrypted communications over the Internet is about as private as sending a postcard through the mail because anyone with access to the infrastructure along the way can read the message.

E-mail is one of the most popular forms of communication today. Unfortunately, many security issues plague e-mail communications. In this lesson, we address several of these e-mail security concerns. The main topics discussed in this lesson are encrypting e-mail, e-mail application vulnerabilities, unsolicited e-mail, and e-mail hoaxes and scams.


After this lesson, you will be able to

  • Install and appropriately apply secure electronic messaging

  • Take steps to prevent the exploitation of e-mail application vulnerabilities

  • Implement antispam measures

  • Take steps to reduce the exposure of your organization to e-mail scams

  • Reduce the propagation of e-mail hoaxes

Estimated lesson time: 60 minutes


Secure Electronic Messaging

Just like a postcard traveling through the mail, standard e-mail offers little privacy from anyone who wants to read other people's mail. E-mail can be collected and read by almost anyone with a protocol analyzer (also called a data sniffer, network sniffer, or packet sniffer) positioned on a network segment the message crosses. As you should know from your previous experience, a protocol analyzer is a device (or software program) that captures and decodes network traffic. In 1994 the Computer Emergency Response Team (CERT) reported that intruders had installed such sniffers on compromised Internet hosts and captured tens of thousands of user names and passwords from unencrypted network traffic. Mail protocols are exposed in the same way: by default, SMTP, POP, and IMAP carry both message contents and log-on credentials in clear text.

Mailsnarf is an example of an automated program for collecting information from e-mail messages. Mailsnarf is included with a group of programs packaged as dsniff. You can find out more about these programs on the Packet Storm Web site.

In addition to a lack of privacy, e-mail can easily be forged. SMTP does not authenticate the sender: the From address is simply text supplied by the sending program, so an attacker can make a message appear to come from anyone. The attacker can just as easily set the Reply-To field so that replies are sent to an address under his or her control. Many people today receive unsolicited advertisements that seem to come from their own e-mail addresses. If someone used your name or e-mail address to send a message to one of your colleagues, would he or she know the difference? Worse yet, would your colleague reply to the attacker, thinking that you sent the message?

Secure electronic messaging addresses both concerns. It allows you to encrypt messages, so that only the intended recipients can decrypt them, and to digitally sign messages, so that recipients can verify that a message really came from you and was not altered in transit. Note that signing and encryption protect the message itself, not the connection between a mail client and its server; protecting the log-on to a POP, IMAP, or SMTP server requires transport-layer encryption such as TLS.

General Dynamics has a secure electronic messaging product named Secure Electronic Messaging System (SEMS). That product is not discussed further in this text. The term secure electronic messaging in this chapter and in many other technical documents refers generically to methods for encrypting and digitally signing e-mail.

PGP

Pretty Good Privacy (PGP) is a set of software tools that allows you to encrypt, decrypt, and digitally sign computer data and e-mail. PGP is built on the asymmetric (public key) cryptography described in Chapter 3: each message is encrypted with a fresh, randomly generated symmetric session key, and that session key is in turn encrypted to the recipient's public key, so only the holder of the matching private key can recover it. The same tools can be applied to e-mail, stored files, some forms of instant messaging, and virtual private networking. This chapter limits the discussion to e-mail encryption. PGP performs these functions to allow you to sign and encrypt e-mail:

  • Create keys.

    PGP creates your key pair, which is your public and private key.

  • Manage keys.

    PGP allows you to store other users' public keys on a local key ring.

  • Encrypt/decrypt e-mail.

    Colleagues use your public key to encrypt messages to you. You use your private key (or secret key) to decrypt those messages.

  • Sign/authenticate e-mail.

    You use your private key to digitally sign messages to your colleagues. Your colleagues use your public key to verify the signature, which confirms that the message came from the holder of your private key and has not been changed since it was signed.

You must distribute your public key to anyone who should be able to encrypt messages to you or verify your digital signature on messages from you. Your private key is kept on your local computer by default; you can also store it on removable media, such as a floppy disk. The private key is protected by a pass phrase (password) that you choose when the key pair is generated. PGP asks for this pass phrase every time you decrypt or digitally sign a message, and the pass phrase is the only thing protecting the private key if the file that holds it is copied or the computer is stolen.

PGP integrates with the following e-mail applications: Qualcomm Eudora, Microsoft Exchange, Microsoft Outlook, Microsoft Outlook Express, and Lotus Notes.

S/MIME

The Secure/Multipurpose Internet Mail Extensions (S/MIME) specification is similar to PGP in that it enables the encryption and digital signing of e-mail messages, and it is designed for integration into e-mail and messaging products. S/MIME, like PGP, uses asymmetric encryption. The difference is in how public keys are distributed and trusted: S/MIME clients rely on X.509 certificates issued by a certification authority within a public key infrastructure (PKI), as described in Chapter 3, rather than on keys exchanged directly between users.

S/MIME version 3 is documented in RFC 2633 and S/MIME version 2 in RFC 2311. (RFCs can be found at http://www.rfc-editor.org.)

To utilize S/MIME, you must have an S/MIME-enabled application and a certificate issued by a PKI. This certificate can come from an internal PKI provided by your organization or from an external provider. Two popular external PKI service providers are VeriSign (http://www.verisign.com) and Thawte (http://www.thawte.com).

RSA Security, Inc. maintains a list of S/MIME-enabled products on its Web site at http://www.rsasecurity.com/standards/smime/products.html. Three of the most popular S/MIME-enabled applications are Netscape Communicator, Microsoft Outlook, and Microsoft Outlook Express.

Once your certificate and key pair are installed and configured, you can begin using S/MIME. When you are using an external PKI, you might have to send a digitally signed message to the people you want to be able to encrypt messages to you: a signed S/MIME message carries your certificate, and with it your public key, which the recipient's client can save for later use. If your PKI is internal, other users should be able to retrieve your e-mail signing and encryption certificate from the organization's directory without any exchange of messages.

Client e-mail settings for digital signatures and encryption are often independently configurable. For example, Microsoft's Outlook e-mail client allows you to digitally sign all (or selected) messages and separately digitally encrypt all (or selected) messages.

E-Mail Vulnerabilities

Vulnerabilities are often found in software, and e-mail software is no exception. Beyond product vulnerabilities, e-mail is often used to exploit other vulnerabilities. Such attacks can damage e-mail servers, erase e-mail or other data, or run other malicious software, resulting in loss of data, time, and money.

One of the most widespread attacks launched through e-mail was the Melissa macro virus, which did two harmful things on systems running Microsoft Outlook and Microsoft Word for Windows. First, it infected Word's global template, so that documents opened afterward carried the virus. Second, it read the victim's Microsoft Outlook address book and e-mailed itself to the first 50 addresses, using the victim's own e-mail address and account and attaching the infected document. This virus is estimated to have caused $80 million in damages. The creator of the virus was eventually caught and sentenced to 20 months in prison and a $5,000 fine. Numerous other exploits and vulnerabilities for a wide array of e-mail programs exist on networks around the world.

To protect your network and your organization from e-mail vulnerabilities, you must vigilantly monitor security alerts and keep virus-scanning software and its signatures up to date. E-mail gateway servers can scan incoming messages and isolate or remove infected attachments; this is a common first line of defense in many organizations. Individual computers should also run virus scanners, providing defense in depth: this helps prevent internal users from infecting one another and provides a backup in case the gateway fails to stop an infected message.

CERT sends out confirmed reports of software exploits on a variety of software free of charge. Visit http://www.cert.org for more information and to sign up for their security alerts.

You should also educate your organization's users about how to spot a potential threat. For example, many exploits arrive as e-mail attachments, so users should be trained not to open attachments that appear suspicious or that were unsolicited, even if they appear to come from a colleague, since the sender address is easily forged. Many organizations go further, training users never to open attachments and blocking attachments at the e-mail gateway.

As exploits are discovered in e-mail client and server programs, vendors typically provide software patches. Be sure to monitor vendor security updates. Test and apply security patches for your applications as they are made available.

Spam

Spam is a term used to describe unsolicited e-mail (typically commercial advertisements) sent to a large number of addresses. On February 18 and 19, 2002, a major Internet service provider (ISP) found out that spam is dangerous for business. Legitimate e-mails were taking as long as 24 hours to deliver because the ISP's e-mail servers were processing so much spam. Antispam organizations, such as Brightmail, report that the volume of spam is rising much more quickly than the volume of normal e-mail. In a March 1, 2002, article titled "The High Price of Spam," Business Week Online reported, "For some ISPs and corporations, spam makes up more than 50% of total e-mail."

To protect your organization from the debilitating effects of spam, you should install filtering software at your Internet gateway and client desktops. Many products are available to help prevent spam. Examples include SpamAssassin, Brightmail, Cloudmark, DigiPortal's ChoiceMail, and Mailshell. You should also educate your network users on how to help avoid spam. Spam.org has compiled the following list of tips to help reduce spam:

  • Never respond to spam.

    Responding confirms to the spammer that the address is live and read. Live addresses are then sold to other spammers.

  • Don't post your address on your Web site.

    Addresses on Web sites can be "harvested" by automatic software that scans Web sites for e-mail addresses.

  • Use a second e-mail address in newsgroups.

    Newsgroups are another place where spammers collect e-mail addresses, and any address you post from is likely to receive spam. Create a second address (a public address) and use it for newsgroup postings; the spam then accumulates in that account instead of clogging your normal inbox.

  • Don't provide your e-mail address without knowing how it will be used.

    Many Web sites ask you to log in with your e-mail address and a password. Be sure to look for a privacy statement regarding the information requested. Also, consider whether you trust the organization not to sell your information. If you can't find a privacy policy or you don't trust the organization not to sell your information, don't log in, sign up, or in any other way give them your address.

  • Use a spam filter.

    Spam filters can help to reduce spam. Many products refer to spam filters as junk mail filters. Some let you create rules based on the subject, sender, or message body, allowing you to keep messages out of your inbox by moving or even deleting them.

  • Never buy anything advertised in spam.

    Companies use spam because people respond to the advertisements.

The U.S. Federal Trade Commission (FTC) would like to know if you receive spam. They ask you to send a copy of unwanted or deceptive messages to uce@ftc.gov. The FTC stores these messages in a database and pursues law enforcement actions against the people who send them. You can also file online complaints about spam messages, including problems with unsubscribe functions, to the FTC through their Web site at http://www.ftc.gov.

You can learn more about fighting and preventing junk mail from http://www.spam.org and http://www.junkbusters.org.

SMTP Relay

An SMTP (Simple Mail Transfer Protocol) server relays when it accepts a message addressed to a domain it is not responsible for and passes it on toward its destination. Every mail server relays for its own users; the problem is an open relay, a server that relays for anyone who connects to it. Spammers look for open relays because junk mail funneled through a server not normally linked to spam reaches more recipients before it is blocked. When someone else's e-mail server is used this way without permission, the spamming becomes an attack on that server. The victim's server slows down and cannot service its own e-mail as efficiently as before, and, more important, many ISPs and blocklist operators are likely to block all mail from it. The victim must then discover the problem, close the relay, and contact each ISP to explain that the server was abused and convince them to unblock its mail.

To protect your organization's servers from becoming a spammer's relay station, you must restrict who may relay. For example, major ISPs protect themselves by allowing relay only from their own customers' networks or from clients that authenticate with SMTP AUTH. If a customer account is then used for spam, it can be locked out, stopping the spam, and the spammer might even be tracked down and prosecuted. Anyone else can still deliver mail addressed to the ISP's own domains but cannot relay through the server at all.

SMTP relay should be disabled (if the feature exists) on any device the organization does not intend to use for mail transfer, and every server that does transfer mail should be tested from outside the network: a connection from an untrusted address that issues RCPT TO for a foreign domain must receive a 5xx refusal, not a 250 acceptance.
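The relay decision described above comes down to one test at RCPT TO time. The following Go program is an added example, not a configuration from any real mail server or from this book: it models a relay policy (local domains, trusted client networks, and SMTP AUTH) and replays a constructed relay probe, the kind a spammer or a self-test would send, against an open relay and a restricted one. The host names, addresses, and reply texts are constructed for the example; the 554 5.7.1 refusal mirrors what common MTAs return, but the decision logic is this example's own.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// RelayPolicy is this example's model of an MTA's relay decision. Real servers
// (Sendmail, Postfix, Exchange) express the same rule in their own configuration.
type RelayPolicy struct {
	LocalDomains []string       // domains this server accepts mail for
	TrustedNets  []netip.Prefix // client networks allowed to relay without SMTP AUTH
}

// OpenRelay is the misconfiguration the lesson warns about: every client may relay.
func OpenRelay(localDomains ...string) RelayPolicy {
	return RelayPolicy{
		LocalDomains: localDomains,
		TrustedNets:  []netip.Prefix{netip.MustParsePrefix("0.0.0.0/0"), netip.MustParsePrefix("::/0")},
	}
}

// RestrictedRelay relays only for the organization's own networks or authenticated users.
func RestrictedRelay(localDomains []string, trustedNets ...string) RelayPolicy {
	p := RelayPolicy{LocalDomains: localDomains}
	for _, n := range trustedNets {
		p.TrustedNets = append(p.TrustedNets, netip.MustParsePrefix(n))
	}
	return p
}

// Accept decides one RCPT TO. Delivery to a local domain is never relaying;
// delivery anywhere else is, and needs a trusted client or SMTP AUTH.
func (p RelayPolicy) Accept(clientIP string, authenticated bool, rcpt string) (string, bool) {
	at := strings.LastIndex(rcpt, "@")
	if at < 0 {
		return "501 5.1.3 Bad recipient address syntax", false
	}
	domain := strings.ToLower(rcpt[at+1:])
	for _, d := range p.LocalDomains {
		if domain == strings.ToLower(d) {
			return "250 2.1.5 OK", true // mail for our own domain is delivery, not relaying
		}
	}
	if authenticated {
		return "250 2.1.5 OK", true // SMTP AUTH names the user; abuse can be traced and locked out
	}
	if client, err := netip.ParseAddr(clientIP); err == nil {
		for _, n := range p.TrustedNets {
			if n.Contains(client) {
				return "250 2.1.5 OK", true
			}
		}
	}
	return "554 5.7.1 Relay access denied", false
}

// Session replays a client's command sequence against the policy and returns the
// server's reply to each command, so the two configurations can be compared.
func Session(p RelayPolicy, clientIP string, authenticated bool, cmds []string) []string {
	replies := make([]string, 0, len(cmds))
	accepted := 0
	for _, c := range cmds {
		verb := strings.ToUpper(strings.SplitN(c, " ", 2)[0]) // "RCPT TO:<x>" -> "RCPT"
		switch verb {
		case "HELO", "EHLO":
			replies = append(replies, "250 mail.example.com")
		case "MAIL":
			replies = append(replies, "250 2.1.0 OK")
		case "RCPT":
			addr := strings.Trim(c[strings.Index(c, ":")+1:], " <>")
			reply, ok := p.Accept(clientIP, authenticated, addr)
			if ok {
				accepted++
			}
			replies = append(replies, reply)
		case "DATA":
			if accepted == 0 {
				replies = append(replies, "554 5.5.1 No valid recipients")
			} else {
				replies = append(replies, "354 End data with <CR><LF>.<CR><LF>")
			}
		case "QUIT":
			replies = append(replies, "221 2.0.0 Bye")
		default:
			replies = append(replies, "502 5.5.2 Command not recognized")
		}
	}
	return replies
}

func main() {
	// A constructed relay probe: outside client, outside sender, outside recipient.
	probe := []string{"HELO spammer.example", "MAIL FROM:<bulk@spam.example>",
		"RCPT TO:<victim@other-isp.example>", "DATA", "QUIT"}
	fmt.Println("open:      ", Session(OpenRelay("example.com"), "203.0.113.9", false, probe))
	fmt.Println("restricted:", Session(RestrictedRelay([]string{"example.com"}, "192.0.2.0/24"), "203.0.113.9", false, probe))
}
```

The open relay answers the foreign RCPT TO with 250 and invites DATA with 354; the restricted one answers 554 twice. The same probe, typed by hand into a telnet session on port 25 of your own server from an outside address, is the check recommended above.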

Scams

Like spam, an e-mail scam is a solicitation. The real difference between the two is that a scam is not offering a legitimate product or service. E-mail scams are typically an attempt to steal money, products, or services. Usually they ask the intended victim to transfer money or provide bank account or credit card information.

One of the most notorious e-mail scams is known as the Nigerian money laundering scam. This scam appears to have started sometime in the 1980s. The scam invitation is delivered through faxes, letters, and most recently e-mails. It can involve the following situations: overinvoiced or double-invoiced oil or other supply and service contracts; a bequest left to you in a will; and "black money" that supposedly must be chemically cleaned before it can be used. The story always ends the same way: embezzled money must be moved to an established account outside the country, and the perpetrator either asks for a deposit up front or asks for the victim's bank account information. If the victim provides bank account information, money is transferred out of the victim's account (instead of in). The July 2000 Business Link online newsletter from the Better Business Bureau (BBB) reported that Americans lose $100 million per year to this scam. Worldwide, the scam was estimated to be worth $5 billion as of 1996.

Although this scam is known as the Nigerian money laundering scam, it is not a direct reflection on the government or people of Nigeria. This scam is also conducted outside of Nigeria and might not even include "Nigeria" in the subject or body.

To protect your organization, its employees, and its clients from scams like this, create a policy prohibiting the release of sensitive information through inappropriate channels. You must define what should be considered sensitive information, such as bank account numbers, social security numbers, and so on. Also, you must define appropriate and inappropriate channels, which vary by organization. In most organizations, account information, personal information, and company funds are controlled and monitored, yet organizations and individuals continue to be defrauded by scams.

Educating your organization's network users to the existence and prevalence of e-mail scams is the best defense. To assist with your organization's education program concerning e-mail scams, the FTC has compiled a list of common e-mail scams. The FTC published the list in a consumer alert article titled "FTC Names Its Dirty Dozen: 12 Scams Most Likely to Arrive Via Bulk Email." Those top 12 scams are the following:

  • Business opportunity scams

  • Make money by sending bulk e-mail

  • Chain letters

  • Work-at-home schemes

  • Health and diet scams

  • Effortless income

  • Free goods

  • Investment opportunities

  • Cable descrambler kits

  • Guaranteed loans or credit, or easy terms scams

  • Credit repair scams

  • Vacation prize promotions

The full FTC article can be found on their Web site at http://www.ftc.gov.

In addition to the FTC, you can learn more about Internet scams from these Web sites: Cyber Criminals Most Wanted (http://www.ccmostwanted.com) and Scambusters (http://www.scambusters.com).

Hoaxes

E-mail hoaxes and scams continue to be a problem for network users. An e-mail hoax is often spread like a chain letter or rumor. Hoaxes contain false information that is believable. Hoax e-mails are often forwarded from one person to many others, making it possible for an idea in a single e-mail to spread exponentially.

Hoax e-mails request that the e-mail be forwarded to colleagues. One of the most infamous hoax messages was the Good Times virus hoax that has been widely propagated on the Internet several times. The gist of the original message is that there is a virus sent through e-mail that is able to erase your computer's hard disk if you open the message. The message is said to be propagated by a user named "Good Times" or the message subject is "Good Times," thus the name of the hoax.

Other hoaxes indicate that people might have been given a virus by one of their colleagues. People are asked to search their computers for files that are said to be viruses, when the files are actually part of popular operating systems. For example, the files Sulfnbk.exe, Jdbgmgr.exe, and Cleanmgr.exe, which are common to Microsoft Windows operating systems, have been called viruses by e-mail hoaxes. The hoaxes tell users to delete these files and forward this information to everyone in their address book.

To protect your organization from hoaxes, you should create a written policy that prohibits the forwarding of known hoaxes. The policy should also be posted to help users identify potential hoaxes. Be sure to educate your network users on the existence of these hoaxes and the damage and loss of productivity they can cause. For example, here are five tell-tale signs (compiled by http://www.hoaxbusters.org) that an e-mail is a hoax:

  • Urgent.

    Words of urgency, importance, warnings, or specifically "virus alert" often appear in the subject line.

  • Tell all your friends.

    There is always some request to forward the information to others.

  • This isn't a hoax.

    The message usually contains some type of corroboration from someone specific or generic who might seem to be trustworthy. For example, the original sender might write something like, "I verified this by calling the number" or "This alert was reported by some official-sounding person, news station, or other authority."

  • Dire consequences.

    Hoaxes often tell you to act immediately or risk losing something, such as all the data on your hard disk.

  • History.

    If the message has "FW" in the subject line or many angle brackets (such as >>>>>>) in the message body, it has probably been forwarded many times, which is itself a good indication of a hoax.
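Both the spam filter rules described earlier (matching on subject, sender, or body) and the five signs above are rule-based scoring, and one piece of code demonstrates each. The following Go program is an added example, not hoaxbusters.org's or this book's: it parses an RFC 822 message with the standard library, checks the subject and body against one pattern per sign, and reports a score from 0 to 5. The patterns, the threshold of three, and the two sample messages (a Good Times style chain letter and a routine help-desk notice) are constructed for this example and would need tuning against real traffic.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"regexp"
	"strings"
)

// sign is one tell-tale indicator as a pattern over the Subject header and/or
// the body. The patterns are this example's own and should be tuned locally.
type sign struct {
	name    string
	subject *regexp.Regexp // nil if the sign is not looked for in the subject
	body    *regexp.Regexp // nil if the sign is not looked for in the body
}

var signs = []sign{
	{"urgent", regexp.MustCompile(`(?i)\b(urgent|important|warning|virus alert)\b`), nil},
	{"tell all your friends", nil,
		regexp.MustCompile(`(?i)(forward this|send this to|everyone (you know|in your address book)|tell all)`)},
	{"this isn't a hoax", nil,
		regexp.MustCompile(`(?i)(this is (not|no) a hoax|this isn't a hoax|i verified|confirmed by|reported by)`)},
	{"dire consequences", nil,
		regexp.MustCompile(`(?i)\b(erase|wipe|destroy|lose all|delete everything)\b`)},
	{"history", regexp.MustCompile(`(?i)\bfwd?:`), regexp.MustCompile(`(?m)^\s*>{3,}`)},
}

// HoaxScore parses one RFC 822 message and reports how many of the five
// signs it shows and which ones.
func HoaxScore(raw string) (int, []string, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return 0, nil, err
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return 0, nil, err
	}
	subject := msg.Header.Get("Subject")
	var hits []string
	for _, s := range signs {
		if (s.subject != nil && s.subject.MatchString(subject)) ||
			(s.body != nil && s.body.Match(body)) {
			hits = append(hits, s.name)
		}
	}
	return len(hits), hits, nil
}

// LikelyHoax is the threshold this example applies: three or more signs means
// the message goes to technical support for a verdict instead of being forwarded.
func LikelyHoax(raw string) bool {
	n, _, err := HoaxScore(raw)
	return err == nil && n >= 3
}

// Two constructed messages, not real traffic: a Good Times style chain letter
// and a routine notice from the help desk.
const hoaxSample = `From: "A Friend" <friend@example.net>
Subject: FW: FW: URGENT VIRUS ALERT - please read!!!

>>> This is NOT a hoax. I verified this by calling the number at Microsoft.
>>> If you get an e-mail with the subject "Good Times", DO NOT open it.
>>> It will erase your hard disk. Forward this to everyone in your address book!
`

const legitSample = `From: IT Security <security@example.com>
Subject: Patch window Thursday 22:00

The mail gateway will be patched Thursday between 22:00 and 23:00.
Expect a short delay in mail delivery. No action is required on your part.
`

func main() {
	for _, raw := range []string{hoaxSample, legitSample} {
		n, hits, err := HoaxScore(raw)
		fmt.Printf("score=%d hits=%v likely=%v err=%v\n", n, hits, LikelyHoax(raw), err)
	}
}
```

The chain letter scores 5 of 5 and the patch notice 0. A scorer like this belongs in front of the help desk, not in front of the user's inbox as an automatic delete rule: the point of the lesson is that suspected hoaxes are forwarded to technical support for an official answer, and a high score is what tells the user to do that.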

Be sure to communicate that users should not delete any files that an e-mail instructs them to delete. Instead, they should forward such messages to technical support personnel for an official response and action plan. An up-to-date virus scanner can be used to verify whether a reported virus actually exists. You can cross-check reported file names with organizations that track hoaxes, such as hoaxbusters.org, cert.org, vmyths.com, icsalabs.com, and the major virus scanner vendors.

Exercise 1: Downloading and Installing PGP Freeware

In this exercise you install PGP Freeware. The exercise is accurate step by step if you are using a computer running Microsoft Windows 2000 Professional.

PGP Freeware is available for other operating systems, such as Amiga, Atari, BeOS, EPOC (Psion), MacOS, MS-DOS, Newton, OS/2, PalmOS, and UNIX. However, the installation steps can be quite different for these operating systems. (Newer versions of PGP are available for Windows XP and Macintosh OSX. Search for PGP 8.0 through your favorite Web search engine for more information.)

The steps should be quite similar for earlier versions of the Microsoft Windows operating system. You need a Web browser and a program that allows you to decompress software, such as WINZIP or PowerZip. Both PowerZip and WINZIP allow you to download demo versions that work for this exercise.

  1. Log on as a user with administrator permissions to the local Windows 2000 system.

  2. Open your Web browser and navigate to your favorite Web search engine. Type PGP Freeware 7.0.3 as the search criteria. This should bring up a list of locations from which you can download PGP Freeware 7.0.3. Choose a site you trust: an installer obtained from an arbitrary download site is exactly the kind of unsolicited executable this lesson warns about, so where the distributor publishes a signature or checksum for the file, verify it before running the installer.

  3. Most Web sites organize PGP Freeware versions by operating system. For Microsoft Windows 2000 Professional, choose the Windows 2000 link. If you are using a different operating system, choose the appropriate link.

  4. Most Web sites organize PGP Freeware by version. Choose PGP version 7.0.3, if available (steps might vary slightly if you choose a version other than 7.0.3).

  5. You should see a link to download PGP Freeware 7.0.3. Choose the Download PGP 7.0.3 link as well as any hotfixes. (You'll probably have to download the program and each hotfix separately.) You should see a list of download locations. Notice that you are offered either HTTP or FTP downloads. Either works; choose whichever your software supports. If you are not sure, try File Transfer Protocol (FTP) and, if that fails (FTP is often blocked by firewalls), use Hypertext Transfer Protocol (HTTP).

  6. Your browser program should ask you where you would like to save the zipped program. Save the program and hotfixes to the location of your choice.

  7. Navigate to the location where you saved the files and use your file decompression program to extract the installation files to the location of your choice.

  8. Navigate to the location where you decompressed the installation files. You should find a PGP FW folder. Open that folder and double-click the PGPfreeware 7.0.3.exe file.

  9. The PGPfreeware 7.0.3 Installer first displays a Welcome page. Click Next to proceed with the installation.

  10. Read and accept the license agreement by clicking Yes. The Read Me page appears.

    If you do not agree to the terms of the license agreement, click No. If you click No, the installation terminates and you are unable to complete the exercise.

  11. Click Next. The User Type page appears.

  12. Assuming that you have never used PGP before, you should select No, I Am A New User and click Next. The Install Directory page appears.

  13. Click Next if you want to install PGP Freeware in the default location. Otherwise, use the Browse feature to change the location of the installation.

  14. When you have chosen the location, click Next. The Software Components page appears. For this exercise you can clear the PGPnet Personal Firewall/IDS/VPN check box.

    If you choose to install PGPnet Personal Firewall/IDS/VPN, the installation steps vary slightly, as you have to configure the PGPnet component.

  15. Click Next. The Start Copying Files page appears.

  16. Confirm your settings and click Next to copy the files. An advertisement for PGP Personal Security might appear. If so, click Next again to begin copying the files.

  17. Once the files are copied, you are asked to restart your computer. Click Finish to continue. Your computer restarts.

After the installation of PGP, you can install the hotfixes. To do so, navigate to the location where you downloaded the PGP hotfixes and extract the hotfix files from the compressed files you downloaded. Navigate to the hotfix executable files and run them. Each asks you to restart your system; restart after you've installed both hotfixes.

After you restart your system and log on, you should see that PGP Freeware is available on your system. You should be able to access PGP documentation and utilities by clicking Start, Programs, and PGP. At this point you should read Part 1: Overview including Chapter 1, "PGP Basics" and Chapter 2, "A Quick Tour of PGP."

Exercise 2: Creating PGP Keys

To start working with PGP, you must first create a PGP key pair. This exercise works step by step on any Windows 2000 operating system.

  1. Click Start, Programs, PGP, PGPKeys. The PGPKeys window opens.

  2. Click the Keys menu and then click New Key. The Key Generation Wizard opens.

  3. Click Next to proceed. The Name and Email Assignment page opens.

  4. Enter your name and e-mail address in the locations provided. Click Next. The Passphrase Assignment page appears.

  5. In the Passphrase text box, enter a pass phrase that is difficult to guess. Confirm your pass phrase by typing it again in the Confirmation text box.

    For a strong pass phrase, use a phrase rather than a word: several unrelated words, or at least eight characters mixing uppercase and lowercase letters, numbers, and nonalphabetic characters. Length matters more than complexity, because the pass phrase is all that protects your private key if the file containing it is copied.

  6. Click Next to continue. The Key Generation Progress page appears.

  7. Click Next when the key generation process is finished. The Completing The PGP Key Generation Wizard page appears.

  8. Click Finish. The PGPKeys window is updated with your new key pair.

At this point, if you want to allow others to encrypt messages to you, they must install PGP and create their own key pairs. Then you and your colleagues can exchange public keys (never private keys) as described in Chapter 3, "Making and Exchanging Keys" of the PGP documentation, and you should confirm each key's fingerprint with its owner through a second channel, such as a telephone call, before trusting it. You should also review Chapter 4, "Managing Keys" to learn how to appropriately utilize the keys you exchange.

If you want to learn how to secure your e-mail, review Chapter 5, "Securing Email" of the PGP documentation to learn how to send encrypted messages and digitally sign e-mail. You can also use PGP to encrypt the data on your hard disk, which is explained in Chapter 6, "Securing Files" of the PGP documentation. You can also use PGP to encrypt and sign communications over ICQ (I Seek You) as described in Chapter 7, "Securing Instant Messages" of the PGP documentation.

The PGP documentation is supplied as PDF files. You can download Adobe Acrobat Reader free from Adobe's Web site at http://www.adobe.com.

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in Appendix A, "Questions and Answers."

  1. Name two ways in which you can increase the privacy of e-mail.

  2. What are some steps you should take to protect your organization from the exploitation of e-mail vulnerabilities?

  3. What can you do to help your organization combat spam?

  4. What steps can you take to reduce your organization's exposure to e-mail scams?

  5. How can you reduce the propagation of e-mail hoaxes?

Lesson Summary

  • You can protect e-mail by using secure electronic messaging programs. PGP-enabled and S/MIME-enabled applications are able to encrypt, decrypt, and digitally sign e-mail. When implemented properly, only the intended recipient can read encrypted e-mail. Further, the recipient can verify the authenticity of the message by checking the sender's digital signature.

  • E-mail vulnerabilities plague almost all e-mail systems. It is very likely that the discovery and exploitation of vulnerabilities will never end. Therefore, it is imperative that you pay attention to security alerts from vendors concerning their applications, in addition to generic alerts provided by organizations such as cert.org. Further, you should test and apply security fixes as soon as they are made available.

  • You can protect your organization from spam by implementing e-mail filters at the Internet gateway and on client desktops. You can also educate network users on how to avoid being targeted by spam. A list of six steps to help people reduce their exposure to spam is available on the Spam.org Web site.

  • E-mail scams are not new. Many scams that are carried out today over e-mail were propagated through letters and faxes before e-mail became popular. Awareness of the existence of most scams is the best defense against them. To that end, the FTC has compiled a list of 12 common e-mail scams. To protect your organization from these scams, educate network users about them and create policies that help to prevent people in your organization from being caught in a scam.

  • You can help reduce the propagation of e-mail hoaxes by educating users about how to recognize these hoaxes. Hoaxbusters.org has compiled a list of five tell-tale signs of an e-mail hoax. Ask users to review the list. Your organization's technical support personnel should verify all alerts to be sure that they are not hoaxes before communicating them to network users.



Security+ Certification Training Kit (Pro-Certification)
ISBN: 0735618224
Year: 2002