Conducting e-mail Security Assessments Dan Elder Security Engineer Novacoast Eron Howard Manager Development Services Novacoast.

Slides:

Advertisements

Similar presentations

December 29, 2013 Willem Bagchus Master CNE, CLP, MCP Senior SE, Senior Trainer GWAVA Reload.

Advertisements

Reduce Cost & Complexity Partner logo here Presenters Name (16pt) Presenters Title (14pt) Company/ (14pt) Manage and Deploy Applications using Virtualization.

Nsure ™ Audit Essentials Rick Meredith Software Engineer Novell, Inc. Jaime Brimhall Software Engineer Novell, Inc.

Deploying GEE Whiz Enterprise Anti-SPAM for GroupWise ® and NetMail ® Aldo Zanoni Master CNI SM, B.A., B.Ed. Director of Customer Service, Omni Technology.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Chapter 4 Application Security Knowledge and Test Prep

How to Successfully Cluster GroupWise Gregg A. Hinchman Consultant, Hinchman Consulting Ed Hanley Senior Consultant, Novell.

SAN Design Considerations Hylton Leigh Senior Consultant Novell Consulting, UK Stuart Thompson Senior Consultant Novell Consulting, UK.

How to Implement a Cluster of Clusters Atiq Adamjee Senior Architect Novell, Inc. Brad Rupp Software Engineer Novell, Inc.

Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,

Password Management Bill Street, Nathan Jensen, Mike Simpson, Will Peterson Identity Management Engineering.

11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 

Computer Concepts 2014 Chapter 7 The Web and .

Upgrading to Novell ® SecureLogin 3.5 Rod Tietjen,

Developing for Novell ® Nsure ™ SecureLogin Gordon Mathis Senior Software Engineer, Novell Inc.

DIR-835A1 Wireless N750 Dual-Band Router Wireless & Router Product Div. July 2011 D-Link WRPD.

Document Management with GroupWise ® Gregg Hinchman Consultant Hinchman Consulting Jerry Winkel Novell Escalation Engineer.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

Nsure ™ Audit: Instrumenting Custom Applications Rick Meredith Jason Arrington Nsure Audit Engineering Novell, Inc.

Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Implementing Novell iChain ® at the City of Los Angeles Adam Loughran Senior Systems Engineer, Novell Robert Gillette IS Development Manager, City of Los.

Benefits of a SUSE ® Subscription Insert Presenter's Name (16pt) Insert Presenter's Title (14pt) Insert Company/ (14pt)

Configuring Identity Manager 2 (formerly DirXML ® ) for JDBC (w/DirXML) Jason Elsberry Software Engineer

5 Chapter Five Web Servers. 5 Chapter Objectives Learn about the Microsoft Personal Web Server Software Learn how to improve Web site performance Learn.

Implementing iChain ® in the Wild: Life beyond the lab Rich Roberts Senior Architect – Novell Consulting Novell Inc. Jim Short iChain Guru – Novell Consulting.

Implementing DirXML ® Stylesheets David Wagstaff

Novell Nsure TM Identity Manager 2 andGroupWise Provisioning Art Purcell, GroupWise ® Engineering, David Holbrook, DirXML Engineering,

Case Study: DirXML Implementation at Waste Management Rick Wagner Systems Engineer Novell, Inc.

Successful GroupWise Clustering, Part 1 Gregg A. Hinchman Ed Hanley Novell Inc.

April 30, 2007 openSUSE.org Build Service a short introduction Moiz Kohari VP Engineering.

Novell ® BrainShare ® A Hands-on Approach to Implementing an Effective Retention Solution with Novell GroupWise and GWArchive Greg Smith, Director.

How to Successfully Cluster GroupWise ® Gregg A. Hinchman Consultant, Hinchman Consulting Ed Hanley Senior Consultant, Novell.

Kevin James Prototype Systems Devloper Novell Inc. Freddy Kaiser Technical Directory, Enterprise Solutions Novell Inc. BUS172 - Case Study: Extended Provisioning.

SecureLogin Solution for Hospital Environments Keith Lewis Novell Consultant Novell, Inc. Troy Drewry Protocom Consultant Protocom.

Retention for GroupWise Angela Williams - Channel Sales Manager Jeff Stratford - President Nexic, Inc.

Beginning Programming with the Novell GroupWise ® Object API Glade Monson Developer Services, Novell Inc.

January 8, 2009 Business Continuity Cluster Always Running Gregg A. Hinchman Consultant Hinchman Consulting

Strong Authentication to any Application Using SecureLogin and NMAS TM Scott Kiester and John Jolly Software Engineer Novell, Inc.

Securing GroupWise ® end-to-end with SSL Mike Bills ATT Engineer, Novell Inc.

Security fundamentals Topic 9 Securing internet messaging.

Best Practices for Running Multiple Identity Manager 2 (formerly DirXML ® ) Drivers on Linux and Solaris Patrick J Cush Senior Technical Specialist Novell.

Securing Legacy Applications with exteNd Composer and Novell iChain Kirk Noren Application Services Specialist Novell, Inc.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter One Introduction to Exchange Server 2003.

Configuring Novell GroupWise ® on SuSE LINUX Randy Brown GroupWise Dedicated Support Engineer, Novell Inc. Matt Preston GroupWise Support.

DIR-826L Wireless N600 Gigabit Cloud Router Sales Guide WRPD Jan 25 th, 2012 D-LINK HQ.

Introducing Novell ® Identity Manager 4 Insert Presenter's Name (16pt) Insert Presenter's Title (14pt) Insert Company/ (14pt)

Vulnerabilities in Operating Systems Michael Gaydeski COSC December 2008.

가상화 기반의 Workload 관리솔루션 : FORGE PlateSpin Virtualization and Workload Management 나영관 한국노벨 /

SUSE ® Linux Enterprise High Availability Extension.

Introduction to GroupWise ® C3POs Glade Monson Developer Services, Novell Inc.

IDC Says, "Don't Move To The Cloud" Richard Whitehead Director, Intelligent Workload Management August, 2010 Ben Goodman Principal.

Novell ® IT Consulting Insert Presenter's Name (16pt) Insert Presenter's Title (14pt) Insert Company/ (14pt)

SUSE ® Linux Enterprise Desktop in a One-To-One 21st Century Classroom Alex Inman Director of Technology Whitfield School

Novell ® Technical Training Field / Sales Presentation Insert Presenter's Name (16pt) Insert Presenter's Title (14pt) Insert Company/ (14pt)

Introduction to SUSE Studio Tim Serong Senior Clustering Engineer OPS Engineering, Novell Inc.

OES11 / SLES11 Feature Competitive Novell Confidential.

GStreamer in OpenOffice.org? Cédric Bosdonnat, Radek Doulík.

Forrester and Novell Novell ® Identity Manager 4 Webcast I Insert Presenter's Name (16pt) Insert Presenter's Title (14pt) Insert Company/ (14pt)

Novell ® Demo Systems Portal Update Doc Hodges Novell Demo Systems

DHP-600AV / DHP-601AV Powerline AV2 Gigabit Adapter Powerline AV2 Starter Kit Sales Guide WRPD, Mar 2013 D-Link Confidential.

From Source Code to Packages and even whole distributions By Cool Person From openSUSE.

Enterprise Linux Servers Solution Overview Kerry Kim Enterprise Linux Servers Solution Manager.

From Source Code to Packages for Various Distributions Andreas Jaeger Program Manager openSUSE

UI-Facelift of the YaST Partitioner Module Martin Schmidkunz Status: 13th February 2008.

SUSE Studio: Building distributions By Cool Person From openSUSE.

The Community role in openSUSE life-cycle Dinar Valeev Community member.

TMG Client Protection 6NPS – Session 7.

Redesign of AppArmor Modules in YaST

Presentation transcript:

Conducting Security Assessments Dan Elder Security Engineer Novacoast Eron Howard Manager Development Services Novacoast

© March 22, 2004 Novell Inc. 2 Novacoast, Inc. Company Facts Founded in 1996 Based in Santa Barbara, California Named Novell “Partner of the Year” for 2002 Professional Services company with practice areas that have been built around key engineers who specialize in a given technology Offices in California, Utah, Arizona, Texas and Oregon National resource for Novell Consulting Receiving our fourth Novell Service Excellence Award

© March 22, 2004 Novell Inc. 3 Introduction Published Vulnerabilities for Exchange and Groupwise Auto execution of code Site redirection Hex obfuscation Attacks on Antivirus systems Novacoast security assessments Credits and sources

© March 22, 2004 Novell Inc. 4 Published Vulnerabilities in Groupwise : Novell Groupwise Webaccess Cross Site Scripting Vulnerability : Novell GroupWise Wireless Webaccess Insecure Logged Password Vulnerability : Novell GroupWise WebAccess Information Disclosure Vulnerability : Novell Groupwise Mail Transport Agent Unspecified Denial Of Service Vulnerability : Novell GroupWise WebAccess Unspecified Malicious Script Vulnerability : Novell GroupWise Internet Agent Buffer Overflow Vulnerability : Novell GroupWise Web Root Disclosure Vulnerability : Novell GroupWise 6 Post Office LDAP Authentication Bypass Vulnerability : Novell Groupwise Servlet Gateway Default Authentication Vulnerability : Novell Groupwise Arbitrary File Retrieval Vulnerability : Novell GroupWise Padlock Vulnerability : Novell Groupwise Directory Disclosure Vulnerability : Novell GroupWise Network Directory Browsing Vulnerability : Novell GroupWise GWWEB.EXE Multiple Vulnerabilities

© March 22, 2004 Novell Inc. 5 Published Vulnerabilities in Exchange Exchange :Microsoft Outlook Web Access HTML Attachment Script Execution Vulnerability :Microsoft Exchange Server 5.5 Outlook Web Access Cross-Site Scripting Vulnerability :Microsoft Exchange Server Buffer Overflow Vulnerability :Microsoft Exchange Server SMTP HELO Argument Buffer Overflow Vulnerability :Microsoft Exchange Server 5.5 IMAP NOOP Denial of Service Vulnerability :Microsoft Exchange Server IMC EHLO Response Buffer Overflow Vulnerability :Microsoft IIS SMTP Service Encapsulated SMTP Address Vulnerability :Microsoft Remote Procedure Call Service DoS Vulnerability :Microsoft Outlook Web Access with RSA SecurID Authentication Bypass Vulnerability :Microsoft Windows SMTP Service Authorization Bypass Vulnerability :Microsoft OWA Server Embedded Script Execution Vulnerability :Microsoft Exchange OWA Global Address List Disclosure Vulnerability :Microsoft Outlook Web Access Denial of Service Vulnerability :Microsoft Exchange 5.5 LDAP Denial of Service Vulnerabilities :Microsoft Exchange OWA Embedded Script Execution Vulnerability :Microsoft Exchange Server Invalid MIME Header charset = "" DoS Vulnerability Outlook :Microsoft Outlook / Exchange Blank Headers DoS Vulnerability :NT Exchange Server Encapsulated SMTP Address Vulnerability :Multiple Vendor PKCS#1 Vulnerability :Microsoft Exchange Server AUTH / XAUTH / AUTHINFO DoS Vulnerabilities :Microsoft Exchange Server Empty MIME Boundary DoS :Multiple Browser URI Display Obfuscation Weakness :Microsoft mshtml.dll Library GIF Image Handling Denial of Service Vulnerability :Multiple Outlook/Outlook Express Predictable File Location Weaknesses :Microsoft Internet Explorer Double-Null URI Denial Of Service Vulnerability :Microsoft Outlook Mailto Parameter Quoting Zone Bypass Vulnerability :Multiple Outlook/Outlook Express Predictable File Location Weaknesses :Microsoft Internet Explorer Double-Null URI Denial Of Service Vulnerability :Microsoft Internet Explorer Absolute Position Block Denial Of Service Vulnerability :Microsoft mshtml.dll Library GIF Image Handling Denial of Service Vulnerability :Microsoft Outlook 2002 V1 Exchange Server Security Certificate Information Leakage Vulnerability :Microsoft Outlook Header Processing Denial of Service Vulnerability :Microsoft Outlook HTML Mail Script Execution Vulnerability :Microsoft VBScript ActiveX Word Object Denial Of Service Vulnerability :Microsoft Outlook Disabled Cookies Setting Bypass Vulnerability :Microsoft Outlook IFrame Embedded Media Player File Vulnerability :Microsoft Outlook Javascript Execution Vulnerability :Microsoft Outlook IFrame Embedded URL Vulnerability :Microsoft Outlook Arbitrary Code Execution Vulnerability :Microsoft Outlook Unauthorized Access Vulnerability :Multiple Outlook/Outlook Express Predictable File Location Weaknesses :Microsoft mshtml.dll Library GIF Image Handling Denial of Service Vulnerability :Microsoft Outlook and Outlook Express Arbitrary Program Execution Vulnerability :Multiple Vendor Client JavaScript Information Leakage Vulnerability :Microsoft Outlook HTML Mail Script Execution Vulnerability :Microsoft VBScript ActiveX Word Object Denial Of Service Vulnerability :Microsoft Outlook Disabled Cookies Setting Bypass Vulnerability :Microsoft Outlook Javascript Execution Vulnerability :Microsoft Outlook IFrame Embedded URL Vulnerability :Microsoft Outlook Arbitrary Code Execution Vulnerability :Microsoft MSHTML.DLL Crash Vulnerability :Microsoft Outlook Unauthorized Access Vulnerability :Microsoft Outlook Express Address Book Spoofing Vulnerability :Microsoft Outlook vcard Buffer Overflow Vulnerability :Microsoft Outlook Vcard DoS Vulnerability :Microsoft Outlook Concealed Attachment Vulnerability :Microsoft Outlook Rich Text Format Information Disclosure Vulnerability :Microsoft Outlook / Outlook Express Cache Bypass Vulnerability :Microsoft Outlook / Outlook Express GMT Field Buffer Overflow Vulnerability : Microsoft Internet Explorer and Outlook/Outlook Express Remote File Write Vulnerability : Microsoft Office 2000 UA Control Vulnerability : Microsoft Signed ActiveX Active Setup Vulnerability : Microsoft ActiveX CAB File Execution Vulnerability

© March 22, 2004 Novell Inc. 6 Autoexecution of code 1 st Demo Can code be executed without opening an message?

© March 22, 2004 Novell Inc. 7 Site Redirection 2 nd Demo Can a user be sent to a website that appears to be a legitimate and have improperly signed code run on the users machine that appears to be legitimate? Can this code run a program on the local workstation and send an to all users on the system?

© March 22, 2004 Novell Inc. 8 Hex Obfuscation/Hacking with Google 3 rd Demo Can critical information about users and companies be found using Google? Can an message be crafted to trick a user into executing code that looks legitimate?

© March 22, 2004 Novell Inc. 9 Attacks on AntiVirus Systems 4 th Demo Can executed code un-install Antivirus Software and infect a network

© March 22, 2004 Novell Inc. 10 Novacoast Security Assessments Who is Novacoast? What do we do?

© March 22, 2004 Novell Inc. 11 Credits and Sources Security Focus Astalavista.net DoxPara Research JohnnyIHackStuff Novacoast Security Group

© March 22, 2004 Novell Inc. 13 General Disclaimer This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.