Security fundamentals Topic 9 Securing internet messaging
Agenda
– Secure mail servers
– Secure mail clients
– Secure instant messaging (IM)
E-mail security basics
– Store and forward: the sender's client sends the message to a mail server, which delivers it to the server holding the recipient's mailbox
– IMAP reads the message on the mail server
– POP downloads mail from the mailbox to the client
– DNS MX (Mail Exchange) records are used to route the message
– E-mail is sent in ASCII format; MIME extensions convert any file to ASCII so it can be attached to an e-mail
– The mail header contains information about the message, its attachments and the mail servers involved
E-mail security basics
Protocols:
– SMTP sends mail to a mail server and from mail servers to other mail servers
– POP retrieves mail for the client from a mailbox on a mail server
– IMAP views messages in the mailbox on the mail server
Standard issues:
– No encryption
– No authentication of the sender
– No integrity of the message
Spam
– Spam: mass mailings of e-mail
– Unsolicited Commercial E-mail (UCE): mass mailings to mailing lists for advertising
Issues with spam and UCE:
– Uses network capacity
– Clogs up users' mailboxes
– Significant costs with
Spam
Best practice:
– Filters on mail servers and/or mail clients
– Block mail from blacklisted servers
– Teach users:
  – Never respond to spam
  – Don't post an address on a web site
  – Use a second address for newsgroups
  – Know how your address will be used if you provide it: check the privacy statement
  – Use a spam filter or junk filter
Scams and hoaxes
– Create a policy that prohibits the release of sensitive information through inappropriate channels
  – Define what is sensitive
  – Define what inappropriate channels are
– Educate users
– Hoaxes seek to spread misleading information, somewhat like a chain letter
Scams and hoaxes
Issues with hoaxes:
– Uses network capacity
– Malicious hoaxes may instruct users to delete files
– Create a written policy that prohibits the forwarding of known hoaxes
– Educate users to watch out for e-mails with these headers: "Urgent", "tell all your friends", "this isn't a hoax", dire consequences, history, "FW >>>"
– Forward such e-mails to technical support
– Keep virus scanners up-to-date
Securing mail servers
Common attacks against mail servers:
– Data theft or tampering
– Denial of Service
– Spam, scams and hoaxes
– Spoofing (IPs)
– Mail relay (through unauthenticated servers)
– E-mail viruses
Protecting mail servers:
– Remove unnecessary components
– Block unused protocols
– Disable relaying from unauthenticated connections
– Configure an SMTP bridgehead server: it only receives SMTP messages from the internet and forwards them on; a single-purpose server is easier to secure
– Install virus filters and antivirus software, and keep signatures up-to-date
– Keep software up-to-date
Access control
Client access (users with mailboxes):
– POP transmits credentials in clear text
  – Use SPA (Secure Password Authentication) or APOP (Authenticated POP)
  – Use IPSec to encrypt messages and authentication
– Proprietary protocols such as MAPI: configure in a secure manner
– Web-based e-mail: configure SSL and allow only https connections
– SMTP: require authentication and use SPA
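The APOP exchange the slide recommends over plain USER/PASS, as an added example (not part of the original deck): both sides of the RFC 1939 dialogue, using a constructed user database and the hypothetical host name pop.example.test.

```python
import hashlib
import hmac

# Constructed demo credentials (not from the slides); a real server reads these from its user store.
USER_DB = {"alice": "correct horse battery staple"}

def apop_banner(pid, clock, host="pop.example.test"):
    """Server greeting per RFC 1939: '+OK ... <pid.clock@host>'. The <...> timestamp must be
    unique for every connection, because the client's digest is bound to it."""
    return "+OK POP3 server ready <%d.%d@%s>" % (pid, clock, host)

def extract_timestamp(banner):
    return banner[banner.index("<"):banner.index(">") + 1]

def apop_digest(timestamp, secret):
    """APOP digest: MD5 over the timestamp string immediately followed by the shared secret."""
    return hashlib.md5((timestamp + secret).encode()).hexdigest()

def client_plain_login(user, secret):
    """The POP3 USER/PASS pair: the password crosses the wire verbatim."""
    return ["USER %s" % user, "PASS %s" % secret]

def client_apop_login(banner, user, secret):
    """The APOP command: only the user name and a digest cross the wire."""
    return "APOP %s %s" % (user, apop_digest(extract_timestamp(banner), secret))

def server_check_apop(banner, command):
    """Server side: recompute the digest from this session's own timestamp and the stored secret.
    A digest captured from another session will not match, so replay fails."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP" or parts[1] not in USER_DB:
        return "-ERR permission denied"
    expected = apop_digest(extract_timestamp(banner), USER_DB[parts[1]])
    if hmac.compare_digest(expected.encode(), parts[2].encode()):
        return "+OK maildrop locked and ready"
    return "-ERR permission denied"
```

APOP keeps the password off the wire but requires the server to hold each secret in recoverable form and rests on MD5; the IPSec and SSL options on the slide protect the whole session instead.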
SMTP relay
– Relaying is the process of forwarding messages to another server
– Spammers may attempt to forward mail to your server for relaying to another server (this allows blacklisted servers to move spam into legitimate mail channels)
– Open relays: servers that accept and relay all traffic
Monitoring:
– Filter executable attachments such as .exe, .zip
– Monitor outgoing e-mail for confidential information
– Monitor employee communications (see the Australian Telecommunications Act)
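A relay decision rule that turns "disable relaying from unauthenticated connections" into code, plus the self-check an administrator runs to confirm the server is not an open relay; an added example with constructed domains and networks, not any particular MTA's configuration.

```python
import ipaddress
import re

RCPT_RE = re.compile(r"^RCPT TO:\s*<([^<>@\s]+)@([^<>@\s]+)>$", re.IGNORECASE)

class RelayPolicy:
    """Decides, per RCPT TO, whether this server will accept a message for delivery.
    Parameter names are ours (hypothetical), not those of a real mail server."""
    def __init__(self, local_domains, trusted_nets, relay_for_anyone=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.trusted_nets = [ipaddress.ip_network(n) for n in trusted_nets]
        self.relay_for_anyone = relay_for_anyone   # True is the open-relay misconfiguration

    def rcpt_to(self, client_ip, authenticated, command):
        m = RCPT_RE.match(command.strip())
        if not m:
            return "501 5.1.3 Bad recipient address syntax"
        domain = m.group(2).lower()
        # Inbound mail for our own mailboxes is always accepted: that is what MX points at us for.
        if domain in self.local_domains:
            return "250 2.1.5 OK"
        # Anything else is relaying: allowed only for clients we can tie to our own users,
        # i.e. authenticated sessions or connections from our internal networks.
        ip = ipaddress.ip_address(client_ip)
        if authenticated or any(ip in net for net in self.trusted_nets) or self.relay_for_anyone:
            return "250 2.1.5 OK"
        return "554 5.7.1 Relay access denied"

def is_open_relay(policy, probe_ip="203.0.113.10"):
    """Self-check: an unauthenticated client outside our networks must not be able to
    relay to a foreign domain. Returns True if the policy would let it through."""
    reply = policy.rcpt_to(probe_ip, False, "RCPT TO:<someone@elsewhere.example>")
    return reply.startswith("250")
```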
Securing clients
Common attacks against clients:
– Spoofing with a false return address
– Eavesdropping: headers and contents travel in clear text
– HTML vulnerabilities: Java, Microsoft® ActiveX, scripting
– Unpatched clients, security updates not applied
– Viruses and trojans
– Web-based e-mail that bypasses the corporate servers' security policy
Encryption and signing
PGP (Pretty Good Privacy):
– Encrypts, decrypts and signs e-mail, files, some IMs and VPNs
– Works with Exchange, Microsoft® Outlook®, Microsoft® Outlook Express®, Eudora® (Eudora is a registered trademark of QUALCOMM Incorporated) and Lotus Notes®
– No CA: you must provide your public key to partners
– You store others' public keys on a key ring stored locally
– Others encrypt with your public key, you decrypt with your private key
– Sign with your private key; others ensure integrity with your public key
S/MIME (Secure Multipurpose Internet Mail Extensions):
– Encrypts and digitally signs e-mail
– Uses PKI and certificates
Both use public key encryption (a key pair of public/private keys); both provide encryption and authentication
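The PGP key-ring model from the slide worked through in code: an added example, not PGP's own code or formats, using textbook RSA on constructed Mersenne-prime keys (far too small and unpadded, for illustration only). It shows signing with a private key, verification against a public key held on a local key ring with no CA, and wrapping a session key for a recipient.

```python
import hashlib

# Textbook RSA on Mersenne primes: far too small for real use and without padding. This is a
# constructed illustration of the PGP trust model (added here, not PGP's own code or formats).
ALICE_PRIMES = ((1 << 61) - 1, (1 << 89) - 1)
BOB_PRIMES = ((1 << 107) - 1, (1 << 127) - 1)

def generate_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, e), (n, d)               # (public key, private key)

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message):
    """Sign with your private key; anyone holding your public key can check integrity."""
    n, d = private_key
    return pow(_digest(message, n), d, n)

def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)

def encrypt_session_key(public_key, session_key):
    """PGP encrypts the message body with a random session key and wraps only that key
    with the recipient's public key; the key must be shorter than n (16 bytes here)."""
    n, e = public_key
    return pow(int.from_bytes(session_key, "big"), e, n)

def decrypt_session_key(private_key, wrapped, length=16):
    n, d = private_key
    return pow(wrapped, d, n).to_bytes(length, "big")

class KeyRing:
    """Your locally stored ring of partners' public keys; there is no CA, so each entry
    is a key the partner handed to you directly."""
    def __init__(self):
        self._keys = {}

    def add(self, name, public_key):
        self._keys[name] = public_key

    def verify_from(self, name, message, signature):
        # A signature from someone whose key is not on the ring cannot be checked at all.
        return name in self._keys and verify(self._keys[name], message, signature)
```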
Securing instant messaging
– Real-time messages, files, audio and video
– Significant security risks
Threats:
– Unencrypted data transfer: messages in clear text
– Transferred files might bypass virus scanners (on servers)
– Vulnerabilities such as buffer overflows
– Disclosure of sensitive information through social engineering
Securing instant messaging
Instant messaging security:
– Restrict the types of IM authorised for use (easier to support)
– Use an IM that supports encryption
– Create an acceptable use policy for instant messaging
– Educate users on the dangers (particularly file transfer)
– Update virus scanners and run scans
– Patch and monitor security vulnerabilities
– Maintain an IM server for internal use with no traffic to the outside
Lesson overview
– How to go about securing mail servers and clients
– How to go about securing instant messaging