Email and Mobile Code Issues
CS432 - Security in Computing
Copyright © 2005, 2009 by Scott Orr and the Trustees of Indiana University
Section Overview
- Email architecture
- Spam countermeasures
- Browser issues
- Mobile code issues
- Code signing
References
- Security in Computing, 3rd Ed., Chapter 7 (pgs. 420-424, 442-443, 474-479)
TCP/IP-Based Email (diagram): the client submits mail to its server over SMTP, servers relay it across the Internet over SMTP, and the recipient's client retrieves it with POP or IMAP.
Email Headers (sample message; the "for" recipient and the Message-ID value are blank in the original)
Return-Path: smo@ix.netcom.com
Received: from dfw-ix4.ix.netcom.com by klingon (SMI-8.6/SMI-SVR4) id TAA24482; Sun, 2 Nov 1997 19:19:38 -0500
Received: (from smap@localhost) by dfw-ix4.ix.netcom.com (8.8.4/8.8.4) id SAA19695 for ; Sun, 2 Nov 1997 18:18:14 -0600 (CST)
Received: from ind-in13-20.ix.netcom.com(207.220.129.116) by dfw-ix4.ix.netcom.com via smap (V1.3) id rma019634; Sun Nov 2 18:18:01 1997
Message-ID:
Date: Sun, 02 Nov 1997 19:16:33 -0500
From: Scott Orr
Organization: Purdue U. CS Dept. - IUPUI
X-Mailer: Mozilla 4.03 [en] (Win95; I)
MIME-Version: 1.0
To: sorr@cs.iupui.edu
Subject: Hello from NetCom
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Content-Length: 43

Hi Scott,
You work too hard!!! :-)
~smo
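Each MTA prepends its own Received line, so the header block above is read bottom-up to reconstruct the route, and only the lines stamped by servers you control are trustworthy: a sender can insert any number of fake Received lines before handing the message over. The following is an added example, not part of the original slides; it parses the slide's own sample headers (reproduced verbatim, minus the blank Message-ID) with the Python standard library and splits the path into the trusted prefix written by the receiving host (assumed here to be "klingon") and the unverified remainder.

```python
import re
from email import message_from_string

# Header block copied from the slide's sample message (the "for" recipient is
# blank on the slide and is left blank here; the blank Message-ID is omitted).
SAMPLE = """\
Return-Path: smo@ix.netcom.com
Received: from dfw-ix4.ix.netcom.com by klingon (SMI-8.6/SMI-SVR4) id TAA24482; Sun, 2 Nov 1997 19:19:38 -0500
Received: (from smap@localhost) by dfw-ix4.ix.netcom.com (8.8.4/8.8.4) id SAA19695 for ; Sun, 2 Nov 1997 18:18:14 -0600 (CST)
Received: from ind-in13-20.ix.netcom.com(207.220.129.116) by dfw-ix4.ix.netcom.com via smap (V1.3) id rma019634; Sun Nov 2 18:18:01 1997
Date: Sun, 02 Nov 1997 19:16:33 -0500
From: Scott Orr
To: sorr@cs.iupui.edu
Subject: Hello from NetCom

Hi Scott,
You work too hard!!! :-)
~smo
"""

# "from host", "(from user@host)" and "from host(1.2.3.4)" all occur in practice.
FROM_RE = re.compile(r"\(?\bfrom\s+([^\s()]+)")
BY_RE = re.compile(r"\bby\s+([^\s()]+)")
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


def parse_received(value):
    """Pull the claimed sending host, the stamping host, any literal IP and the
    timestamp out of one Received header value."""
    clause, _, stamp = value.rpartition(";")      # text after the last ';' is the date
    clause = " ".join(clause.split())             # collapse folded whitespace
    m_from, m_by, m_ip = FROM_RE.search(clause), BY_RE.search(clause), IP_RE.search(clause)
    return {
        "from": m_from.group(1) if m_from else None,
        "by": m_by.group(1) if m_by else None,
        "ip": m_ip.group(1) if m_ip else None,
        "when": stamp.strip(),
    }


def trace_path(raw):
    """Hops oldest-first. Headers are newest-first because every MTA prepends
    its Received line, so the list is reversed to read the route."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def trusted_prefix(raw, my_hosts):
    """Walk newest-first and stop at the first Received line not written by one
    of our own hosts. Everything from there down was supplied by the peer and
    may be forged; the last trusted hop's 'from' is the peer we actually saw."""
    msg = message_from_string(raw)
    newest_first = [parse_received(v) for v in msg.get_all("Received", [])]
    trusted = []
    for hop in newest_first:
        if hop["by"] not in my_hosts:
            break
        trusted.append(hop)
    return trusted, newest_first[len(trusted):]


if __name__ == "__main__":
    for i, hop in enumerate(trace_path(SAMPLE), 1):
        print(f"hop {i}: {hop['from']} ({hop['ip']}) -> {hop['by']} at {hop['when']}")
    trusted, unverified = trusted_prefix(SAMPLE, {"klingon"})
    print(f"{len(trusted)} trusted line(s), {len(unverified)} unverified; "
          f"peer that handed us the message: {trusted[-1]['from']}")
```

The only fact "klingon" can vouch for is that dfw-ix4.ix.netcom.com connected to it; the two lower lines, including the 207.220.129.116 dial-up origin, are whatever that peer chose to send.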
Secure Email Requirements
- Message confidentiality
- Message integrity
- Sender authenticity
- Nonrepudiation
- Great use of public key cryptography
Email Spam
- Mass transmissions of electronic junk mail
  - USENET News
  - Electronic mail
- Often use legitimate systems as remailers (open relays)
- Section 227, Title 47 of the U.S. Code (47 U.S.C. § 227, the Telephone Consumer Protection Act): "It shall be unlawful for any person within the United States: (C) to use any telephone facsimile machine, computer, or other device to send an unsolicited advertisement to a telephone facsimile machine;..."
- Coalition Against Unsolicited Commercial Email (CAUCE)
Opening Spam-dora's Box
- April 12, 1994: lawyers Laurence Canter and Martha Siegel sent a message about the upcoming Green Card lottery to some 6000+ Usenet news groups in less than 90 minutes
- Arizona ISP Internet Direct received so many email complaints that its email server(s) crashed more than 15 times
- C&S's account was cancelled; they threatened to sue (although they never did)
- C&S published How to Make a Fortune on the Information Superhighway (1995)
15 years later...
- Spam (unsolicited commercial email): 72% of all email (1st Qtr. 2009)
- Phishing attacks: less than 1% of all email but growing
- Significant increase in botnets
- Top spam-sending countries:
  - United States (28.36%)
  - Spain (9.16%)
  - China (5.86%)
  - Italy (5.71%)
  - Brazil (3.8%)
- Source: Commtouch Software Online Labs
Costs of Spam
- Spammers
  - Great ROI!!!
  - Malware writer partnerships
  - Phishing
- Recipient
  - Time
  - Bandwidth
  - Storage space
Illiad's Solution to Spam... (cartoon) Source: www.userfriendly.org
SPAM Legislation
- CAN-SPAM Act of 2003
  - Label messages as "unsolicited commercial"
  - Prohibit false subject lines/header info
  - Include opt-out instructions
  - Preempt state laws
- Computer Owner's Bill of Rights
  - FTC-maintained do-not-email list (subscription-based)
  - FTC can impose civil penalties on offenders
- Wireless Telephone SPAM Protection Act
  - Prohibit sending unsolicited advertisements to wireless devices
Preventive Measures to Spam
- Personal methods
  - Don't post email addresses on web pages
  - Send unsubscribe email to spammers? (usually just confirms the address is live)
  - Configure filters within email programs
  - Third-party spam prevention lists
- System administrator methods
  - Direct contact with spammers
  - Configure filters on mail servers (RBL: real-time blackhole lists of known spam sources)
  - Block offending address blocks
Spam Filtering Techniques
- Black lists
- White lists
- Content (keyword blocking)
- Invalid addresses/header values
- Heuristics
- Bayesian filtering
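Bayesian filtering replaces a hand-written keyword list with per-token probabilities learned from the user's own mail: each word's spam and ham frequencies are combined under a naive independence assumption into one posterior spam probability. The following is an added example, not from the slides or any production filter; it implements a multinomial naive Bayes classifier with add-one smoothing and trains it on a small constructed corpus (the training messages are made up for this example).

```python
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$!]+")   # keep '$' and '!' since they carry signal in spam


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


class BayesFilter:
    """Multinomial naive Bayes over message tokens with add-one smoothing.
    Scores are accumulated as log-odds so long messages cannot underflow."""

    def __init__(self):
        self.counts = {"spam": Counter(), "ham": Counter()}
        self.messages = {"spam": 0, "ham": 0}

    def train(self, text, label):
        self.counts[label].update(tokenize(text))
        self.messages[label] += 1

    def spam_probability(self, text):
        vocab = len(set(self.counts["spam"]) | set(self.counts["ham"]))
        spam_total = sum(self.counts["spam"].values())
        ham_total = sum(self.counts["ham"].values())
        # Start from the prior odds, then multiply in the likelihood ratio of each token.
        log_odds = math.log(self.messages["spam"] / self.messages["ham"])
        for word in tokenize(text):
            p_spam = (self.counts["spam"][word] + 1) / (spam_total + vocab)
            p_ham = (self.counts["ham"][word] + 1) / (ham_total + vocab)
            log_odds += math.log(p_spam / p_ham)
        log_odds = max(min(log_odds, 700.0), -700.0)   # keep exp() in range
        return 1.0 / (1.0 + math.exp(-log_odds))        # P(spam | tokens)


# Constructed training corpus for the demonstration (not real mail).
SPAM_TRAINING = [
    "buy cheap pills now limited offer",
    "win a free prize click here now",
    "cheap loans apply now no credit check",
    "free offer click here to claim your prize",
]
HAM_TRAINING = [
    "meeting tomorrow at noon bring the lecture notes",
    "the lecture notes are attached see you in class",
    "can you review my homework before the meeting",
    "reminder class is cancelled tomorrow",
]


def build_demo_filter():
    f = BayesFilter()
    for text in SPAM_TRAINING:
        f.train(text, "spam")
    for text in HAM_TRAINING:
        f.train(text, "ham")
    return f


if __name__ == "__main__":
    f = build_demo_filter()
    for msg in ("cheap prize click now", "lecture notes for the meeting"):
        print(f"{f.spam_probability(msg):.3f}  {msg}")
```

A deployment picks a threshold (0.9 is common) and keeps training on the user's verdicts. The weakness worth knowing: because every token shifts the odds, a spammer can pad a message with words common in the target's ham ("Bayesian poisoning"), which is one reason filters combine this score with the other techniques listed above rather than relying on it alone.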
Greylisting
- Each message identified by a triplet:
  - Envelope recipient
  - Envelope sender
  - IP address of delivering host
- Delivery based on the following rules:
  - If IP address or recipient is on the whitelist, deliver the message
  - If the triplet has not been seen before, send an SMTP temporary failure (4xx) and record the triplet
  - If the time limit on the triplet has not expired, send a temporary failure again
  - If the time limit has expired, deliver the message and update its last-seen time
- Remove a triplet from the database after it has not been seen for a set period of time
- Premise: real MTAs retry after a 4xx, most spam bots do not
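The rules above are simple enough to implement directly. The following is an added example, not from the slides or any existing greylisting package; the five-minute delay and 36-hour expiry are assumed values, and the clock is injectable so the timing behaviour can be exercised without waiting.

```python
import time

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"   # SMTP temporary failure
ACCEPT = "250 OK"


class Greylister:
    """Greylisting decision for one inbound SMTP delivery attempt.

    delay:  seconds a new triplet must age before its mail is accepted (assumed 300)
    expiry: seconds after which an unseen triplet is forgotten (assumed 36 h)
    """

    def __init__(self, delay=300, expiry=36 * 3600,
                 whitelist_ips=(), whitelist_recipients=(), clock=time.time):
        self.delay = delay
        self.expiry = expiry
        self.whitelist_ips = set(whitelist_ips)
        self.whitelist_recipients = {r.lower() for r in whitelist_recipients}
        self.clock = clock
        self.triplets = {}   # (sender, recipient, ip) -> {"first": t, "last": t}

    def decide(self, envelope_sender, envelope_recipient, client_ip):
        now = self.clock()
        self._expire(now)
        # Rule 1: whitelisted source or recipient bypasses greylisting.
        if client_ip in self.whitelist_ips or envelope_recipient.lower() in self.whitelist_recipients:
            return ACCEPT
        key = (envelope_sender.lower(), envelope_recipient.lower(), client_ip)
        entry = self.triplets.get(key)
        # Rule 2: never seen, so tempfail and remember the triplet.
        if entry is None:
            self.triplets[key] = {"first": now, "last": now}
            return TEMPFAIL
        # Rule 3: retried before the delay elapsed, so tempfail again.
        if now - entry["first"] < self.delay:
            return TEMPFAIL
        # Rule 4: the sender waited and retried, so deliver and refresh last-seen.
        entry["last"] = now
        return ACCEPT

    def _expire(self, now):
        """Rule 5: drop triplets not seen for longer than the expiry window."""
        stale = [k for k, e in self.triplets.items() if now - e["last"] > self.expiry]
        for k in stale:
            del self.triplets[k]


if __name__ == "__main__":
    fake_now = [1_000_000.0]
    g = Greylister(clock=lambda: fake_now[0])
    for wait in (0, 30, 300):
        fake_now[0] += wait
        print(f"t+{wait:>3}s: {g.decide('bob@example.org', 'alice@example.com', '198.51.100.9')}")
```

Two practical caveats: large senders retry from a different host in the same pool, so deployed greylisters usually key on the /24 rather than the exact IP, and the first message from any new correspondent is delayed by at least the configured window.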
Sender Policy Framework (SPF)
- Receiving host verifies that the connecting sender is a legitimate mail server for the originating (envelope MAIL FROM) domain
- Add TXT (SPF) records to the domain's DNS
  - Domain specific
  - The "mx" mechanism covers every host with an MX record; "a", "ptr", "ip4"/"ip6" and "include" cover other and external hosts
  - Example: cs.iupui.edu. IN TXT "v=spf1 mx a:storm.cs.iupui.edu"
  - Without a terminating "-all" (or "~all") a non-matching sender gets the default "neutral" result, so the record above does not actually reject anyone
- Issues
  - Breaks email forwarding (the forwarder's IP is not in the original domain's record; SRS exists to work around this)
  - Spammers can still send messages if they have an account on the domain
  - Most major ISPs did not yet support SPF (as of 2009)
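An SPF check is a small interpreter: the receiver fetches the domain's "v=spf1" TXT record and walks its mechanisms left to right until one matches the connecting IP, returning the result named by that mechanism's qualifier. The following is an added example, not from the slides or any SPF library; it evaluates the slide's own record against a constructed DNS table (host names from the slide, addresses from the RFC 5737 documentation ranges, an assumed "mail.cs.iupui.edu" MX host) and shows both the missing-"all" default and the forwarding failure mode. It handles all, ip4, a, mx and include; ptr, exists and IPv6 are left out.

```python
import ipaddress

# Constructed DNS zone standing in for real lookups (addresses are documentation ranges).
ZONE = {
    ("cs.iupui.edu", "TXT"): ["v=spf1 mx a:storm.cs.iupui.edu"],      # record as on the slide
    ("cs.iupui.edu", "MX"): ["mail.cs.iupui.edu"],                     # assumed MX host
    ("mail.cs.iupui.edu", "A"): ["192.0.2.10"],
    ("storm.cs.iupui.edu", "A"): ["192.0.2.25"],
}
# Same zone with the record hardened by an explicit "-all".
STRICT_ZONE = {**ZONE, ("cs.iupui.edu", "TXT"): ["v=spf1 mx a:storm.cs.iupui.edu -all"]}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _host_matches(ip, host, cidr, zone):
    """True if ip falls inside any A record of host, optionally widened by /cidr."""
    for addr in zone.get((host, "A"), []):
        if ip in ipaddress.ip_network(f"{addr}/{cidr or 32}", strict=False):
            return True
    return False


def check_spf(client_ip, domain, zone=ZONE, depth=0):
    """Evaluate domain's SPF record for the connecting client_ip.
    Returns one of: none, pass, fail, softfail, neutral, permerror."""
    if depth > 10:                 # RFC 7208 caps nested lookups at 10
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    records = [r for r in zone.get((domain, "TXT"), []) if r.startswith("v=spf1")]
    if not records:
        return "none"
    for term in records[0].split()[1:]:
        qualifier = "+"            # a mechanism with no qualifier means "pass"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech_part, _, arg = term.partition(":")
        mech, _, mech_cidr = mech_part.partition("/")    # e.g. "a/24"
        target, _, arg_cidr = arg.partition("/")         # e.g. "a:host/24"
        cidr = arg_cidr or mech_cidr
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = _host_matches(ip, target or domain, cidr, zone)
        elif mech == "mx":
            mx_hosts = zone.get((target or domain, "MX"), [])
            matched = any(_host_matches(ip, mx, cidr, zone) for mx in mx_hosts)
        elif mech == "include":
            matched = check_spf(client_ip, target, zone, depth + 1) == "pass"
        else:
            matched = False        # ptr/exists/ip6 not implemented in this example
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"               # nothing matched and no explicit "all"


if __name__ == "__main__":
    forwarder_ip = "203.0.113.5"   # a third party relaying mail whose MAIL FROM is @cs.iupui.edu
    print("storm, slide record :", check_spf("192.0.2.25", "cs.iupui.edu"))
    print("forwarder, slide    :", check_spf(forwarder_ip, "cs.iupui.edu"))
    print("forwarder, with -all:", check_spf(forwarder_ip, "cs.iupui.edu", STRICT_ZONE))
```

The last line is the forwarding problem from the slide: once the record ends in "-all", every legitimate message that reaches you through a forwarder fails, because the check is performed against the IP of the last hop rather than the original sender.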
Yahoo DomainKeys (since superseded by DKIM, RFC 4871)
- Verifies the sending domain and message integrity
- Sender's mail server digitally signs the message (headers and body)
- Receiver gets the sender's public key from the sender's DNS (a TXT record under selector._domainkey.<domain>) to verify the signature
- Issues
  - The user is not authenticated, only the signing domain
  - No central certificate authority
  - DNS security? (the key is only as trustworthy as the DNS answer that delivered it)
World Wide Web Components (diagram): the user's workstation runs a browser that fetches a page ("Widget 2.0": Download Demo, Buy it Now, an order form with Name and CC # fields and Submit/Reset buttons) from the Widget web server.
Browser Security Concerns
- Rapidly developed (buggy) code
- Stores a history of visited sites
- Password caching
- Helper applications
  - External programs started to handle certain content (MIME) types
  - Helper application bugs
  - Viruses and Trojan horses
"Plug-ins"
- Loaded directly into the browser process
- Run with the user's full privileges, so full access to all data on the computer
- Written by third parties
- Security concerns
  - Rogue plug-ins
  - Trojaned copy of a "good" plug-in
  - Plug-in bugs
  - Plug-in macro languages
Java "Safety"
- Automatic garbage collection
- Built-in bounds checking
- No pointer arithmetic (references only)
- Single inheritance (of classes)
- Strong type checking
- Powerful exception handling
Java System (diagram): a program or applet downloaded from the WWW runs inside the sandbox on the Java Virtual Machine (JVM). The Byte Code Verifier checks the class file, the Class Loader loads it, and the Java Security Manager mediates its access to the Java Runtime Libraries and the host (e.g., the computer screen). Source: Web Security and Commerce, Simson Garfinkel and Gene Spafford
JavaScript Security
- Features
  - No direct access to computer file systems
  - Inability to directly open network connections to other computers
- Issues
  - Automatic submission of email via forms
  - Access to browser history information
  - Monitoring URLs accessed in other windows
Java/JavaScript Attacks
- Denial of service attacks
  - CPU and stack attacks
  - Inability to interrupt while running
  - Swap space attacks
  - Window system attacks
- Spoofing attacks
ActiveX Controls
- Types of code
  - Java bytecode
  - Native machine code (Visual Basic, C, etc.), which runs with the user's full privileges and no sandbox
- Automatically run when downloaded
- Can be digitally signed (Authenticode)
  - Helps ensure the control is from a trusted source (who wrote it)
  - Not a guarantee of safety!!! (the signature says nothing about what the code does)
Authenticode (diagram): a signed control bundles the executable program, the digital signature over it, and the author's certificate. Source: Web Security and Commerce, Simson Garfinkel and Gene Spafford