C10 Messaging and Web Components

Upload: danyel-olaru

Post on 04-Jun-2018


  • 8/13/2019 C10 Messaging and Web Components
    1/62
    Network and Systems Security
    Messaging and Web Components

  • 2/62 Objectives
    Describe security issues associated with e-mail.
    Implement security practices for e-mail.
    Detail the security issues of instant messaging protocols.
    Describe the functioning of the SSL/TLS protocol suite.
    Explain web applications, plug-ins, and associated security issues.
    Describe secure file transfer options.
    Explain directory usage for data retrieval.
    Explain scripting and other Internet functions that present security concerns.
    Use cookies to maintain parameters between web pages.
    Examine web-based application security issues.

  • 3/62 E-mail Usage

  • 4/62 Security of E-mail
    Originally launched insecure; remains insecure.
    Internet e-mail depends on three primary protocols: SMTP, POP3 and IMAP.
    Used as a medium to spread viruses and to forward hoaxes.
    Similar to instant messaging.

  • 5/62 Example List of Spam E-mails

  • 6/62 AOL Instant Messenger Program

  • 7/62 Malicious Code
    Can be found and dispersed by many different methods: worm, virus, Trojan horse program, botnet.

  • 8/62 Viruses Commonly Spread Through E-mail Attachments

  • 9/62 Malicious Code Protection Measures
    Antivirus e-mail scan.
    Disable preview panes and scripting support.
    Follow safe practices and procedures.
    Educate employees.

  • 10/62 Hoax E-mails
    E-mail hoaxes are mostly a nuisance, wasting everyone's time and taking up Internet bandwidth and server processing time as well.
    Sites like Snopes.com debunk such hoaxes.

  • 11/62 Famous Hoax: The Neiman-Marcus Story

  • 12/62 Unsolicited Commercial E-mail (Spam)
    Spam refers to unsolicited commercial e-mail whose purpose is the same as the junk mail you get in your physical mailbox: it tries to persuade you to buy something.
    The term spam comes from a skit on Monty Python's Flying Circus, where two people are in a restaurant that serves only the potted meat product.
    This concept of the repetition of unwanted things is the key to e-mail spam.

  • 13/62 Fighting Spam
    Ways to fight spam include:
    E-mail filtering.
    Educate users about spam.
    Cautious Internet surfing; caution towards unknown e-mail.
    Shut down open relays.
    Host/server filters.
    Blacklisting or DNSBL.
    Greylisting.
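Greylisting and DNSBL lookups from the list above, as an added Go example written for this page (not code from the slides or the cited textbook): the greylister keys on the (client IP, envelope sender, envelope recipient) triplet and defers the first delivery attempt, and DNSBLQueryName shows the reversed-octet name a mail server resolves against a blocklist zone. The zone bl.example.test and the IP addresses are constructed placeholders.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// Greylister keys on the (client IP, envelope sender, envelope recipient)
// triplet. The first delivery attempt gets an SMTP temporary failure; a
// retry arriving after minDelay is accepted and the triplet remembered.
// Real MTAs retry a 4xx, most bulk spam senders never do.
type Greylister struct {
	minDelay time.Duration
	firstTry map[string]time.Time // triplet -> time of first attempt
	passed   map[string]bool      // triplets that completed a retry
}

func NewGreylister(minDelay time.Duration) *Greylister {
	return &Greylister{minDelay: minDelay,
		firstTry: map[string]time.Time{}, passed: map[string]bool{}}
}

// Check returns true to accept the message, false for "450 try again later".
func (g *Greylister) Check(clientIP, from, to string, now time.Time) bool {
	key := strings.ToLower(clientIP + "|" + from + "|" + to)
	if g.passed[key] {
		return true
	}
	first, seen := g.firstTry[key]
	if !seen {
		g.firstTry[key] = now
		return false
	}
	if now.Sub(first) < g.minDelay {
		return false // retried too soon; keep deferring
	}
	g.passed[key] = true
	delete(g.firstTry, key)
	return true
}

// DNSBLQueryName builds the name an MTA resolves to ask a DNS-based blocklist
// about a connecting IPv4 client: octets reversed, list zone appended, so
// 192.0.2.10 against zone bl.example.test becomes 10.2.0.192.bl.example.test.
// An A record in 127.0.0.0/8 means "listed"; the zone here is a placeholder.
func DNSBLQueryName(ip, zone string) (string, error) {
	v4 := net.ParseIP(ip).To4()
	if v4 == nil {
		return "", fmt.Errorf("not an IPv4 address: %q", ip)
	}
	return fmt.Sprintf("%d.%d.%d.%d.%s", v4[3], v4[2], v4[1], v4[0], zone), nil
}
```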

  • 14/62 Mail Encryption
    Provision for confidentiality, more commonly known as privacy.
    E-mail is sent in the clear (clear text) unless the message and/or attachments are encrypted.
    E-mail content encryption methods include S/MIME and PGP.

  • 15/62 S/MIME
    Secure/Multipurpose Internet Mail Extensions (S/MIME) is a secure implementation of the MIME protocol specification. MIME was created to allow Internet e-mail to support new and more creative features.
    MIME allows e-mail to handle multiple types of content in a message, including file transfers. Every time you send a file as an e-mail attachment, you are using MIME.
    S/MIME takes this content and specifies a framework for encrypting the message as a MIME attachment.

  • 16/62 Configuration Settings in Outlook

  • 17/62 Pretty Good Privacy (PGP)
    PGP implements e-mail security in a similar fashion to S/MIME, but uses completely different protocols.
    The basic framework is the same:
    The user sends the e-mail, and the mail agent applies encryption as specified in the mail program's programming.
    The content is encrypted with the generated symmetric key, and that key is encrypted with the public key of the recipient of the e-mail for confidentiality.

  • 18/62 Pretty Good Privacy (PGP)
    PGP manages keys locally in its own software. This is where a user stores not only local keys, but also any keys that were received from other users.
    A free key server is available for storing PGP public keys.

  • 19/62 Decoding a PGP-encoded Message in Eudora

  • 20/62 Pretty Good Privacy (PGP)
    PGP has plug-ins for many popular e-mail programs, including Outlook and Qualcomm's Eudora.
    These plug-ins handle the encryption and decryption behind the scenes, and all that the user must do is enter the encryption key's passphrase to ensure that they are the owner of the key.

  • 21/62 Instant Messaging
    Technology that allows individuals to chat online.
    AOL Instant Messenger (AIM) is a prevalent chat application.

  • 22/62 Instant Messaging
    To work properly, IM has to:
    Attach to a server (typically announcing the IP address of the originating client).
    Announce your presence on the server.

  • 23/62 Instant Messaging

  • 24/62

  • 25/62 Web Protocols
    Common protocols used on the Web:

  • 26/62 Encryption (SSL and TLS)
    Secure Sockets Layer (SSL) is a general-purpose protocol developed by Netscape for managing the encryption of information being transmitted over the Internet.
    Transport Layer Security (TLS): SSL and TLS are essentially the same, although not interchangeable.
    Cryptographic methods are an ever-evolving field, and because both parties must agree on an implementation method, SSL/TLS has embraced an open, extensible, and adaptable method to allow flexibility and strength.

  • 27/62 IE 8 Security Options

  • 28/62 Encryption (SSL and TLS)
    Firefox SSL Security Options

  • 29/62 Encryption (SSL and TLS)
    Firefox SSL Cipher Options

  • 30/62 SSL/TLS Handshake

  • 31/62 How SSL/TLS Works
    IE 8 Certificate Management Options

  • 32/62 IE 8 Certificate Store

  • 33/62 Firefox Certificate Options

  • 34/62 Firefox Certificate Store

  • 35/62 SSL/TLS Attacks
    SSL/TLS is specifically designed to provide protection from man-in-the-middle attacks.
    A Trojan program that copies keystrokes and echoes them to another TCP/IP address in parallel with the intended communication can defeat SSL/TLS.

  • 36/62 The Web (HTTP and HTTPS)
    HTTP is used for the transfer of hyperlinked data over the Internet, from web servers to browsers.
    When a secure connection is needed, SSL/TLS is used and appears in the address as https://.

  • 37/62 The Web (HTTP and HTTPS)
    High-assurance notification in IE 7
    High-assurance notification in Firefox

  • 38/62 Directory Services (DAP and LDAP)
    A directory is designed and optimized for reading data, offering very fast search and retrieval operations.
    LDAP offers all of the functionality most directories need and is easier and more economical to implement.

  • 39/62 SSL/TLS LDAP
    SSL/TLS provides several important functions to LDAP services:
    Establish the identity of a data source through the use of certificates.
    Provide for the integrity and confidentiality of the data being presented.

  • 40/62 File Transfer (FTP and SFTP)
    FTP is a standard network protocol used to exchange and manipulate files over a TCP/IP-based network.
    Secure FTP (SFTP) is used when confidential transfer is required and combines both the Secure Shell (SSH) protocol and FTP.

  • 41/62 Vulnerabilities
    SSL being enabled does not mean the user is safe.
    Key loggers can record what is being typed on a user's computer before it is encrypted.
    A company's database can get hacked, releasing your information to the world.

  • 42/62 Code-based Vulnerabilities
    Buffer overflows
    Java and JavaScript
    ActiveX
    Securing the browser
    CGI
    Server-side scripts
    Cookies
    Signed applets

  • 43/62 Buffer Overflows
    The buffer overflow vulnerability is a result of poor coding practices on the part of software programmers.
    This occurs when an application can accept more input than it has assigned storage space, and the input data overwrites other program areas.

  • 44/62 Java
    Java is a computer language invented by Sun Microsystems as an alternative to Microsoft's development languages.
    Designed to be platform-independent.
    Java offered a low learning curve and a way of implementing programs across an enterprise.
    Although platform independence never fully materialized, Java has found itself to be a leader in object-oriented programming languages.
    Java can still perform malicious activities, and the fact that many users falsely believe it is safe increases its usefulness for attackers.

  • 45/62 JavaScript
    JavaScript is a scripting language developed to be operated within a browser instance.
    The primary purpose is to enable features such as validation of forms.
    Enterprising programmers found many other uses for JavaScript, such as manipulating the browser history files, now prohibited by design.
    JavaScript actually runs within the browser, and the code is executed by the browser itself.
    This has led to compatibility problems.

  • 46/62 Java and JavaScript
    Java Configuration Settings in Microsoft Internet Explorer 7

  • 47/62 Java and JavaScript
    Security Setting Functionality Issues

  • 48/62 ActiveX
    ActiveX is a broad collection of application programming interfaces (APIs), protocols, and programs developed by Microsoft.
    Used to download and execute code automatically over an Internet-based channel.
    Can enable a browser to display a custom type of information in a particular way.
    Can perform complex tasks, such as updating the operating system and application programs.

  • 49/62 ActiveX
    ActiveX Security Settings in IE 8

  • 50/62 Securing the Browser
    Added features mean weaker security.
    No browser is 100 percent safe.
    Currently Firefox coupled with the NoScript plug-in provides good protection.
    The NoScript plug-in allows the user to determine from which domains to trust scripts.

  • 51/62 CGI & Server-Side Scripts
    Common Gateway Interface (CGI) is a method for having a web server execute a program outside the web server process, yet on the same server.
    Server-side scripting allows programs to be run outside the web server and to return data to the web server to be served to end users via a web page. This is replacing CGI.

  • 52/62 Cookies
    Cookies are small chunks of ASCII text passed within an HTTP stream to store data temporarily in a web browser instance.
    A cookie is a series of name-value pairs that is stored in memory during a browser instance.
    Cookie attributes: Expires, Domain, Path, Secure.
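The four attributes on the slide are what a browser consults before sending a stored cookie back. The following added Go example (not from the slides) parses one Set-Cookie line with the standard library and then applies Expires, Domain, Path and Secure to a candidate request using the RFC 6265 matching rules; host names and paths in it are constructed.

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
	"time"
)

// ParseSetCookie turns one Set-Cookie header line (name=value plus attributes)
// into an http.Cookie using the standard library's response-header parser.
func ParseSetCookie(line string) *http.Cookie {
	resp := http.Response{Header: http.Header{"Set-Cookie": {line}}}
	if cs := resp.Cookies(); len(cs) > 0 {
		return cs[0]
	}
	return nil
}

// ShouldSend decides whether a cookie set by originHost is attached to a
// request for target at time now, applying the slide's four attributes in
// turn: Expires, Secure, Domain and Path (RFC 6265 section 5.1 matching).
func ShouldSend(c *http.Cookie, originHost string, target *url.URL, now time.Time) bool {
	if !c.Expires.IsZero() && !now.Before(c.Expires) {
		return false // expired: the browser discards it
	}
	if c.Secure && target.Scheme != "https" {
		return false // Secure cookies never travel over plain HTTP
	}
	host := strings.ToLower(target.Hostname())
	if c.Domain == "" {
		// No Domain attribute: host-only cookie, returned to the setting host alone.
		if host != strings.ToLower(originHost) {
			return false
		}
	} else {
		d := strings.ToLower(strings.TrimPrefix(c.Domain, "."))
		if host != d && !strings.HasSuffix(host, "."+d) {
			return false // neither the cookie domain nor a subdomain of it
		}
	}
	cp, rp := c.Path, target.Path
	if cp == "" {
		cp = "/"
	}
	if rp == "" {
		rp = "/"
	}
	// Path-match: identical, or the cookie path is a prefix ending on a "/" boundary,
	// so Path=/app covers /app/cart but not /application.
	return rp == cp || (strings.HasPrefix(rp, cp) &&
		(strings.HasSuffix(cp, "/") || rp[len(cp)] == '/'))
}
```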

  • 53/62 Cookies
    Firefox Cookie Management

  • 54/62 Cookies
    Microsoft Internet Explorer 7 Cookie Management

  • 55/62 Cookies
    Microsoft Internet Explorer 7 Cookie Store

  • 56/62 Signed Applets
    The ability to use a certificate to sign an applet allows the identity of the author to be established.
    A signed applet can be hijacked as easily as a graphic or any other file.
    Inlining is using an embedded control from another site with or without the other site's permission.

  • 57/62 Browser Plug-ins
    Plug-ins are small application programs that increase a browser's ability to handle new data types and add new functionality.
    Dynamic data such as movies and music can be manipulated by a wide variety of plug-ins, and one of the most popular comes from Real Networks.

  • 58/62 Browser Plug-ins
    Add-ons for IE 8

  • 59/62 Open Vulnerability and Assessment Language (OVAL)
    OVAL comprises two main elements: an XML-based machine-readable language for describing vulnerabilities, and a repository.
    Common Vulnerabilities and Exposures (CVE) is a system that provides a reference method for publicly known information-security vulnerabilities and exposures.

  • 60/62 Web 2.0 and Security
    The foundations of security apply the same way in Web 2.0 as they do elsewhere.
    With more capability and greater complexity comes a greater need for strong foundational security efforts.

  • 61/62 Summary
    Describe security issues associated with e-mail.
    Implement security practices for e-mail.
    Detail the security issues of instant messaging protocols.
    Describe the functioning of the SSL/TLS protocol suite.
    Explain web applications, plug-ins, and associated security issues.
    Describe secure file transfer options.
    Explain directory usage for data retrieval.
    Explain scripting and other Internet functions that present security concerns.
    Use cookies to maintain parameters between web pages.
    Examine web-based application security issues.
    [princ00] Principles of Computer Security: CompTIA Security+ and Beyond

  • 62/62 References
    [princ00] Principles of Computer Security: CompTIA Security+ and Beyond, Second Edition, Wm. Arthur Conklin et al., McGraw-Hill, 2010
    [gmail00] Gmail, http://www.gmail.com
    [thun00] Thunderbird, http://www.mozillamessaging.com/en-US/thunderbird/
    [enig00] Enigmail, http://enigmail.mozdev.org/home/index.php
    [gpg00] GPG, http://www.gnupg.org/
    [seti00] Setting up Thunderbird to work with Gmail and GPG, http://www.ericpuryear.com/2007/09/24/setting-up-thunderbird-to-work-with-gmail-and-gpg/
    [spam00] Dealing with Spam, http://www.us-cert.gov/cas/tips/ST04-007.html
    [hoax00] Hoax Emails, http://www.snopes.com
    [oval00] OVAL, http://oval.mitre.org/index.html
    [vir00] Virus and Spyware, http://news.zdnet.com/2422-13569_22-156290.html
    [spam01] Spam, http://news.zdnet.com/2422-13569_22-156230.html
    [mail00] Mail Encryption, http://cnettv.cnet.com/secure-your-e-mail-from-prying-eyes/9742-1_53-50004023.html
    [conf00] Conficker Worm, http://www.cbsnews.com/video/watch/?id=4905403n
    [frse00] Free Security Apps, http://cnettv.cnet.com/best-free-security-apps/9742-1_53-50002962.html