email and web security
The first e-mail message was sent in 1971 by an engineer named Ray Tomlinson.
WHAT IS EMAIL?
• E-Mail: electronic mail
• A method of exchanging messages in digital form.
• E-mail systems are based on a store-and-forward method in which e-mail servers accept, forward, deliver and store messages on behalf of users.
• Users only need to connect to the internet through a computer for the duration of message submission or retrieval.
Email Service Providers
SECURITY FEATURES OF SOME EMAIL SERVICE PROVIDERS
FILTERS
MULTIPLE SIGN-IN
With multiple sign-in, you can sign in to up to ten accounts in the same web browser. If you sign out of any Google product from any of your accounts, you'll be signed out of all your Google Accounts at once.
Security issue: if one account is compromised, every account signed in to that browser is at risk.
AUTHORISING APPLICATIONS & SITES
Activating this feature allows non-Google websites and applications to access your account and sync with your data.
Security issue: Google doesn't review or endorse any third-party websites, so make sure you trust the website and understand Google's privacy policy before approving.
2-STEP VERIFICATION
It adds a layer of security to your Google Account by requiring access to your phone, as well as your username and password, when you sign in. If someone steals or guesses your password, that person can't sign in to your account because they don't have your phone.
Caveat: a one-time code typed into a phishing page can be relayed by the attacker to the real site within its validity window, so 2-step verification with SMS or app codes blunts password theft but does not by itself defeat a live phishing site; phishing-resistant factors such as hardware security keys are needed for that.
MAKE SURE YOU READ
Terms of usage policy – outlines how you are supposed to use Google's platform. Mandatory to provide under Indian Cyber Law (Sec. 79).
Privacy policy – outlines the information that Google collects and how they use it. Mandatory to provide under Indian Cyber Law (Sec. 43A).
SIGN-IN SEAL
A sign-in seal is a secret message or photo that Yahoo! will display on this computer only.
Look for it every time you sign in, to make sure you're on a genuine Yahoo! site.
If the message, photo, or colors are different, you may have landed on a phishing site.
PHISHING - A PRACTICAL CASE STUDY
WHAT IS PHISHING?
Phishing involves fraudulently acquiring sensitive information (e.g. passwords, credit card details, etc.) by masquerading as a trusted entity.
THE SITES
www.noodlebank.com (i.e. NOODLEBANK.com) and www.nood1ebank.com (i.e. NOOD1EBANK.com). The only difference is that the lowercase letter l in the genuine name has been replaced by the digit 1 in the fake one; in many fonts the two are almost indistinguishable.
THE REAL SITE
THE SPOOFED EMAIL
THE SPOOFING
The link appears as www.noodlebank.com (i.e. NOODLEBANK.com), but actually it links to www.nood1ebank.com (i.e. NOOD1EBANK.com).
THE FAKE SITE
THE “STEAL”
• When Debasis entered his username and password at the spoofed website, they were sent across to the criminal carrying out the phishing attack.
MORE EXAMPLES…
• In this case study, the user was enticed with a misleading URL. Such URLs can be created easily with simple HTML, because the visible link text and the href target are independent of each other:
<a href="http://www.nood1ebank.com">http://www.noodlebank.com</a>
• This link displays the correct URL, but clicking it takes the user to the spoofed site. Hovering over the link (or checking the browser's status bar) reveals the real target.
USING A URL WITH AN IP ADDRESS
http://www.noodlebank.com@67.19.217.53
This URL does not lead to noodlebank.com; it leads to the website at the IP address 67.19.217.53. Everything between http:// and the @ is parsed as user-info (a username for HTTP authentication), not as the host name, so the browser connects to whatever follows the @.
USING A SPLIT DOMAIN NAME
http://www.NOODLEBANK.com.securitycheck.secure-login.nood1ebank.com/login.asp
This URL does not lead to noodlebank.com; it leads to the spoofed website. Domain names are read from the right: the registered domain here is nood1ebank.com, and www.NOODLEBANK.com.securitycheck.secure-login is merely a chain of subdomains that the owner of nood1ebank.com can name freely.
USING AN OBFUSCATED URL
http://www.NOODLEBANK.com%00@%36%37%2e%31%39%2e%32%31%37%2e%35%33
This URL does not lead to noodlebank.com; it leads to the website at the IP address 67.19.217.53. It combines the @ trick above with percent-encoding: %36%37%2e%31%39%2e%32%31%37%2e%35%33 is the string 67.19.217.53 written byte by byte in hexadecimal, which the browser decodes before connecting, and the %00 (a NUL byte) exploited a display bug in some older browsers that truncated the address bar after the apparent bank name.
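The following is an added example, not code from the original slides: a small checker for every link trick in this section (the HTML anchor whose text and href disagree, the user@host trick, the split domain name, the percent-encoded host, and the l/1 look-alike name). It uses the WHATWG URL parser built into Node.js and browsers, so the host it reports is the one a browser would actually connect to. NOODLEBANK is the hypothetical bank from the case study; the trusted host, flag names and sample inputs are constructed for illustration.

```javascript
// Added example (not from the slides): classify phishing-style URL tricks.
// Assumes Node.js with the global WHATWG URL class. www.noodlebank.com is the
// hypothetical bank from the case study; all samples are constructed.

const TRUSTED_HOST = "www.noodlebank.com";

// Authority part of a raw URL (between "scheme://" and the first "/", "?" or "#").
function authorityOf(raw) {
  return raw.replace(/^[a-z][a-z0-9+.-]*:\/\//i, "").split(/[/?#]/)[0];
}

// Registrable domain approximated as the last two labels (a production checker
// would consult the public-suffix list instead).
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Map the digits most often used as look-alike characters back to letters.
function deHomoglyph(name) {
  return name.replace(/1/g, "l").replace(/0/g, "o");
}

// Returns the host the browser would connect to plus a list of flag codes.
function analyzeUrl(raw) {
  const flags = [];
  let url;
  try {
    url = new URL(raw);
  } catch (e) {
    return { host: null, flags: ["unparseable"] };
  }
  // The parser lower-cases and percent-decodes the host; decode once more
  // defensively in case an implementation leaves %XX escapes in hostname.
  let host = url.hostname.toLowerCase();
  try { host = decodeURIComponent(host); } catch (e) { /* keep as is */ }

  if (url.username !== "" || url.password !== "") {
    // Text before "@" is user-info, not the host: http://www.noodlebank.com@67.19.217.53
    flags.push("userinfo-before-at");
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    flags.push("ip-address-host");
  }
  if (/%[0-9a-f]{2}/i.test(authorityOf(raw))) {
    flags.push("percent-encoded-authority");
  }
  const trustedReg = registrableDomain(TRUSTED_HOST);
  const reg = registrableDomain(host);
  if (host !== TRUSTED_HOST && host.includes(TRUSTED_HOST)) {
    // e.g. www.noodlebank.com.securitycheck.secure-login.nood1ebank.com
    flags.push("trusted-name-as-subdomain");
  }
  if (reg !== trustedReg && deHomoglyph(reg) === deHomoglyph(trustedReg)) {
    flags.push("lookalike-domain");
  }
  return { host, flags };
}

// For an HTML anchor whose visible text is itself a URL, compare the host the
// text shows with the host the href really points at.
function checkAnchor(html) {
  const m = /<a\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))[^>]*>([\s\S]*?)<\/a>/i.exec(html);
  if (!m) return { mismatch: false, reason: "no anchor" };
  const href = m[1] || m[2] || m[3];
  const target = analyzeUrl(href);
  let textHost = null;
  try { textHost = new URL(m[4].trim()).hostname.toLowerCase(); } catch (e) { /* not a URL */ }
  if (textHost === null) return { mismatch: false, reason: "link text is not a URL" };
  return { mismatch: textHost !== target.host, textHost, hrefHost: target.host, flags: target.flags };
}

// Constructed samples mirroring the slide's examples.
const SAMPLES = [
  '<a href="http://www.nood1ebank.com">http://www.noodlebank.com</a>',
  "http://www.noodlebank.com@67.19.217.53",
  "http://www.NOODLEBANK.com.securitycheck.secure-login.nood1ebank.com/login.asp",
  "http://www.NOODLEBANK.com%00@%36%37%2e%31%39%2e%32%31%37%2e%35%33",
  "http://www.noodlebank.com/login",
];

for (const s of SAMPLES) {
  console.log(s, "=>", s.startsWith("<a") ? checkAnchor(s) : analyzeUrl(s));
}
```

Run it with `node` and compare the reported host with the name a user would read off the link text; the genuine login URL at the end of the list produces no flags, while each trick from the slides produces at least one.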
HEX TO ASCII CONVERTER
http://www.dolcevie.com/js/converter.html
TEST
www.phish-no-phish.com
SENDING FAKE EMAILS http://mailz.funmaza.co.uk/ http://deadfake.com/Send.aspx
UNDERSTANDING FAKE MAIL
E-mail header analysis – the email header is the information that travels with every email, containing details about the sender, the route the message took, and the receiver.
ANALYZING HEADERS
To see the Gmail header, click on the arrow button next to the "Reply" option, then click "Show original".
Header of the mail sent by using "fakemailer"
Analyse the Message-ID
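As an added example that is not part of the original slides, the parser below does the header analysis described above on a raw header: it unfolds the lines, reads the Received chain bottom-up (each relay prepends its own Received line, so the last one is the first hop), and compares the domains of From, Return-Path and Message-ID. A mail sent through a fake-mailer typically shows a From domain that disagrees with the Message-ID and Return-Path domains, and a first hop from a host unrelated to the claimed sender. The sample header, its hosts, IP addresses (RFC 5737 documentation ranges) and addresses are constructed; noodlebank.com is the hypothetical bank from the case study.

```javascript
// Added example (not from the slides): extract the forgery indicators from a
// raw e-mail header. SAMPLE_HEADER is constructed; hosts, IPs and addresses
// are hypothetical, noodlebank.com is the bank from the case study.

const SAMPLE_HEADER = [
  "Return-Path: <bounce@fakemailer.example.net>",
  "Received: from mx.example.net (mx.example.net [192.0.2.10])",
  "\tby mail.example.org with ESMTP id k7Hq2n",
  "\tfor <debasis@example.org>; Mon, 1 Jan 2024 10:00:05 +0000",
  "Received: from fakemailer.example.net (unknown [203.0.113.7])",
  "\tby mx.example.net with SMTP id 3fA9x;",
  "\tMon, 1 Jan 2024 10:00:01 +0000",
  'From: "Noodle Bank Security" <alerts@noodlebank.com>',
  "To: debasis@example.org",
  "Subject: Urgent: verify your account",
  "Message-ID: <20240101100000.4711@fakemailer.example.net>",
  "Date: Mon, 1 Jan 2024 10:00:00 +0000",
].join("\r\n");

// Unfold RFC 5322 folded lines (continuations start with whitespace) and
// return [{name, value}] in header order, keeping repeated fields.
function parseHeader(raw) {
  const fields = [];
  for (const line of raw.split(/\r?\n/)) {
    if (/^[ \t]/.test(line) && fields.length) {
      fields[fields.length - 1].value += " " + line.trim();
    } else {
      const i = line.indexOf(":");
      if (i > 0) fields.push({ name: line.slice(0, i).trim(), value: line.slice(i + 1).trim() });
    }
  }
  return fields;
}

// First field with the given name (case-insensitive), or null.
function get(fields, name) {
  const f = fields.find(x => x.name.toLowerCase() === name.toLowerCase());
  return f ? f.value : null;
}

// Domain of an addr-spec or Message-ID, e.g. 'Name <a@b.com>' -> "b.com".
function domainOf(value) {
  if (!value) return null;
  const m = /<([^>]+)>/.exec(value);
  const spec = m ? m[1] : value.trim();
  const at = spec.lastIndexOf("@");
  return at < 0 ? null : spec.slice(at + 1).toLowerCase();
}

// Received hops in delivery order: the last Received header is the first hop.
function receivedChain(fields) {
  return fields
    .filter(f => f.name.toLowerCase() === "received")
    .map(f => {
      const from = /^from\s+(\S+)/i.exec(f.value);
      const ip = /\[(\d{1,3}(?:\.\d{1,3}){3})\]/.exec(f.value);
      return { from: from ? from[1] : null, ip: ip ? ip[1] : null, raw: f.value };
    })
    .reverse();
}

// Compare the sender domains that a fake-mailer cannot keep consistent.
function assessHeader(raw) {
  const fields = parseHeader(raw);
  const fromDomain = domainOf(get(fields, "From"));
  const returnPathDomain = domainOf(get(fields, "Return-Path"));
  const messageIdDomain = domainOf(get(fields, "Message-ID"));
  const hops = receivedChain(fields);
  const findings = [];
  if (returnPathDomain && returnPathDomain !== fromDomain) findings.push("return-path-domain-mismatch");
  if (messageIdDomain && messageIdDomain !== fromDomain) findings.push("message-id-domain-mismatch");
  if (fromDomain && hops.length && hops[0].from && !hops[0].from.toLowerCase().endsWith(fromDomain)) {
    findings.push("first-hop-not-sender-domain");
  }
  return { fromDomain, returnPathDomain, messageIdDomain, hops, findings };
}

console.log(assessHeader(SAMPLE_HEADER));
```

Paste the text from "Show original" into SAMPLE_HEADER to analyse a real message. None of these checks is proof on its own (legitimate bulk senders also use third-party Return-Path domains), but a mail claiming to come from a bank whose first hop, Return-Path and Message-ID all point at an unrelated host is the pattern a fake-mailer leaves behind.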
Email Bombing
EMAIL FRAUDS
Bogus offers (e.g. "Vigra @ 80% discount price")
Requests for help (e.g. an email promising a share of treasure)
Lottery scams
Confidence tricks
Get-rich-quick schemes
Money mules
AVOIDING EMAIL FRAUD
Keep one's email address as secret as possible
Use a spam filter
Notice the spelling errors in the body of the "official-looking" email
Ignore unsolicited emails of all types, simply deleting them
Don't be greedy, since greed is often the element that allows one to be "hooked"