Network and Communications Security (IN3210/IN4210) …1971: Ray Tomlinson −First network email in...
-
Network and Communications Security (IN3210/IN4210)
Email Security
-
Email Foundations
-
History of Electronic Mail
● 1960s: Host-based electronic mail
● 1971: Ray Tomlinson
− First network email in the ARPANET
− First use of the “@” symbol for separation of user and host name
● 1976: 75% of ARPANET traffic is email communication
● 1982: First standards for Internet email:
− RFC 821: Simple Mail Transfer Protocol (SMTP)
− RFC 822: Internet Message Format
● 1984: Post Office Protocol (POP)
● 1986: Internet Message Access Protocol (IMAP)
● 1998: S/MIME
(Image: Ray Tomlinson. Image source: Wikipedia)
-
Message Transport System
(Figure: Sender UA → MTA → MTA → … → MTA → MDA → Receiver UA. The sender’s UA hands the mail to its MTA via SMTP, the MTAs relay it to each other via SMTP, and the receiver’s UA retrieves it from the MDA via IMAP or POP3.)
-
Message Transport System
● User Agent (UA)
− End user program for sending and receiving emails (e.g. Thunderbird)
● Message Transfer Agent (MTA)
− Server that transfers mail between mail systems
● Mail Delivery Agent (MDA)
− System for delivering email to the end user (e.g. via IMAP or local delivery)
-
Letter Structure
(Figure: a letter consists of an Envelope, a Header and a Body.)
-
Email Structure (simplified)
Received: from mail-ex12.exprod.uio.no (2001:700:100:120::74) by
 mail-ex03.exprod.uio.no (2001:700:100:52::6) with Microsoft SMTP Server (TLS)
 id 15.0.1497.2 via Mailbox Transport; Tue, 3 Sep 2019 20:50:10 +0200
...
Received: from easychair.org (m2635.contabo.net [213.136.76.235])
 by easychair.org (8.14.4/8.14.4/Debian-4.1ubuntu1.1) with ESMTP id x83Io91i008601
 for ; Tue, 3 Sep 2019 20:50:09 +0200
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 3 Sep 2019 20:50:09 +0200
From: "NordSec 2019"
To: XXX XXX
Subject: NordSec 2019 paper assignment
Sender: [email protected]
MIME-Version: 1.0

Dear XXX,
Please find below the list of papers assigned to you
for reviewing.
Best regards,
The NordSec 2019 Team.
(Slide annotation: the Received: lines are added by the MTAs on the path, the remaining fields form the header, and the text after the empty line is the body.)
-
Full MTA Path
Received: from mail-ex12.exprod.uio.no (2001:700:100:120::74) by
 mail-ex03.exprod.uio.no (2001:700:100:52::6) with Microsoft SMTP Server (TLS)
 id 15.0.1497.2 via Mailbox Transport; Tue, 3 Sep 2019 20:50:10 +0200
Received: from mail-ex11.exprod.uio.no (2001:700:100:120::73) by
 mail-ex12.exprod.uio.no (2001:700:100:120::74) with Microsoft SMTP Server
 (TLS) id 15.0.1497.2; Tue, 3 Sep 2019 20:50:10 +0200
Received: from mail-mx03.uio.no (129.240.169.59) by mail-ex11.exprod.uio.no
 (129.240.120.73) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend
 Transport; Tue, 3 Sep 2019 20:50:10 +0200
Received: from easychair.org ([213.136.76.235])
 by mail-mx03.uio.no with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
 (Exim 4.92)
 (envelope-from )
 id 1i5DsY-00049g-3U
 for [email protected]; Tue, 03 Sep 2019 20:50:10 +0200
Received: from easychair.org (m2635.contabo.net [213.136.76.235])
 by easychair.org (8.14.4/8.14.4/Debian-4.1ubuntu1.1) with ESMTP id x83Io91i008601
 for ; Tue, 3 Sep 2019 20:50:09 +0200
Content-Type: text/plain; charset="UTF-8"
Date: Tue, 3 Sep 2019 20:50:09 +0200
...
-
Email and DNS
● How does an MTA know the destination server?
● Example:
− Mail address: [email protected]
● DNS contains a resource record for mail transfer: MX
● Example:
− Domain: example.com
− DNS MX response:
▪ mail.example.com
(Zone file excerpt for example.com:)
$ORIGIN example.com.
$TTL 2d
@ IN SOA < some parameters >
 IN NS ns1.example.com.
 IN NS ns2.example.com.
 IN MX 10 mail.example.com.
ns1 IN A 192.168.0.3
ns2 IN A 192.168.0.4
mail IN A 192.168.0.5
-
Email Protocols
● Internet Message Access Protocol (IMAP)
− Protocol to access an email box (from multiple email clients)
− Standard ports:
▪ IMAP: 143
▪ IMAP over TLS: 993
− Has widely replaced the older POP3 protocol
● Simple Mail Transfer Protocol (SMTP)
− Protocol for email transmission between UAs, MTAs and MDAs
− Standard ports: 25, 587 (for submission from clients)
− Secure transport is typically not a dedicated SMTP-over-TLS port but opportunistic TLS (STARTTLS, see ESMTP below)
-
Example: SMTP
S: 220 smtp.example.com ESMTP Postfix
C: HELO relay.example.com
S: 250 smtp.example.com, I am glad to meet you
C: MAIL FROM:
S: 250 Ok
C: RCPT TO:
S: 250 Ok
C: RCPT TO:
S: 250 Ok
C: DATA
S: 354 End data with .
C: From: "Bob Example"
C: To: Alice Example
C: Cc: [email protected]
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 header fields and 4 lines in the message body.
C: Your friend, Bob
C: .
S: 250 Ok: queued as 12345
C: QUIT
S: 221 Bye
(Example source: Wikipedia)
-
Extended SMTP (ESMTP)
● Extends the original standard with a number of features, e.g. for authentication, Unicode encoding and secure transport
● Example (STARTTLS):
[establish TCP connection]
S: 220 mail.example.org ESMTP service ready
C: EHLO client.example.org
S: 250 mail.example.org offers a warm hug of welcome
S: 250 STARTTLS
C: STARTTLS
S: 220 Go ahead
[TLS handshake]
C: EHLO client.example.org [TLS secured]
(Example source: Wikipedia)
-
Multipurpose Internet Mail Extensions (MIME)
● The original email standard only permitted 7-bit US-ASCII text
● Thus, no:
− special characters from non-English languages (e.g. ü, æ, ç, ω, ж)
− binary data (e.g. graphics, audio)
● MIME allows definition of:
− content types (e.g. text, PNG, HTML)
− content encoding, e.g.
▪ base64: binary data is transcribed into 64 printable ASCII characters (see below)
▪ quoted-printable: non-ASCII characters are replaced by their hex value
▪ 8bit: no encoding, direct transmission (only supported by newer implementations)
● MIME additionally allows transport of multiple message parts
-
Detour: Base64
● Encodes binary data into the following 64 characters:
− A ... Z, a ... z, 0 ... 9, +, /
● Takes each 6-bit group of the binary input and transforms it into one character
● If the input length (in bytes) is not a multiple of 3, the output is padded with “=” or “==”
● Example:
Source text: M a n
Bits: 01001101 01100001 01101110
Sextets: 010011 010110 000101 101110 → 19 22 5 46
Base64 characters: T W F u
(Example source: Wikipedia)
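The following Python is an added illustration, not part of the lecture slides: a from-scratch Base64 encoder and decoder that reproduces the slide’s table for “Man” (sextets 19, 22, 5, 46 → TWFu) and shows where the “=” and “==” padding comes from. The standard library’s base64 module is used only to cross-check the result.

```python
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def sextets(data: bytes) -> list:
    """Cut the input bit string into 6-bit groups (the 'Sextets' row of the
    slide's table). A final incomplete group is zero-filled on the right."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 6)
    return [int(bits[i:i + 6], 2) for i in range(0, len(bits), 6)]


def b64encode(data: bytes) -> str:
    """Every 3 input bytes (24 bits) become 4 characters. If the input length is
    not a multiple of 3, the last group is short by 1 or 2 bytes and the output
    is marked with '==' or '=' so that the decoder knows how many bytes are real."""
    text = "".join(ALPHABET[s] for s in sextets(data))
    padding = (3 - len(data) % 3) % 3          # 0, 1 or 2 '=' characters
    return text + "=" * padding


def b64decode(text: str) -> bytes:
    """Reverse of b64encode: drop the padding, concatenate the 6-bit values and
    discard the fill bits that do not complete a byte."""
    bits = "".join(f"{ALPHABET.index(c):06b}" for c in text.rstrip("="))
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-written codec against the standard library."""
    return (b64encode(data) == base64.b64encode(data).decode("ascii")
            and b64decode(b64encode(data)) == data)


if __name__ == "__main__":
    for sample in (b"Man", b"Ma", b"M"):
        print(sample, sextets(sample), b64encode(sample))
    print("agrees with base64 module:", matches_stdlib(bytes(range(256))))
```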
-
Multipurpose Internet Mail Extensions (MIME)
● Example:
Content-Type: multipart/mixed; boundary="------------125573EC27547229E81181E9"
MIME-Version: 1.0

--------------125573EC27547229E81181E9
Content-Type: text/plain; charset="utf-8"; format=flowed
Content-Transfer-Encoding: 7bit

This is the content of the mail.
--------------125573EC27547229E81181E9
Content-Type: image/png; name="uio-logo.png"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="uio-logo.png"

iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKAQMAAAC3/F3+AAAABlBMVEUAAAD/+l2Z/dAAAACXBI
WXMAAA7EAAAOxAGVKw4bAAAAFUlEQVQImWP4foDhIQz9P8DwGYULAPrNEK/99dAAAAAElFTk==
--------------125573EC27547229E81181E9--
-
Security Issues and Countermeasures
-
Security Issues of Emails
● Phishing
− Extracting confidential information from the victim (e.g. passwords)
● Privacy breach
− Sender wants to track email recipients
● SPAM
− Unwanted emails (e.g. advertisement)
● Eavesdropping
− Disclosure of email contents on servers or during transport between servers
● Spoofing
− Faking the sender identity
● Malware
− Infiltrating malicious programs into the recipient’s computer
● Fraud
− Email as contact medium for deception (e.g. financial fraud)
-
Phishing
● Phishing = “Password Fishing”
− Victim receives an email with a link to a fake Web site and clicks the link
− Victim enters confidential data (e.g. passwords), assuming they are on a trusted Web site
− Attacker misuses the entered data
● The tricks …
− Sending mass emails is very easy and cheap
− Sender addresses in emails are not authenticated
− Creating Web sites and mails impersonating a trusted source is easy
− Hyperlinks to fake Web sites can be hidden in HTML mails
-
Phishing Emails
(Figure omitted)
-
Phishing Emails – UiO
(Figure omitted)
-
Phishing URLs (1)
● Attacker uses his own domain name, e.g.:
http://www.evil.net/login/
● Other possibility:
− generic DNS name (e.g. host.1234.provider.net)
− IP address
● Disadvantage:
− Easy for the victim to detect
(Advantages and disadvantages are from the viewpoint of the attacker.)
-
Phishing URLs (2)
● Attacker uses his own domain name, but disguises it with a clever sub-domain, e.g.:
http://www.online-bank.com.login.evil.net/
● Advantage:
− Simple realization
− Harder for the victim to detect
● Disadvantage:
− Most modern browsers highlight the registered domain and so simplify detection of this URL spoofing
(Figure: assume there is a real bank with the address www.online-bank.com; compare http://www.online-bank.com.login.evil.net/ with http://www.online-bank.com/)
-
Phishing URLs (3)
● The attacker registers a domain similar to the original domain, e.g.:
http://www.online-bonk.com/login/
● Advantage:
− Very hard for the victim to detect
● Disadvantage:
− Higher effort (compared to the previous approaches)
-
Phishing URLs (4)
● The attacker registers a domain looking like the original domain, e.g.:
http://www.online-bаnk.com/login/
(the “a” in “bаnk” is the Cyrillic (Russian) letter а, not the Latin a!)
● Advantage:
− Very hard for the victim to detect
● Disadvantage:
− Higher effort (compared to the previous approaches)
− Not possible with modern browsers (see below)
● Some browsers encode non-ASCII characters in Punycode:
http://www.xn--online-bnk-6qi.net/login/
-
Phishing URLs (5)
● The attacker uses the original domain:
http://www.online-bank.com/login/
● Advantage:
− Detection is impossible for the victim
● Disadvantage:
− Requires a DNS spoofing attack (see DNS chapter) → very high effort
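As an added example (ours, not from the slides), the following Python performs the kind of URL inspection a mail client or a careful user does for the five cases above, given the domain the user believes they are visiting. Assumptions: the registrable domain is approximated by the last two labels (a real client uses the Public Suffix List), an edit distance of at most 2 counts as a look-alike, and all function names are ours.

```python
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Lower-cased host name of a URL (trailing dot removed)."""
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(host: str) -> str:
    """The part the attacker actually had to register. Simplification assumed for
    this example: the last two labels. Real clients consult the Public Suffix
    List so that names such as bank.co.uk are handled correctly."""
    return ".".join(host.split(".")[-2:])


def to_punycode(host: str) -> str:
    """ASCII form of an internationalised host name: non-ASCII labels become
    'xn--' labels, which is what some browsers display (slide 4)."""
    return host.encode("idna").decode("ascii")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike registrations (bonk vs bank)."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,                 # delete ca
                               current[j - 1] + 1,              # insert cb
                               previous[j - 1] + (ca != cb)))   # substitute
        previous = current
    return previous[-1]


def inspect_url(url: str, expected_domain: str) -> list:
    """Reasons to distrust a link, given the domain the user believes they are
    visiting. An empty list means the URL itself gives no clue, which is the
    situation of slide 5 (DNS spoofing): only DNS security can help there."""
    findings = []
    if not url.lower().startswith("https://"):
        findings.append("not TLS protected")
    host = host_of(url)
    ascii_host = to_punycode(host)
    if ascii_host != host:
        findings.append(f"non-ASCII host name, really {ascii_host}")
    domain = registrable_domain(host)                # Unicode form, for comparison
    if to_punycode(domain) != expected_domain:
        if expected_domain in ascii_host:            # slide 2: hidden in a sub-domain
            findings.append(f"expected domain hidden in sub-domain of {to_punycode(domain)}")
        elif edit_distance(domain, expected_domain) <= 2:   # slides 3 and 4
            findings.append(f"look-alike domain {to_punycode(domain)}")
        else:                                        # slide 1
            findings.append(f"unrelated domain {to_punycode(domain)}")
    return findings


if __name__ == "__main__":
    for link in ("http://www.evil.net/login/",
                 "http://www.online-bank.com.login.evil.net/",
                 "http://www.online-bonk.com/login/",
                 "http://www.online-b\u0430nk.com/login/",    # Cyrillic a
                 "https://www.online-bank.com/login/"):
        print(link, "->", inspect_url(link, "online-bank.com"))
```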
-
Phishing – Countermeasures
● Some mail programs check for suspicious content
− Example: masking of the actual Web address behind a link
● Checking the To and From addresses (but these can be spoofed)
● Careful inspection of Web addresses (plus usage of TLS)
● Most important countermeasure: use of common sense!
(Figure: a mail client revealing the actual target of a link, https://ecs-org.us14.list-manage.com/track/click?id=37753b9cd9)
-
Email Tracking
● The sender might want to know: has the recipient received/read the email?
● Possibility 1: explicit request + receipt
− user must confirm mail receipt to complete a business process
− hardly used any more
● Possibility 2: implicit tracking (mainly for SPAM or phishing)
− does the email address exist?
− does the email bypass SPAM filters?
− is the recipient viewing the mail (or deleting it)?
-
Email Tracking: Images
● Many newsletters contain HTML content:
This is a multi-part message in MIME format.
------=_NextPart_655_E1CC256C.E1CC256C
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit

Hvis du ikke kan se HTML-version af nyhedsbrevet, skal du klikke på dette link:
http://rt1-t.autoemail.hm.com/r/?id=t36ae2b3,c895a0b,c895a47
------=_NextPart_655_E1CC256C.E1CC256C
Content-Type: text/html; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
-
Email Tracking: Images
● Mail program receives the email in HTML format
● HTML document contains image tags (located on the Web server of the mail sender)
− e.g.:
● Mail program downloads the images for rendering the HTML mail
● Web server owner (= mail sender) logs the request and can analyze the URL
-
Email Tracking: Images
● In all newsletters:
− https://s1-cdn.hm.com/global/assets/1.0.112/images/social/twitter-box.png
● Newsletter 1:
− https://lpe.hm.com/hmoces?set=locale[no_no]&set=imageUrl[https://aemcomm.hm.com/content/dam/hm/Seasonal Images Email/Seasonal Images May 2019/6059-1.50-Customer-On-Boarding-3x2-1400x934px-5.jpg/_jcr_content/renditions/cq5dam.web.750.750.jpeg]&set=width[750]&call=url[https://s1-cdn.hm.com/global/image-chains/1.1.253/price-module-image-v2/desktop.chain]&auth=hash[e5be3db9]
● Newsletter 2:
− https://lpe.hm.com/hmoces?set=locale[no_no]&set=imageUrl[https://aemcomm.hm.com/content/dam/hm/Seasonal Images Email/Seasonal Images May 2019/6059-1.50-Customer-On-Boarding-3x2-1400x934px-5.jpg/_jcr_content/renditions/cq5dam.web.750.750.jpeg]&set=width[750]&call=url[https://s1-cdn.hm.com/global/image-chains/1.1.253/price-module-image-v2/mobile.chain]&auth=hash[87882c29]
-
Email Tracking: Links
● Link to “Today’s Headlines”
● Newsletter 1:
− https://nl.nytimes.com/f/a/otsqCtxeBjREdiEiVRSdZA~~/...
● Newsletter 2:
− https://nl.nytimes.com/f/a/aKN5MabIovCe_iU3KL9SBw~~/...
-
Email Tracking ... as a Service
(Figure omitted)
-
Email Tracking: Countermeasures
(Figure omitted)
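An added example (ours, not from the slides): Python that builds a constructed newsletter in the MIME shape shown on the MIME and tracking slides above (a 7bit text part, a quoted-printable HTML alternative containing a per-recipient tracking image, and a base64 PNG attachment), walks its parts, lists the remote images a mail client would fetch when rendering it, and applies the client-side countermeasure of neutralising those references. All addresses, URLs and the tracking id are made up.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit


class RemoteImageCollector(HTMLParser):
    """Collect the src of every <img> that points to a remote http(s) server."""

    def __init__(self):
        super().__init__()
        self.remote = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            src = dict(attrs).get("src") or ""
            if urlsplit(src).scheme in ("http", "https"):
                self.remote.append(src)


def build_sample_newsletter() -> bytes:
    """Constructed multipart/mixed message: text part (7bit), HTML alternative
    (quoted-printable) with one remote tracking image and one inline image,
    and a base64 attachment holding just the PNG signature bytes."""
    msg = EmailMessage()
    msg["From"] = "newsletter@example.net"
    msg["To"] = "recipient@example.org"
    msg["Subject"] = "Newsletter"
    msg.set_content("If you cannot see the HTML version, follow the link.")
    msg.add_alternative(
        '<p>Hello!</p><img src="https://track.example.net/open?id=t36ae2b3,c895a0b">'
        '<img src="cid:logo">', subtype="html", cte="quoted-printable")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png",
                       filename="uio-logo.png")
    return msg.as_bytes()


def analyse(raw: bytes) -> dict:
    """Walk the MIME tree: record each part's content type and transfer encoding,
    decode the HTML part to find remote images, and decode attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts, remote_images, attachments = [], [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        cte = part.get("Content-Transfer-Encoding")
        parts.append((ctype, str(cte) if cte is not None else None))
        if part.is_multipart():
            continue
        if ctype == "text/html":
            collector = RemoteImageCollector()
            collector.feed(part.get_content())        # decoded from quoted-printable
            remote_images.extend(collector.remote)
        elif part.get_content_disposition() == "attachment":
            attachments.append((part.get_filename(), part.get_content()[:8]))  # base64 decoded
    return {"parts": parts, "remote_images": remote_images, "attachments": attachments}


def strip_remote_images(html: str) -> str:
    """Client-side countermeasure ('do not load remote content'): remove remote
    <img> tags so that rendering the mail triggers no request to the sender."""
    return re.sub(r'<img\b[^>]*\bsrc="https?://[^"]*"[^>]*>', "", html, flags=re.IGNORECASE)


if __name__ == "__main__":
    report = analyse(build_sample_newsletter())
    for ctype, cte in report["parts"]:
        print(f"{ctype:22} {cte}")
    print("remote images fetched on rendering:", report["remote_images"])
    print("attachments:", report["attachments"])
```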
-
SPAM
(Figures omitted. Image source: spamlaws.com)
-
Message Transport System (original)
(Figure: Sender UA → MTA → open relay MTA → MTA → MDA → Receiver UA, with the From: address shown at the MTAs. An open relay forwards mail from any sender, so the From: address is not tied to the MTA that relays it.)
-
Message Transport System (nowadays)
(Figure: Sender UA → MTA → MTA/MDA → Receiver UA. The receiving MTA accepts mail with a From: address in the example.com domain only from the MTA of the example.com domain.)
-
Message Transport System (nowadays)
(The full Received: header chain from the “Full MTA Path” slide is shown again here: easychair.org → mail-mx03.uio.no → mail-ex11.exprod.uio.no → mail-ex12.exprod.uio.no → mail-ex03.exprod.uio.no.)
-
Message Transport System (nowadays)
(Figure: Sender UA → MTA → MTA → MTA/MDA → Receiver UA. The sending MTA claims “I am the MTA of domain example.com” for mail From: an example.com address: MTAs must authenticate!)
-
Sender Policy Framework (SPF)
● Every domain defines a list of allowed sending MTAs
● The list is published in the domain’s DNS
● Receiving MTA checks if the sending MTA is on the SPF list
(Figure: the receiving MTA looks up example.com in DNS and obtains the list of permitted sender addresses 129.240.10.33, 129.240.10.34, …)
-
SPF Example: UiO
● SPF record of uio.no (stored as TXT resource record in DNS):
v=spf1 mx ip4:129.240.10.0/25 ip6:2001:700:100:10::/64 ip6:2001:700:100:8210::/64 include:spf.uio.no ?all
● Received: header of an email sent from a UiO address:
Received: from mail-out02.uio.no (mail-out02.uio.no [129.240.10.71])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 by mx4.xxx.xx (Postfix) with ESMTPS id E4F771F884
 for ; Sun, 6 Oct 2019 14:04:50 +0200 (CEST)
● Receiving MTA has checked SPF (result also included in the mail header):
Authentication-Results: mx4.xxx.xx;
 spf=pass (mx4.xxx.xx: domain of [email protected] designates 129.240.10.71 as permitted sender)
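An added example (ours, not from the slides or any mail software) of how a receiving MTA evaluates the uio.no record above, in Python. Assumptions: DNS is replaced by a constructed in-memory table, the MX/A entries, the spf.uio.no record, the receiver name mx4.example.net and the address someone@uio.no are made up, and only the mechanisms needed for the slide (mx, ip4, ip6, include, all, plus a) are implemented.

```python
import ipaddress

# Constructed stand-in for DNS. A real implementation issues live TXT, MX and
# A/AAAA queries; only the uio.no TXT record below is taken from the slide,
# the other entries are made up for this example.
FAKE_DNS = {
    "txt": {
        "uio.no": "v=spf1 mx ip4:129.240.10.0/25 ip6:2001:700:100:10::/64 "
                  "ip6:2001:700:100:8210::/64 include:spf.uio.no ?all",
        "spf.uio.no": "v=spf1 ip4:192.0.2.0/24 -all",
    },
    "mx": {"uio.no": ["mail-mx03.uio.no"]},
    "a": {"mail-mx03.uio.no": ["129.240.169.59"]},
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for the connecting MTA `sender_ip`.

    Mechanisms are tried left to right; the first match decides the result via
    its qualifier (+ pass, - fail, ~ softfail, ? neutral). No match at all gives
    'neutral', a domain without an SPF record gives 'none'."""
    if depth > 10:                        # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = FAKE_DNS["txt"].get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            matched = ip.version == network.version and ip in network
        elif mechanism == "a":
            matched = str(ip) in FAKE_DNS["a"].get(argument or domain, [])
        elif mechanism == "mx":
            hosts = FAKE_DNS["mx"].get(argument or domain, [])
            matched = any(str(ip) in FAKE_DNS["a"].get(h, []) for h in hosts)
        elif mechanism == "include":      # recurse; only a 'pass' counts as a match
            matched = spf_check(argument, sender_ip, depth + 1) == "pass"
        else:                             # exists, ptr, redirect= ... not needed here
            matched = False
        if matched:
            return RESULT[qualifier]
    return "neutral"


def authentication_results(receiver: str, mail_from: str, sender_ip: str) -> str:
    """Header line a receiving MTA adds, in the style of the slide."""
    domain = mail_from.rpartition("@")[2]
    return (f"Authentication-Results: {receiver}; spf={spf_check(domain, sender_ip)} "
            f"({receiver}: domain of {mail_from}, sender {sender_ip})")


if __name__ == "__main__":
    # someone@uio.no and mx4.example.net are constructed sample values
    for sender in ("129.240.10.71", "129.240.169.59", "2001:700:100:10::25",
                   "192.0.2.5", "198.51.100.7"):
        print(authentication_results("mx4.example.net", "someone@uio.no", sender))
```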
-
DomainKeys Identified Mail (DKIM)
● Sending MTA digitally signs (parts of) outgoing emails
● The corresponding public key is published in the domain’s DNS
● Receiving MTA downloads the public key and verifies the signature
(Figure: the receiving MTA looks up the key of example.com in DNS: k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAO...)
-
DKIM Example: Google Mail
● DKIM record of Google Mail (in DNS):
k=rsa; p=MIIBIjAN...YRJQqR" "tqEgSiJ+...DA/QAB
● DKIM-Signature header of an email sent from a Google Mail address:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20161025;
 h=mime-version:from:date:message-id:subject:to;
 bh=OdI9XMdK6yLSftJKNtdmXt6Wt+JqJWNfaLu0qvcMd98=;
 b=TbjoDJda8/UX3 ... Afy3Yqlg/==
● Receiving MTA has checked the DKIM signature (result also included in the mail header):
Authentication-Results: mx4.xxx.xx;
 dkim=pass header.d=gmail.com header.s=20161025 header.b=TbjoDJda;
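As an added example (ours, not from the slides or any DKIM library), the following Python performs the first step a receiving MTA takes when checking a DKIM-Signature like the one above: it parses the tag list and recomputes the body hash bh= with the body canonicalization named in c=. Verifying the RSA signature b= (which needs the public key from DNS) is not shown; the sample body and the example.com signature tags are constructed.

```python
import base64
import hashlib
import re

# Tags of the slide's DKIM-Signature header (the b= value is elided on the slide)
SLIDE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; "
                   "h=mime-version:from:date:message-id:subject:to; "
                   "bh=OdI9XMdK6yLSftJKNtdmXt6Wt+JqJWNfaLu0qvcMd98=;")

# Constructed sample body for the round trip below
SAMPLE_BODY = "Dear XXX,\r\nPlease find below   the list of papers.\r\n\r\n"


def relaxed_body(body: str) -> str:
    """RFC 6376 'relaxed' body canonicalization: runs of whitespace within a line
    become one space, trailing whitespace per line is removed, trailing empty
    lines are dropped and a non-empty body ends with exactly one CRLF."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ")
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def simple_body(body: str) -> str:
    """RFC 6376 'simple' body canonicalization: only trailing empty lines are
    removed; an empty body becomes a single CRLF."""
    return body.replace("\r\n", "\n").rstrip("\n").replace("\n", "\r\n") + "\r\n"


def body_hash(body: str, canon: str = "relaxed", algorithm: str = "sha256") -> str:
    """The bh= value: base64(hash(canonicalized body))."""
    data = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    digest = hashlib.new(algorithm, data.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(header_value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; folding whitespace inside the
    b= and bh= values is removed."""
    tags = {}
    for item in header_value.split(";"):
        name, _, value = item.partition("=")
        if name.strip():
            tags[name.strip()] = "".join(value.split())
    return tags


def body_hash_matches(dkim_signature: str, body: str) -> bool:
    """A mismatch means the body was changed in transit (or by a mailing list);
    checking the b= signature would then be pointless."""
    tags = parse_dkim_signature(dkim_signature)
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    algorithm = tags.get("a", "rsa-sha256").partition("-")[2]
    return body_hash(body, body_canon, algorithm) == tags["bh"]


def example_signature(body: str) -> str:
    """Constructed signature tags for `body` (signer example.com, selector 'sel');
    b= is left empty because no private key is involved in this example."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel; "
            f"h=from:to:subject; bh={body_hash(body)}; b=")


if __name__ == "__main__":
    print("slide bh=", parse_dkim_signature(SLIDE_SIGNATURE)["bh"])
    print("sample body bh=", body_hash(SAMPLE_BODY))
    print("unchanged body matches:", body_hash_matches(example_signature(SAMPLE_BODY), SAMPLE_BODY))
    print("altered body matches:", body_hash_matches(example_signature(SAMPLE_BODY), SAMPLE_BODY + "P.S.\r\n"))
```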
-
Domain-based Message Authentication, Reporting and Conformance (DMARC)
● The sending domain specifies whether it supports DKIM and/or SPF and what shall happen if one of the checks fails
● Additionally, DMARC enforces the “alignment” of the mail address domain and the authenticated domain
(Figure: the receiving MTA looks up the DMARC policy of example.com in DNS: p=none; pct=100; rua=mailto:[email protected])
-
SPAM
● It is still possible to send SPAM:
− Register a domain for SPAM purposes
− Sloppy configuration of mail servers
− Sending emails via botnets
● Further SPAM detection mechanisms:
− Black-/white-lists of email domains (e.g. dnswl.org)
− Inspection of email content (rule based or using machine learning):
▪ typical ad keywords
▪ suspicious formatting (e.g. white text on white background, using encoding to hide content)
▪ suspicious attachments
-
SPAM
● Most SPAM detection systems calculate a “SPAM score” using a bonus/malus system (based on the mechanisms presented before)
● If the total score exceeds a threshold, the mail is probably SPAM
X-Spam-Report: Content analysis details: (5.8 points)
 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW      RBL: Sender listed at https://www.dnswl.org/, low trust [212.227.15.19 listed in list.dnswl.org]
 5.0 URIBL_HEDBL_SPAM_2     Contains an URL listed in the HEDBL blocklist [URIs: responsys.net]
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
 0.1 HTML_MESSAGE           BODY: HTML included in message
-0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from author's domain
-0.1 DKIM_VALID             Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature, not necessarily valid
 0.0 FROM_EXCESS_BASE64     From: base64 encoded unnecessarily
 1.5 THIS_AD                "This ad" and variants
-
S/MIME
● Method for encrypting and digitally signing email content by the sender
● Advantages:
− End-to-end integrity, authenticity and confidentiality
− Supported by most email clients
● Disadvantages:
− “Official” certificate required
− Identification to the CA is much more complicated than on the Web
− Key management: the private key must be installed on all email devices
− Email headers (e.g. From and To) remain readable
● Current state:
− Only used in some enterprises or universities (with their own CA)
-
Pretty Good Privacy (PGP)
● Method for encrypting and digitally signing
● Used for software integrity (signatures) and email security
● Trust model (no “official” CA certificate required):
− Direct trust (requires careful checking of the received certificate) → anyone can sign a certificate they trust and (re-)publish it
− Web of trust: if there exists a path of direct trust to a certificate, you can also trust it (indirect trust)
● Advantage:
− No identification to a CA required
(Image source: Wikipedia)
-
Pretty Good Privacy (PGP)
● Disadvantages:
− Not (natively) supported by major email clients
− Complex key management (“Whom shall I trust?”)
− Many cryptographic and implementation flaws (e.g. EFAIL)
− Publication of a certificate with a huge number of signatures offers a possibility for DoS attacks on PGP clients
● Current state:
− For email security only used in small communities
(Image source: vice.com)
-
Malware
● Email is still the main infection source for malware
● Example: Locky
(Image source: mcafee.com)
-
Fraud
● Famous example: Nigeria scam
-
Summary
● The email system has many security issues
● Typical security mechanisms:
− Confidentiality, integrity:
▪ MTA to MTA: TLS
▪ End to end: (practically) nothing
− Authenticity:
▪ MTA to MTA: DKIM, SPF
▪ End to end: (practically) nothing
− Availability: SPAM detection (+ MTA authentication)
− Trustworthy content:
▪ Backend: virus detection (e.g. email sandboxing)
▪ Client: URL inspection
▪ User: common sense