
Security+ All-In-One Edition Chapter 14 – Email and Instant Messaging Brian E. Brzezicki.

Date post: 29-Dec-2015
Upload: augustus-daniels

Security+ All-In-One Edition

Chapter 14 – Email and Instant Messaging

Brian E. Brzezicki

Email

Yeah, I have nothing catchy for the first slide…

Internet (425)

The Internet has been around for a LONG time... For most of its life nobody cared about the Internet except for government, researchers and geeks like me.

The Internet was never intended for security. It was intended as a resilient network for communications. Nobody ever thought it would be used for what it’s used for today.

Email (425)

Email has been around for a LONG time as well; as such there is NO security in the SMTP protocol. It was assumed that everyone who was using Email would just “play nice”

• No Authentication

• No Encryption

Email wasn’t even intended to send anything advanced (like images, sounds, word documents). It was just intended to send text.

(more)

Email

Nowadays there are a lot of security concerns with email which we are already familiar with

• Method for sending viruses, Trojans, and worms

• Phishing attacks

• Hoaxes

• SPAM

(more)

Email Security

There is also one other major problem with email that you might not realize… Email is counted on by organizations as a means of communication; some would say it’s even mission critical. That leaves two problems that we need to discuss

• Forged email

• Compromise of confidential information sent over email

Forged Email

Forging of email is TRIVIAL in most cases.

(do example if we already did not)

What are some concerns with forged emails?

(more)

Forged Email

Can anyone think of any technologies we already discussed that can help with the email forgery problem?

Signing Email

If we use digital certificates we can sign our emails to prove it’s from us! (we’ll talk about how to do this later)

Email Encryption (431)

The other problem with email is that sensitive information might be sent over email. (SSNs, Credit Card #s etc). If we sent email that was encrypted from person to person we’d be able to solve this problem…

Email Security (431)

There are two technologies we can use to secure email, both by providing non-repudiation services and encryption services

We will talk about each of these next

• S/MIME

• PGP

S/MIME

S/MIME (431)

MIME was the original extension to email that allowed us to attach files in email, such as images and sounds and word documents etc.

S/MIME is an extension to MIME that allows for

• Integrity, privacy and sender authentication

• Uses X.509 digital certificates

• Uses RC2 or Triple DES (be aware some default to 40-bit RC2, which is very weak)

PGP (431)

PGP is a product that has been around for a while. It can provide Integrity, Security and Non-Repudiation.

It used to use a web of trust model, but now can tie into an organization’s PKI.

• Supports IDEA, 3DES, CAST

• Originally used MD5 hashes, newer versions default to the SHA series.

PGP signed message example

PGP encrypted and signed

Optional

Time permitting show how to sign or encrypt a PGP message on Linux.

Other random Email stuff (430)

Content based filtering – Some companies try to ensure that sensitive information is not sent over email. They may scan outgoing email for text that looks like SSNs or credit card numbers etc.

Real Time Black Hole Lists – explain

Grey listing – did we discuss this yet?

Instant Messaging (435)

Instant Messaging is another popular application. However there are some security concerns with IM

• Easy way to leak information out of a company

• Avenue for downloading Trojans, worms and viruses

• Often no true authentication

• Often no encryption

IM

Countermeasures

• Disable IM software, don’t allow users to install software

• Block IM ports (often hard)

• Install and maintain an organizational server if IM communications are used within an organization

Chapter 14 - Review

Q. What does a Realtime Black hole list do?

Q. What is Grey listing?

Q. Why do we need public key cryptography for email?

Q. What are the two encryption protocols that S/MIME uses?

_ _ 2 & _ _ _ S

Chapter 14 - Review

Q. What mechanisms are often used to distribute SPAM?

Q. What is phishing? What is the best countermeasure against it?

Q. Is SMTP encrypted? Does it provide user authentication?

