Chapter 16: Email and Instant Messaging

Email Hygiene

All email should be scanned for malware, spam, and other unwanted items before it truly enters the email system in an organization. This reduces risk and also the costs of backup. With spam compromising the majority of received emails, not having to back it up saves a lot of space.

Modern Instant Messaging Systems

Instant Messaging in an application that can increase productivity by saving communication time, but it's not without risks. The protocol sends messages in plaintext and thus fails to preserve their confidentiality. It also enables the sharing of files between clients, Thus allowing a backdoor access method for files. The best ways in which to protect yourself on an IM network are similar to those for all internet applications: -Avoid communication with unknown persons. -Avoid running any program you are unsure of. -Do not write anything you wouldn't want posted with your name on it. Information disclosure is another security threat enterprises face via these applications.

Malicious Code

Virus and worms are popular programs because they make themselves popular. When virus were constrained to only one computer, they attempted to spread by attaching themselves to every executable program that they could find. Notes: Viruses and worms both can carry malicious payloads and cause damage. The difference is in how they are transmitted: 1. Viruses require a file to infect. 2. Worms can exist independently of a file.

MIME

When a message has an attachment, the protocol used to deliver the message is Multipurpose Internet Mail Extensions (MIME). This protocol allows the exchange of different kinds of data across text based systems. When MIME is used, it is marked in the header of the email, along with supporting elements to facilitate decoding.

Greylisting

is the bouncing of received email as a temporary rejection. SMTP server that are compliant with RFC 5321 will wait a configurable amount of time and attempt retransmission of the message. Obviously, spammers will not retry sending of any messages, so spam is reduced.

Mail Relaying

A good security principle is to shutdown mail relaying. An Open Relay is a mail server that will accept mail from anyone. Mail Relaying is similar to dropping a letter off at the post office instead of letting the postal carrier pick it up at your mailbox. On the internet, That consists of sending email from a separate IP address, making it more difficult for the mail to be traced back to you. All SMTP software should be configured to accept only mail from known hosts; this closes down mail relaying and helps to reduce spam.

Open Relays

Configure mail relay options carefully to avoid being an open relay. All mail servers have an option where you can specify which domains or IP addresses your mail server will relay mail for. It's very important to configure your mail relay parameter to be very restrictive so that your server does not become a gateway for spamming others, possibly resulting in your server getting blacklisted.

DLP

Data Loss Prevention (DLP) is also an issue for outgoing mail. Two options are available: 1. use an integrated DLP solution that scans outgoing traffic. 2. Use a separate standalone system. A separate standalone system has the disadvantage that one must maintain two separate DLP keyword lists. Most enterprise level DLP solutions have built-in gateway methods for integration with mail servers to facilitate outgoing mail scanning. This allows for the checking of outgoing mail traffic against the same list of keywords that other outgoing traffic is scanned against.

Domain Keys Identified Mail (DKIM)

Domain Keys Identified Mail (DKIM) is an email validation system employed to detect email spoofing. DKIM operates by providing a mechanism to allow receiving MTAs to check that incoming mail is authorized and that the email (including attachments) has not been modified during transport. It does this through a digital signature included with the message that can be validated by the recipient using the signer's public key published in the DNS. DKIM is the result of the merging of two previous methods: 1.Domain Keys 2. Identified Internet Mail Any mail from these organizations should carry a DKIM signature.

Security Of Email:

Email can be used to move a variety of threats across the network. From spam, to viruses, to advanced malware in spear-phishing attacks, email can act as a transmission medium. The Email Hoax has become another regular occurrence. Email security is ultimately the responsibility of users themselves, because they are the ones who will actually be sending and receiving the messages. Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP) are two popular methods used for encrypting email. Server-based and desktop based virus protection can help against malicious code, and spam filters attempt to block all unsolicited commercial email, also called spam. Email users need to be educated about security as well, however, because the popularity and functionality of email is going to increase with time. Instant Messaging (IM), while not part of the email system, is similar to email in many respects, particularly in the sense that it is commonly plaintext and can transmit files. IM's handling of files opens the application to virus exploitation just like email.

Hoax Email

Email hoaxes are mostly a nuisance, but they do cost everyone, not only in the time wasted by receiving and reading the emails, but also in the internet bandwidth and server processing time they take up. The most important thing to do in this case is educate email users: They should be familiar with a hoax or two before they go online, and they should know how to search the internet for hoax information. Users need to apply the same common sense on the internet that they would in real life: If its too good to be true, it probably is. Forwarding hoax emails and other jokes, funny movies, and non-work related emails at work can be a violation of your company's acceptable use policy and result in disciplinary actions. Snopes.com = to research hoaxes and verify information.

Mail Gateway:

Email is one of the reasons for connecting networks together, and mail gateways can act as solutions to handle specific traffic issues. Mail gateways are used to process email packets on a network, providing a wide range of email related services.

Email Structure:

Email is structured into two elements: 1. Header 2. Body The entire message is sent via plain ASCII text, with attachments included using Base64 encoding. The email header provides information for the handling of the email between MUAs, MTAs, and MDAs.

How Email Works:

Email started with mailbox programs on early time-sharing machines, allowing researches to leave messages for others using the same machine. Internet email depends on three primary protocols: 1. SMTP 2. POP3 3 IMAP Email appears to be a client to client communication, between sender and receiver. In reality a lot of steps are involved such as: 1. A user composes and sends an email from the user's client machine. 2. The email is sent to the client's email server. In an Internet Service Provider environment, this could be via the ISP. In the case of webmail, it is the mail service (Gmail, Hotmail/live, etc.). In a corporate environment, it is the corporate mail server. 3. A) The receiving email server scans the email for viruses, malware, and other threats. B) The mail server uses DNS to obtain the recipient's email server address via an MX record. 4. The mail server prepares the email for transit across the internet to the recipient's mail server 5. The email is routed across the internet. 6. The receiving email server scans the email for viruses, malware, and other threats. 7. The email is passed to the recipient's inbox, where it can be read. In technical terms, the application on the sender's machine is referred to as a Mail User Agent (MUA), and the mail server is a Mail Transfer Agent (MTA), the recipient's mail server is referred to as a Mail Delivery Agent (MDA). For communication from the MUA to the MTA, SMTP port 25 is used, and from MTA to MTA. For communication from the MDA to MUA on the recipient machine is IMAP/POP3 143/110.

HTML Email

HTML email can carry embedded instructions to download or run scripts that can be launched from the preview pane in some email programs, without requiring that the user actively launch the attached programs.

Internet Message Access Protocol (IMAP)

Has replaced POP3 and uses TCP port 143. It operates similar to pop3 but works with greater synchronization.

Instant Messaging

Instant messaging is another technology that ahs seen a change in recent years. IM programs are designed to attach to a server, or network of servers, and allow you to talk to other people on the same network of servers in near real-time. The nature of this type of communication opens several holes in a system's security. One of the common issues is that the IM application will tell other users when a user is online. Popular IM clients were not implemented with security in mind. They all support sending files as attachments, few currently support encryption and currently non have a virus scanner built into the file sharing utility. This has created a market for a secure IM system, and several have sprung to server IM on the mobile device marketplace. (Wire is one of them)

STARTTLS

Is a means of using Transport Layer Security (TLS) to secure a communication channel for text-based communication protocols.

Post Office Protocol 3 (POP3)

Is a method by which a client computer may connect to a server and downloads new messages POP3 uses TCP port 110

Simple Mail Transfer Protocol (SMTP)

Is the method by which mail is sent to the server as well as from server to server. SMTP uses TCP port 25.

Activate Reverse DNS to Block Bogus Senders:

Messaging systems use DNS lookups to verify the existence of email domains before accepting a message. A reverse DNS lookup is an option for fighting off bogus mail senders, as it verifies the sender's address before accepting the email. Reverse DNS lookup acts by having SMTP verify that the sender's IP address matches both the host and domain names that were submitted by the SMTP client in the EHLO/HELLO command. This works by blocking messages that fail the address matching test.

Sender ID Framework (SIDF)

Microsoft offers another server-based solution to spam, called the Sender ID Framework. SIDF attempts to authenticate messages by checking the sender's domain name against a list of IP addresses authorized to send email by the domain name listed, Sender ID has not had a lot of uptake other than by Bell Canada, so in most cases it is of limited use.

PGP (Pretty Good Privacy)

Pretty Good Privacy (PGP) implements email security in a similar fashion to S/MIME but uses completely different protocols. PGP supports the public key infrastructure (PKI) provided by multiple vendors, including X.509 certificates and Lightweight Directory Access Protocol (LDAP) key sources such as Microsoft Active Directory. PGP manages keys locally in its own software. This is where you not only store your local keys, but also any keys that were received from other user. A free key server is available for storing PGP keys. PGP can generate its own keys using either Diffie-Hellman or RSA (asymmetric), and it can then transmit the public keys to the PGP LDAP server so other PGP users can search for and locate your public key to communicate with you. For the actual encryption of the email content itself, PGP supports International Data Encryption Algorithm (IDEA), 3DES, and Carlisle Adams and Stafford Tavares (CAST) for symmetric encryption. PGP provides pretty good security against brute force attacks by using a 3DES key length of 168 bits, and a IDEA, CAST key length of 128 bits. All of these algorithms are difficult to brute force with existing hardware, requiring well over a million years to break the code. Although this is not a promise of future security against brute force attacks, the security is reasonable for today. Like S/MIME, PGP is not problem free. You must be diligent about keeping the software up to date and fully patched, because vulnerabilities are occasionally found.

Controlling Port 25 on Mail Servers:

SMTP authentication forces the users who use your server to obtain permission to send mail by first supplying a username and password. This helps to prevent open relay and abuse of your server and it is highly recommended when your mail server has a routed IP address. This ensures that only known accounts can use your server's SMTP to send email. The number of connections to an SMTP server should be limited based on the specifications of the server (Memory, NIC bandwidth, CPU, etc.) and its normal load per day. Limiting connections is useful to mitigate spam floods and denial of service (DOS) attacks that target your network infrastructure.

S/MIME

Secure/Multipurpose Internet Mail Extensions is a secure implementation of the MIME protocol specification. MIME was created to allow internet email to support new and more creative features. MIME handles audio files, images, and applications. SMIME takes this content and specifies a framework for encrypting the message as a MIME attachment. S/MIME was developed by RSA data security and sues the X.509 format for certificates. The specification supports both 40 bit RC2 and 3DES for symmetric encryption. The protocol can affect the message in one of two ways: 1. The host program can encode the message with S/MIME. 2. The server can act as the processing agent, encrypting all messages between servers. The host based operation starts when the user clicks send; the mail agent then encodes the message using the generated symmetric key. Then the symmetric key is encoded with the Remote User's Public Key for Confidentiality or is signed with the Local User's Private Key for Authentication/Non-repudiation. This enables the remote user to encode the symmetric key and the decrypt the content of the message. This is all handled by the user's mail program, requiring the user to tell it to decode the message. If the message is signed by the sender, it will be signed with the sender's Public Key, guaranteeing the source of the message (nonrepudiation). The S/MIME process of encrypting emails provides integrity, privacy, and if the message is signed (private key), authentication. X.509 = Digital Certificates Microsoft Outlook and Windows Mail support S/MIME. 40 bit key = low strength encryption 3DES = Better S/MIME could have some flaws and weaknesses due to its weak encryption but it is better than none.

Sender Policy Framework (SPF)

Sender Policy Framework (SPF) validates the originating address of the email. How SPF works: SPF works by using the SPF record, a small piece of text that is stored in the domain name service (DNS) record of your domain name. Because only domain name owners or other authorized parties, can alter DNS records, this is hard for the spammer to alter. The SPF record explains which servers are allowed to send email from your domain. When a system receives email, it looks up the SPF record and checks it against the details of the server that sent the message. If they match, the mail is kept: otherwise, it is usually trashed or put in the spam folder.

Spam URI Real-Time Blocklists

Spam URI Real-Time Blocklists (SURBLs) detect unwanted email based on invalid or malicious links within a message. Using an SURBL filter is a valuable tool to protect users from malware and phishing attacks. There are multiple methods of blocking lookup resources, through a method referred to as blacklists or block lists. A Real Time Blackhole List (RBL) is a list of email servers that are known for allowing spam, or have open relays, and enable bad behaviors.

Spam

Spam is the industry trade name for unsolicited emails. There are a variety of reasons that spam is sent, 1. It is low cost to send. 2. About 3% of users click on links in spam, so, it works. Spam can be sent by legitimate companies, using a shotgun approach to drive sales. Marina, Kraken, and Conficker botnets spread spam. Look into the Spamhaus project.

Spam Filter

The bane of users and system administrators everywhere, spam is essentially unsolicited or undesired bulk emails. Here are a few of the popular methods used to fight the spam epidemic: Most of these techniques are used to filter email but could be applied to other mediums as well: -Blacklisting: blocking -Content or Keyword Filtering: Filtering email message for undesirable content or indications of spam. -Trusted Servers: Similar to whitelisting -Delay based filtering: Placing a common pause between the opening of a connection and the sending of the SMTP server's welcome banner. -PTR and Revers DNS checks: Some email filters check the origin domain of an email sender. Checking the reverse lookup reference from the DNS (the PTR record entry) can assist in determining the validity of the email. -Callback Verification: As many spam messages use forged "from" addresses, some filters attempt to validate the "from" address of the incoming email. -Statistical content filtering: Statistical filtering is much like a document classification system. Users mark received messages as either spam or legitimate mail and the filtering system learns from the user's input. -Rule based filtering: Is a simple technique that looks for matches in certain fields or keywords. -Egress filtering: Spam filtering on outgoing mail -Hybrid filtering: A combination of several different techniques to fight spam. Much spam filtering is done at the network or SMTP server level. It's more efficient to use a centralized solution.

Mail Encryption

The email concerns discussed so far in this chapter are all global issues involving security, but email suffers from a more important security problem - the lack of confidentiality (privacy). As it is a plaintext protocol. Some tools can be used to solve this problem by using encryption on the email's content. The first method is S/MIME and the second is PGP.