No Slide Title

Report
http://www.csc.gatech.edu/copeland/jac/8843/
Prof. John A. Copeland
[email protected]
404 894-5177
fax 404 894-0035
Office: GCATT Bldg 579
email or call for office visit, or call Kathy Cheek, 404 894-5696
Chapter 5b - Secure/Multipurpose Internet Mail Extensions
S/MIME
MIME Headers
Multipurpose Internet Mail Extensions (MIME)
RFC 1341 and RFC 1521
• MIME -Version:
• Content-Description:
version number
human-readable string
• Content-ID:
unique identifier
• Content-Transfer-Encoding:
>
>
body encoding
ASCII (Plain, quoted-printable, or Richtext)
Binary (base64)
• Content-Type:
nature of the message
>
>
Image (gif, jpeg), Video (mpeg),
Application (Postscript, octet-stream
>
A.S.Tanenbaum, "Computer Networks," (3rd ed.) p.653
2
Simple Mail Transfer Protocol (SMTP, RFC 822)
SMTP Limitations - Can not transmit, or has a problem with:
• executable files, or other binary files (jpeg image).
• “national language” characters (non-ASCII)
• messages over a certain size
• ASCII to EBCDIC translation problems
• lines longer than a certain length (72 to 254 characters)
MIME Defined Five New Headers
• MIME-Version. Must be “1.0” -> RFC 2045, RFC 2046
• Content-Type. More types being added by developers (application/word)
• Content-Transfer-Encoding. How message has been encoded (radix-64)
• Content-ID. Unique identifying character string.
• Content Description. Needed when content is not readable text (e.g.,mpeg)
Carnonical Form: Standard format for use between systems ( not a “native” format - GIF).
3
Secure/MIME
Can “sign” and/or encrypt messages
Functions:
• Enveloped Data: Encrypted content and encrypted session keys for recipients.
• Signed Data: Message Digest encrypted with private key of “signer.”
• Clear-Signed Data: Signed but not encrypted.
• Signed and Enveloped Data: Various orderings for encrypting and signing.
Algorithms Used
• Message Digesting: SHA-1 and MDS
• Digital Signatures: DSS
• Secret-Key Encryption: Triple-DES, RC2/40 (exportable)
• Public-Private Key Encryption: RSA with key sizes of 512 and 1024 bits, and
Diffie-Hellman (for session keys).
4
S/MIME - User Agent Role
S/MIME uses Public-Key Certificates - X.509 version 3 signed by Certification Authority
Functions:
• Key Generation - Diffie-Hellman, DSS, and RSA key-pairs.
• Registration - Public keys must be registered with X.509 CA.
• Certificate Storage - Local (as in browser application) for different services.
• Signed and Enveloped Data: Various orderings for encrypting and signing.
Example: Verisign (www.verisign.com)
• Class-1 Buyer’s email address confirmed by emailing vital info.
• Class-2 Postal address is confirmed as well, and data checked against diectories.
• Class-3 Buyer must appear in person, or send notarized documents.
5
General Email Problems
SNMP Headers
• Can be used to check email routing, but not reliable (spoofing, NAT, ...)
• Can reveal your IP address, mail server to receipients
Content Poisons:
• Attachments that are executable files (viruses, Worms, Back Doors, ...)
• HTML encoded mail has all the threats of an untrusted Web site
Links can execute code
FTP links can give away your email address, if used as password
Hidden keys can identify the address of the message, ID of receipient
Spammers use unwitting mail servers for exploding and relaying email, hiding their identity
• This requires “Relaying Prohibited,” makes sending email harder from the road
6
Received: from gatech.edu (gatech.edu [130.207.244.244])
by mail.ee.gatech.edu (8.12.9/8.12.9) with ESMTP id h7JMHlYk014613
for <[email protected]>; Tue, 19 Aug 2003 18:43:22 -0400 (EDT)
Received: from STUDENT235 (registration15.pbf.gatech.edu [130.207.41.235])
by gatech.edu (8.12.9/8.12.9) with ESMTP id h7JKhbpf022649
for <[email protected]>; Tue, 19 Aug 2003 16:43:39 -0400 (EDT)
Message-Id: <[email protected]>
From: <[email protected]>
To: <[email protected]>
Subject: Re: Re: My details
Date: Tue, 19 Aug 2003 16:42:16 --0400
X-MailScanner: Found to be clean
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_01EA719F"
X-Virus-Scanned: by amavisd-new
X-SPAM: NO
See the attached file for details
Content-Type: application/octet-stream;
name="movie0045.pif"
Attachment converted: movie0045.mov.pif
7
Return-Path: <[email protected]>
Received: from hubert.mail.atl.earthlink.net (hubert.mail.atl.earthlink.net [207.69.200.45])
by mail.ee.gatech.edu (8.12.10/8.12.9) with ESMTP id h8T36j6w021206
for <[email protected]>; Sun, 28 Sep 2003 23:06:46 -0400 (EDT)
Received: from 12-240-168-97.client.attbi.com ([12.240.168.97])
by carus.mspring.net (Earthlink Mail Service) with SMTP id 1a3OmZ7xt3Nl5tW0
for <[email protected]>; Sun, 28 Sep 2003 23:06:41 -0400 (EDT)
Received: from [22.239.60.151] by 12-240-168-97.client.attbi.com with SMTP; Mon, 29 Sep 2003 03:03:44 Message-ID: [email protected]
From: "Jerrold Hedrick" <[email protected]>
To: <[email protected]>
Subject: Re: Email Advertise to 0.8 Million People - $87
Date: Mon, 29 Sep 03 03:03:44 GMT
X-Mailer: eGroups Message Poster
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="B70E7F2___1DED4_.____0E"
X-Virus-Scanned: by amavisd-new X-SPAM: NO
Content-Type: text/plain;
Broadcast Email Advertise to 28.9 Million People - $129
ggsbwmzsdg hpb duqicsj
qtsaxym
ae zizssn vs
tqcjbfmmgyogkpkn h
nxw
http://www.broadcastemailing.com
8
# nslookup 22.239.60.151 [IP address from “Rcvd:” header]
*** eeserv.ee.gatech.edu can't find 22.239.60.151: Non-existent host/domain
[from www.geektools.com]
Final results for 22.239.201.237 obtained from whois.arin.net.
OrgName: DoD Network Information Center
OrgID: DNIC
Address: 7990 Science Applications Ct
Address: M/S CV 50
City: Vienna
StateProv: VA
[false email source address]
------------------------------------------------------------------------# nslookup www.broadcastemailing.com [from content]
Name: www.broadcastemailing.com
Address: 202.63.201.237
inetnum: 202.63.192.0 - 202.63.223.255
descr: CubeXS Private Limited
descr: Internet Service Provider
descr: Data Entry
descr: Software House
descr: 310-311 Kassam Court
descr: B.C. 9, Block 5, Clifton
descr: Karachi, Pakistan
[actual Web location]
9
From: "Citibank Support" <[email protected]>
To: "Jacom" <[email protected]>
Subject: ATTN: Security Update from Citibank MsgID# 92309245
Date: Wed, 22 Sep 2004 03:10:44 +0100
CITIBANK(R)
“Phishing”
Dear Citibank Customer:
Recently there have been a large number computer terrorist attacks over our database server. In order to safeguard
your account, we require that you update your Citibank ATM/Debit card PIN.
This update is requested of you as a precautionary measure against fraud. Please note that we have no particular
indications that your details have been compromised in any way.
This process is mandatory, and if not completed within the nearest time your account may be subject to temporary
suspension.
Please make sure you have your Citibank ATM/Debit card and your login details at hand.
To securely update your Citibank ATM/Debit card PIN please go to:
Customer Verification Form [Note: the actual link is to: <http://219.138.133.5/verification/>]
Please note that this update applies to your Citibank ATM/Debit card - which is linked directly to your checking
account, not Citibank credit cards.
Regards,
Customer Support MsgID# 92309245
(C)2004 Citibank. Citibank, N.A., Citibank, F.S.B.,
Citibank (West), FSB. Member FDIC.Citibank and Arc
Design is a registered service mark of Citicorp.
Note the lack of the “Padlock” symbol. HTTPS (TLS) is not being
used because they have no X509 certificate.
Look at Page Source Code - check links: (note directory named “scam”)
<td height="66"> <p><img src="citi44a.gif" width="61" height="44">
<img src="file:///F|/scam/scripts2/scripts/w4_0.gif" width="80" height="25">
<img src="file:///F|/scam/scripts2/scripts/m4_1.gif" width="77" height="25”
<p><font color="#0000CC"><b><font size="2" color="#000099">HOME
| ACCOUNTS | PAYMENTS &amp; TRANSFERS | INVESTMENTS | ACCOUNT
SERVICING</font></b></font> </p></td>
whois.apnic.net.
Results:% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 219.138.0.0 - 219.140.255.255
netname: CHINANET-HB
descr: CHINANET hubei province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
admin-c: CH93-AP
tech-c: CHA1-AP
mnt-by: MAINT-CHINANET
mnt-lower: MAINT-CN-CHINANET-HB
changed: [email protected] 20020521
status: ALLOCATED NON-PORTABLE
source: APNIC
role: CHINANET HB ADMIN
address: 8th floor of JinGuang Building
address: #232 of Macao Road
address: HanKou Wuhan Hubei Province
address: P.R.China
country: CN
phone: +86 27 82862199
fax-no: +86 27 82861499
e-mail: [email protected]
trouble: send spam reports to [email protected]
trouble: and abuse reports to [email protected]
trouble: Please include detailed information and
trouble: times in GMT+8
Received: from capitalgroup.ru ([221.192.242.56])
Date: Wed, 22 Sep 2004 15:01:44 +0000
To: [email protected]
From: "Lillie Haywood" <[email protected]>
Subject: Better than Norton, and Symantec for spyware z5
X-ELNK-AV: 0
dodd compriest stiffing thwacks. designer azyme glebous outgrowths unconsonant unsoluble
dyscrasic. phylactery docking javeline uncommandedness palmitinic checkrowed findal teretial.
misshaped diabolarch aprication marsupia parallelotropism.
Clicking on the “Scan” button (or anywhere in the image) takes you to:
<http://TNIKHMCYV.adwarebde.com/?id=02025><img src="http://www.adwarebde.com/m2.gif">
Notice that the serial code “02025” or system “TNIKHMCY” could be codes which may validate your IP
address. The random words in the text are to get past a Basian spam filter. They could not actually “scan”
my Macintosh computer, which has no spyware.
% nslookup -sil www.ad-eliminator.com
Name: www.ad-eliminator.com
Address: 61.240.131.217
whois.apnic.net.
[ results from www.geektools.com 61.240.131.217 ]
Results:
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 61.240.0.0 - 61.243.255.255
netname: UNICOM
descr: China United Telecommunications Corporation
descr: Beijing Railway Station East Avenue
country: CN
mnt-lower: MAINT-CN-CNNIC-UNICOM
changed: [email protected] 20010817
changed: [email protected] 20010828
status: ALLOCATED PORTABLE
source: APNIC
person: RenYong Xu
address: 911 Room,Xin Tong Center,No.8
address: Beijing Railway Station East Avenue,
address: Beijing,PRC.
country: CN
phone: +86-10-6527-8866
fax-no: +86-10-6526-0124
e-mail: [email protected]
Email Relaying (should be prohibited)
MS or
sender
earthlink.com
MS
MS
receiver
gatech.edu
aol.com
Allowed Email Forwarding
MS
sender
MS
sender
receiver
earthlink.com
gatech.edu
MS
receiver
aol.com
MS = Mail Server
15
Data Compression (as in V.21bis modems)
“the_thin_thinker”
t - 84
h - 104
th - 256
he - 257
hi- 264
e - 101
_ - 32
i - 105
n - 110
e_ - 258
_t - 259
in - 261
n_ - 262
_th - 263
ink - 265
thi - 260
Dictionary has 4096 entries (12-bit tokens).
Entries 0 to 255 represent a single byte (permanent).
Other entries are filled after a string match: = string plus first unmatched character.
Message is encoded (compressed) by sending 12-bit tokens represent multiple bytes.
Note that tokens 256, 259, and 261 below represent 2 bytes (16 bits) by a 12-bit token.
“84, 104, 101, 32, 256, 105,110, 259, 104, 261 . . .”
16
Security Wire Perspectives, Sept 20, 2004
In fact, of the targeted attacks Symantec detected in the last six
months, the majority were against e-commerce companies,
including financial institutions. Small business received the
second highest number of attacks.
"We're no longer talking strictly about the male teenager with the
low moral compass, or the hactivist, who defaces sites or uses
malicious code or worms against those on one side in a political
conflict," said Vincent Weafer, senior director of Symantec
Security Response. "These people are targeting e-commerce, and
they are often backed by organized crime.”
The average time period between the disclosure of a vulnerability
and its first exploit by hackers collapsed from several weeks in
past reports to less than six days in the first half of 2004.

similar documents