chap10 - Cisco Networking Academy

Guide to Operating System Security
Chapter 10
E-mail Security
Objectives
- Understand the use of SMTP in e-mail and attacks on SMTP
- Explain how e-mail can be secured through certificates and encryption
- Discuss general techniques for securing e-mail
- Configure security in popular e-mail tools

Overview of SMTP
- Enables exchange of e-mail across networks and the Internet
- Provides reliable – but not guaranteed – message transport
- No logon ID or password required
- A client and server process

Sending E-Mail by SMTP
Parts of SMTP Messages
- Address header
  - Envelope
  - Message header
  - Domain literal
  - Multihomed host
  - Host names
- Message text

Overview of SMTP
- Protocols used to store and retrieve e-mail
  - Post Office Protocol (POP)
  - Internet Message Access Protocol (IMAP)

Operating Systems That Use SMTP by Default
- Microsoft Outlook Express on Windows 2000/XP/2003
- Microsoft Outlook in Windows-based systems that have Microsoft Office
- Ximian Evolution Mail in Red Hat Linux 9.x
- Mail in Mac OS X

E-mail Server Software Systems That Use SMTP
- Eudora
- Lotus Domino Mail Server
- Mailtraq
- Merak Email
- Microsoft Exchange
- Sendmail
- SuSE Linux Open Exchange Server

E-mail Attacks on SMTP
- Surreptitious alteration of a DNS server
- Direct use of command-line e-mail tools to attack SMTP communications
- Spread of unsolicited commercial e-mail (spam)

DNS Server Directing E-mail
E-mail Attacks Through Altering DNS Server Information

Using Command-Line Tools for E-mail Attacks
- Windows 2000/XP/2003
  - Attacker can use maliciously constructed e-mail to attack an SMTP server
- UNIX/Linux
  - Easier; attacker can use built-in e-mail command-line options

Unsolicited Commercial E-mail (UCE)
- Relatively inexpensive for sender
- Expensive for users whose resources are diminished by UCE traffic
- Expensive in terms of wasted time (estimated 25% of all Internet e-mail traffic is spam)

Ways to Control UCE (Spam)
- Turn off open SMTP relay capability
- Configure SMTP server to have restrictions
- Require a computer to authenticate to Microsoft Exchange before e-mail is relayed
- Direct e-mail not addressed to internal recipients to a bogus IP address
- Obtain tools to block e-mail
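
An added example (not from the original slides) of the decision that closing an open relay comes down to: deliver mail for local recipients, and relay to other domains only for authenticated or trusted clients. The domain, the trusted network and the reply texts are assumed values.

```python
import ipaddress

# Assumed site values, constructed for this example.
LOCAL_DOMAINS = {"example.org"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def relay_decision(client_ip, authenticated, rcpt):
    """Return (SMTP reply code, reason) for one RCPT TO address."""
    local, sep, domain = rcpt.strip().strip("<>").rpartition("@")
    if not sep or not local or not domain:
        return 501, "malformed recipient"
    # Refuse source-routed forms (user%other@local, host!user) that
    # ask this server to forward the message somewhere else.
    if any(ch in local for ch in "%!@"):
        return 550, "source-routed recipient refused"
    if domain.lower().rstrip(".") in LOCAL_DOMAINS:
        return 250, "local delivery"
    if authenticated:
        return 250, "relay for authenticated client"
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in TRUSTED_NETS):
        return 250, "relay for trusted network"
    return 550, "relaying denied"


if __name__ == "__main__":
    # Constructed sessions: (client IP, authenticated?, recipient).
    for case in [("203.0.113.9", False, "<user@example.org>"),
                 ("203.0.113.9", False, "<someone@example.net>"),
                 ("203.0.113.9", True, "<friend@example.net>"),
                 ("10.1.2.3", False, "<friend@example.net>"),
                 ("203.0.113.9", False, "<a%example.net@example.org>")]:
        print(case, "->", relay_decision(*case))
```
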
Securing E-mail Through Certificates and Encryption
- Ensures privacy
- Reduces chances of forgery or someone other than sender adding an attachment
- Accepted methods
  - Secure Multipurpose Internet Mail Extensions (S/MIME)
  - Pretty Good Privacy (PGP)

Using S/MIME Encryption
- Provides encryption and authentication for e-mail transmissions
- An extension of MIME

MIME
- Provides extensions to original SMTP address header information
- Different types of message content can be encoded for transport over the Internet
- Additional header fields
  - MIME-version
  - Content-type
  - Content-transfer-encoding
  - Content-ID
  - Content-description

Using S/MIME Encryption
- Uses digital certificates based on X.509 standard
- Has flexibility to use 168-bit key Triple DES
- Designed to follow Public-Key Cryptography Standards (PKCS)

Using PGP Security
- Provides encryption and authentication for e-mail transmissions
- Sometimes preferred by users of open systems (UNIX/Linux); enables use of X.509 or PGP digital certificates
- Unique characteristic of PGP certificate: web of trust

Contents of PGP Digital Certificate
- PGP version number
- Public key
- Information about certificate holder
- Digital signature of certificate holder
- Validity period of the certificate
- Preferred algorithm for the key

Typical Encryption Methods Used by PGP
- CAST
- IDEA
- Triple DES

Other Techniques for Securing E-mail
- Train users
- Scan e-mail
- Control the use of attachments

Training Users for E-mail Security
- Never send personal information or a password response via e-mail
- Delete e-mail from unrecognized sources
- Use message filtering, if available

Scanning E-mail
- Place virus scanning software on e-mail gateway
- Update virus definitions frequently
- Quarantine specific kinds of attachments
- Scan zipped files
- Scanner code should be written to be relatively fast

Controlling the Use of Attachments
- Delete attachments from unknown sources
- Never configure software to automatically open attachments
- Avoid using HTML format for opening e-mail
- Use virus scanner on e-mail before opening it
- Place attachments in quarantine
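
An added example (not from the original slides) of the gateway checks named under Scanning E-mail and Controlling the Use of Attachments: walk a message's MIME parts, flag attachment types chosen for quarantine, and look inside zipped files. The blocked-extension list and the sample message are assumptions constructed for this example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed gateway policy: extensions quarantined instead of delivered.
BLOCKED_EXT = {".exe", ".scr", ".vbs", ".js", ".bat", ".pif"}

def _ext(name):
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""

def scan_message(raw):
    """Return (attachment name, reason) findings for one raw message."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or name is None:
            continue
        if _ext(name) in BLOCKED_EXT:  # also catches report.pdf.exe
            findings.append((name, "blocked extension"))
            continue
        data = part.get_payload(decode=True) or b""
        if data[:4] != b"PK\x03\x04":  # not a zip archive
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                inner = [n for n in zf.namelist() if _ext(n) in BLOCKED_EXT]
        except zipfile.BadZipFile:
            findings.append((name, "unreadable zip"))
            continue
        findings += [(f"{name}!{n}", "blocked file inside zip") for n in inner]
    return findings

def build_sample():
    """Constructed message: text body, a zip holding a .scr, a .pdf.exe."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", b"placeholder")
        zf.writestr("invoice.scr", b"placeholder, not a real program")
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.org"
    msg.set_content("See attachments.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="report.pdf.exe")
    return msg.as_bytes()
```

On the constructed sample, `scan_message(build_sample())` reports the `.scr` file inside `docs.zip` and the double-extension `report.pdf.exe`; the zip check keys on the archive signature, so a renamed archive is still opened.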
Backing Up E-mail
- For storage
- To ensure that unread e-mail is not lost if server goes down

Configuring Security in Popular E-mail Tools
- Microsoft Outlook Express
- Microsoft Outlook
- Ximian Evolution Mail in Red Hat Linux 9.x
- Mail in Mac OS X

Microsoft Outlook Express
- Included with Windows 2000/XP/2003
- Can obtain messages from SMTP-based servers running e-mail server software
- Can be used to access newsgroups

Microsoft Outlook Express
Security Measures Supported by Outlook Express
- S/MIME (version 3)
- 40-bit and 128-bit RC2 encryption
- 64-bit RC2 encryption
- 56-bit DES encryption
- 168-bit Triple DES encryption
- Digital signatures encrypted using SHA-1

Configuration Options for Outlook Express

Microsoft Outlook Express
- Enables you to export e-mail to Microsoft Outlook or a Microsoft Exchange server
- Can be used to back up messages from other systems
- Enables you to block or filter messages from unwanted sources

Microsoft Outlook
- Included with Microsoft Office
- Has multiple capabilities
  - E-mail communications
  - Calendar
  - Ability to track tasks, list contacts, and make notes

Microsoft Outlook Security Features
- S/MIME (version 3)
- 40-bit and 128-bit RC2 encryption
- 64-bit RC2 encryption
- 56-bit DES encryption
- 168-bit Triple DES encryption
- Digital signatures encrypted using SHA-1
- V1 Exchange Server Security certificates

Configuration Options for Microsoft Outlook

Microsoft Outlook
- Ability to back up messages by exporting to a file (many file types available)
- Ability to add specific Web sites to junk e-mail list

Ximian Evolution Mail in Red Hat Linux 9.x
- Processes e-mail
- Schedules activities on a calendar
- Records tasks
- Creates list of contacts
- Summary function (weather, inbox/outbox totals, appointments, updates and errata)

Ximian Evolution Mail in Red Hat Linux 9.x

Ximian Evolution Mail in Red Hat Linux 9.x
- Capability to configure more than one account with unique properties
- Can be configured to use either PGP security or GnuPG

Configuration Options for Evolution Mail

Apple Mail (Continued)
- Comes with Mac OS X
- Focuses on handling e-mail activities
- Enables creation of filters to reject mail from unwanted or unknown sources
- Capability to configure different accounts

Apple Mail (Continued)
Apple Mail (Continued)
- Uses PGP for security
- Can specify use of SSL for security over Internet links to e-mail
- Provides different authentication methods for verifying access to an e-mail account
  - Password authentication
  - Kerberos version 4 and version 5
  - MD5 challenge-response

Summary
- How operating systems use SMTP for e-mail
- Sources of e-mail attacks
  - Over 90% of malicious software strikes through e-mail
- How certificates and encryption can protect e-mail
- How to configure security in e-mail software typically used with operating systems