Guide to Operating Systems Security 0-619-16040-3
© 2004 Course Technology and Michael Palmer. All rights reserved.

Chapter 10 Solutions

Answers to the Chapter 10 Review Questions

1. One of your clients is attempting to use Outlook Express to send an encrypted e-mail to someone whose proprietary e-mail software is configured only for 64-bit RC2 encryption. However, the other person’s system is rejecting the e-mail. What might be the problem?
Answer: d. Outlook Express does not support 64-bit encryption for sending a message.

2. Another of your clients is using an older computer that has e-mail software that only supports SMTP. This user is unable to send an image file. Your diagnosis shows that __________. (Choose all that apply.)
Answer: c. his e-mail software does not support MIME

3. The latest version of S/MIME __________. (Choose all that apply.)
Answer: a. and b.

4. Your organization wants to offer e-mail access for clients through an Internet Web server. In providing this access, the organization wants a system that will (1) enable users to store e-mail in different folders, (2) offer the option to search folders for a specific e-mail, and (3) show that a message has been read. Which of the following should they implement on the new e-mail server? (Choose all that apply.)
Answer: a. and d.

5. A mail user agent is __________.
Answer: a. a program used to compose an e-mail message and to read an e-mail message

6. Which of the following uses a web of trust?
Answer: b. PGP

7. During a management meeting one of the security officers in your organization complains that he wastes up to an hour each day just hand-delivering new passwords for users who have forgotten theirs. He suggests adopting a policy to send new passwords through e-mail. What is your response?
Answer: a. You recommend adopting a company-wide policy to prevent anyone from sending a user account password through e-mail.

8. GnuPG is most similar to __________.
Answer: d. PGP

9. The users in your organization are active Internet participants and therefore are now the recipients of lots of junk e-mail. Many users waste a lot of time each day reading and deleting their junk e-mail. Which e-mail software is best positioned to address junk e-mail?
Answer: c. Apple Mail

10. Which of the following encryption methods are used in PGP? (Choose all that apply.)
Answer: a. and d.

11. The business manager in your company is using S/MIME and a digital certificate, but her secret communications with other users are not working. Which of the following might be the problem? (Choose all that apply.)
Answer: c. The digital certificate is nonstandard, and so does not conform to X.509.

12. The DNS server administrator in your organization has discovered that some DNS records related to the organization’s SMTP server have been altered. Which of the following records are candidates for an attacker to change? (Choose all that apply.)
Answer: b. and c.

13. When an attacker targets an e-mail communication that uses POP3, which TCP port is he or she likely to use in the attack?
Answer: a. 110

14. An SMTP message is encoded in __________.
Answer: b. 7-bit ASCII

15. A man-in-the-middle e-mail attacker has been intercepting e-mail messages from the board members of your corporation and sending copies to a manager in a competing company. He is likely to be altering the __________. (Choose all that apply.)
Answer: a. and b.

16. One of your Apple Mail users configured this software for security and is now not receiving any e-mail. Which of the following might be the problem?
Answer: a. He configured to use TCP port 32, but should be using TCP port 25.

17. A disgruntled employee in your organization has been sending malicious e-mail to all of the managers.
Of the following choices, what system is this person most likely using?
Answer: b. a command-line MTA

18. The finance director for a college has been trying to encrypt her e-mail in Outlook Express, but is not succeeding. What might be the problem?
Answer: c. She must first obtain a digital certificate from a CA.

19. A user who is employing the web of trust is currently discarding lots of e-mail, most likely because __________.
Answer: a. that user’s circle of trusted colleagues is too small

20. When SMTP transports a message to a station, but that station is not available, what happens next?
Answer: d. SMTP can retry sending to the recipient for a specified time period before it notifies the sender that the message did not go through.

Hands-On Projects Tips and Solutions for Chapter 10

Project 10-1

In this project students compare the prices of two commercial certificate authorities for a single user.

In Step 3, students should record the single user fee, such as the yearly fee. Also, they should record the other security services offered, such as forgery insurance and services to multiple users.

In Step 5, students should record the single user fee for a second commercial CA vendor and they should record the other security services offered through the vendor.

Project 10-2

In this project, students learn about the PGP Freeware that can be obtained from the MIT Web site.

In Step 3, the systems for which the freeware is available are (at this writing):
- Windows 95/98/NT/2000
- Mac OS
- AIX
- HPUX
- Linux
- Solaris
- DOS

In Step 4, the software for which PGP Freeware is available includes (at this writing):
- Microsoft Outlook
- Microsoft Outlook Express
- Qualcomm Eudora 4.x
- Claris Emailer 2.x
- Emacs Mailcrypt

In Step 5, students should note how to obtain the software.

Project 10-3

Students learn how to configure security for Microsoft Outlook Express in this project.

In Step 5, the security that is configured by default is (what students see in their project may differ, if the defaults have been changed):
- Restricted sites zone (More secure)
- Warn me when other applications try to send mail as me
- Do not allow attachments to be saved or opened that could potentially be a virus

In Step 7, the commercial CAs listed at this writing are:
- Verisign
- GlobalSign
- British Telecommunications
- Thawte Certification

In Step 11, the security options include:
- Warn on encrypting messages with less than this strength
- Always encrypt to myself when sending encrypted messages
- Include my digital ID when sending signed messages
- Encode message before sending (opaque signing)
- Add senders’ certificates to my address book
- Check for revoked Digital IDs: Only when online
- Check for revoked Digital IDs: Never

Project 10-4

In this project, students configure the e-mail security for Microsoft Outlook.

In Step 4, the options already selected may vary from computer to computer. The default option is: Send clear text signed message when sending signed messages.

In Step 6, the available options include:
- S/MIME
- Exchange Server Security

In Step 8, students' conclusions will depend on whether they are using Outlook 2003 or Outlook 2002, but many may still favor Outlook Express anyway.

Project 10-5

In this project, students learn how to configure security for a Ximian Evolution Mail account in Red Hat Linux 9.x. An e-mail account should be set up before students do this project.

In Step 8, the forms of security are PGP and GPG.
In Step 14, students should determine what the other configuration tabs are used for:
- Identity: Provides identity information about the account, such as the e-mail account name and the Linux account with which it is associated
- Receiving Mail: Defines the server type from which to receive e-mail
- Receiving Options: Defines how often to check for new e-mail
- Defaults: Specifies in which folders to store drafts and sent messages, and carbon copy/blind carbon copy preferences

Project 10-6

Students learn about configuring security in Apple Mail in this project. An e-mail account should already be configured before students begin.

In Step 7, the authentication includes the user name and password for accessing the e-mail account.

In Step 8, typically port 25 for SMTP is configured. Also, SSL can be selected for security. When students view the authentication options, these include:
- None
- Password
- Kerberos version 4
- Kerberized POP (KPOP)
- Kerberos version 5 (GSSAPI)
- MD5 challenge-response

In Step 21, students should note what junk mail rule is currently defined, which may vary from computer to computer.

Solutions to the Case Project Assignments

Aunt Abby’s is a popular national bakery in a very competitive field. Competitors are always attempting to acquire information about Aunt Abby’s products, particularly the recipes. Aunt Abby’s makes all types of packaged bakery goods and has achieved significant success. The company has bakeries in New York, Atlanta, Toronto, Vancouver, Chicago, Santa Fe, Phoenix, Boise, and San Francisco. Each location has an SMTP server for e-mail and each is connected to the Internet through DSL lines to public ISPs, which means that e-mail communications are not particularly secure.
The Toronto location also has a large test bakery that is used for improving current recipes and developing new ones. Once a recipe is ready for prime time, it is sent via e-mail as an attachment to the master baker at each of the other locations. For years, Aunt Abby’s has never worried about someone intercepting a recipe through e-mail, but now they recognize that they need to implement tighter security, because it appears that a competitor has developed a cake recipe that is very similar to one Aunt Abby’s just improved. Aunt Abby’s hires you, via Aspen IT Services, to consult about e-mail security.

Case Project 10-1: Learning about E-mail Attacks

As a start, the IT staff at the Toronto location ask you to create a report that explains how e-mail might be intercepted by a competitor. Create such a report and include some diagrams to illustrate the contents of the report.

Answer: One way in which e-mail might be intercepted is through reconfiguring DNS records. The records mentioned in the text are:
- Host address (A) resource record
- IPv6 host address (AAAA) resource record
- Pointer (PTR) resource
- Service (SRV) locator

Using this method, the attacker first gains access to the network’s DNS server and changes the records so that the network’s SMTP server traffic is directed through the attacker’s computer. The attacker then forwards the e-mail to the recipients, possibly changing the contents of the e-mail. This gives the attacker the opportunity to forge e-mail. Another technique is to simply use a sniffer to intercept e-mail traffic. Students might include diagrams such as Figure 10-3 in the text.

Case Project 10-2: Windows XP Professional E-mail Security

The Toronto test bakery uses Windows XP Professional workstations and when they exchange recipe information, the recipients in the other locations also use this operating system.
What security should they use to protect their e-mail messages when they send recipes and other important information?

Answer: These systems should be configured to use S/MIME and digital certificates. The company might contact a commercial CA to purchase a block of certificates and perhaps insurance to go with them. The users may deploy either Microsoft Outlook Express or Microsoft Outlook as the e-mail software. When they configure the e-mail software, they should configure it to use encryption, and they can use the e-mail software to obtain a digital certificate from the company’s designated commercial CA. Before any recipe information is sent, the users should make sure that encryption is configured. Also, the company should maintain strong security on its DNS servers and regularly check to make sure that SMTP mail server records have not been altered.

Case Project 10-3: Blocking Junk Mail

The marketing staff, which is in the Chicago location, uses Mac OS X and Apple Mail. As part of the creative process, they spend hours on the Internet collecting ideas. They also now receive lots of junk e-mail. What can they do to block some of this e-mail, which is time-consuming to read and discard?

Answer: As a first step, the company should train these users not to open junk e-mail, in case it contains a virus. At the same time they should be trained in safely using the Internet. Next, the company might offer user training on configuring e-mail filters and junk e-mail detection in Apple Mail.

To configure filters:
1. Open Apple Mail.
2. Click the Mail menu.
3. Click Preferences.
4. Click the Rules icon.
5. Double-click an existing rule to configure, such as Junk; or click Add Rule to create a new rule (filter).

To directly configure the junk mail options:
1. Open Apple Mail.
2. Click the Mail menu.
3. Point to Junk Mail and select the desired option.
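
The Case Project 10-2 answer recommends regularly checking that SMTP mail server DNS records have not been altered, which is the tampering described in Case Project 10-1. The following is an added example, not from the textbook, of one way to run that check by diffing a trusted baseline against a current snapshot. The zone data, host names and addresses are constructed, and MX is watched in addition to the record types the answer lists.

```python
# Constructed sample data: example.com/.net and documentation address ranges only.
WATCHED_TYPES = {"A", "AAAA", "PTR", "SRV", "MX"}

BASELINE = """\
mail.example.com.          3600 IN A    192.0.2.25
mail.example.com.          3600 IN AAAA 2001:db8::25
25.2.0.192.in-addr.arpa.   3600 IN PTR  mail.example.com.
_submission._tcp.example.com. 3600 IN SRV 0 1 587 mail.example.com.
example.com.               3600 IN MX   10 mail.example.com.
"""

CURRENT = """\
mail.example.com.          3600 IN A    198.51.100.7
mail.example.com.          3600 IN AAAA 2001:db8::25
25.2.0.192.in-addr.arpa.   3600 IN PTR  mail.example.com.
_submission._tcp.example.com. 3600 IN SRV 0 1 587 mail.example.com.
example.com.               3600 IN MX   10 mail.example.com.
example.com.               3600 IN MX   5 relay.example.net.
"""

def parse_records(text):
    """Return {(owner, type): set(rdata)} for watched record types."""
    records = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue                            # not "owner TTL IN TYPE rdata"
        owner, rtype = fields[0].lower().rstrip("."), fields[3].upper()
        if rtype in WATCHED_TYPES:
            rdata = " ".join(fields[4:]).lower().rstrip(".")
            records.setdefault((owner, rtype), set()).add(rdata)
    return records

def diff_records(baseline, current):
    """List (owner, type, removed, added) for every key whose rdata changed."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key, set()), current.get(key, set())
        if old != new:
            findings.append((key[0], key[1], sorted(old - new), sorted(new - old)))
    return findings

if __name__ == "__main__":
    for owner, rtype, removed, added in diff_records(
            parse_records(BASELINE), parse_records(CURRENT)):
        print(f"ALERT {owner} {rtype}: removed={removed} added={added}")
```

In the constructed snapshot, the changed A record and the extra lower-preference MX record are both reported, while the unchanged AAAA, PTR and SRV records are not.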

Case Project 10-4: E-mail Digital Certificates

Many of the IT staff would like information about different approaches to digital certificates for e-mail. Specifically, they ask you to create a report about the approaches used by the following security methods:
- S/MIME
- PGP

As you are preparing this report, they ask you to include information about encryption used with each of these methods.

Answer: S/MIME uses the standardized X.509 digital certificates, which the user may obtain from a commercial CA. It also uses the following types of encryption:
- 40-bit and other forms of RC2 encryption
- 56-bit DES encryption
- 168-bit Triple DES encryption

Further, S/MIME is compatible with Public-Key Cryptography Standards (PKCS).

A PGP digital certificate is structured differently than X.509-compatible certificates and contains the fields:
- PGP version number
- Public key
- Information about the certificate holder
- Digital signature of the certificate holder
- Validity period of the certificate
- Preferred algorithm for the key

PGP complements certificate use with the idea of a web of trust in which multiple people can sign a certificate and that assumes the recipient is likely to know one of the signers who vouches for the source. The encryption used by PGP includes:
- CAST
- IDEA
- Triple DES

Case Project 10-5: Securely Handling E-Mail Attachments

The Aunt Abby’s senior management has been concerned lately about a Trojan horse that was introduced through an e-mail attachment. They calculated that eradicating the Trojan horse took over 70 hours of employee time. Senior management asks you to prepare a list of recommendations about handling e-mail attachments (while recognizing that the company’s recipes are sent as attachments).
Answer: Sample recommendations that might be provided to the senior management include (from the text suggestions):
- Consider not using attachments for internal communications, but instead place the location of a file in the message – thus having users obtain a file through file sharing and published files in Active Directory, for example.
- Place a virus scanner on the e-mail gateway and scan all incoming e-mail.
- Delete attachments from unknown sources.
- Do not configure the e-mail software to automatically open attachments.
- Avoid using the HTML format for opening e-mail.
- Use a virus scanner on received e-mail and its attachments, before opening either.
- Place attachments in an area that is quarantined by a virus scanner.