Chapter 12 ? Email and WWW Threats1

1
Overview

• Two of the most popular uses of the Internet are
• Electronic mail
• The World Wide Web
• By default, both offer almost no protection for
  the privacy, integrity, and authenticity of
  information
• A number of security mechanisms have been
  developed for each
• SSL, Java
• Still many risks for users

2
E-mail Fraud/Scams

• Many dishonest individuals utilize the wide reach
  and relative anonymity of the Internet to offer
• Miracle health products
• Sure-fire investment strategies
• Lucrative business opportunities (and other
  get-rich-quick schemes)
• Vacation packages that sound a lot better than
  they really are
• Collectible items that are much less valuable
  than the buyer is led to believe
• Credit repair (and other) services that charge a
  hefty fee to do what anyone can do themselves for
  free

3
The Original Ponzi Scheme

• Boston, 1920
• Charles K. Ponzi begins issuing notes for a
  postal reply coupon business
• Promises a fifty percent return in forty-five
  days
• Initial investors receive their profits and word
  spreads
• Ponzi begins to receive millions of dollars from
  thousands of investors

4
The Original Ponzi Scheme (cont)

• After several months it is revealed that
• Ponzi was not investing the money he collected in
  postal reply coupons
• Ponzi was using the money coming in from new
  investors to pay off previously issued notes as
  they came due
• Ponzi ran out of money trying to satisfy the
  ensuing flood of redemption requests
• Many investors were left holding worthless notes
• Ponzi eventually went to jail for larceny and
  fraud
• Scams in which the promise of fabulous returns is
  used to draw in new investors thereby financing
  the paying of old investors are called a Ponzi
  schemes

5
Pyramid Schemes

• A pyramid scheme is a scam in which people
• Pay a small amount of money to the people who
  joined previously
• Receive money from the people who join after them
• Example
• Bob receives an e-mail containing the names and
  addresses of ten people
• Bob is instructed to
• Send each person on the list one dollar
• Delete the person at the top of the list
• Shift all people on the list up one position
• Add himself in the last position
• Send a copy of the newly created letter to ten
  friends

6
Pyramid Schemes (cont)

• Supposedly
• Bobs ten friends will each
• Send Bob a dollar (Bob receives 10 dollars)
• Send out a copy of the letter to ten friends each
  with Bobs name in the ninth position and their
  name in the tenth position
• One hundred friends of Bobs friends will each
  send Bob a dollar (Bob receives 100 dollars)
• Etc.
• By the time Bobs name works its way to the top
  of the list and is removed, Bob will have
  received more than one billion dollars

7
Pyramid Schemes (cont)

• Pyramid schemes
• Do not work (for the vast majority of
  participants)
• Every dollar gained by one person must be paid by
  another person
• If anyone makes a substantial amount of money
  through a pyramid scheme then a large number of
  other participants must lose money
• Are illegal in many countries
• Example Make Money Fast
• Hi, my name is Dave Rhodes

8
Forged E-mail

• Carol can forge a realistic-looking e-mail
  messages for Bob that appears to have come from
  Alice, Bobs boss
• To Bob_at_company-x.com
• From Alice_at_company-x.com
• Subject Information for our new consultant
•  
• Hi Bob,
•  
• We have recently hired Carol as a consultant to
  analyze our business operations and recommend
  potential areas for cost savings. Therefore,
  please send copies of your budget reports for the
  last six months to her at carol_at_carol.com so that
  she can begin analysis of your division. Thanks.
•  
• Alice

9
Exploiting SMTP to Send Forged E-mail

• The Simple Mail Transport Protocol (SMTP) is
  fairly straightforward and completely text-based
• Most SMTP servers listen on TCP port 25
• The client to establish a connection with the
  server (probably using TELNET)
• mail.carol.com telnet
• telnetgt open mail.company-x.com 25
• Trying 128.112.17.1...
• Connected to mail.company-x.com.
• Escape character is ''.

10
Forged E-mail (cont)

• The server replies with either a 220 message to
  indicate that the server is ready, or an error
  code if there is a problem
• 220 mail.company-x.com ESMTP Sendmail
  8.9.3Sun/8.9.1 Fri, 29 Jun 2001 141709 -0400
  (EDT)
• The server waits for the client to send a HELO
  message

11
Forged E-mail (cont)

• The client sends the HELO message
• HELO mail.carol.com
• The server responds with a hello message
• 250 mail.company-x.com, hello mail.carol.com,
  pleased to meet you

12
Forged E-mail (cont)

• The client and the server are now connected and
  the server is waiting for the client to transfer
  one or more e-mail messages
• The client specifying the address of the sender
  in a MAIL FROM message
• MAIL FROM alice_at_company-x.com
• The server replies
• 250 ltalice_at_company-x.comgtSender OK

13
Forged E-mail (cont)

• The client sends a RCPT TO message indicating the
  address of the recipient
• RCPT TO bob_at_company-x.com
• The server acknowledges the receiver
• 250 ltbob_at_company-x.comgt... Recipient OK

14
Forged E-mail (cont)

• The client then sends the DATA command to signal
  its readiness to transmit the e-mail message
• DATA
• And the server replies
• 354 Enter mail, end with "." on a line by itself

15
Forged E-mail (cont)

• The client enters the headers and body of the
  (forged) e-mail message
• To bob_at_company-x.com
• From alice_at_company-x.com
• Subject Information for our new consultant
•  
• Hi Bob,
•  
• We have recently hired Carol as a consultant to
  analyze our business operations and recommend
  potential areas for cost savings. Therefore,
  please send copies of your budget reports for the
  last six months to her at carol_at_carol.com so that
  she can begin analysis of your division. Thanks.
•  
• Alice
• .

16
Forged E-mail (cont)

• The server notifies the client that the message
  has been accepted for delivery
• 250 Message accepted for delivery
• The client could then transfer additional e-mail
  messages, or close the connection
• quit

17
Forged E-mail (cont)

• Uses
• To make it more difficult to track and prosecute
  those who send fraudulent offers through e-mail
• To make e-mail appear to originate from a
  well-known or authoritative source
• Spam

18
Spam

• Spam is unsolicited, commercial offers that
  arrive via e-mail
• The response rate to unsolicited advertisements
  is very low
• So spammers send their offers to tens or hundreds
  of thousands of people in hopes of receiving a
  few hundred replies

19
Spam vs. Junk Mail

• Most junk mail is sent by reputable firms and
  contains legitimate (if unwanted) offers whereas
  most spam is sent by dishonest individuals and
  contains offers concerning
• Get-rich-quick schemes
• Pirated software
• Other questionable or outright illegal products

20
Spam vs. Junk Mail (cont)

• Spam costs the sender nothing
• Spam introduces costs on the victims
• Lost time
• Annoyance
• ISPs must pass on the costs to their customers of
  transferring, processing, and storing spam
• Can account for one quarter (or more) of the
  e-mail volume

21
Dealing With Spam

• Technical solutions many users and ISPs utilize
  filters to try to discard spam before having to
  deal with it
• Self-regulation organizations (e.g. the Direct
  Marketing Association) set standards for their
  members regarding appropriate behavior when
  engaging in direct marketing
• Legislative many groups lobbying for anti-spam
  laws
• Title 47, Section 227 of the U.S. Code prohibits
  the use of any telephone facsimile machine,
  computer, or other device to send an unsolicited
  advertisement to a telephone facsimile machine.

22
Mail Bombs

• A mail bomb is
• A denial-of-service attack
• An attacker sends a large amount of email to an
  individual or a system in a short period of time
• Effects
• Can fill up a users (or even a systems) storage
  space for incoming email
• Can keep a host busy processing e-mail messages
  so that it has little time to do anything else

23
Carnivore

• Carnivore is a controversial surveillance tool
  developed by the FBI in order to monitor
  Internet-based communications by suspected
  criminals
• Similar to wiretaps which the FBI has been
  performing for decades
• FBI must convince a judge that they have probable
  cause to believe that the individual is engaged
  in illegal behavior
• Judge may issue court order allowing surveillance
  (stipulates a set period of time)
• The FBI, with the help of phone companies, can
  record and monitor the phone conversations of
  individuals covered by the order
• The FBI argues that wiretaps are vitally
  important to its ability to protect the public
  and prosecute criminals

24
Carnivore (cont)

• Designed to allow the FBI to record and monitor
  all Internet communications of a suspected
  criminal
• Requires a court order
• Help of Internet Service Providers
• Can be configured to monitor only those Internet
  communications specifically authorized by a court
  order
• E-mail messages
• Chat sessions
• Bulletin board postings
• Etc.

25
Using Carnivore

• The ISP identifies an access point through which
  all of the suspects data flows but hopefully
  contains little or no data for other users
• The FBI attaches a tapping device at the access
  point.
• The tapping device sends an exact copy of all
  data that passes through the access point to an
  FBI collection system
• The data is passed through a filter which
  discards any data not authorized by the court
  order, and the remaining data is written to
  permanent storage media for analysis

26
The Controversy of Carnivore

• Mistrust of the FBI
• FBI refuses to release the source code
• May be able to exploited by hackers either to
  escape detection or to spy on other Internet
  users
• May be misused by FBI or ISP personnel
• Different from traditional wiretaps ease of
  automation of the collection and analysis of data

27
E-mail Threats - Summary

• E-mail threats include
• Fraud/scams
• Forgery
• Spam
• Mail bombs
• Carnivore

28
WWW Threats

• There are many risks associated with the World
  Wide Web
• Credit card fraud/abuse
• Content hijacking
• Hostile content
• Cookies
• Many users do not understand the dangers

29
The Web and Mass Communication

• In the past the ability reach a large audience
  was limited to
• The rich (owners of publishing companies, radio
  stations, television stations, etc.)
• Their employees
• Subject to editorial control
• Must share in profits
• The Web now makes it possible for almost anyone
  to reach a large audience
• Benefits
• Dangers
• Contents of messages
• Accuracy

30
Fraud on the Web

• Scams
• Many of the same ones circulated via e-mail
• Credit card fraud
• Theft of credit card information on the Internet
• Theft of credit card information from a
  merchants database
• Abuse of credit card information by a
  merchant/employee

31
Content Hijacking

• Content hijacking - one site steals content from
  another
• Stolen content
• Graphics
• Information
• Web pages
• Impersonation
• Mistyped URLs
• Misleading links

32
Content Hijacking - Example

• April, 2000 - a web page was created that
  resembled the Bloomberg news site
• The page contained a false news release
  reporting that a certain company was about to be
  acquired for much more than its current share
  price
• A link to this page was posted on several
  web-based message boards devoted to discussion of
  the companys stock
• The URL in the link referred to the page by its
  IP address rather than by its domain name, but
  many readers did not notice

33
Content Hijacking Example (cont)

• Many people read the story and immediately bought
  the stock in order to profit from the rise in
  price that would result from the acquisition
• The price of the stock rose quickly and then
  plummeted a few hours later when the hoax was
  discovered
• The perpetrator(s) of this scam
• Probably bought stock in the company prior to
  posting the false information
• Probably sold in the first few hours for a huge
  profit
• Many of the investors who were fooled by the fake
  story suffered large losses

34
Hostile Content

• Hostile content on the Web is design to annoy or
  assail an unsuspecting victim
• Recursive frames bug
• Popup windows
• Flaws in implementations of the Java Virtual
  Machine
• Plug-in programs

35
Cookies

• A cookie is a small amount of information that a
  server sends to a browser which is stored on the
  clients computer
• Every time a browser makes a request to a server
  the browser checks the stored cookie list and
  sends any cookies from that server along with the
  request
• Uses
• Maintain persistent state
• Customize web pages to a clients preferences
• Protection mechanisms
• Browser will only send a cookie to the site from
  which it originated

36
Cookies - Format

• Format
• Set-Cookie NAMEVALUE expiresDATE pathPATH
  domainDOMAIN_NAME secure
• Set-cookie tag (required)
• Name field identifier (required)
• Expires expiration date (optional)
• Expired cookies will not be sent by the browser

37
Cookies Domain Field

• Domain field - allows the browser to determine to
  which hosts a cookie can be sent (optional)
• Defaults to the name of the server from which the
  cookie originated (e.g. www.carol.com)
• Servers can set the domain field in a cookie
  (e.g. carol.com)
• Browser checks domain field in cookies (e.g.
  wont accept bob.com in a cookie from
  www.carol.com)
• Browser uses the domain field to determine which
  cookie(s) to send to a server
• The suffix of the domain name of the server must
  match the domain specified in the cookie
• Example DOMAIN carol.com
• www.carol.com, c1.carol.com, c1.foo.carol.com

38
Cookies Path Field

• Path field - restrict which pages at a particular
  site will cause a cookie to be sent by the
  browser
• Cookie must first pass domain checking
• A prefix of the path must appear in the URL in
  order for the cookie to be sent
• Defaults to /
• Example PATH /carol
• http//www.carol.com/carol/index.html send
  cookie
• http//www.carol.com/bob/index.html do not send
  cookie

39
Cookies Secure Field

• Secure field specifies a secure cookie
• Defaults to false
• If set, tells the browser that the cookie should
  only be sent if there is a secure (e.g. SSL)
  connection between the client and the server

40
A CGI Script that Sends a Cookie

41
Accepting or Rejecting Cookies

• Most browsers allow the user to set options to
• Accept all cookies without consulting the user
• Ask the user before accepting a cookie
• Reject all cookies

42
The Privacy Risks of Cookies

• Spying by employers/coworkers
• Cookies identify many of the sites that the user
  has visited
• Anyone with access to the machine can examine the
  users browsing habits
• User profiling by advertisers
• Site places ads (served by its own servers) on a
  wide variety of other sites
• Cookies are used to track how many times the
  companys ads are displayed on each site and how
  often users click on the ads
• The company to advertise on sites where their ads
  tend to be well received and not on sites where
  their ads fare poorly
• The company can also build elaborate profiles of
  users

43
WWW Threats - Summary

• WWW threats include
• Credit card fraud/abuse
• Content Hijacking
• Hostile content
• Cookies
• Many users do not understand these dangers