Chapter 12 Email and WWW Threats

Provided by: Tjad

  • Two of the most popular uses of the Internet are
  • Electronic mail
  • The World Wide Web
  • By default, both offer almost no protection for
    the privacy, integrity, and authenticity of
  • A number of security mechanisms have been
    developed for each
  • SSL, Java
  • Still many risks for users

E-mail Fraud/Scams
  • Many dishonest individuals utilize the wide reach
    and relative anonymity of the Internet to offer
  • Miracle health products
  • Sure-fire investment strategies
  • Lucrative business opportunities (and other
    get-rich-quick schemes)
  • Vacation packages that sound a lot better than
    they really are
  • Collectible items that are much less valuable
    than the buyer is led to believe
  • Credit repair (and other) services that charge a
    hefty fee to do what anyone can do themselves for

The Original Ponzi Scheme
  • Boston, 1920
  • Charles K. Ponzi begins issuing notes for a
    postal reply coupon business
  • Promises a fifty percent return in forty-five
  • Initial investors receive their profits and word
  • Ponzi begins to receive millions of dollars from
    thousands of investors

The Original Ponzi Scheme (cont)
  • After several months it is revealed that
  • Ponzi was not investing the money he collected in
    postal reply coupons
  • Ponzi was using the money coming in from new
    investors to pay off previously issued notes as
    they came due
  • Ponzi ran out of money trying to satisfy the
    ensuing flood of redemption requests
  • Many investors were left holding worthless notes
  • Ponzi eventually went to jail for larceny and
  • Scams in which the promise of fabulous returns is
    used to draw in new investors, thereby financing
    the paying of old investors, are called Ponzi
    schemes

Pyramid Schemes
  • A pyramid scheme is a scam in which people
  • Pay a small amount of money to the people who
    joined previously
  • Receive money from the people who join after them
  • Example
  • Bob receives an e-mail containing the names and
    addresses of ten people
  • Bob is instructed to
  • Send each person on the list one dollar
  • Delete the person at the top of the list
  • Shift all people on the list up one position
  • Add himself in the last position
  • Send a copy of the newly created letter to ten

Pyramid Schemes (cont)
  • Supposedly
  • Bob's ten friends will each
  • Send Bob a dollar (Bob receives 10 dollars)
  • Send out a copy of the letter to ten friends each,
    with Bob's name in the ninth position and their
    own name in the tenth position
  • One hundred friends of Bob's friends will each
    send Bob a dollar (Bob receives 100 dollars)
  • Etc.
  • By the time Bob's name works its way to the top
    of the list and is removed, Bob will have
    received more than one billion dollars

Pyramid Schemes (cont)
  • Pyramid schemes
  • Do not work (for the vast majority of
  • Every dollar gained by one person must be paid by
    another person
  • If anyone makes a substantial amount of money
    through a pyramid scheme then a large number of
    other participants must lose money
  • Are illegal in many countries
  • Example: "Make Money Fast", the chain letter that
    begins "Hi, my name is Dave Rhodes"

Forged E-mail
  • Carol can forge a realistic-looking e-mail
    message to Bob that appears to have come from
    Alice, Bob's boss
  • To:
  • From:
  • Subject: Information for our new consultant
  • Hi Bob,
  • We have recently hired Carol as a consultant to
    analyze our business operations and recommend
    potential areas for cost savings. Therefore,
    please send copies of your budget reports for the
    last six months to her at so that
    she can begin analysis of your division. Thanks.
  • Alice

Exploiting SMTP to Send Forged E-mail
  • The Simple Mail Transfer Protocol (SMTP) is
    fairly straightforward and completely text-based
  • Most SMTP servers listen on TCP port 25
  • The client establishes a connection with the
    server (probably using TELNET)
  • telnet
  • telnet open 25
  • Trying
  • Connected to
  • Escape character is '^]'.

Forged E-mail (cont)
  • The server replies with either a 220 message to
    indicate that the server is ready, or an error
    code if there is a problem
  • 220 ESMTP Sendmail
    8.9.3+Sun/8.9.1 Fri, 29 Jun 2001 14:17:09 -0400
  • The server then waits for the client to send a
    HELO command

Forged E-mail (cont)
  • The client sends the HELO message
  • HELO
  • The server responds with a hello message
  • 250, hello,
    pleased to meet you

Forged E-mail (cont)
  • The client and the server are now connected and
    the server is waiting for the client to transfer
    one or more e-mail messages
  • The client specifies the address of the sender
    in a MAIL FROM command
  • The server replies
  • 250 Sender OK

Forged E-mail (cont)
  • The client sends a RCPT TO message indicating the
    address of the recipient
  • The server acknowledges the receiver
  • 250 ... Recipient OK

Forged E-mail (cont)
  • The client then sends the DATA command to signal
    its readiness to transmit the e-mail message
  • DATA
  • And the server replies
  • 354 Enter mail, end with "." on a line by itself

Forged E-mail (cont)
  • The client enters the headers and body of the
    (forged) e-mail message
  • To:
  • From:
  • Subject: Information for our new consultant
  • Hi Bob,
  • We have recently hired Carol as a consultant to
    analyze our business operations and recommend
    potential areas for cost savings. Therefore,
    please send copies of your budget reports for the
    last six months to her at so that
    she can begin analysis of your division. Thanks.
  • Alice
  • .

Forged E-mail (cont)
  • The server notifies the client that the message
    has been accepted for delivery
  • 250 Message accepted for delivery
  • The client could then transfer additional e-mail
    messages, or close the connection
  • quit
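The whole exchange above, replayed end to end, as an added example that is not code from the original slides. The hostnames, addresses and peer IP (mail.example.com, consultant.example.net, alice@/bob@/carol@ and 203.0.113.7) are constructed. The in-process server behaves like the sendmail in the slides: it accepts whatever MAIL FROM and From: the client supplies without checking who is actually connected, but it still prepends a Received: line naming the connecting host, which is the one part of the forged message Carol does not control.

```python
"""Replay of the slides' SMTP dialogue against a minimal in-process server.

Added example, not from the original slides.  mail.example.com,
consultant.example.net, the mailbox names and 203.0.113.7 are constructed."""
import re
from datetime import datetime, timezone


class MiniSmtpServer:
    """Just enough of RFC 5321 (HELO/MAIL/RCPT/DATA/QUIT) to run the dialogue."""

    def __init__(self, hostname="mail.example.com", peer_ip="203.0.113.7"):
        self.hostname, self.peer_ip = hostname, peer_ip
        self.helo = None
        self.mail_from, self.rcpt_to, self.data = None, [], None
        self.delivered = []  # (envelope sender, envelope recipients, message)

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line):
        """Return the reply for one client line (None while collecting DATA)."""
        if self.data is not None:  # inside DATA: collect until the lone '.'
            if line == ".":
                stamp = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S +0000")
                received = f"Received: from {self.helo} ({self.peer_ip}) by {self.hostname}; {stamp}"
                self.delivered.append((self.mail_from, self.rcpt_to,
                                       received + "\r\n" + "\r\n".join(self.data)))
                self.mail_from, self.rcpt_to, self.data = None, [], None
                return "250 Message accepted for delivery"
            self.data.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.helo = arg.strip()
            return f"250 {self.hostname} Hello {self.helo} [{self.peer_ip}], pleased to meet you"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        if self.helo is None or (verb in ("RCPT", "DATA") and self.mail_from is None):
            return "503 Bad sequence of commands"
        addr = re.fullmatch(r"(?i)(from|to):\s*<?([^<>\s]+)>?", arg.strip())
        if verb == "MAIL" and addr:
            self.mail_from = addr.group(2)  # taken on faith: no proof the client owns it
            return f"250 {self.mail_from}... Sender ok"
        if verb == "RCPT" and addr:
            self.rcpt_to.append(addr.group(2))
            return f"250 {addr.group(2)}... Recipient ok"
        if verb == "DATA" and self.rcpt_to:
            self.data = []
            return '354 Enter mail, end with "." on a line by itself'
        return "500 Command unrecognized or missing argument"


FORGED_DIALOGUE = [  # what Carol types after "telnet mail.example.com 25"
    "HELO consultant.example.net",
    "MAIL FROM:<alice@example.com>",  # envelope sender: anything she likes
    "RCPT TO:<bob@example.com>",
    "DATA",
    "To: bob@example.com",
    "From: alice@example.com",  # the header Bob's mail client will display
    "Subject: Information for our new consultant",
    "",
    "Hi Bob,",
    "Please send your budget reports to carol@consultant.example.net. Thanks.",
    "Alice",
    ".",
    "QUIT",
]


def run_dialogue(server, client_lines):
    """Feed the client's lines to the server; return every server reply."""
    replies = [server.greeting()]
    for line in client_lines:
        reply = server.handle(line)
        if reply is not None:
            replies.append(reply)
    return replies


def connecting_host(message):
    """The check Bob's admin can make: the top Received: line names the host
    that really handed the message in, whatever the From: header claims."""
    m = re.match(r"Received: from (\S+) \(([\d.]+)\)", message.split("\r\n", 1)[0])
    return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    srv = MiniSmtpServer()
    print("\n".join(run_dialogue(srv, FORGED_DIALOGUE)))
    envelope_from, rcpts, msg = srv.delivered[0]
    print(msg)
    print("really came from:", connecting_host(msg))
```

Note that the envelope sender (MAIL FROM) and the From: header are two independent strings; the server checks neither against the connecting client, which is exactly why the forgery works. The Received: line is added by the receiving server rather than typed by the client, so it is the first place to look when a message's origin is in doubt.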

Forged E-mail (cont)
  • Uses
  • To make it more difficult to track and prosecute
    those who send fraudulent offers through e-mail
  • To make e-mail appear to originate from a
    well-known or authoritative source

Spam
  • Spam is unsolicited commercial e-mail: offers
    that arrive in the inbox without being requested
  • The response rate to unsolicited advertisements
    is very low
  • So spammers send their offers to tens or hundreds
    of thousands of people in hopes of receiving a
    few hundred replies

Spam vs. Junk Mail
  • Most junk mail is sent by reputable firms and
    contains legitimate (if unwanted) offers whereas
    most spam is sent by dishonest individuals and
    contains offers concerning
  • Get-rich-quick schemes
  • Pirated software
  • Other questionable or outright illegal products

Spam vs. Junk Mail (cont)
  • Spam costs the sender next to nothing
  • Spam introduces costs on the victims
  • Lost time
  • Annoyance
  • ISPs must pass on to their customers the costs
    of transferring, processing, and storing spam
  • Can account for one quarter (or more) of the
    e-mail volume

Dealing With Spam
  • Technical solutions: many users and ISPs use
    filters to try to discard spam before having to
    deal with it
  • Self-regulation: organizations (e.g. the Direct
    Marketing Association) set standards for their
    members regarding appropriate behavior when
    engaging in direct marketing
  • Legislative: many groups are lobbying for anti-spam
  • Title 47, Section 227 of the U.S. Code prohibits
    the use of any telephone facsimile machine,
    computer, or other device to send an unsolicited
    advertisement to a telephone facsimile machine.

Mail Bombs
  • A mail bomb is
  • A denial-of-service attack
  • An attacker sends a large amount of email to an
    individual or a system in a short period of time
  • Effects
  • Can fill up a user's (or even a system's) storage
    space for incoming email
  • Can keep a host busy processing e-mail messages
    so that it has little time to do anything else

Carnivore
  • Carnivore is a controversial surveillance tool
    developed by the FBI in order to monitor
    Internet-based communications by suspected
  • Similar to wiretaps, which the FBI has been
    performing for decades:
  • FBI must convince a judge that they have probable
    cause to believe that the individual is engaged
    in illegal behavior
  • Judge may issue court order allowing surveillance
    (stipulates a set period of time)
  • The FBI, with the help of phone companies, can
    record and monitor the phone conversations of
    individuals covered by the order
  • The FBI argues that wiretaps are vitally
    important to its ability to protect the public
    and prosecute criminals

Carnivore (cont)
  • Designed to allow the FBI to record and monitor
    all Internet communications of a suspected
  • Requires a court order
  • Help of Internet Service Providers
  • Can be configured to monitor only those Internet
    communications specifically authorized by a court
    order
  • E-mail messages
  • Chat sessions
  • Bulletin board postings
  • Etc.

Using Carnivore
  • The ISP identifies an access point through which
    all of the suspect's data flows but which
    hopefully carries little or no data for other users
  • The FBI attaches a tapping device at the access
    point
  • The tapping device sends an exact copy of all
    data that passes through the access point to an
    FBI collection system
  • The data is passed through a filter which
    discards any data not authorized by the court
    order, and the remaining data is written to
    permanent storage media for analysis

The Controversy of Carnivore
  • Mistrust of the FBI
  • FBI refuses to release the source code
  • May be exploited by hackers, either to escape
    detection or to spy on other Internet
  • May be misused by FBI or ISP personnel
  • Differs from traditional wiretaps in the ease of
    automating the collection and analysis of data

E-mail Threats - Summary
  • E-mail threats include
  • Fraud/scams
  • Forgery
  • Spam
  • Mail bombs
  • Carnivore

WWW Threats
  • There are many risks associated with the World
    Wide Web
  • Credit card fraud/abuse
  • Content hijacking
  • Hostile content
  • Cookies
  • Many users do not understand the dangers

The Web and Mass Communication
  • In the past the ability to reach a large audience
    was limited to
  • The rich (owners of publishing companies, radio
    stations, television stations, etc.)
  • Their employees
  • Subject to editorial control
  • Must share in profits
  • The Web now makes it possible for almost anyone
    to reach a large audience
  • Benefits
  • Dangers
  • Contents of messages
  • Accuracy

Fraud on the Web
  • Scams
  • Many of the same ones circulated via e-mail
  • Credit card fraud
  • Theft of credit card information on the Internet
  • Theft of credit card information from a
    merchant's database
  • Abuse of credit card information by a

Content Hijacking
  • Content hijacking - one site steals content from
  • Stolen content
  • Graphics
  • Information
  • Web pages
  • Impersonation
  • Mistyped URLs
  • Misleading links

Content Hijacking - Example
  • April, 2000 - a web page was created that
    resembled the Bloomberg news site
  • The page contained a false news release
    reporting that a certain company was about to be
    acquired for much more than its current share
  • A link to this page was posted on several
    web-based message boards devoted to discussion of
    the company's stock
  • The URL in the link referred to the page by its
    IP address rather than by its domain name, but
    many readers did not notice

Content Hijacking Example (cont)
  • Many people read the story and immediately bought
    the stock in order to profit from the rise in
    price that would result from the acquisition
  • The price of the stock rose quickly and then
    plummeted a few hours later when the hoax was
  • The perpetrator(s) of this scam
  • Probably bought stock in the company prior to
    posting the false information
  • Probably sold in the first few hours for a huge
  • Many of the investors who were fooled by the fake
    story suffered large losses

Hostile Content
  • Hostile content on the Web is designed to annoy or
    assail an unsuspecting victim
  • Recursive frames bug
  • Popup windows
  • Flaws in implementations of the Java Virtual
    Machine
  • Plug-in programs

Cookies
  • A cookie is a small amount of information that a
    server sends to a browser, which is stored on the
    client's computer
  • Every time a browser makes a request to a server,
    the browser checks the stored cookie list and
    sends any cookies from that server along with the
    request
  • Uses
  • Maintain persistent state
  • Customize web pages to a client's preferences
  • Protection mechanisms
  • A browser will only send a cookie back to the site
    from which it originated

Cookies - Format
  • Format
  • Set-Cookie: NAME=VALUE; expires=DATE; path=PATH;
    domain=DOMAIN_NAME; secure
  • Set-Cookie header (required)
  • NAME=VALUE - identifier and value (required)
  • expires - expiration date (optional)
  • Expired cookies will not be sent by the browser

Cookies Domain Field
  • Domain field - allows the browser to determine to
    which hosts a cookie can be sent (optional)
  • Defaults to the name of the server from which the
    cookie originated (e.g.
  • Servers can set the domain field in a cookie
  • Browser checks the domain field in cookies (e.g.
    won't accept in a cookie from
  • Browser uses the domain field to determine which
    cookie(s) to send to a server
  • The server's domain name must end with the domain
    specified in the cookie
  • Example DOMAIN

Cookies Path Field
  • Path field - restricts which pages at a particular
    site will cause a cookie to be sent by the
  • Cookie must first pass domain checking
  • The cookie's path must be a prefix of the path in
    the requested URL in order for the cookie to be sent
  • Defaults to /
  • Example PATH=/carol
  • http://  send
  • http://  do not send

Cookies Secure Field
  • Secure field specifies a secure cookie
  • Defaults to false
  • If set, tells the browser that the cookie should
    only be sent if there is a secure (e.g. SSL)
    connection between the client and the server

A CGI Script that Sends a Cookie
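The script on this slide did not survive extraction. In its place, an added example that is not the slide's own script: a CGI program that sets a visit-counter cookie with the path, domain, expires and secure attributes described above, and reads it back on later requests. The cookie name, path and domain (visits, /carol, example.com) are constructed. A CGI program reads the request's Cookie header from the environment variable HTTP_COOKIE and writes response headers, a blank line and the body to standard output.

```python
#!/usr/bin/env python3
"""CGI script that sets a cookie on the first visit and reads it back after.

Added example, not the script from the original slide.  The cookie name,
path and domain (visits, /carol, example.com) are constructed."""
import os
import sys
from http.cookies import SimpleCookie


def build_response(environ):
    """Return the complete CGI response (headers + blank line + body)."""
    incoming = SimpleCookie(environ.get("HTTP_COOKIE", ""))
    visits = 0
    if "visits" in incoming:
        try:
            visits = int(incoming["visits"].value)
        except ValueError:
            visits = 0  # the client can edit the cookie: never trust its contents
    visits += 1

    outgoing = SimpleCookie()
    outgoing["visits"] = str(visits)
    outgoing["visits"]["path"] = "/carol"            # only sent for /carol...
    outgoing["visits"]["domain"] = "example.com"     # any host under example.com
    outgoing["visits"]["expires"] = 30 * 24 * 3600   # seconds from now -> expires=DATE
    if environ.get("HTTPS", "").lower() in ("on", "1"):
        outgoing["visits"]["secure"] = True          # never replayed over plain HTTP

    headers = ["Content-Type: text/plain", outgoing.output()]
    body = f"You have visited this page {visits} time(s).\n"
    return "\r\n".join(headers) + "\r\n\r\n" + body


if __name__ == "__main__":
    sys.stdout.write(build_response(os.environ))
```

Because the value lives on the client, the script treats it as untrusted input: a non-numeric counter is reset rather than crashing the script, and anything that matters (a session identifier, a user id) should be looked up server-side rather than taken from the cookie as-is.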

Accepting or Rejecting Cookies
  • Most browsers allow the user to set options to
  • Accept all cookies without consulting the user
  • Ask the user before accepting a cookie
  • Reject all cookies

The Privacy Risks of Cookies
  • Spying by employers/coworkers
  • Cookies identify many of the sites that the user
    has visited
  • Anyone with access to the machine can examine the
    user's browsing habits
  • User profiling by advertisers
  • An advertising company places ads (served by its
    own servers) on a wide variety of other sites
  • Cookies are used to track how many times the
    company's ads are displayed on each site and how
    often users click on the ads
  • This lets the company advertise on sites where
    its ads tend to be well received and not on sites
    where its ads fare poorly
  • The company can also build elaborate profiles of
WWW Threats - Summary
  • WWW threats include
  • Credit card fraud/abuse
  • Content Hijacking
  • Hostile content
  • Cookies
  • Many users do not understand these dangers