Chapter 12 Email and WWW Threats1 - PowerPoint PPT Presentation

Slides: 44
Provided by: Tjad
Learn more at: http://www.cs.sjsu.edu

1
Overview
  • Two of the most popular uses of the Internet are
    • Electronic mail
    • The World Wide Web
  • By default, both offer almost no protection for
    the privacy, integrity, and authenticity of
    information
  • A number of security mechanisms have been
    developed for each
    • SSL, Java
  • Still many risks for users

2
E-mail Fraud/Scams
  • Many dishonest individuals utilize the wide reach
    and relative anonymity of the Internet to offer
    • Miracle health products
    • Sure-fire investment strategies
    • Lucrative business opportunities (and other
      get-rich-quick schemes)
    • Vacation packages that sound a lot better than
      they really are
    • Collectible items that are much less valuable
      than the buyer is led to believe
    • Credit repair (and other) services that charge a
      hefty fee to do what anyone can do themselves for
      free

3
The Original Ponzi Scheme
  • Boston, 1920
  • Charles K. Ponzi begins issuing notes for a
    postal reply coupon business
  • Promises a fifty percent return in forty-five
    days
  • Initial investors receive their profits and word
    spreads
  • Ponzi begins to receive millions of dollars from
    thousands of investors

4
The Original Ponzi Scheme (cont)
  • After several months it is revealed that
    • Ponzi was not investing the money he collected in
      postal reply coupons
    • Ponzi was using the money coming in from new
      investors to pay off previously issued notes as
      they came due
    • Ponzi ran out of money trying to satisfy the
      ensuing flood of redemption requests
  • Many investors were left holding worthless notes
  • Ponzi eventually went to jail for larceny and
    fraud
  • Scams in which the promise of fabulous returns is
    used to draw in new investors, thereby financing
    the paying of old investors, are called Ponzi
    schemes

5
Pyramid Schemes
  • A pyramid scheme is a scam in which people
    • Pay a small amount of money to the people who
      joined previously
    • Receive money from the people who join after them
  • Example
    • Bob receives an e-mail containing the names and
      addresses of ten people
    • Bob is instructed to
      • Send each person on the list one dollar
      • Delete the person at the top of the list
      • Shift all people on the list up one position
      • Add himself in the last position
      • Send a copy of the newly created letter to ten
        friends

6
Pyramid Schemes (cont)
  • Supposedly
    • Bob's ten friends will each
      • Send Bob a dollar (Bob receives 10 dollars)
      • Send out a copy of the letter to ten friends each
        with Bob's name in the ninth position and their
        name in the tenth position
    • One hundred friends of Bob's friends will each
      send Bob a dollar (Bob receives 100 dollars)
    • Etc.
  • By the time Bob's name works its way to the top
    of the list and is removed, Bob will have
    received more than one billion dollars

7
Pyramid Schemes (cont)
  • Pyramid schemes
    • Do not work (for the vast majority of
      participants)
      • Every dollar gained by one person must be paid by
        another person
      • If anyone makes a substantial amount of money
        through a pyramid scheme then a large number of
        other participants must lose money
    • Are illegal in many countries
  • Example: Make Money Fast
    • Hi, my name is Dave Rhodes

8
Forged E-mail
  • Carol can forge a realistic-looking e-mail
    message for Bob that appears to have come from
    Alice, Bob's boss:

      To: Bob@company-x.com
      From: Alice@company-x.com
      Subject: Information for our new consultant

      Hi Bob,

      We have recently hired Carol as a consultant to
      analyze our business operations and recommend
      potential areas for cost savings. Therefore,
      please send copies of your budget reports for the
      last six months to her at carol@carol.com so that
      she can begin analysis of your division. Thanks.

      Alice

9
Exploiting SMTP to Send Forged E-mail
  • The Simple Mail Transport Protocol (SMTP) is
    fairly straightforward and completely text-based
  • Most SMTP servers listen on TCP port 25
  • The client establishes a connection with the
    server (probably using TELNET):

      mail.carol.com$ telnet
      telnet> open mail.company-x.com 25
      Trying 128.112.17.1...
      Connected to mail.company-x.com.
      Escape character is '^]'.

10
Forged E-mail (cont)
  • The server replies with either a 220 message to
    indicate that the server is ready, or an error
    code if there is a problem:

      220 mail.company-x.com ESMTP Sendmail
      8.9.3+Sun/8.9.1; Fri, 29 Jun 2001 14:17:09 -0400
      (EDT)

  • The server waits for the client to send a HELO
    message

11
Forged E-mail (cont)
  • The client sends the HELO message:

      HELO mail.carol.com

  • The server responds with a hello message:

      250 mail.company-x.com, hello mail.carol.com,
      pleased to meet you

12
Forged E-mail (cont)
  • The client and the server are now connected and
    the server is waiting for the client to transfer
    one or more e-mail messages
  • The client specifies the address of the sender
    in a MAIL FROM message:

      MAIL FROM: alice@company-x.com

  • The server replies:

      250 Sender OK

13
Forged E-mail (cont)
  • The client sends a RCPT TO message indicating the
    address of the recipient:

      RCPT TO: bob@company-x.com

  • The server acknowledges the receiver:

      250 ... Recipient OK

14
Forged E-mail (cont)
  • The client then sends the DATA command to signal
    its readiness to transmit the e-mail message:

      DATA

  • And the server replies:

      354 Enter mail, end with "." on a line by itself

15
Forged E-mail (cont)
  • The client enters the headers and body of the
    (forged) e-mail message, terminated by a line
    containing only ".":

      To: bob@company-x.com
      From: alice@company-x.com
      Subject: Information for our new consultant

      Hi Bob,

      We have recently hired Carol as a consultant to
      analyze our business operations and recommend
      potential areas for cost savings. Therefore,
      please send copies of your budget reports for the
      last six months to her at carol@carol.com so that
      she can begin analysis of your division. Thanks.

      Alice
      .

16
Forged E-mail (cont)
  • The server notifies the client that the message
    has been accepted for delivery:

      250 Message accepted for delivery

  • The client could then transfer additional e-mail
    messages, or close the connection:

      quit
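As an added example that is not part of the original slides, the following Python walks the client side of a session like the one above, separates the SMTP envelope (HELO, MAIL FROM, RCPT TO) from the From: header written inside DATA, and flags the two indicators a receiving mail server or log reviewer can check. The transcript is constructed from the slides, and the function names and the "last two labels" domain rule are my own simplifications.

```python
import re

# Client side of the slides' session, shortened (constructed sample input).
SESSION = """HELO mail.carol.com
MAIL FROM: alice@company-x.com
RCPT TO: bob@company-x.com
DATA
From: alice@company-x.com

Please send the budget reports to carol@carol.com. Thanks. Alice
.
QUIT
"""
ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def domain_of(addr_or_host):
    """Last two labels of a host, or of an address's host part (simplified rule)."""
    return ".".join(addr_or_host.split("@")[-1].lower().split(".")[-2:])


def parse_session(text):
    """Separate the envelope (HELO, MAIL FROM, RCPT TO) from the header From: in DATA."""
    env = {"helo": None, "mail_from": None, "rcpt_to": [], "header_from": None}
    in_data = False
    for line in text.splitlines():
        if in_data:  # message headers and body, until a lone "."
            if line == ".":
                in_data = False
            elif line.lower().startswith("from:") and not env["header_from"]:
                env["header_from"] = ADDR.search(line).group(0)
            continue
        up = line.upper()
        if up.startswith(("HELO ", "EHLO ")):
            env["helo"] = line.split(None, 1)[1].strip()
        elif up.startswith("MAIL FROM"):
            env["mail_from"] = ADDR.search(line).group(0)
        elif up.startswith("RCPT TO"):
            env["rcpt_to"].append(ADDR.search(line).group(0))
        elif up == "DATA":
            in_data = True
    return env


def forgery_indicators(env):
    """Checks a receiving MTA or log reviewer can make; neither proves forgery."""
    flags = []
    helo, mf, hf = env["helo"], env["mail_from"], env["header_from"]
    if helo and mf and domain_of(helo) != domain_of(mf):
        flags.append("helo-domain-mismatch")  # HELO host outside sender's domain
    if hf and mf and hf.lower() != mf.lower():
        flags.append("header-envelope-mismatch")  # header From != MAIL FROM
    return flags
```

Run on the slides' session, the only indicator is the HELO host (mail.carol.com) lying outside the domain the envelope sender claims (company-x.com); the header From and envelope sender agree, which is why mail servers later added Received headers and sender-domain checks rather than trusting either field.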

17
Forged E-mail (cont)
  • Uses
    • To make it more difficult to track and prosecute
      those who send fraudulent offers through e-mail
    • To make e-mail appear to originate from a
      well-known or authoritative source
    • Spam

18
Spam
  • Spam consists of unsolicited commercial offers that
    arrive via e-mail
  • The response rate to unsolicited advertisements
    is very low
  • So spammers send their offers to tens or hundreds
    of thousands of people in hopes of receiving a
    few hundred replies

19
Spam vs. Junk Mail
  • Most junk mail is sent by reputable firms and
    contains legitimate (if unwanted) offers, whereas
    most spam is sent by dishonest individuals and
    contains offers concerning
    • Get-rich-quick schemes
    • Pirated software
    • Other questionable or outright illegal products

20
Spam vs. Junk Mail (cont)
  • Spam costs the sender nothing
  • Spam imposes costs on the victims
    • Lost time
    • Annoyance
    • ISPs must pass on to their customers the costs of
      transferring, processing, and storing spam
  • Can account for one quarter (or more) of the
    e-mail volume

21
Dealing With Spam
  • Technical solutions: many users and ISPs utilize
    filters to try to discard spam before having to
    deal with it
  • Self-regulation: organizations (e.g. the Direct
    Marketing Association) set standards for their
    members regarding appropriate behavior when
    engaging in direct marketing
  • Legislative: many groups are lobbying for anti-spam
    laws
    • Title 47, Section 227 of the U.S. Code prohibits
      the use of any telephone facsimile machine,
      computer, or other device to send an unsolicited
      advertisement to a telephone facsimile machine

22
Mail Bombs
  • A mail bomb is
    • A denial-of-service attack
    • An attacker sends a large amount of e-mail to an
      individual or a system in a short period of time
  • Effects
    • Can fill up a user's (or even a system's) storage
      space for incoming e-mail
    • Can keep a host busy processing e-mail messages
      so that it has little time to do anything else

23
Carnivore
  • Carnivore is a controversial surveillance tool
    developed by the FBI in order to monitor
    Internet-based communications by suspected
    criminals
  • Similar to wiretaps, which the FBI has been
    performing for decades
    • FBI must convince a judge that they have probable
      cause to believe that the individual is engaged
      in illegal behavior
    • Judge may issue a court order allowing surveillance
      (stipulates a set period of time)
    • The FBI, with the help of phone companies, can
      record and monitor the phone conversations of
      individuals covered by the order
  • The FBI argues that wiretaps are vitally
    important to its ability to protect the public
    and prosecute criminals

24
Carnivore (cont)
  • Designed to allow the FBI to record and monitor
    all Internet communications of a suspected
    criminal
  • Requires
    • A court order
    • The help of Internet Service Providers
  • Can be configured to monitor only those Internet
    communications specifically authorized by a court
    order
    • E-mail messages
    • Chat sessions
    • Bulletin board postings
    • Etc.

25
Using Carnivore
  • The ISP identifies an access point through which
    all of the suspect's data flows but which hopefully
    carries little or no data for other users
  • The FBI attaches a tapping device at the access
    point
  • The tapping device sends an exact copy of all
    data that passes through the access point to an
    FBI collection system
  • The data is passed through a filter which
    discards any data not authorized by the court
    order, and the remaining data is written to
    permanent storage media for analysis

26
The Controversy of Carnivore
  • Mistrust of the FBI
    • FBI refuses to release the source code
  • May be exploitable by hackers either to
    escape detection or to spy on other Internet
    users
  • May be misused by FBI or ISP personnel
  • Differs from traditional wiretaps in the ease of
    automating the collection and analysis of data

27
E-mail Threats - Summary
  • E-mail threats include
    • Fraud/scams
    • Forgery
    • Spam
    • Mail bombs
    • Carnivore

28
WWW Threats
  • There are many risks associated with the World
    Wide Web
    • Credit card fraud/abuse
    • Content hijacking
    • Hostile content
    • Cookies
  • Many users do not understand the dangers

29
The Web and Mass Communication
  • In the past the ability to reach a large audience
    was limited to
    • The rich (owners of publishing companies, radio
      stations, television stations, etc.)
    • Their employees
      • Subject to editorial control
      • Must share in profits
  • The Web now makes it possible for almost anyone
    to reach a large audience
    • Benefits
    • Dangers
      • Contents of messages
      • Accuracy

30
Fraud on the Web
  • Scams
    • Many of the same ones circulated via e-mail
  • Credit card fraud
    • Theft of credit card information on the Internet
    • Theft of credit card information from a
      merchant's database
    • Abuse of credit card information by a
      merchant/employee

31
Content Hijacking
  • Content hijacking - one site steals content from
    another
  • Stolen content
    • Graphics
    • Information
    • Web pages
  • Impersonation
    • Mistyped URLs
    • Misleading links

32
Content Hijacking - Example
  • April, 2000 - a web page was created that
    resembled the Bloomberg news site
  • The page contained a false news release
    reporting that a certain company was about to be
    acquired for much more than its current share
    price
  • A link to this page was posted on several
    web-based message boards devoted to discussion of
    the company's stock
  • The URL in the link referred to the page by its
    IP address rather than by its domain name, but
    many readers did not notice

33
Content Hijacking Example (cont)
  • Many people read the story and immediately bought
    the stock in order to profit from the rise in
    price that would result from the acquisition
  • The price of the stock rose quickly and then
    plummeted a few hours later when the hoax was
    discovered
  • The perpetrator(s) of this scam
    • Probably bought stock in the company prior to
      posting the false information
    • Probably sold in the first few hours for a huge
      profit
  • Many of the investors who were fooled by the fake
    story suffered large losses

34
Hostile Content
  • Hostile content on the Web is designed to annoy or
    assail an unsuspecting victim
    • Recursive frames bug
    • Popup windows
    • Flaws in implementations of the Java Virtual
      Machine
    • Plug-in programs

35
Cookies
  • A cookie is a small amount of information that a
    server sends to a browser, which is stored on the
    client's computer
  • Every time a browser makes a request to a server
    the browser checks the stored cookie list and
    sends any cookies from that server along with the
    request
  • Uses
    • Maintain persistent state
    • Customize web pages to a client's preferences
  • Protection mechanisms
    • Browser will only send a cookie to the site from
      which it originated

36
Cookies - Format
  • Format:

      Set-Cookie: NAME=VALUE; expires=DATE; path=PATH;
      domain=DOMAIN_NAME; secure

  • Set-Cookie tag (required)
  • Name field: identifier (required)
  • Expires: expiration date (optional)
    • Expired cookies will not be sent by the browser

37
Cookies - Domain Field
  • Domain field: allows the browser to determine to
    which hosts a cookie can be sent (optional)
    • Defaults to the name of the server from which the
      cookie originated (e.g. www.carol.com)
    • Servers can set the domain field in a cookie
      (e.g. carol.com)
    • Browser checks the domain field in cookies (e.g.
      won't accept bob.com in a cookie from
      www.carol.com)
  • Browser uses the domain field to determine which
    cookie(s) to send to a server
    • The suffix of the domain name of the server must
      match the domain specified in the cookie
    • Example: DOMAIN=carol.com matches
      www.carol.com, c1.carol.com, c1.foo.carol.com

38
Cookies - Path Field
  • Path field: restricts which pages at a particular
    site will cause a cookie to be sent by the
    browser
    • Cookie must first pass domain checking
    • The cookie's path must be a prefix of the path in
      the URL in order for the cookie to be sent
    • Defaults to /
  • Example: PATH=/carol
    • http://www.carol.com/carol/index.html: send
      cookie
    • http://www.carol.com/bob/index.html: do not send
      cookie

39
Cookies - Secure Field
  • Secure field: specifies a secure cookie
    • Defaults to false
    • If set, tells the browser that the cookie should
      only be sent if there is a secure (e.g. SSL)
      connection between the client and the server
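As an added example that is not part of the original slides, the following Python implements the browser-side checks described in the Format, Domain, Path and Secure slides: parsing a Set-Cookie line in the slides' format, accepting or rejecting the domain field on receipt, and deciding per request whether a cookie is sent. The function names are my own, and the expires field is parsed but not evaluated.

```python
from urllib.parse import urlparse


def parse_set_cookie(header):
    """Parse 'Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=D; secure'.
    expires is kept as a string; expiry checking is out of scope here."""
    value = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    cookie = {"name": name, "value": val, "path": "/", "domain": None,
              "expires": None, "secure": False}
    for attr in parts[1:]:
        key, _, v = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":                # flag attribute, no value
            cookie["secure"] = True
        elif key in ("path", "domain", "expires"):
            cookie[key] = v.strip()
    return cookie


def domain_matches(host, domain):
    """Suffix match: host equals the domain or ends with '.' + domain."""
    domain = domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def cookie_accepted(cookie, origin_host):
    """Check on receipt: the domain field must cover the server that sent the
    cookie, so www.carol.com cannot set a cookie for bob.com. With no domain
    field the cookie is bound to the originating host."""
    if cookie["domain"] is None:
        cookie["domain"] = origin_host
        return True
    return domain_matches(origin_host, cookie["domain"])


def should_send(cookie, url):
    """Check on each request: domain suffix, then path prefix, then secure."""
    u = urlparse(url)
    if not domain_matches(u.hostname or "", cookie["domain"]):
        return False
    if not (u.path or "/").startswith(cookie["path"]):
        return False
    if cookie["secure"] and u.scheme != "https":
        return False
    return True
```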

40
A CGI Script that Sends a Cookie

41
Accepting or Rejecting Cookies
  • Most browsers allow the user to set options to
    • Accept all cookies without consulting the user
    • Ask the user before accepting a cookie
    • Reject all cookies

42
The Privacy Risks of Cookies
  • Spying by employers/coworkers
    • Cookies identify many of the sites that the user
      has visited
    • Anyone with access to the machine can examine the
      user's browsing habits
  • User profiling by advertisers
    • Site places ads (served by its own servers) on a
      wide variety of other sites
    • Cookies are used to track how many times the
      company's ads are displayed on each site and how
      often users click on the ads
    • The company can then advertise on sites where their
      ads tend to be well received and not on sites where
      their ads fare poorly
    • The company can also build elaborate profiles of
      users

43
WWW Threats - Summary
  • WWW threats include
    • Credit card fraud/abuse
    • Content hijacking
    • Hostile content
    • Cookies
  • Many users do not understand these dangers