CIS3360: Security in Computing, Supplement to Chapter 4: Spam and Phishing. Cliff Zou, Spring 2012 (lecture slides)

1
CIS3360 Security in Computing: Supplement to Chapter 4, Spam and Phishing
Cliff Zou, Spring 2012
2
Acknowledgement
  • This lecture uses some contents from the lecture
    notes of:
  • Dr. Dan Boneh (Stanford), CS155: Computer and
    Network Security
  • Jim Kurose, Keith Ross. Computer Networking: A
    Top-Down Approach Featuring the Internet, 5th
    edition.

3
Electronic Mail
  • Three major components:
  • user agents
  • mail servers
  • Simple Mail Transfer Protocol (SMTP)
  • User agent
  • a.k.a. mail reader
  • composing, editing, reading mail messages
  • e.g., Eudora, Outlook, elm, Netscape Messenger
  • outgoing, incoming messages stored on server

4
How email works: SMTP (RFC 821, 1982)
  • Some SMTP commands:
  • MAIL FROM: <reverse-path>
  • RCPT TO: <forward-path> (repeated for each recipient)
  • If unknown recipient: response 550 Failure reply
  • DATA
  • email headers and contents
  • Use TCP port 25 for connections

5
Sample fake email sending
S: 220 longwood.cs.ucf.edu
C: HELO fake.domain
S: 250 Hello crepes.fr, pleased to meet you
C: MAIL FROM: <fake@nba.com>
S: 250 alice@crepes.fr... Sender ok
C: RCPT TO: <czou@cs.ucf.edu>
S: 250 czou@cs.ucf.edu ... Recipient ok
C: DATA
S: 354 Enter mail, end with "." on a line by itself
C: From: fake man <fake@fake.fake.fake>
C: To: dr. who <who@who>
C: Subject: who am I?
C: Do you like ketchup?
C: How about pickles?
C: .
S: 250 Message accepted for delivery
C: QUIT
S: 221 longwood.cs.ucf.edu closing connection
6
Try SMTP interaction for yourself
  • telnet servername 25
  • see 220 reply from server
  • enter HELO, MAIL FROM, RCPT TO, DATA, QUIT
    commands
  • the MAIL FROM domain may need to exist
  • the RCPT TO user needs to exist
  • A mail server may or may not support relay
  • CS email server supports relay for campus network
  • From, To, Subject are what is shown in normal
    email display

7
Use Unix Machine in Department
  • The Unix machine: eustis.eecs.ucf.edu
  • Must use SSH to connect
  • Find free SSH clients on the Internet
  • E.g., PuTTY (command-line based)
  • http://en.wikipedia.org/wiki/Ssh_client
  • Find a GUI-based SSH client
  • Username: NID
  • Default password: the first initial of your last
    name in uppercase and the last 5 digits of your
    PID

8
Using Telnet
  • On the department eustis.eecs.ucf.edu Linux machine:
  • telnet longwood.cs.ucf.edu 25
  • In the telnet interaction, backspace is not
    supported. You can type Ctrl+Backspace to erase
    the previous two characters
  • On a Windows 7 machine:
  • Telnet is not installed by default; check this
    tutorial for installation:
  • http://technet.microsoft.com/en-us/library/cc771275(v=ws.10).aspx

9
  • Outside the campus network, the department email server
    does not accept connections
  • You need to first set up a VPN to the campus network,
    then use telnet
  • How to set up VPN:
  • https://publishing.ucf.edu/sites/itr/cst/Pages/VpnHelp.aspx

10
Email in the early 1980s
[Figure: sender → Network 1 → mail relay → Network 2 → mail relay → Network 3 → recipient]
  • Mail relay forwards mail to next hop.
  • Sender path includes path through relays.

11
Why Do Email Servers Support Relay?
  • Wiki tutorial:
  • http://en.wikipedia.org/wiki/Open_mail_relay
  • In the old days, network constraints made it necessary
  • An email agent uses SMTP to send email on behalf of
    a user
  • The user could choose which email address to use
    as the sender
  • Email server supports email group lists
  • The sender shown in the email is the group list
    address, but the real sender is a different
    person
  • Closing relay: accept only
  • Messages from local IP addresses to local
    mailboxes
  • Messages from local IP addresses to non-local
    mailboxes
  • Messages from non-local IP addresses to local
    mailboxes
  • Messages from clients that are authenticated
    and authorized
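
The four accept cases of a closed relay, written out as an added Python example (this is not code from the lecture). The local networks, hosted domains, client addresses and reply wording are constructed for illustration; the contrast function shows what an open relay would answer for the same RCPT TO.

```python
import ipaddress

# Constructed policy data for the example (not the lecture's): the address
# ranges this server treats as "local" and the domains whose mailboxes it hosts.
LOCAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.1.0/24")]
LOCAL_DOMAINS = {"cs.example.edu", "example.edu"}


def is_local_ip(peer_ip):
    """True if the SMTP client connected from one of our own networks."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def is_local_mailbox(rcpt):
    """True if the RCPT TO address is in a domain we deliver for."""
    return rcpt.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def closed_relay_decision(peer_ip, rcpt, authenticated):
    """Reply a closed relay gives to RCPT TO.

    Accepts exactly the four cases on the slide: local -> local,
    local -> non-local, non-local -> local, and any authenticated client.
    Everything else (outside client, outside mailbox) is relaying and is
    refused with a permanent 5xx error.
    """
    if is_local_mailbox(rcpt):
        return "250 OK"                # inbound mail for a mailbox we host
    if authenticated or is_local_ip(peer_ip):
        return "250 OK"                # outbound mail from our own users
    return "550 Relaying denied"       # an open relay would have said 250 here


def open_relay_decision(peer_ip, rcpt, authenticated):
    """The behaviour spammers look for: every RCPT TO is accepted."""
    return "250 OK"


if __name__ == "__main__":
    # An outside client trying to relay through us to an outside mailbox.
    print(closed_relay_decision("203.0.113.5", "victim@elsewhere.net", False))
```

The decision is made at RCPT TO time, before the DATA phase, so a refused relay attempt costs the server almost nothing and never produces a bounce.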

12
Spoofed email
  • SMTP designed for a trusting world
  • Data in MAIL FROM is totally under the control of
    the sender
  • an old example of improper input validation
  • Recipient's mail server:
  • Only sees the IP address of its direct peer
  • Recorded in the first From header

13
The Received header
  • Sending spoofed mail to myself:
  • From someone@somewhere.com (172.24.64.20) ...
  • Received: from cs-smtp-1.stanford.edu
  • Received: from smtp3.stanford.edu
  • Received: from cipher.Stanford.EDU
  • Received headers inserted by relays ---
    untrustworthy
  • From header inserted by recipient mail server
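
How a receiving server should read those headers, as an added Python example (not from the lecture): it parses the Received: chain of a constructed message with a spoofed From:, and separates the one hop our own server wrote (the direct peer's IP) from the hops that merely arrived inside the message. The hostnames, addresses and message text are made up for the example.

```python
import re
from email import message_from_string

# Constructed sample message (not the lecture's): a spoofed From: line that
# travelled through two relays before reaching the recipient's own server.
RAW_MESSAGE = """\
Received: from smtp-out.example.org (smtp-out.example.org [198.51.100.7])
\tby mail.recipient.example (Postfix) with ESMTP id 1A2B3C; Tue, 10 Apr 2012 09:00:03 -0400
Received: from relay2.example.org (relay2.example.org [198.51.100.9])
\tby smtp-out.example.org with ESMTP; Tue, 10 Apr 2012 09:00:01 -0400
Received: from unknown (HELO fake.domain) (203.0.113.45)
\tby relay2.example.org with SMTP; Tue, 10 Apr 2012 08:59:58 -0400
From: Dr. Who <who@who>
To: czou@cs.ucf.edu
Subject: who am I?

Do you like ketchup?
"""

RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+).*?\bby\s+(?P<by>\S+)", re.I)
IPV4_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_received(raw):
    """Return the Received: hops top to bottom (newest first)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())      # unfold the header
        m = RECEIVED_RE.search(value)
        ip = IPV4_RE.search(value)
        hops.append({
            "from": m.group("helo") if m else None,
            "by": m.group("by") if m else None,
            "ip": ip.group(1) if ip else None,
        })
    return hops


def direct_peer_ip(raw, my_server):
    """IP of the host that actually connected to my_server.

    Only the topmost Received: line, written by our own server, is
    trustworthy; every line below it arrived inside the message and could
    have been forged by the sender or a hacked relay.
    """
    for hop in parse_received(raw):
        if hop["by"] and hop["by"].lower() == my_server.lower():
            return hop["ip"]
    return None


def claimed_origin(raw):
    """The bottom-most hop: what the relays *say* the origin was (untrusted)."""
    hops = parse_received(raw)
    return hops[-1]["ip"] if hops else None


def claimed_from(raw):
    """The From: header, chosen entirely by the sender (never trust it)."""
    return message_from_string(raw)["From"]
```

For blacklist lookups and logging, `direct_peer_ip` is the value to use; `claimed_origin` and `claimed_from` are only useful as evidence of what the sender wanted you to believe.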

14
Spam Blacklists
  • RBL: Realtime Blackhole Lists
  • Include servers or ISPs that generate lots of
    spam
  • spamhaus.org, spamcop.net
  • Effectiveness (stats from spamhaus.org):
  • RBL can stop about 15-25% of incoming spam at
    SMTP connection time,
  • Over 90% of spam with message-body URI checks
  • Spammer goal:
  • Evade blacklists by hiding its source IP address.

15
Spamming techniques
16
Open relays
  • SMTP Relay forwards mail to destination
  • Bulk email tool connects via SMTP (port 25)
  • Sends list of recipients (via RCPT TO command)
  • Sends email body --- once for all recipients
  • Relay delivers message
  • Honest relay
  • Adds Received header revealing source IP
  • Hacked relay does not

17
Example: Bobax worm
  • Infects machines with high bandwidth
  • Exploits MS LSASS.exe buffer overflow
    vulnerability
  • Slow spreading
  • Spreads on manual command from operator
  • Then randomly scans for vulnerable machines
  • On infected machine (spam zombie)
  • Installs hacked open mail relay. Used for spam.
  • Once spam zombie added to RBL
  • Worm spreads to other machines

18
Open HTTP proxies
  • Web cache (HTTP/HTTPS proxy) -- e.g., squid
  • To spam: CONNECT <spam-recipient IP>:25
  • SMTP commands
  • Squid becomes a mail relay

[Figure: web server xyz.com, URL https://xyz.com, Squid web cache]
19
Finding proxies
  • Squid manual (squid.conf):
  • acl Safe_ports port 80 443
  • http_access deny !Safe_ports
  • URLs for other ports will be denied
  • Similar problem with SOCKS proxies
  • Some open proxy and open relay listing services:
  • http://www.multiproxy.org/ http://www.stayinvisible.com/
    http://www.blackcode.com/proxy/
    http://www.openproxies.com/ ($20/month)

20
Open Relays vs. Open Proxies
  • HTTP proxy design problem:
  • Port 25 should have been blocked by default
  • Otherwise, violates the principle of least privilege
  • Relay vs. proxy:
  • Relay takes a list of addresses and sends the message to all
  • Proxy: spammer must send the message body to each
    recipient through the proxy.
  • ⇒ zombies typically provide hacked mail relays.

21
Thin pipe / Thick pipe method
  • Spam source has:
  • High Speed Broadband connection (HSB)
  • Controls a Low Speed Zombie (LSZ)
  • Assumes no egress filtering at HSB's ISP
  • Hides IP address of HSB. LSZ is blacklisted.

[Figure: HSB, LSZ and target SMTP server]
22
Bulk email tools (spamware)
  • Automate
  • Message personalization
  • Also test against spam filters (e.g.
    spamassassin)
  • Mailing list and proxy list management

23
Send-Safe bulk emailer
24
Anti-spam methods
25
The law: CAN-SPAM Act (Jan. 2004)
  • Bans false or misleading header information
  • To and From headers must be accurate
  • Prohibits deceptive subject lines
  • Requires an opt-out method
  • Requires that email be identified as
    advertisement
  • ... and include sender's physical postal address
  • Also prohibits various forms of email harvesting
    and the use of proxies

26
Effectiveness of CAN-SPAM
  • Enforced by the FTC
  • FTC spam archive: spam@uce.gov
  • Penalties: $11K per act
  • Dec. 2005 FTC report on effectiveness of CAN-SPAM:
  • 50 cases in the US pursued by the FTC
  • No impact on spam originating outside the US
  • Open relays hosted on bot-nets make it difficult
    to collect evidence

http://www.ftc.gov/spam/
27
Sender verification I: SPF (Sender Policy
Framework)
  • Goal: prevent spoofed email claiming to be from
    HotMail
  • Why? Bounce messages flood HotMail system

[Figure: sender → recipient mail server (MUA) → DNS: "Is sender IP in list?" → hotmail.com SPF record: 64.4.33.7 64.4.33.8]
More precisely: hotmail.com TXT "v=spf1 a:mailers.hotmail.com -all"
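
An SPF evaluator for the record form shown above, as an added Python example (not from the lecture). DNS is replaced by a constructed table so the code runs offline; the domains, addresses and records in that table are made up, and the evaluator covers only the `ip4`, `a`, `include` and `all` mechanisms with the four standard qualifiers.

```python
import ipaddress

# Constructed stand-in for DNS (not real records): TXT and A answers keyed by
# (name, type). A real checker would query a resolver instead.
STUB_DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:64.4.33.7 ip4:64.4.33.8 a:mailers.example.com -all"],
    ("mailers.example.com", "A"): ["198.51.100.10", "198.51.100.11"],
    ("softfail.example", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ~all"],
    ("nospf.example", "TXT"): [],
}


def stub_lookup(name, rtype):
    return STUB_DNS.get((name.lower(), rtype), [])


QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=stub_lookup):
    """Evaluate the domain's SPF record against the connecting IP.

    Supports the ip4, a, include and all mechanisms with the four
    qualifiers; anything else yields "permerror". Returns one of
    none / pass / fail / softfail / neutral / permerror.
    """
    records = [r for r in dns(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not records:
        return "none"                       # domain publishes no policy
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"                     # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host = arg or domain            # "a" alone means the domain itself
            matched = any(ip == ipaddress.ip_address(a) for a in dns(host, "A"))
        elif name == "include":
            matched = check_spf(arg, sender_ip, dns) == "pass"
        else:
            return "permerror"              # mechanism not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                        # no mechanism matched


def smtp_reply(result):
    """How a receiving MTA might act on the result at MAIL FROM time."""
    if result == "fail":
        return "550 SPF check failed"
    return "250 OK"
```

The check runs on the MAIL FROM domain and the peer IP, both available before DATA, which is why a `-all` record lets the recipient reject a spoof without ever generating the bounce the slide mentions.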
28
Sender verification II: DKIM
  • DomainKeys Identified Mail (DKIM)
  • Same goal as SPF. Harder to spoof.
  • Basic idea:
  • Sender's MTA signs email
  • Including body and selected header fields
  • Receiver's MUA checks signature
  • Rejects email if invalid
  • Sender's public key managed by DNS
  • Subdomain: _domainkey.hotmail.com

29
Graylists
  • Recipient's mail server records triples:
  • (sender email, recipient email, peer IP)
  • Mail server maintains DB of triples
  • First time triple not in DB:
  • Mail server sends 421 reply ("I am busy")
  • Records triple in DB
  • Second time (after 5 minutes): allow email to
    pass
  • Triples kept for 3 days (configurable)
  • Easy to defeat but currently works well.
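
The triple database described above as an added Python example (not the lecture's code). The clock is injectable so the 5-minute retry and 3-day expiry can be exercised without waiting; the addresses used in the usage are constructed.

```python
import time

RETRY_AFTER = 5 * 60          # seconds a triple must wait before it passes
TRIPLE_TTL = 3 * 24 * 3600    # triples are forgotten after 3 days (configurable)


class Greylist:
    """Minimal greylisting state machine keyed on (sender, recipient, peer IP)."""

    def __init__(self, retry_after=RETRY_AFTER, ttl=TRIPLE_TTL):
        self.retry_after = retry_after
        self.ttl = ttl
        self.db = {}   # triple -> (first_seen, last_seen)

    def _expire(self, now):
        for key, (_, last_seen) in list(self.db.items()):
            if now - last_seen > self.ttl:
                del self.db[key]

    def check(self, sender, recipient, peer_ip, now=None):
        """Reply to give at RCPT TO time for this delivery attempt."""
        now = time.time() if now is None else now
        self._expire(now)
        key = (sender.lower(), recipient.lower(), peer_ip)
        if key not in self.db:
            self.db[key] = (now, now)          # remember the triple...
            return "421 Try again later"       # ...and ask the sender to retry
        first_seen, _ = self.db[key]
        if now - first_seen < self.retry_after:
            return "421 Try again later"       # retried too soon
        self.db[key] = (first_seen, now)       # keep the triple alive
        return "250 OK"


if __name__ == "__main__":
    g = Greylist()
    t0 = 1_000_000.0
    for offset in (0, 60, 600):
        print(offset, g.check("alice@x.example", "bob@y.example", "203.0.113.9", now=t0 + offset))
```

A real MTA queues and retries on 421, so legitimate mail arrives a few minutes late; bulk-mail tools that fire once and move on never come back for the 250, which is the whole effect.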

30
Puzzles and CAPTCHA
  • General DDoS defense techniques
  • Puzzles: slow down spam server
  • Every email contains solution to puzzle where
  • challenge = (sender, recipient, time)
  • CAPTCHA:
  • Completely Automated Public Turing test to tell
    Computers and Humans Apart
  • Every email contains a token
  • Sender obtains tokens from a CAPTCHA server
  • Say 100 tokens for solving a CAPTCHA
  • CAPTCHA server ensures tokens are not reused
  • Either method is difficult to deploy.
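
The puzzle idea worked through as an added Python example (not from the lecture): a hashcash-style proof of work bound to the (sender, recipient, time) challenge, expensive to solve and cheap to verify, with the recipient also refusing stale challenges and reused solutions, which is the same "not reused" check the slide asks of a CAPTCHA token server. The difficulty and the addresses are constructed choices.

```python
import hashlib

DIFFICULTY_BITS = 12   # leading zero bits required; small so the demo runs fast


def challenge(sender, recipient, timestamp):
    """The puzzle is bound to this triple so a solution cannot be reused."""
    return f"{sender}|{recipient}|{timestamp}".encode()


def leading_zero_bits(digest):
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()


def solve(chal, bits=DIFFICULTY_BITS):
    """Sender's side: brute-force a nonce (expected ~2**bits hashes)."""
    nonce = 0
    while True:
        d = hashlib.sha256(chal + b"|" + str(nonce).encode()).digest()
        if leading_zero_bits(d) >= bits:
            return nonce
        nonce += 1


def verify(chal, nonce, bits=DIFFICULTY_BITS):
    """Recipient's side: one hash, regardless of difficulty."""
    d = hashlib.sha256(chal + b"|" + str(nonce).encode()).digest()
    return leading_zero_bits(d) >= bits


class PuzzleVerifier:
    """Recipient state: rejects stale challenges and replayed solutions."""

    def __init__(self, bits=DIFFICULTY_BITS, max_age=3600):
        self.bits = bits
        self.max_age = max_age
        self.seen = set()

    def accept(self, sender, recipient, timestamp, nonce, now):
        if abs(now - timestamp) > self.max_age:
            return "reject: stale challenge"
        chal = challenge(sender, recipient, timestamp)
        if (chal, nonce) in self.seen:
            return "reject: solution reused"
        if not verify(chal, nonce, self.bits):
            return "reject: bad solution"
        self.seen.add((chal, nonce))
        return "accept"


if __name__ == "__main__":
    ts = 1334062800
    chal = challenge("alice@x.example", "bob@y.example", ts)
    nonce = solve(chal)
    print("nonce", nonce, PuzzleVerifier().accept("alice@x.example", "bob@y.example", ts, nonce, now=ts + 5))
```

The cost asymmetry is the point: a bulk mailer must redo the search for every recipient because the recipient address is part of the challenge, while the receiving server spends one hash per message. The time window bounds how long a precomputed solution stays usable.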

31
SpamAssassin
  • Wiki tutorial:
  • http://en.wikipedia.org/wiki/SpamAssassin
  • Mainly a rule-based spam filter
  • Many rules give scores for all fields in an
    email
  • Email header, special keywords in email, URLs in
    email, images in email, ...
  • Final decision is the combined score compared
    with a threshold
  • Has false positives (treat normal as spam) and
    false negatives (treat spam as normal)
  • False positives are very damaging!
  • Nobody wants to lose an important email!
  • Also contains Bayesian filtering to match a
    user's statistical profile
  • Needs known ham and spam email samples for
    training
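
A miniature rule-based scorer in the style the slide describes, as an added Python example (not SpamAssassin's code or rule set). The five rules, their weights, the threshold and the three sample messages are constructed; the third message is a legitimate one that crosses the threshold, i.e. the false positive the slide warns about.

```python
import re
from email import message_from_string

THRESHOLD = 5.0   # combined score at or above this is classified as spam

# Constructed rule set (far smaller than SpamAssassin's): name, score, test.
LOTTERY_RE = re.compile(r"\b(winner|prize|lottery|million)\b", re.I)
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")

RULES = [
    ("SUBJ_ALL_CAPS", 1.5, lambda f: f["subject"].isupper()),
    ("URL_NUMERIC_IP", 2.5, lambda f: bool(IP_URL_RE.search(f["body"]))),
    ("LOTTERY_WORDS", 2.5, lambda f: bool(LOTTERY_RE.search(f["subject"] + " " + f["body"]))),
    ("FROM_NO_DISPLAY_NAME", 0.8, lambda f: "<" not in f["from"]),
    ("MANY_EXCLAMATIONS", 1.2, lambda f: (f["subject"] + f["body"]).count("!") >= 3),
]


def fields(raw):
    """Pull the header and body fields the rules look at."""
    msg = message_from_string(raw)
    return {
        "subject": msg.get("Subject", ""),
        "from": msg.get("From", ""),
        "body": "" if msg.is_multipart() else msg.get_payload(),
    }


def score(raw):
    """Return (total score, list of (rule name, points) that fired)."""
    f = fields(raw)
    hits = [(name, pts) for name, pts, test in RULES if test(f)]
    return round(sum(pts for _, pts in hits), 1), hits


def classify(raw, threshold=THRESHOLD):
    total, hits = score(raw)
    return ("spam" if total >= threshold else "ham"), total, hits


# Constructed sample messages (not from the lecture).
SPAM = """\
From: promo@lottery-deals.example
Subject: YOU ARE A WINNER!!!

Click http://203.0.113.7/claim to collect your prize of one million dollars!!!
"""

HAM = """\
From: Alice <alice@cs.example.edu>
Subject: Lunch tomorrow?

Want to grab lunch at noon? The usual place.
"""

# Legitimate mail that trips enough rules to cross the threshold: the false
# positive the slide warns about.
FALSE_POSITIVE = """\
From: Dept Chair <chair@cs.example.edu>
Subject: CONGRATULATIONS!!!

Your paper won the best paper prize! See you at the ceremony!
"""

if __name__ == "__main__":
    for name, raw in (("spam", SPAM), ("ham", HAM), ("false positive", FALSE_POSITIVE)):
        print(name, classify(raw))
```

Returning the list of rules that fired, not just the verdict, is what lets an administrator see why a message was lost and lower the weight of the offending rule; the per-rule weights are exactly the knob that trades false positives against false negatives.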

32
Part II: Phishing and Pharming
33
Oct. 2004 to July 2005 APWG
34
35
Note no SSL. Typically short
lived sites.
36
Common Phishing Methods
  • Often phishing sites hosted on bot-net drones.
  • Move from bot to bot using dynamic DNS.
  • Use domain names such as:
  • www.ebay.com.badguy.com
  • Use URLs with multiple redirections:
  • http://www.chase.com/url.php?url=http://www.phish.com
  • Use randomized links:
  • http://www.some-poor-sap.com/823548jd/
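
Detection heuristics for the URL patterns listed above, as an added Python example (not from the lecture or any toolbar's code). The brand watch-list is constructed, and the "registrable domain" helper uses a deliberate simplification (last two labels) that a real checker would replace with the Public Suffix List.

```python
import re
from urllib.parse import parse_qs, urlparse

BRANDS = {"ebay", "chase", "paypal"}   # constructed watch-list of brand names
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host):
    """Last two labels of the host.

    Simplification for the example; real code should use the Public
    Suffix List so that e.g. example.co.uk is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def phishing_indicators(url):
    """Return a list of human-readable findings for a single URL."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    labels = host.split(".")
    reg = registrable_domain(host)
    findings = []

    # Raw IP instead of a name: no domain to judge at all.
    if IPV4_RE.fullmatch(host):
        findings.append("host is a raw IP address")

    # Brand name used as a subdomain of some other registrable domain,
    # e.g. www.ebay.com.badguy.com.
    for brand in sorted(BRANDS):
        if brand in labels and brand not in reg.split("."):
            findings.append(f"brand '{brand}' appears in subdomain of {reg}")

    # Trusted site used as a redirector: a query parameter carrying a URL.
    for key, values in parse_qs(p.query).items():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                target = registrable_domain(urlparse(value).hostname or "")
                findings.append(f"redirect parameter '{key}' points to {target}")

    # Slide 35's observation: phishing sites typically have no SSL.
    if p.scheme != "https":
        findings.append("no HTTPS")

    return findings


if __name__ == "__main__":
    for u in ("http://www.ebay.com.badguy.com/signin",
              "http://www.chase.com/url.php?url=http://www.phish.com",
              "https://www.ebay.com/"):
        print(u, phishing_indicators(u))
```

The redirect check only inspects one level; a URL that bounces through several redirectors needs the same test applied to each hop, and the randomized-path case on the slide is not detectable from the URL string alone, which is why the toolbars on the next slide fall back to server-side reputation lookups.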

37
Industry Response
  • Anti-phishing toolbars: Netcraft, eBay,
    Google, IE7
  • IE7 phishing filter:
  • Whitelisted sites are not checked
  • Other sites: (stripped) URL sent to MS server
  • Server responds with "OK" or "phishing"

38
Pharming
  • Cause DNS to point to phishing site
  • Examples:
  • DNS cache poisoning
  • Write an entry into the machine's /etc/hosts
    file:
  • <phisher IP> <victim name>
  • URL of phishing site is identical to victim's URL
  • will bypass all URL checks

39
Response: High assurance certs
  • More careful validation of cert issuance
  • On browser (IE7)

but most phishing sites do not use HTTPS
40
Other industry responses BofA, PassMark
ING bank login
41
Industry Response Bank of Adelaide
42
ING PIN Guard
43
T.G.s: The next phishing wave
  • Transaction generation malware
  • Waits for user to log in to banking sites
  • Issues money transfer requests on behalf of user.
  • Reported malware in UK targeting all four major
    banks.
  • Note: These are social engineering attacks.
  • Not just a Windows problem.

44
Some ID Protection Tools
  • SpoofGuard (NDSS '04)
  • Alerts user when viewing a spoofed web page.
  • Uses a variety of heuristics to identify spoof
    pages.
  • Some SpoofGuard heuristics used in eBay
    toolbar and Earthlink ScamBlocker.
  • PwdHash (USENIX Security '05)
  • Browser extension for strengthening password-based web authentication.
  • Being integrated with RSA SecurID.

45
Password Hashing (pwdhash.com)
[Figure: browser sends hash(pwdA, BankA) to Bank A and hash(pwdB, SiteB) to Site B]
  • Generate a unique password per site
  • HMAC_fido123(banka.com) → Q7a0ekEXb
  • HMAC_fido123(siteb.com) → OzX2ICiqc
  • Hashed password is not usable at any other site
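
The per-site hashing idea as an added Python example (not the PwdHash extension's code): the site password is HMAC(master password, registrable domain of the page asking), so a phishing host under another domain receives a value that is useless at the real bank. The domain helper is a simplification and the master password, URLs and output length are constructed.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlparse


def site_domain(url):
    """Registrable domain of the page asking for the password.

    Simplification for the example: the last two host labels. The real
    extension consults a suffix list so that e.g. co.uk is handled correctly.
    """
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def site_password(master, url, length=12):
    """HMAC(master, domain), encoded as a printable per-site password.

    The real PwdHash additionally massages the output to satisfy each site's
    password rules (character classes, length); that step is omitted here.
    """
    domain = site_domain(url)
    tag = hmac.new(master.encode(), domain.encode(), hashlib.sha256).digest()
    return base64.b64encode(tag).decode()[:length]


if __name__ == "__main__":
    master = "fido123"   # constructed master password
    for url in ("https://www.banka.example/login",
                "https://siteb.example/",
                "http://www.banka.example.badguy.example/login"):
        print(site_domain(url), site_password(master, url))
```

Because the domain is taken from the page the browser is actually on, not from what the page looks like, a user who is fooled into typing the master password at www.banka.example.badguy.example leaks only the hash for badguy.example; the bank's own credential is never sent anywhere but the bank.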

46
Take home message
  • Deployed insecure services (proxies, relays):
  • Quickly exploited
  • Cause trouble for everyone
  • Current web user authentication is vulnerable to
    spoofing
  • Users are easily fooled into entering a password
    in an insecure location