1 Email and DNS Hacking

2 Overview
  Email Hacking
  - Technology
  - Attacks
  - Phishing/Spearphishing/Whaling
  DNS Hacking
  - Technology
  - Attacks
  - Flux

3 Email
  A postcard written in pencil, with trusted cargo attached
  Illustration text: VIP@XXX.COM / "Here is the program you’ve been waiting for." / Trusted Colleague

4 How Email Works
  Diagram labels: User; Mail User Agent; Mail Transfer Agent; Mail User Agent

5 Simple Mail Transfer Protocol
  - TCP/25 by default
  - Transfer-agent based
  - Text Protocol
  - Single connection, multiple messages (maybe)
  - Easily forged

  S: 220 smtp.example.com ESMTP Postfix
  C: HELO relay.example.org
  S: 250 Hello relay.example.org, I am glad to meet you
  C: MAIL FROM:
  S: 250 Ok
  C: RCPT TO:
  S: 250 Ok
  C: RCPT TO:
  S: 250 Ok
  C: DATA
  S: 354 End data with.
  C: From: "Bob Example"
  C: To: Alice Example
  C: Date: Tue, 15 Jan 2008 16:02:43 -0500
  C: Subject: Test message
  C: Hello Alice.
  C: Your friend, Bob
  C: .
  S: 250 Ok: queued as 12345
  C: QUIT
  S: 221 Bye
  {The server closes the connection}

6 How Email Can Go Wrong
  Diagram labels: User; Mail User Agent; Mail Transfer Agent; Mail User Agent
  Failure points shown: Malicious Software; Weak Protocol; Intercepted Message; Malicious Software; Weak Protocol; Inserted Message; Preview & Download; Integration with OS; Dropped Message

7 Attacking Email
  Diagram labels: User; Mail User Agent; Mail Transfer Agent; Mail User Agent
  Attack actions shown: Subvert; Attach; Hijack; Flood; Extract; Insert; Compromise; Propagate; Fool

8 Social Engineering
  - Exploit trust relationships between people
  - Exploit service climate
  - Exploit business methods

9 Love Letter Virus
  Illustration text: VIP@XXX.GOV / "Check out this joke..." / Trusted Colleague
  Diagram labels: IRC; Exchange; VBS; JPG; MP3; others; Replace; Corrupt data/script files; Steal Passwords; Clog email

10 Phishing example?

  Date: Tue, 20 Sep 2005 03:06:03 -0700 (PDT)
  From: Countrywide countrywide@email.countrywide.com
  To: tjs@cert.org
  Subject: Important Customer Correspondence

  [Image: "height="]
  [Image: "Countrywide - Full Speectrum Lending Division"]
  [Image: "1-866-227-4118"]
  [Image: "height="] [Image: "height="] [Image: "height="]
  [Image: "If you could use some extra cash, Countrywide could make it easy."]
  [Image: "Click Here to Get Started"]
  [Image: "height="] [Image: "height="] [Image: "height="] [Image: "height="]

  Dear Timothy,
  We can help customers get cash from the available equity they've built up in their homes by refinancing their mortgages ? and with the trend in rising home values, we estimate your home's equity may have increased to as much as $43,867.00. (much more…)

  Notes:
  - Phone number appears legit, current mortgage holder
  - Note typographical errors (Speectrum, empty images, etc.)
  - Big payoff offered
  - Closer look: embedded domains don't match the From domain (m0.net, r.delivery.net, not countrywide.com; all same ISP (Digital Impact))
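The "closer look" check from slide 10, comparing the From domain with the domains embedded in the HTML body, as an added Python example (not part of the original presentation). The sample message is constructed, with made-up URL paths, and base_domain is a hypothetical helper that assumes the registrable domain is the last two labels.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the slide's message; body and URL paths are made up.
SAMPLE = """\
From: Countrywide <countrywide@email.countrywide.com>
To: tjs@cert.org
Subject: Important Customer Correspondence
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<img src="http://m0.net/constructed/logo.gif">
<a href="http://r.delivery.net/constructed/click">Click Here to Get Started</a>
<a href="http://www.countrywide.com/constructed/privacy">Privacy</a>
</body></html>
"""

# Absolute http(s) URLs in href/src attributes, quoted or unquoted.
URL_ATTR = re.compile(r'(?:href|src)\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)

def base_domain(host):
    """Naive registrable domain: last two labels (assumption; no public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def html_bodies(msg):
    """Yield the decoded text of every text/html part, including nested ones."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")

def mismatched_domains(raw):
    """Return (from_domain, sorted link domains that differ from it)."""
    msg = message_from_string(raw)
    addr = parseaddr(msg.get("From", ""))[1]
    sender = base_domain(addr.rpartition("@")[2])
    found = set()
    for html in html_bodies(msg):
        for url in URL_ATTR.findall(html):
            host = urlparse(url).hostname
            if host:
                found.add(base_domain(host))
    return sender, sorted(found - {sender})

if __name__ == "__main__":
    sender, odd = mismatched_domains(SAMPLE)
    print(f"From domain: {sender}; mismatched link domains: {odd}")
```

A mismatch is a triage signal rather than a verdict: the slide itself observes that the embedded domains all belong to the same ISP (Digital Impact).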

11 Domain Name System
  - More than just hostname → IP
  - Query hierarchy of nameservers
    - Local nameserver (resolver): answer from cache or preloaded resolutions, may do recursive queries
    - Authoritative nameserver: answer based on domains it covers, or recurse
    - Root nameserver: answer top-level, delegate, or generate errors

12 Name Server Protocol
  - UDP/53 or TCP/53
  - Client queries local (address, ptr, mx, ns, hinfo, any)
  - Local responds from cache or queries to root
  - Root responds with referral to TLD or error
  - Local queries TLD
  - TLD responds with referral to authority or error
  - Local queries authority
  - Authority sends answer
  - Local sends answer
  Diagram labels: Query; Response

13 Where DNS Can Go Wrong
  Client Side
  - Cache Poisoning
  - False Response
  - False Domains
  - Compromise
  - Tunneling
  Server Side
  - Flooding
  - False Response
  - Compromise

14 Flux
  - Why would a domain change its resolution?
  - Why would a domain change frequently?
  - Why would a domain change transiently?

15 Summary
  - Common and needed protocols
  - Many, many vulnerabilities
  - Many, many attacks
  - Some systematic solutions (encryption)
  - Trust

