Security fundamentals Topic 9 Securing internet messaging.


1 Security fundamentals Topic 9 Securing internet messaging

2 Agenda
– Secure mail servers
– Secure mail clients
– Secure instant messaging (IM)

3 Email security basics
– Store and forward: send message to mail server, mail server delivers message to server with recipient’s mailbox
– IMAP: reads the message on the mail server
– POP: downloads mail from mailbox to the client
– DNS MX (Mail Exchange) to route the message
– Email sent in ASCII format
– MIME extensions to convert any file to ASCII and attach to an email
– Mail header contains information about the message, attachments and mail servers
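Added example (not part of the original slides): a Python standard-library sketch of the last three points, showing a binary attachment travelling as ASCII and what the header reveals about the servers involved. The addresses, host names, Received lines and attachment are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed trace headers, newest first, as receiving servers prepend them.
RECEIVED = (
    b"Received: from mx.example.org (192.0.2.25) by mail.example.net;"
    b" Mon, 01 Jan 2024 10:00:05 +0000\n"
    b"Received: from alice-pc.example.org (198.51.100.7) by mx.example.org;"
    b" Mon, 01 Jan 2024 10:00:01 +0000\n"
)

def build_message() -> bytes:
    """Constructed sample: text body plus a 256-byte binary attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.org"
    msg["To"] = "bob@example.net"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Report attached.")
    msg.add_attachment(bytes(range(256)), maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return RECEIVED + msg.as_bytes()

def summarize(raw: bytes) -> dict:
    """Report what the header and MIME structure reveal about a message."""
    msg = message_from_bytes(raw, policy=policy.default)
    attachments = [
        (part.get_filename(), part.get_content_type(),
         str(part["Content-Transfer-Encoding"]), len(part.get_content()))
        for part in msg.iter_attachments()
    ]
    return {
        # MIME base64-encodes the binary part, so the wire form stays ASCII.
        "wire_is_ascii": raw.isascii(),
        "structure": msg.get_content_type(),
        # Oldest hop first: the path the message took between mail servers.
        "hops": [str(h).split(" by ")[0].removeprefix("from ")
                 for h in reversed(msg.get_all("Received", []))],
        "attachments": attachments,
    }

if __name__ == "__main__":
    for key, value in summarize(build_message()).items():
        print(f"{key}: {value}")
```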

4 Email security basics
Protocols:
– SMTP sends email to mail server and sends email from mail servers to other mail servers
– POP retrieves mail for the client from a mailbox on a mail server
– IMAP views email messages in the mailbox on the mail server
Standard email issues:
– No encryption
– No authentication from sender
– No integrity of message

5 Spam – Mass mailings of mail
Unsolicited Commercial Email – Mass mailings to mailing lists for advertising
Issues with spam and UCE
– Uses network capacity
– Clogs up users’ mailboxes
– Significant costs with email

6 Spam
Best practice
– Filters on mail servers and/or mail clients
– Block email from blacklisted servers
– Teach users:
  – Never respond to spam
  – Don’t post an address on a web site
  – Use a second email address for newsgroups
  – Know how your email address will be used if you provide it: check the privacy statement
  – Use a spam filter or junk email filter

7 Scams and hoaxes
– Create a policy that prohibits the release of sensitive information through inappropriate channels
  – Define what is sensitive
  – Define what counts as an inappropriate channel
– Educate users
Hoaxes
– Seek to spread misleading information somewhat like a chain letter

8 Scams and hoaxes
Issues with hoaxes
– Uses network capacity
– Malicious, may instruct users to delete files
Create a written policy that prohibits the forwarding of known hoaxes
Educate users to watch out for emails with these headers
– Urgent, tell all your friends, this isn't a hoax, dire consequences, history FW >>>
– Forward emails to technical support
– Keep virus scanners up-to-date

9 Securing mail servers
Common attacks against mail servers
– Data theft or tampering
– Denial of Service
– Spam, scams and hoaxes
– Spoofing (IPs)
– Mail relay (with unauthenticated servers)
– Email virus
Protecting mail servers
– Remove unnecessary components
– Block unused protocols
– Disable relaying from unauthenticated connections
– Configure an SMTP bridgehead server: it only receives SMTP messages from the internet and forwards them; a single-purpose server is easier to secure
– Install virus filters and antivirus software, with signatures kept up-to-date
– Keep software up-to-date

10 Access control
Client access (users with mailboxes)
– POP transmits credentials in clear text
  – Use SPA (Secure Password Authentication) or APOP (Authenticated POP)
  – Use IPSec to encrypt messages and authentication
– Proprietary protocols such as MAPI
  – Configure in a secure manner
– Web based email
  – Configure SSL and allow only https connections
– SMTP
  – Require authentication and use SPA
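Added example (not part of the original slides): the APOP exchange as defined in RFC 1939, where the client answers the server's greeting timestamp with an MD5 digest instead of sending the password. The PopServer class, user name, secret and host name are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def apop_digest(timestamp: str, shared_secret: str) -> str:
    """RFC 1939 APOP: hex MD5 of the banner timestamp followed by the secret."""
    return hashlib.md5((timestamp + shared_secret).encode("ascii")).hexdigest()

def apop_command(user: str, banner: str, shared_secret: str) -> str:
    """Client side: pull the <...> timestamp out of the greeting and answer it."""
    timestamp = banner[banner.index("<"): banner.index(">") + 1]
    return f"APOP {user} {apop_digest(timestamp, shared_secret)}"

class PopServer:
    """Toy server side; user names, secrets and host name are constructed."""
    def __init__(self, user_secrets: dict, host: str = "pop.example.net"):
        self.user_secrets = user_secrets
        self.host = host
        self.timestamp = None

    def greet(self) -> str:
        # A fresh, unpredictable timestamp per connection defeats replay.
        self.timestamp = f"<{secrets.token_hex(8)}@{self.host}>"
        return f"+OK POP3 server ready {self.timestamp}"

    def login(self, line: str) -> bool:
        parts = line.split()
        if len(parts) != 3 or parts[0] != "APOP" or self.timestamp is None:
            return False
        _, user, digest = parts
        expected = apop_digest(self.timestamp, self.user_secrets.get(user, ""))
        ok = user in self.user_secrets and hmac.compare_digest(expected, digest)
        self.timestamp = None  # one attempt per challenge
        return ok

if __name__ == "__main__":
    server = PopServer({"mrose": "constructed-secret"})
    wire = apop_command("mrose", server.greet(), "constructed-secret")
    print("on the wire:", wire)            # digest only, no password
    print("accepted:", server.login(wire))
    server.greet()                         # new connection, new challenge
    print("captured line replayed:", server.login(wire))
```

APOP protects only the login step; the retrieved messages still cross the network in clear text, which is what the IPSec item on the slide addresses.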

11 SMTP relay
The process of forwarding email messages to another email server
Spammers may attempt to forward email to your server for relaying to another email server (allows blacklisted servers to move spam into legitimate mail channels)
Open relays
– Email servers that accept and relay all email traffic
Monitoring email
– Filter executable attachments such as .exe, .zip
– Monitor outgoing email for confidential email
– Monitor employee communications
– Australian Telecommunications Act
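Added example (not part of the original slides): the relay decision an SMTP server makes for each recipient, comparing an open relay with a server that refuses relaying from unauthenticated connections. The Submission record, domains and addresses are constructed; the recipient domain is normalised before comparison so that case, angle brackets or a trailing dot cannot change the outcome.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Submission:
    client_ip: str
    authenticated: bool
    mail_from: str
    rcpt_to: str

LOCAL_DOMAINS = {"corp.example"}          # constructed: domains we host mailboxes for

SAMPLE = [                                # constructed traffic
    Submission("203.0.113.50", False, "promo@bulk.example", "victim@elsewhere.example"),
    Submission("198.51.100.7", True, "alice@corp.example", "partner@elsewhere.example"),
    Submission("192.0.2.25", False, "sender@other.example", "<Bob@CORP.example.>"),
]

def rcpt_domain(rcpt_to: str) -> str:
    """Normalise the recipient domain before comparing it to local domains."""
    return rcpt_to.strip("<>").rsplit("@", 1)[-1].rstrip(".").lower()

def decide(sub: Submission, local_domains: set, open_relay: bool) -> str:
    """Return 'deliver', 'relay' or 'reject' for one recipient."""
    if rcpt_domain(sub.rcpt_to) in local_domains:
        return "deliver"                  # our own mailbox: normal inbound mail
    if open_relay or sub.authenticated:
        return "relay"                    # forwarded to another mail server
    return "reject"                       # unauthenticated relay attempt refused

def relayed_for_strangers(subs, local_domains, open_relay):
    """Submissions the server would forward without knowing who sent them."""
    return [s for s in subs
            if not s.authenticated
            and decide(s, local_domains, open_relay) == "relay"]

if __name__ == "__main__":
    for open_relay in (True, False):
        label = "open relay" if open_relay else "authenticated relay only"
        print(label)
        for s in SAMPLE:
            print(f"  {s.client_ip:<14} -> {s.rcpt_to:<28} "
                  f"{decide(s, LOCAL_DOMAINS, open_relay)}")
        print("  forwarded for strangers:",
              len(relayed_for_strangers(SAMPLE, LOCAL_DOMAINS, open_relay)))
```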

12 Securing email clients
Common attacks against email clients
– Spoofing with a false return address
– Eavesdropping on headers and contents sent in clear text
– HTML vulnerabilities, Java, Microsoft® ActiveX, scripting
– Not patched, security updates not applied
– Viruses and trojans
– Web based email that bypasses the corporate email servers’ security policy

13 Encryption and signing
PGP (Pretty Good Privacy)
– Encrypt, decrypt and sign email, files, some IMs and VPNs
– Exchange, Microsoft® Outlook®, Microsoft® Outlook Express®, Eudora® (Eudora is a registered trademark of QUALCOMM Incorporated) and Lotus Notes®
– No CA, you must provide public key to email partners
– You store others’ public keys on a key ring stored locally
– Others encrypt email with your public key, you decrypt with your private key
– Sign email with your private key, others ensure integrity with your public key
S/MIME (Secure Multipurpose Internet Mail Extensions)
– Encrypts and digitally signs email
– Uses PKI and certificates
Both use public key encryption (key pair of public/private keys)
Both provide encryption and authentication

14 Securing instant messaging
Real-time messages, files, audio and video
Significant security risks
Threats:
– Unencrypted data transfer: messages in clear text
– Transferred files might bypass virus scanners (on email servers)
– Vulnerabilities such as buffer overflows
– Disclosure of sensitive information through social engineering

15 Securing instant messaging
Instant messaging security
– Restrict the types of IM authorised for use (easier to support)
– Use an IM that supports encryption
– Create an acceptable use policy for instant messaging
– Educate users on the dangers (particularly file transfer)
– Update virus scanners and run scans
– Patch and monitor security vulnerabilities
– Maintain an IM server for internal use with no traffic to the outside

16 Lesson overview
– How to go about securing mail servers and clients
– How to go about securing instant messaging

