
Erik Kangas -




1 http://bit.ly/email-identity
   Erik Kangas, kangas@luxsci.com - http://luxsci.com

2 Phishing

3 Social Engineering
   "Please allow John (john@gmail.com) to have admin rights on my account as he is my new developer."
   "Please close my account, I don't need it anymore."
   "My boss lost his password and we are losing $1M/day because we can't access our account."
   "I don't know who my account administrator is --- can you point me to the right person?"

4 Kid Engineering?
   Fake email to school saying that they will be absent or leave early – think the school checks sender identity?
   Fake email to another family member…
   My grade-school kid can't do this yet…. But in a few years?

5 The Jedi Email Trick is Easy

6 Hack: Sending Email Forgeries
   Get a good example to mimic and modify. We'll look at Bank of America.
   Fire up a shell with telnet and permission to use outbound port 25.
   WARNING: Your IP will be tracked – use a network that won't track back to you.
   Learn how to speak SMTP.

7 Sending the BoA Forgery
   1. Get a good example message and headers

   Return-Path:
   Received: from unknown [68.232.194.2] (EHLO mta5.ealerts.bankofamerica.com)
     by p02c12m115.mxlogic.net(mxl_mta-8.2.0-3) over TLS secured channel with ESMTP
     id 9e853d45.0.105970.00-2374.168431.p02c12m115.mxlogic.net (envelope-from );
     Thu, 05 Feb 2015 04:50:03 -0700 (MST)
   DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608; d=ealerts.bankofamerica.com;
     h=From:To:Subject:Date:MIME-Version:Reply-To:Message-ID:Content-Type;
     i=onlinebanking@ealerts.bankofamerica.com; bh=YhJz6l84RyMXW/utiX0auH/xtTQ=;
     b=Dzp0SVPypvq8X0VHConCJLSIYwL23EbgP8VxN4qK765Y57++HbhTQDjaXWc0sFjV7BV6/Np3DD3E
       dYHiIoxpzSy1GHvwvIDaG0+md1ijOmDwsBgFpE70upc+9WVHaNOYXjWxkO1tsgdfjEeJprcK93Wx
       Oc5xp60eg3MRnIvLC3A=
   Received: by mta5.ealerts.bankofamerica.com id hqdcek163hsp for ;
     Thu, 5 Feb 2015 05:49:51 -0600 (envelope-from )
   From: "Bank of America"
   Reply-To: "Bank of America"
   Message-ID:

8 2. Make Customized Headers
   Return-Path:
   Received: by mta5.ealerts.bankofamerica.com id hqdcek163bnq for ;
     Thu, 5 Feb 2015 10:25:15 -0600 (envelope-from )
   From: "Bank of America"
   Reply-To: "Bank of America"
   Message-ID:
   Subject: Alert! Your Bank of America account has been compromised
   To: testuser@luxsci.net

   (Add the custom body of the message, next)
   Note: Omit DKIM Header… we'll see why later.

9 3. Make a Malicious Body
   Create a similar/custom message body, modified to trap the recipient.

10 4. Target Inbound Email Server: DNS
   Recipient (Target): testuser@luxsci.net
   What servers accept email for @luxsci.net addresses? Check DNS MX Records:

   $ dig +short luxsci.net mx
   30 inbound30.luxsci.com.
   10 inbound10.luxsci.com.
   20 inbound20.luxsci.com.

11 5. Manual SMTP: Sending
   $ telnet inbound10.luxsci.com 25
   Trying 98.129.60.231...
   Connected to inbound10.luxsci.com.
   220 rs302.luxsci.com ESMTP Sendmail 8.14.4/8.13.8; Sat, 7 Mar 2015 17:48:10 GMT
   ehlo mta5.ealerts.bankofamerica.com
   250-rs302.luxsci.com Hello mobile-166-171-186-103.mycingular.net [166.171.186.103], pleased to meet you
   … (removed to save space)
   250 HELP
   mail from:
   250 2.1.0 onlinebanking@ealerts.bankofamerica.com... Sender ok
   rcpt to:
   250 2.1.5 testuser@luxsci.net... Recipient ok
   data
   354 Enter mail, end with "." on a line by itself
   To: testuser@luxsci.net
   From: "Bank of America"
   Subject: Alert! Your Bank of America account has been compromised
   Date: Sat, 7 Mar 2015 17:48:10 GMT
   Message-Id: af68828a-6c81-5896-b43d-8583607bdf99@xtnvs5mta406.xt.local
   [Insert the rest of your customized headers]

   [Insert the customized message content]
   .
   250 2.0.0 t27HmAT9021384 Message accepted for delivery
   quit

12 The Forgery: Received
   Can you tell it's fraud?


14 Maybe the Raw Headers?

15 What Can You Believe?

16 Counter Hack 1: SPF
   Sender Policy Framework
   Publish in DNS which servers are authorized to send email for that domain.

   $ dig +short domain.com txt
   "v=spf1 ptr ~all"
   E.g. with ptr: the reverse DNS name of the sending IP must be in the domain, and a forward lookup of that name must resolve back to the IP.

   $ dig +short bankofamerica.com txt
   "v=spf1 include:_txspf.bankofamerica.com include:_vaspf.bankofamerica.com include:_newspf.bankofamerica.com ~all"

17 Hack: SPF Fails
   1. Hard to identify all valid sending servers
   2. Forwarding fails
   3. Use of weak "~all" SPF
   4. Inter-domain forgery
   5. Same email provider forgery
   (Doesn't protect against spam … none of the counter hacks for identity do)

   $ dig +short hotmail.com txt
   "v=spf1 include:spf-a.outlook.com include:spf-b.outlook.com ip4:157.55.9.128/25 include:spf.protection.outlook.com include:spf-a.hotmail.com include:_spf-ssg-b.microsoft.com include:_spf-ssg-c.microsoft.com ~all"
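The record walk that a receiving server performs for slides 16 and 17 can be followed in code. The evaluator below is an added example, not code from the slides or from LuxSci. It runs offline against a constructed DNS table: the bankofamerica.com TXT value is the one shown on slide 16, while the three included sub-records and every A/MX entry are placeholders invented for the example. Fed the mobile address the telnet session on slide 11 came from, BoA's policy ends in "~all" and so yields only "softfail", the point slide 17 makes about weak "~all" records; a "-all" policy would return "fail" for the same address.

```python
"""Offline SPF evaluator (added example; not code from the slides or from LuxSci).

Walks a 'v=spf1' record the way a receiving mail server does, using a
constructed in-memory DNS table instead of live lookups. Mechanisms handled:
ip4, ip6, a, mx, include, all, plus the redirect= modifier; ptr and exists are
left out on purpose. Result names follow RFC 7208.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed DNS data. The bankofamerica.com TXT value is the one shown on the
# slide; the three included records and all A/MX entries are placeholders.
DNS = {
    "txt": {
        "example.com": "v=spf1 a mx ip4:192.0.2.0/24 -all",
        "weak.example": "v=spf1 mx ~all",
        "bankofamerica.com": ("v=spf1 include:_txspf.bankofamerica.com "
                              "include:_vaspf.bankofamerica.com "
                              "include:_newspf.bankofamerica.com ~all"),
        "_txspf.bankofamerica.com": "v=spf1 ip4:198.51.100.0/24 -all",
        "_vaspf.bankofamerica.com": "v=spf1 ip4:203.0.113.0/24 -all",
        "_newspf.bankofamerica.com": "v=spf1 -all",
    },
    "a": {
        "example.com": ["192.0.2.10"],
        "mail.example.com": ["192.0.2.25"],
        "mx.weak.example": ["198.51.100.200"],
    },
    "mx": {
        "example.com": ["mail.example.com"],
        "weak.example": ["mx.weak.example"],
    },
}


def check_spf(ip, domain, dns=DNS, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for `ip` sending as `domain`."""
    if depth > 10:
        return "permerror"                  # RFC 7208 limits include/redirect recursion
    record = dns["txt"].get(domain.lower())
    if not record or not record.lower().startswith("v=spf1"):
        return "none"                       # nothing published: SPF cannot detect a forgery
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                     # modifier, not a mechanism
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue                        # exp= and unknown modifiers are ignored
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = any(addr == ipaddress.ip_address(a)
                          for a in dns["a"].get(arg or domain, []))
        elif mech == "mx":
            matched = any(addr == ipaddress.ip_address(a)
                          for mx in dns["mx"].get(arg or domain, [])
                          for a in dns["a"].get(mx, []))
        elif mech == "include":
            # Only a 'pass' of the included policy matches; its fail/softfail
            # does not end evaluation of the including record.
            matched = check_spf(ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"              # ptr, exists, or a typo in the record
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_spf(ip, redirect, dns, depth + 1)
    return "neutral"                        # no mechanism matched and no 'all' term


if __name__ == "__main__":
    # 166.171.186.103 is the mobile address the slides' telnet session came from.
    for ip, dom in [("166.171.186.103", "bankofamerica.com"),
                    ("198.51.100.7", "bankofamerica.com"),
                    ("192.0.2.99", "example.com"),
                    ("198.51.100.5", "weak.example")]:
        print(f"{ip:>16} as {dom:<20} -> {check_spf(ip, dom)}")
```

A filter that treats "softfail" as a mild score adjustment rather than a rejection, which is common, lets the forged session through; only the domain owner moving to "-all" (and a receiver enforcing it) turns that into a hard failure.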

18 Counter Hack 2: DKIM
   DomainKeys Identified Mail
   Publish a cryptographic public key in DNS.
   Sign every message using the private key. The signature covers the body, subject, sender address, and other important headers.
   On receipt: the DKIM public key is looked up and the signature verified.
   No issue with email forwarding.
   Provides sender verification and message integrity / replay protection.

19 Example From Bank of America's REAL Email:
   DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608; d=ealerts.bankofamerica.com;
     h=From:To:Subject:Date:MIME-Version:Reply-To:Message-ID:Content-Type;
     i=onlinebanking@ealerts.bankofamerica.com; bh=YhJz6l84RyMXW/utiX0auH/xtTQ=;
     b=Dzp0SVPypvq8X0VHConCJLSIYwL23EbgP8VxN4qK765Y57++HbhTQDjaXWc0sFjV7BV6/Np3DD3E
       dYHiIoxpzSy1GHvwvIDaG0+md1ijOmDwsBgFpE70upc+9WVHaNOYXjWxkO1tsgdfjEeJprcK93Wx
       Oc5xp60eg3MRnIvLC3A=

   Checking DNS
   $ dig +short _domainkey.bankofamerica.com txt
   "o=~"
   $ dig +short 200608._domainkey.bankofamerica.com txt
   "v=DKIM1\; k=rsa\; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDJlTsW0bYLUNtVk4WDLNml1JyockXBDIR45WIyTUmN0X96ggBOqdEvawje56qWkniGpC1g1aziAbaxfvzgP9CvtE5iTmCzQF1O1VhvDxPZjmjCvU/rZDuLwk6Mqvm4lnBRx15eBwtZrm2SJ83yNToIJpMQlPAa8ROpTlqpRrnU4QIDAQAB"

20 Hack: DKIM Fails
   1. Hard to get all servers to sign your messages
   2. Legitimate message modification breaks DKIM
   3. Consequent use of weak DKIM rules (o=~)
   4. Inter-domain forgery
   5. Same email provider forgery if DKIM usage not strict.
   Looks strong on paper, often weak in practice
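Slides 18 to 20 describe what a DKIM verifier does and why forwarding-time edits break it. The code below is an added example, not code from the slides or from LuxSci; it shows the verifier's first three steps in plain Python: split the DKIM-Signature header into tags, derive the DNS name where the public key is published (selector._domainkey.signing-domain, built from the s= and d= tags), and recompute the body hash bh= over the canonicalised body. The header value is the real one from slide 19; the demo body and its signature header are constructed for the example (the b= tag is left empty because no RSA signing is done here; checking b= needs the fetched key and an RSA library such as the dkimpy package). The last two assertions in the test show what slide 20 calls legitimate modification: a mailing-list footer appended to the body changes bh= and the signature no longer verifies, while whitespace-only changes survive under relaxed canonicalisation.

```python
"""DKIM-Signature parsing and body-hash check (added example; not code from the
slides or from LuxSci).

A verifier's work before any RSA: split the header into tags, find the public
key's DNS name (<s>._domainkey.<d>), and recompute 'bh=' over the canonicalised
body (RFC 6376 section 3.4). Verifying 'b=' needs the fetched key and an RSA
library (the dkimpy package does the whole job); that step is not reproduced.
"""
import base64
import hashlib
import re

# Header value copied from the real Bank of America message on the slide.
SLIDE_DKIM = (
    "v=1; a=rsa-sha1; c=relaxed/relaxed; s=200608; d=ealerts.bankofamerica.com; "
    "h=From:To:Subject:Date:MIME-Version:Reply-To:Message-ID:Content-Type; "
    "i=onlinebanking@ealerts.bankofamerica.com; bh=YhJz6l84RyMXW/utiX0auH/xtTQ=; "
    "b=Dzp0SVPypvq8X0VHConCJLSIYwL23EbgP8VxN4qK765Y57++HbhTQDjaXWc0sFjV7BV6/Np3DD3E"
    "dYHiIoxpzSy1GHvwvIDaG0+md1ijOmDwsBgFpE70upc+9WVHaNOYXjWxkO1tsgdfjEeJprcK93Wx"
    "Oc5xp60eg3MRnIvLC3A="
)


def parse_tags(value):
    """'k=v; k=v' -> dict. Folding whitespace inside values is removed."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def key_dns_name(tags):
    """TXT name a verifier queries for the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def signed_headers(tags):
    """Header fields covered by the signature (the h= tag)."""
    return [h for h in tags.get("h", "").split(":") if h]


def canonical_body(body, algo="simple"):
    """RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed) body canonicalisation."""
    lines = body.replace("\r\n", "\n").split("\n")
    if algo == "relaxed":
        # collapse runs of whitespace to one SP and strip trailing whitespace
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()                         # ignore trailing empty lines
    if not lines:
        return "\r\n" if algo == "simple" else ""
    return "".join(line + "\r\n" for line in lines)


def body_hash(body, tags):
    """Recompute bh= for `body` using the a=, c= and l= tags of the signature."""
    digest_name = tags.get("a", "rsa-sha256").split("-", 1)[1]     # sha1 / sha256
    c = tags.get("c", "simple/simple")
    body_algo = c.split("/", 1)[1] if "/" in c else "simple"       # body part of c=
    data = canonical_body(body, body_algo).encode("utf-8")
    if "l" in tags:                         # l= hashes only a prefix of the body
        data = data[:int(tags["l"])]
    return base64.b64encode(hashlib.new(digest_name, data).digest()).decode()


def body_hash_matches(body, header_value):
    """True when the message body still hashes to the bh= the signer recorded."""
    tags = parse_tags(header_value)
    return body_hash(body, tags) == tags.get("bh")


# Constructed body and a signature header built for it (b= left empty: only
# the body hash is demonstrated, no RSA signing happens here).
DEMO_BODY = "Dear customer,\r\n\r\nYour  statement is   ready.\r\n\r\n\r\n"
DEMO_TAGS = {"v": "1", "a": "rsa-sha256", "c": "relaxed/relaxed",
             "s": "sel1", "d": "example.com", "h": "From:To:Subject"}
DEMO_HEADER = ("; ".join(f"{k}={v}" for k, v in DEMO_TAGS.items())
               + f"; bh={body_hash(DEMO_BODY, DEMO_TAGS)}; b=")

if __name__ == "__main__":
    slide = parse_tags(SLIDE_DKIM)
    print("key lookup:", key_dns_name(slide))
    print("signed headers:", signed_headers(slide))
    print("demo body intact:", body_hash_matches(DEMO_BODY, DEMO_HEADER))
    print("demo body with footer:",
          body_hash_matches(DEMO_BODY + "-- added by a mailing list\r\n", DEMO_HEADER))
```

Note that the key name derived from the slide's header is 200608._domainkey.ealerts.bankofamerica.com, the subdomain named in d=; a verifier never looks anywhere else for the key, which is what makes the s= and d= tags part of the trust decision rather than decoration.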

21 Counter Hack 3: DMARC
   Domain-based Message Authentication, Reporting and Conformance
   1. Publish in DNS exactly what to do if BOTH SPF and DKIM fail.
   2. You can be more strict about your policies if they are otherwise all weak.
   3. You can tell recipient filters exactly what to do with "nonaligned" messages.

   $ dig +short _dmarc.domain.com txt
   "v=DMARC1\; p=quarantine\; pct=100"
   E.g. if SPF and DKIM both fail – always quarantine the email.

   $ dig +short _dmarc.bankofamerica.com txt
   "v=DMARC1\; p=none\; rua=mailto:auth.report_ns@bankofamerica.com"
   E.g. if both fail – do nothing but send a status report to BoA.

22 Hack: DMARC Problems
   1. If your SPF and DKIM were strict … DMARC weakens things -- an "OR" and not an "AND"
   2. Inter-domain forgery
   3. Same email provider forgery if DKIM is not restricted
   4. Spam filter support for DMARC is not widespread
   5. Most senders do not have DMARC records and are afraid of email non-delivery.
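Slides 21 and 22 describe DMARC as a policy layered over SPF and DKIM results. The function below is an added example, not code from the slides or from LuxSci: it takes the SPF and DKIM results a receiver already has, adds DMARC's two extra requirements (a published policy for the From-header domain, found directly or on the organizational domain, and identifier alignment between that domain and the domains SPF and DKIM actually vouched for) and returns the disposition the policy asks for. The DNS table is constructed: the bankofamerica.com record is the one dig shows on slide 21 (with dig's backslash escapes removed); the example.com and strict.example records are invented. Run against the forged message from slide 11 it returns a DMARC fail with disposition "none", which is exactly the "do nothing but send a report" outcome the slide describes, and the OR between SPF and DKIM from slide 22 is the single line that computes `passed`.

```python
"""DMARC lookup, alignment and disposition (added example; not code from the
slides or from LuxSci).

Combines the SPF and DKIM results a receiver already holds with a published
DMARC policy for the RFC5322.From domain (RFC 7489). DNS is a constructed
in-memory table: the bankofamerica.com record is the one on the slide, the
other two are invented.
"""

DMARC_TXT = {
    "_dmarc.bankofamerica.com": "v=DMARC1; p=none; rua=mailto:auth.report_ns@bankofamerica.com",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=none; pct=100",
    "_dmarc.strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
}


def parse_dmarc(txt):
    """'k=v; k=v' -> dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Simplification: last two labels. Real verifiers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def lookup_policy(from_domain, dns=DMARC_TXT):
    """Exact _dmarc lookup first, then the organizational domain (RFC 7489 6.6.3).

    Returns (tags, inherited) where inherited is True when the record came from
    the organizational domain rather than the From domain itself.
    """
    txt = dns.get(f"_dmarc.{from_domain.lower()}")
    if txt:
        return parse_dmarc(txt), False
    org = organizational_domain(from_domain)
    if org != from_domain.lower() and f"_dmarc.{org}" in dns:
        return parse_dmarc(dns[f"_dmarc.{org}"]), True
    return None, False


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   dns=DMARC_TXT):
    """spf_domain is the MAIL FROM domain SPF checked; dkim_domain is the d= tag."""
    tags, inherited = lookup_policy(from_domain, dns)
    if tags is None or tags.get("v") != "DMARC1":
        return {"result": "none", "disposition": "none", "reason": "no DMARC record"}
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok             # DMARC is an OR: one aligned pass suffices
    policy = tags.get("p", "none")
    if inherited and "sp" in tags:
        policy = tags["sp"]                # sp= governs subdomains of the org domain
    return {
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
        "pct": int(tags.get("pct", "100")),   # share of failing mail the policy covers
        "report_to": tags.get("rua", ""),
        "reason": "spf aligned" if spf_ok else "dkim aligned" if dkim_ok else "no aligned pass",
    }


if __name__ == "__main__":
    # The slide-11 forgery: From ealerts.bankofamerica.com, SPF softfail, no DKIM.
    print(evaluate_dmarc("ealerts.bankofamerica.com", "softfail",
                         "ealerts.bankofamerica.com", "none", ""))
    # Same forgery pattern against a domain publishing p=quarantine.
    print(evaluate_dmarc("example.com", "softfail", "example.com", "none", ""))
```

The `cross` case in the test is the inter-domain forgery of slides 17 and 22 seen from the receiver's side: SPF passes, but for a MAIL FROM domain the attacker controls, so it is not aligned with the From header and DMARC still fails.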

23 Email Hacking: "To Do List"
   What is an attacker to do?
   1. Research the target and see with whom s/he communicates
   2. See if you can determine how the recipient's spam filters work.
   3. Find a good sender with weak/no SPF/DKIM support
   4. See if you can use the same servers/provider as that sender so that impersonations look legitimate.
   5. Last resort – hack the sender's systems.

24 Counter Hack 3: Vigilance
   1. Show "From Addresses"
   2. Know your JavaScript exposure
      1. Loaded scripts, inline scripts, inline events (onClick), etc.
   3. Be careful where you click!
      1. Copy and paste vs. hover vs. click
      2. Click protection scanning; on-click scanning
   4. Always look for anomalies and reserve your trust.

25 Counter Hack 4: PKI
   Use digitally-signed messages (ya - encrypt too!) using PGP or S/MIME (like "Personal DKIM").
   No forwarding issues, intra-domain forgery, or same-provider forgery.
   Key exchange and technology buy-in are the issues here.
   - PGP has key servers
   - DIRECT puts S/MIME keys in DNS
   - Secure email providers can do this for you

26 Counter Hack 5: What else?
   Messaging portals with authentication requirements
   1. Support ticket systems
   2. Secure message retrieval systems
   Closed messaging systems
   Not using regular email: identity verification built in from the beginning.

27 Take Away
   Use SPF, DKIM, and DMARC as strictly as possible
   Tune your spam filters to pay attention to these
   Do not trust your email – be vigilant
   Never use untrusted messages for authorization of anything
   Use PGP, S/MIME, or secure closed systems for secure and identifying communications


