24 Chapter 1 • Understanding the Threats Figure 1.3 shows Norton SystemWorks, a typical application that con- tains an antivirus component. Personal firewall software often includes an anti-virus scanner. However, a personal firewall takes the extra step of protecting your computer by closing down unnecessary ports. Personal firewall software can also: ■ Tell you the IP address and/or resolved IP address of the hacker attacking your system. ■ Filter out TCP/IP-related packets. For example, personal firewall software can block packets sent by the ping application. ■ Disable a system from sending and/or receiving e-mail. A personal firewall can provide additional services, depending upon the personal firewall vendor you select. Encryption The chief way to protect an e-mail message on the client side is to use encryption. Using encryption makes it difficult for unauthorized users to read or tamper with your e-mail. There are three types of encryption used to secure information on the Internet: 1. Private key encryption The use of one password to encrypt and decrypt information. www.syngress.com Figure 1.3 Norton SystemWorks. 119_email_01 10/4/00 9:23 PM Page 24 Understanding the Threats • Chapter 1 25 2. Public key encryption The use of a key pair to encrypt and decrypt information. 3. Hash encryption A process that creates a numerically related hash of the information. This code is theoretically irreversible, and is used to help ensure a document has not been tampered with. One of the most common ways to encrypt a document is to use a single string of text to encrypt it. If you have ever used Microsoft Word, for example, to encrypt a document, you have used private key encryption. This form of encryption is called private key because you must take measures to ensure that your password remains secret. If an unauthorized user were to learn the password to this document, then he or she would be able to open it. Let’s say that you have encrypted a Microsoft Word document that you wish to give to a friend. Suppose that for some reason you cannot simply call your friend and share the password. You could send an e-mail with the password, but doing this carries the risk that someone might sniff your e-mail message and get the password. So, how do you transmit this docu- ment and password to your friend? You could place the password in another document and encrypt this document, but now how do you trans- port this new password? It seems that this process has a logical flaw. In order to transmit the document securely, you must first transmit the pass- word in an insecure manner. The answer, at least as far as e-mail is concerned, is to use public key encryption. Applications such as Microsoft Outlook, Netscape Messenger, and Eudora Pro support public key encryption. Public key encryption involves the creation of a key pair. This pair is mathematically related. The first key, called a private key, must remain private at all costs. It will be placed in a hidden location on your hard drive. It is useful to think of a key pair as a whole that you then divide into halves. The pair always works together, even though the public key can be distributed freely. You can safely give the public key to the most experienced hacker in the world. This is because even though these keys are related, it is very diffi- cult (if not impossible) to use one key to defeat the other. However, a fun- damental principle makes it possible for you to send a message to your friend. A user’s private key can decrypt information encrypted to the user’s public key. In other words, if Sandi were to encrypt a message to James’ public key, then only James’ private key can decrypt that message. Let’s spend some time on this concept. When you wish to send your friend an e-mail message, you each must create a key pair. You will keep your private key in a hidden place, and will never reveal it, or the password used to access it, to anyone. You never need to. The same principle applies to your friend. He or she will never reveal their secret key, or the password www.syngress.com 119_email_01 10/4/00 9:23 PM Page 25 26 Chapter 1 • Understanding the Threats that allows them to access their private key. However, both of you must give your public keys to each other. You have theirs, and they have yours. Then, all you have to do is encrypt your e-mail message to your friend’s public key. Now, not even you can read this message. Why? Because the only key in the world that can decipher this message is your friend’s pri- vate key. Similarly, when they want to send you an encrypted e-mail mes- sage, they must encrypt that e-mail message with your public key. Then, when you receive the message, you can decrypt it with your private key. Figure 1.4 is meant to explain how you must first exchange public keys with a recipient before the messages are encrypted. Whenever you exchange public keys, you are said to be establishing a trust relationship between you and your friend. NOTE Dedicated servers exist that contain the public keys of many individuals. You can place your public key on these servers for others to download, or you can e-mail the keys to the person with whom you wish to estab- lish a relationship. A quick solution might be to create space on an FTP or Web server that contains the public keys of those who wish to com- municate securely. Applications such as Pretty Good Privacy (PGP) use this technique. Commercial servers, such as Microsoft Exchange, also provide the ability to encrypt transmissions on the server side. You will learn more about implementing public key encryption in Chapters 2 and 3. www.syngress.com Your private key Your friend’s public key Your public key Your friend’s private key Machine A Machine B Figure 1.4 An established trust relationship between machine A and machine B. 119_email_01 10/4/00 9:23 PM Page 26 Understanding the Threats • Chapter 1 27 NOTE Public key encryption has one drawback: It is extremely slow. As a result, most commercial applications use private key encryption to encrypt an e-mail message. They then use public key encryption to encrypt only the symmetric (private) password. Hash Encryption and Document Signing The third form of encryption in use today is hash encryption. Another name for this type of encryption is one way encryption, because once infor- mation is encrypted through this process, it is irretrievable. This process is used because it can help determine if a message has been tampered with. Public and private key encryption provide only one service: data encryption. When you need to transmit information across the Internet, it would also be nice if you could ensure that this information was not tampered with during transit. One way to do this is to electronically sign a message by creating a hash of the message. Hash codes are created through a process that closely reads the contents of a message. Contents include the size of the message, the characters within it, and how they are arranged. Any single change in the document results in a different hash value. Therefore, if you were to create a hash of your e-mail, and someone were to tamper with the message, you could tell, because the hash value will change when you verify it. Applications such as PGP use one way encryption to first create a hash of the document. Whenever you use an MUA such as Netscape Messenger to sign a document, you are using creating a hash of your e-mail message. You will learn more about implementing these concepts in Chapter 3. Protecting the Server Now that you know how to protect information emanating from an MUA, it is important to learn some of the ways to protect the MTA and MDA. These methods include: ■ Hardening the e-mail server’s operating system Hardening the operating system involves locking down unnecessary ports; upgrading your system using the latest, stable service patches and bug fixes; and changing default settings. www.syngress.com 119_email_01 10/4/00 9:23 PM Page 27 28 Chapter 1 • Understanding the Threats ■ Placing your system behind a firewall When implementing an e-mail server, you should place it behind a firewall. A firewall is a more powerful, robust version of a personal firewall. It resides on a separate system, then scans and filters out packets. By placing your Web server behind a firewall, you are essentially protecting all aspects of your system except those ports that are exposed to the Internet. For example, if you are using ports 25 and 110, then users will be able to connect to only these ports. A firewall, therefore, reduces the number of attacks that can be waged against your system. ■ Configuring the server to allow connections from certain hosts only Most e-mail servers (or their underlying servers) allow you to control which systems can connect. Taking time to lock down your server can greatly increase security. ■ E-mail scanning Scanning the body of an e-mail message protects e-mail users, as well as the MTA and the MDA. Once you have placed your e-mail server behind a firewall, you should then take steps to filter traffic that is passing through your e-mail ports. ■ Attachment scanning Scanning attachments on the server side can consume an enormous amount of system resources, but it is often helpful. For example, once you learn about a particular virus attachment, you can program your attachment scanning software to block out only this attachment. Of course, for those administra- tors who are truly security conscious, the option to disallow all e-mail attachments is always available. Summary This chapter is an overview of the concepts that will be discussed throughout the book. You should now have an understanding of authenti- cation, access control, and how e-mail servers and clients work together to send a message. From studying some of the past attacks, we can predict some of the common patterns attackers follow. We know, for instance, about some of the common attacks waged against MUAs, MTAs, and MDAs. From the Robert Morris worm to Melissa and Life Stages, we are now aware of the threats and issues that confront systems administrators. We have introduced the most popular methods for securing e-mail servers. From encrypting transmissions to installing third-party scanning software, many options are available to you. The following chapters are designed to provide you with real-world solutions. www.syngress.com 119_email_01 10/4/00 9:23 PM Page 28 Understanding the Threats • Chapter 1 29 www.syngress.com FAQs Q: Why would a hacker want to conduct a denial of service attack? A: The first reason is that it is easier to conduct a denial of service attack than it is to formulate an attack that allows a user to authenticate. Therefore, you tend to see a lot of script kiddies who gain a quick, cheap sense of satisfaction watching an e-mail server crash. However, more sophisticated reasons exist to conduct a denial of service attack. Should a malicious user want to hijack a connection between your e-mail server and a client logging in, they would want to conduct a denial of service attack against the client in order to take over the connection and log in. So, although many denial of service attacks are conducted just to watch the server die, there are times when a DoS attack is a step in a more sophisticated process. Q: What attacks are e-mail servers most prone to? A: The answer has to do more with how well you have protected the e-mail server. Recently, worm-based attacks, such as Melissa, have been the most devastating. However, e-mail servers that scan e-mail bodies and e-mail attachments can greatly reduce attacks. Furthermore, if the server is placed behind a firewall, it will be much safer. Q: If worms attack the e-mail client, then why do the e-mail servers (the MTA and the MDA) get overwhelmed as well? A: Because the MTA must process hundreds of thousands of requests in a very short period of time. Also, the MDA can become bogged down because it has to deliver all of these messages to users. This is espe- cially true if the MDA is housed on the same server. Q: Is it possible for an MTA to encrypt messages? A: Yes. One of the drawbacks of encryption on the part of the MTA is that encryption can slow down the delivery process. Also, MTA-based encryption is usually proprietary; only those systems within a company organization can encrypt their e-mail messages; if they have to send messages outside the company, or to other MTAs, the message will no longer be encrypted. 119_email_01 10/4/00 9:23 PM Page 29 30 Chapter 1 • Understanding the Threats Q: Where can I learn more about viruses, worms, Trojans, and illicit servers? A: One of the many sites that explains cryptography is the United States National Institute of Technology (NIST), at http://csrc.nist.gov/nistpubs/ 800-7/node207.html. You can also search the www.cryptography.com site. As of this writing, the following link contains a valuable list of resources: www.cryptography.com/resources/index.html. Q: This chapter has discussed the possibility of encrypting e-mail messages. Is it possible for someone to find an application that can decrypt mes- sages without your authorization? A: Yes. There really is no such thing as an infallible encryption process. If a government or large corporation wished to devote enough resources, such as multi-million dollar supercomputers, it is possible that they could decrypt your e-mail message. Readily available products can still encrypt transmissions so that even the most sophisticated computers would take days, if not weeks or months, to decrypt messages. Q: In public key encryption, what happens if someone obtains my private key? A: You will have to generate a new key pair. If your private key gets pub- lished, then anyone can plug this private key in to the appropriate application, such as PGP, and read your messages. www.syngress.com 119_email_01 10/4/00 9:23 PM Page 30 Securing Outlook 2000 Solutions in this chapter: ■ Identifying common targets, exploits, and weaknesses ■ Enabling filtering ■ Choosing mail settings and options ■ Installing Pretty Good Privacy (PGP) Chapter 2 31 119_email_02 10/5/00 5:07 PM Page 31 32 Chapter 2 • Securing Outlook 2000 Introduction Microsoft Outlook 2000 (and Outlook 98) made a reputation for itself when the Love Letter virus flooded the Internet. The primary enabling factor was a number of weaknesses in Outlook. These weaknesses materialized when Microsoft incorporated a simplified messaging interface in Outlook 98/2000, which enforced already existing vulnerabilities. Microsoft is not the only one to blame for the spreading of the e-mail viruses—partial blame goes to the inadequate security awareness of users and system administrators, especially to those with the awareness but not the respon- sibility. (If you know that an attachment can launch an attack, why would you ever open one on an unsecured system?) However, I will not advise you to not open e-mails from unknown senders—after all, what if you work in Customer Support and most of your e-mail originates from unknown senders? In any case, attacks can also appear to come from known senders. Macro viruses and malicious code can replicate themselves by accessing the victim’s address book and sending copies of themselves to trusting friends and colleagues. It’s a disturbing fact that you do not need to be a whiz kid to come up with an e-mail virus like Love Letter or Melissa. If you have even limited experience with Visual Basic for Applications, you will be able to create an e-mail virus. To get a better understanding of Outlook’s weaknesses and vulnerabili- ties, you need some background information on the way the program is constructed. After explaining these weaknesses and vulnerabilities, this chapter will describe what Microsoft did to prevent e-mail viruses and sim- ilar attacks from happening again. It is not a pretty picture. However, I also will discuss what you can do to prevent becoming a victim. It is pos- sible to configure and use Outlook 2000 in a way that enables you to safely keep using it as your primary communication client, which is impor- tant because Outlook is so neatly integrated with the other Office 2000 applications. The last part of this chapter will show you how to install and use Pretty Good Privacy (PGP) to fully secure your e-mail communication over the Internet. NOTE The use of an anti-virus application is a good way to put additional pro- tection on your PC. However, this chapter will describe the use of Outlook 2000 without the added security of an anti-virus application. For information about client-side anti-virus applications, see Chapter 5. www.syngress.com 119_email_02 10/5/00 5:07 PM Page 32 www.syngress.com Common Targets, Exploits, and Weaknesses In their efforts to make Office 2000 an integrated package that supplies users with an easy way to write their own automation programs, Microsoft added two functionalities that opened up the access to information sources created with Office 2000 applications: ■ Simplified access to Messaging Application Program Interface (MAPI) via the Collaborative Data Objects (CDO) library. The CDO takes over a lot of MAPI programming issues and supplies a lim- ited set of easy functions to make use of MAPI and other resources, such as the Personal Address Book (PAB) and mail folders. Nearly all macros and utilities that you use within Outlook use the CDO to access your mail folders and address book(s)—for example, when you use a macro to send an e-mail message to a group of contacts in your address book. ■ The use of Visual Basic for Applications (VBA) in Outlook 2000 through the CDO, which was not possible in versions before Outlook 98. As you can see, MAPI is a complex system that is highly abstracted towards the applications. MAPI was invented by Microsoft as a way to allow non-e-mail applica- tions (such as a Web browser, or any other application on your system) to send e-mail. It was also invented as a means to an end. Because it (thank- fully) works “under the hood,” end-users never need to know it’s there. Thus, MAPI is a set of hidden routines (actually, embedded libraries) that make it extremely easy to send e-mail. Therefore, it would be possible for your spreadsheet, word processing, or music application to send an e-mail. It is even possible to automate the process; once a user clicks on a certain button or hits a series of keystrokes that meet a certain condition, a MAPI- enabled application can send an e-mail. This all sounds very convenient, and it is. The problem with this convenience is that it is quite simple for a malicious programmer to create an application that has a victim send e-mail messages to another victim. The Melissa and Love Letter viruses, for example, were designed to take advantage of the conveniences that MAPI provides. The important thing about MAPI is that an application can access dif- ferent messaging systems if they are using the same MAPI. In addition, using CDO access to stored information becomes even simpler. It is impor- tant to remember that when you run a program/utility from within Outlook, this program has the same access rights as Outlook. Securing Outlook 2000 • Chapter 2 33 119_email_02 10/5/00 5:07 PM Page 33 [...]... when you receive HTMLformatted e- mails You should use the Restricted Site zone for Outlook and Outlook Express (see Figure 2. 6); use the Internet zone for Internet Explorer See the sidebar, “Customizing the Security Zone Setting” regarding hardening the Restricted Site zone even further www.syngress.com 119_email_ 02 10/5/00 5:08 PM Page 47 Securing Outlook 20 00 • Chapter 2 47 After you have selected... the security update has been installed Before you actually execute the upgrade, be sure that you and all the users save the attachments to the hard drive After you apply the update, Level 1 attachments are no longer accessible from saved e- mail Another issue is that (according to Microsoft) the Level 1 and Level 2 extension list can be changed only if you have an Exchange Server running where the users... HIVE keys Shell\Open\Command or Shell\Open2\Command The default key value would resemble: %SystemRoot%\System 32\ WScript.exe “%1” %* You need to use the Registry editor (Regedit.exe) and do a search on the registry trees: My Computer\HKEY_CLASSES_ROOT My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES For example, under Windows 20 00: Change To My Computer\HKEY_CLASSES_ROOT\JSEFile My Computer\HKEY_CLASSES_ROOT\JSEFile.DisabledByJD... than does the Outlook e- mail editor Zone Settings You may have encountered the Zones options in Internet Explorer and/or Outlook Express or Outlook All three use the same settings By changing the zone setting in Outlook, the settings in Internet Explorer and Outlook Express also change Be careful when changing them because it can influence the other applications Zone setting is an effective method in... make the effort, you can create your own filters based on the text file However, these extensive rules will slow down the filtering significantly It’s a better practice to check the Office Web site for updates, or to search the Internet for third-party filters Figure 2. 2 Setting the junk e- mail filters www.syngress.com 119_email_ 02 44 10/5/00 5:07 PM Page 44 Chapter 2 • Securing Outlook 20 00 Filtering Keywords... are sending the encrypted e- mail supports S/MIME, they can decrypt the message, making it readable again 2 Add a digital signature for outgoing messages By putting a digital signature to the end of the message, the person you are sending the e- mail to can verify that you are indeed the sender of the mail It also ensures them that the content is not changed Including a checksum when sending the e- mail. .. unwanted e- mails, but you need keywords or sender names or addresses to be able to recognize them That is where the challenge lies Take notice of virus reports, because these hold enough information to at least construct a simple rule to move an e- mail message from the Inbox to a Hold folder Because the e- mails in this filter are suspicious, you will look at them cautiously If you cannot recognize an e- mail. .. update is the one triggered by the Love Letter virus; it has a significant impact on the use of Outlook 20 00: E- mail Security Attachment Attachments that are on the list of unsafe extensions (or Level 1) are no longer accessible You can no longer open, save, delete, or print them Less unsafe attachments have extensions that are on the Level 2 list You cannot open these in Outlook, but you can save them... alarming the recipient with an HTML-formatted e- mail Remember, the recipient is battling the same security issues that you are You can reduce the risk of HTML-formatted e- mail messages by accessing Outlook’s Zone Settings feature Go to Tools | Options, then select the Security tab to select the Restricted Sites zone www.syngress.com 119_email_ 02 46 10/5/00 5:08 PM Page 46 Chapter 2 • Securing Outlook 20 00... does this; the recipient does the same and if the checksums match, the message has not changed 3 Send a clear text signed message Not everyone has an e- mail client that supports S/MIME If you were to send a S/MIME message, a recipient without it would just see gobbledygook If you check this option, the message is also sent in readable text However, if you also had checked the first option, an attachment . VBScript files are interpreted and executed. You have no way of excluding certain types of files from being executed by accident. In the case of the Love Letter virus, the name of the e- mail s file attachment was. delete the standard mail folders. However, all folders you added yourself can be removed through simple programs, complete with all mes- sages. The messages in the Sent Items folder are the ones. VB files. Attacks Specific to This Client Since the release of Outlook 20 00, a number of weaknesses and vulnera- bilities have been discovered. These vulnerabilities have become a prime target for malicious