The internet, as a primary source of entertainment, communication and education, has changed the lives of people of all ages. As internet use grows, privacy threats grow with it. It is no longer only financial institutions and military organisations that need to worry about securing their computer systems: private individuals and companies of every sector and size need to take the matter seriously. This document is an attempt to help organisations secure themselves, so that their people can attend to their daily operations rather than worry about the teenager trying to break into the network.
1. Introduction : Without proper protection, any part of any network can be susceptible to attack or unauthorised activity. This paper describes the nature of common threats and shows how a user can make a system more secure. It is an effort to draw the reader's attention to security threats and loopholes that often go unnoticed. It shows how to protect a system against common threats such as email threats, since almost everyone uses email daily, and against input validation attacks, Trojans and sniffers, which not only expose sensitive information but can also lead to the loss of intellectual property.
2. Email Threats : Almost all employees in corporations across the globe use email daily for business or personal purposes. Some of the most common problems associated with email are as follows. Very few corporations (if any) use encrypted email; most email on the Internet is sent as plain text and can easily be recorded in transit. It is equally easy for an attacker with a sniffer on the path to capture the victim's mailbox password when the mail client logs in without encryption. Moreover, if the 'save password' option is enabled, anyone who gains access to the machine can recover the stored password with a basic password recovery tool. Almost all ISPs and web based email systems rely on external, untrusted systems to relay an email from source to destination. A large number of viruses and worms choose email as their preferred method of propagation.
There are many kinds of email related threats; some of them are:
• Abusive emails
• Email forging
• Spam
Detection: Every email originates at a particular mail server, is routed through a number of interim mail servers along a specific path, and finally arrives at the actual destination:
Sender's outbox -> source mail server -> interim mail servers -> destination mail server -> destination inbox
When an email is sent across the Internet it carries not only the message content but also embedded information about the path it travelled. This information is contained in the email headers: each mail server that handles the message prepends a Received line, so the topmost Received line was added by the last server (the one closest to the recipient) and the bottommost by the first. By reading the Received lines from the bottom up, one can reconstruct the path and, in most cases, identify the source. Note that only the Received lines added by servers one trusts (normally one's own, at the top) are guaranteed genuine; a sender can insert fake Received lines beneath them, so the lower lines must be treated as claims rather than facts. Whenever one receives a suspicious, abusive or forged email, one can check its source as follows:
View the email headers of the suspicious email.
Identify the IP address of the computer that was used to send it.
Trace the IP address (reverse DNS, WHOIS) to find the network it belongs to. This identifies the ISP or organisation; pinpointing the individual behind it normally requires the cooperation of that network's operator.
Analysis of email header:
X-Apparently-To: abc2001@yahoo.com via 216.136.175.43; 29 Apr 2003 09:31:11 -0700 (PDT)
Return-Path: <xyz@email.com>
Received: from 205.158.62.158 (HELO spf1.us.outblaze.com) (205.158.62.158) by mta114.mail.scd.yahoo.com with SMTP; 29 Apr 2003 09:31:11 -0700 (PDT)
Received: (qmail 24665 invoked from network); 29 Apr 2003 16:30:13 -0000
Received: from unknown (205.158.62.146) by spf1.us.outblaze.com with QMQP; 29 Apr 2003 16:30:13 -0000
Received: (qmail 6652 invoked from network); 29 Apr 2003 16:25:58 -0000
Received: from unknown (HELO ws3-3.us4.outblaze.com) (205.158.62.93) by 205-158-62-146.outblaze.com with SMTP; 29 Apr 2003 16:25:58 -0000
Received: (qmail 20307 invoked by uid 1001); 29 Apr 2003 16:30:54 -0000
Message-ID: <20030429163054.20306.qmail@email.com>
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
MIME-Version: 1.0
X-Mailer: MIME-tools 5.41 (Entity 5.404)
Received: from [128.61.130.108] by ws3-3.us4.outblaze.com with http for xyz@email.com; Tue, 29 Apr 2003 11:30:53 -0500
From: "XYZ" <xyz@email.com>
To: abc2001@yahoo.com
Date: Tue, 29 Apr 2003 11:30:53 -0500
Subject: Re: help me please!
X-Originating-IP: 128.61.130.108
X-Originating-Server: ws3-3.us4.outblaze.com
Content-Length: 1141
Analysis of the above header
Message-ID: <20030429163054.20306.qmail@email.com>
20030429163054: the email was injected in the year 2003, month April (04), day 29, at 16 hours 30 minutes 54 seconds (UTC). This matches the Received line immediately above it, "(qmail 20307 invoked by uid 1001); 29 Apr 2003 16:30:54 -0000".
20306: qmail builds the Message-ID from the timestamp and the process id of the program that injected the message, so every message gets a unique reference. The Message-ID is generated by the sending system and is not verified by anyone, so on its own it proves nothing about the sender.
Return-Path: <xyz@email.com>: the envelope sender address, recorded by the receiving server from the SMTP MAIL FROM command. It is supplied by the sender and can be set to anything, so it is not proof of who sent the message.
Received: from [128.61.130.108] by ws3-3.us4.outblaze.com with http for xyz@email.com; Tue, 29 Apr 2003 11:30:53 -0500: this is the bottommost Received line and therefore the first hop. It reveals the IP address of the sender's system, 128.61.130.108, which connected over HTTP (webmail) to the source mail server ws3-3.us4.outblaze.com. The X-Originating-IP header added by the webmail provider records the same address.
Received: from unknown (HELO ws3-3.us4.outblaze.com) (205.158.62.93) by 205-158-62-146.outblaze.com with SMTP; 29 Apr 2003 16:25:58 -0000: the source mail server, announcing itself as HELO ws3-3.us4.outblaze.com from IP 205.158.62.93, hands the message over SMTP to the interim mail server 205-158-62-146.outblaze.com.
Received: from unknown (205.158.62.146) by spf1.us.outblaze.com with QMQP; 29 Apr 2003 16:30:13 -0000: the interim mail server (205.158.62.146) forwards it to the provider's outbound relay spf1.us.outblaze.com using QMQP.
Received: from 205.158.62.158 (HELO spf1.us.outblaze.com) (205.158.62.158) by mta114.mail.scd.yahoo.com with SMTP; 29 Apr 2003 09:31:11 -0700 (PDT): the outbound relay at 205.158.62.158, announcing itself as HELO spf1.us.outblaze.com, delivers the message over SMTP to the destination mail server mta114.mail.scd.yahoo.com. This line was written by the recipient's own provider, so it is the one line whose "from" IP can be fully trusted. Note also that the timestamps come from different servers' clocks (the interim hop is stamped 16:25:58 although the earlier webmail hop is stamped 16:30:53), so it is the order of the Received lines, not their times, that gives the true path.
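The bottom-up walk through the Received lines, the trust boundary at the recipient's own server, and the decoding of the qmail Message-ID described above, worked in Python using only the standard library. This is an added example, not code from the original paper; the header block is the one analysed above, embedded as a constructed sample with its folded lines joined, and the set of trusted receiving servers is an assumption passed in by the caller.

```python
import email
import re
from datetime import datetime

# Constructed sample: the header block analysed above, folded lines joined and a
# placeholder body added so the standard library parser accepts it
# (added example, not code from the original document).
SAMPLE_MESSAGE = """\
X-Apparently-To: abc2001@yahoo.com via 216.136.175.43; 29 Apr 2003 09:31:11 -0700 (PDT)
Return-Path: <xyz@email.com>
Received: from 205.158.62.158 (HELO spf1.us.outblaze.com) (205.158.62.158) by mta114.mail.scd.yahoo.com with SMTP; 29 Apr 2003 09:31:11 -0700 (PDT)
Received: (qmail 24665 invoked from network); 29 Apr 2003 16:30:13 -0000
Received: from unknown (205.158.62.146) by spf1.us.outblaze.com with QMQP; 29 Apr 2003 16:30:13 -0000
Received: (qmail 6652 invoked from network); 29 Apr 2003 16:25:58 -0000
Received: from unknown (HELO ws3-3.us4.outblaze.com) (205.158.62.93) by 205-158-62-146.outblaze.com with SMTP; 29 Apr 2003 16:25:58 -0000
Received: (qmail 20307 invoked by uid 1001); 29 Apr 2003 16:30:54 -0000
Message-ID: <20030429163054.20306.qmail@email.com>
Received: from [128.61.130.108] by ws3-3.us4.outblaze.com with http for xyz@email.com; Tue, 29 Apr 2003 11:30:53 -0500
From: "XYZ" <xyz@email.com>
To: abc2001@yahoo.com
Date: Tue, 29 Apr 2003 11:30:53 -0500
Subject: Re: help me please!
X-Originating-IP: 128.61.130.108

(body omitted)
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
QMAIL_MSGID_RE = re.compile(r"<(\d{14})\.(\d+)\.qmail@([^>]+)>")


def parse_received(value):
    """Split one Received header into the claimed sending host, the receiving
    host and any IPv4 literals. Returns None for qmail's local hand-off notes
    '(qmail ... invoked ...)', which record no network hop."""
    value = " ".join(value.split())          # undo header folding
    if value.startswith("("):
        return None
    frm = re.search(r"\bfrom\s+(\S+)", value)
    by = re.search(r"\bby\s+(\S+)", value)
    return {"from": frm.group(1) if frm else None,
            "by": by.group(1) if by else None,
            "ips": IPV4_RE.findall(value)}


def trace_path(raw_message):
    """Hops in transmission order. Servers prepend their Received line, so the
    last Received header in the message is the first hop."""
    msg = email.message_from_string(raw_message)
    hops = (parse_received(v) for v in reversed(msg.get_all("Received") or []))
    return [h for h in hops if h is not None]


def analyse(raw_message, trusted_receivers=()):
    """Claimed origin (bottommost Received line), the provider's X-Originating-IP,
    and the one peer we can vouch for: the 'from' IP in the Received line
    written by a server in trusted_receivers (an assumption supplied by the caller)."""
    msg = email.message_from_string(raw_message)
    hops = trace_path(raw_message)
    claimed = hops[0]["ips"][0] if hops and hops[0]["ips"] else None
    verified = None
    for hop in hops:
        if hop["by"] in trusted_receivers and hop["ips"]:
            verified = hop["ips"][0]
    return {"hops": len(hops),
            "claimed_origin": claimed,
            "x_originating_ip": msg.get("X-Originating-IP"),
            "verified_peer": verified}


def decode_qmail_message_id(message_id):
    """qmail formats Message-IDs as <YYYYMMDDHHMMSS.pid.qmail@host>; recover the
    injection time (UTC), the process id and the host. None if not that format."""
    m = QMAIL_MSGID_RE.search(message_id)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S"), int(m.group(2)), m.group(3)


if __name__ == "__main__":
    for hop in trace_path(SAMPLE_MESSAGE):
        print(f"{str(hop['from']):22} -> {hop['by']}")
    print(analyse(SAMPLE_MESSAGE, trusted_receivers={"mta114.mail.scd.yahoo.com"}))
    print(decode_qmail_message_id("<20030429163054.20306.qmail@email.com>"))
```

Run against the sample it reports four network hops, a claimed origin of 128.61.130.108 (agreeing with X-Originating-IP) and a verified peer of 205.158.62.158: the latter is the only address the recipient's server observed directly; everything below that line, including the claimed origin, was written by the sender's provider and could have been forged by anyone who controls the relay or injects fake Received lines.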
Countermeasures: It is always a good idea to digitally sign emails and to use Pretty Good Privacy (PGP) to encrypt all outgoing emails. Encryption ensures that an attacker sniffing the traffic cannot read the contents, and a signature lets the recipient detect a forged message, since the forger cannot produce a valid signature for the claimed sender's key.
Corporations should implement anti-spam measures and block blacklisted domains and addresses at the mail gateway or router. Filtering spam saves both time and network resources.
One should avoid using one's primary email address to register for online contests and groups; instead, create a separate email account that is used only for such purposes.
3. Input Validation Attacks : Input validation attacks take place when an application does not validate input before accepting and processing it. Most such vulnerabilities are the result of faulty programming by the developer of the vulnerable application, and attackers regularly exploit them for malicious purposes, including:
remote execution of malicious commands; access to sensitive data such as password files, databases and credit card lists; and unauthorised entry into remote computers by bypassing local or remote security restrictions.
SQL Injection Attack : In these attacks the attacker supplies specially crafted input that is interpreted as part of an SQL query, and so carries out malicious actions on the target database. The vulnerability exists because input received over the Internet is inserted into a database query without validation.
Input can reach the application through various prompts, such as:
• OS password prompt
• Application prompt
• URL box
• Search box
• Online database form
Consider an application that builds its login query by pasting the user's input straight into the SQL text:
SELECT * FROM users WHERE username = '<username>' AND password = '<password>'
An attacker can enter the following data as input in the online login form:
Username: abc' OR 1=1--
Password: (left blank)
The problem here is the '--' part of the input. In SQL, '--' denotes the start of a comment, so everything after it on that line is discarded. The query the database actually receives is
SELECT * FROM users WHERE username = 'abc' OR 1=1--' AND password = ''
which, once the comment is stripped, is the same as
SELECT * FROM users WHERE username = 'abc' OR 1=1
The query has now become very interesting. It returns every record where the username is 'abc' or where 1=1. Since 1=1 is always true, the query retrieves all the records in the table, and the password check has been commented away entirely.
Countermeasures : Developers must ensure that input validation is tested before the application is released. User and file access should be restricted, so that the database account the application uses has only the privileges it needs. The most reliable defence against SQL injection is to keep data out of the query text altogether by using parameterised queries (prepared statements). Filtering special characters (such as ', ", ?, :, /, \ and others) from user input, cookie files and URL parameters adds a layer of protection, but it is not sufficient on its own, for example where a value is used in a numeric context without quotes.
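The login bypass above, its parameterised fix, and the limit of the character-filtering countermeasure, worked in Python against an in-memory SQLite database. This is an added example, not code from the original paper; the users table and its rows are constructed here. It goes slightly beyond the text by also showing a numeric-context injection, where the attacker needs no quotes at all and a quote filter therefore does nothing.

```python
import sqlite3


def make_db():
    """Constructed in-memory table so the example runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "abc", "s3cret"), (2, "admin", "hunter2"), (3, "xyz", "pa55")])
    return con


def login_vulnerable(con, username, password):
    """Query built by string concatenation: the input becomes part of the SQL,
    exactly the flaw described above."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in con.execute(sql)]


def login_safe(con, username, password):
    """Parameterised query: the driver passes the values separately from the SQL
    text, so no input can ever change the query's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]


def strip_specials(value):
    """The character filter suggested in the countermeasures: drop quotes and
    the other listed special characters from the input."""
    return "".join(ch for ch in value if ch not in "'\"?:/\\;")


def user_by_id_vulnerable(con, user_id):
    """Numeric context: the value is not quoted in the SQL, so a payload with no
    special characters at all still changes the query."""
    sql = "SELECT username FROM users WHERE id = %s" % user_id
    return [row[0] for row in con.execute(sql)]


def user_by_id_safe(con, user_id):
    """Validate the type (int() rejects anything but digits) and bind it."""
    sql = "SELECT username FROM users WHERE id = ?"
    return [row[0] for row in con.execute(sql, (int(user_id),))]


if __name__ == "__main__":
    con = make_db()
    print("normal login:      ", login_vulnerable(con, "abc", "s3cret"))
    print("injected login:    ", login_vulnerable(con, "abc' OR 1=1--", ""))
    print("parameterised:     ", login_safe(con, "abc' OR 1=1--", ""))
    print("filtered, quoted:  ", login_vulnerable(con, strip_specials("abc' OR 1=1--"), ""))
    print("filtered, numeric: ", user_by_id_vulnerable(con, strip_specials("1 OR 1=1")))
```

The injected login returns all three usernames from the vulnerable function and nothing from the parameterised one. The filter does stop the quoted payload, but `1 OR 1=1` passes through it untouched and still dumps the table from the numeric lookup, which is why the filter is a supplement to parameterisation, not a replacement. One portability note: SQLite treats `--` as a comment whatever follows it, whereas MySQL requires a space after `--` (attackers there append a space or use `#`).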
4. Sniffers : Sniffers are recording programs that capture, interpret, store and sometimes analyse the data packets being sent across a network. Unfortunately attackers use them to capture secret files, passwords, bank account details, credit card details, instant messaging conversations and other sensitive data sent across the target network. A sniffer puts the NIC of the compromised system into promiscuous mode, in which the system accepts every frame that reaches it, including those not addressed to it. On a shared (hub) network that means all traffic on the segment; on a switched network the switch normally delivers only the frames addressed to that port, so an attacker usually combines the sniffer with a technique such as ARP spoofing to redirect other hosts' traffic through the compromised system.
Detection: NIC in promiscuous mode: As a system administrator one should check whether any system's NIC is in promiscuous mode, for example with the utility cpm (Check Promiscuous Mode) on Unix, or by looking for the PROMISC flag in the output of ifconfig or ip link show. On Linux the kernel also logs a message such as "device eth0 entered promiscuous mode" when the mode is switched on, so the kernel log shows sniffers that have since been stopped.
System Processes: Some sniffers are visible in the list of processes currently running on the system.
Log Files: Sniffers write the captured packets to a log file. A system administrator should watch for such files; a large, rapidly growing file with an unusual name, often in a hidden directory, is likely to be a sniffer log.
Tools: The presence of sniffers on a network can be detected with various host based and network based sniffer detection tools.
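The promiscuous-mode check described under Detection, as an added example that is not part of the original paper: a live check over the flag set printed by `ip link show`, and a replay of the kernel's "entered/left promiscuous mode" messages so that a sniffer that was started and stopped again still leaves a trace. The interface names, the `ip link` lines and the kernel log lines are constructed samples; the PROMISC flag and the message text are the ones Linux actually uses.

```python
import re
from collections import Counter

# Constructed sample standing in for `ip link show` output (added example, not
# code from the original document).
IP_LINK_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:42:ac:11:00:03 brd ff:ff:ff:ff:ff:ff
"""

# Constructed sample of kernel log lines (dmesg / journalctl -k).
KERNEL_LOG_SAMPLE = """\
[  120.551234] device eth0 entered promiscuous mode
[  130.004311] device eth0 left promiscuous mode
[ 9821.118820] device eth0 entered promiscuous mode
[ 9830.220011] device eth1 entered promiscuous mode
[ 9831.000100] device eth1 left promiscuous mode
"""

# "2: eth0: <FLAGS> ..." and also "4: veth0@if5: <FLAGS> ..." style names.
LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)[^:]*:\s+<([^>]*)>")
KMSG_RE = re.compile(r"device (\S+) (entered|left) promiscuous mode")


def promiscuous_interfaces(ip_link_output):
    """Interfaces whose flag set in `ip link show` contains PROMISC right now."""
    found = []
    for line in ip_link_output.splitlines():
        m = LINK_RE.match(line)
        if m and "PROMISC" in m.group(2).split(","):
            found.append(m.group(1))
    return found


def promisc_history(kernel_log):
    """Replay the kernel's promiscuous-mode messages in order.
    Returns (interfaces still promiscuous at the end of the log,
             {interface: number of transitions seen})."""
    state = {}
    transitions = Counter()
    for line in kernel_log.splitlines():
        m = KMSG_RE.search(line)
        if not m:
            continue
        iface, what = m.groups()
        state[iface] = (what == "entered")
        transitions[iface] += 1
    still_on = sorted(iface for iface, on in state.items() if on)
    return still_on, dict(transitions)


if __name__ == "__main__":
    print("promiscuous now:", promiscuous_interfaces(IP_LINK_SAMPLE))
    print("from kernel log:", promisc_history(KERNEL_LOG_SAMPLE))
```

On a live host, feed it the real output of `ip link show` and `dmesg` (or `journalctl -k`). The flag check only sees the present state; the log replay shows that eth1 was briefly promiscuous and that eth0 has been switched twice. Both are host-based checks and a kernel-level rootkit can hide the flag and the messages, which is why the network-based detection tools mentioned above are still worth running from a separate machine.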
Countermeasures:
Encryption: Encryption protocols such as IPSec and SSL/TLS ensure that, regardless of the presence of sniffers, the contents of your data and communications remain confidential. A sniffer can still see which hosts are talking to each other and how much, so encryption protects the content, not the fact of the communication.
Trojans: These are remote administration tools (RATs) that give an attacker remote control of and remote access to the victim's system. Once a system has been infected with a Trojan, the attacker can remotely access almost all hardware and software on it: delete, upload or download files, or even format the entire disk. Many Trojans include keylogging and record every keystroke made on the infected system, which lets the attacker capture passwords, credit card numbers and the like, or steal source code. Some can also be instructed to attack a predefined victim system at a particular date and time.
Common ways of delivering a Trojan are:
• attaching the Trojan server file to an email and sending it to the victim;
• burning the Trojan onto a CD-ROM and using the auto-run facility of the CD to execute or install it as soon as the disc is inserted;
• sending the Trojan server part disguised as a normal file over IRC or instant messaging.
In most cases attackers rename the Trojan so that it looks like a normal, legitimate file. An EXE binder, which joins two .EXE files into one, lets the attacker hide the Trojan server part inside a legitimate .EXE file.
Detection: Suspicious Open Ports: one can check whether the server part of a Trojan has been installed on a system by opening a command prompt and typing netstat -an (netstat -n alone lists only active connections, not listening ports; on Windows netstat -ano also shows the owning process id). This command lists the open ports on the system. If a listening port does not appear in the list of ports that are normally open on that machine, or matches a port used by a known Trojan, the system may well be infected. Bear in mind that many Trojans connect outwards to the attacker instead of listening, and that a rootkit can hide its sockets from netstat.
Monitoring Outgoing Traffic: one can detect a mass-mailing infection by looking for suspicious outgoing connections to external mail servers, that is to SMTP, port 25. If one finds large numbers of outgoing connections to port 25 on remote systems from a machine that is not a mail server, the system has probably been compromised.
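The two netstat checks just described, as an added example that is not part of the original paper: parse `netstat -an` output, flag listening ports that are not in the host's known-good baseline (naming the Trojan when the port is a well-known default), and list outbound connections to port 25. The netstat output is a constructed sample in Windows format, the baseline of expected listeners is a hypothetical one for this host, and the Trojan port table holds only a few well-known defaults from the era of the text.

```python
# Constructed `netstat -an` output in Windows format (added example, not code
# from the original document). Port 12345 is NetBus's well-known default.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49712     203.0.113.7:25         ESTABLISHED
  TCP    192.168.1.10:49713     203.0.113.9:25         SYN_SENT
  TCP    192.168.1.10:49800     198.51.100.20:443      ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# A few well-known default ports of Trojans of that era. A real check needs a
# maintained list, and most Trojans can be configured to use any port, so the
# baseline comparison below matters more than this table.
KNOWN_TROJAN_PORTS = {12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}

# Hypothetical baseline: ports this particular host is expected to listen on,
# recorded from a known-clean state.
EXPECTED_LISTENERS = {135, 137, 139, 445}


def parse_netstat(output):
    """Turn netstat lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        laddr, lport = parts[1].rsplit(":", 1)
        faddr, fport = parts[2].rsplit(":", 1)
        rows.append({"proto": parts[0], "laddr": laddr, "lport": int(lport),
                     "faddr": faddr, "fport": fport,
                     "state": parts[3] if len(parts) > 3 else ""})
    return rows


def suspicious_listeners(rows, baseline=EXPECTED_LISTENERS):
    """Listening sockets (TCP LISTENING, or any UDP socket) whose port is not in
    the baseline, labelled with a Trojan name when it matches a known default."""
    findings = []
    for r in rows:
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if listening and r["lport"] not in baseline:
            findings.append((r["proto"], r["lport"],
                             KNOWN_TROJAN_PORTS.get(r["lport"], "not in baseline")))
    return findings


def outbound_smtp(rows):
    """Connections from this host to port 25 on remote systems; many of these on
    a machine that is not a mail server point to a mass-mailing infection."""
    return [(r["faddr"], r["state"]) for r in rows
            if r["proto"] == "TCP" and r["fport"] == "25" and r["state"] != "LISTENING"]


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("unexpected listeners:", suspicious_listeners(rows))
    print("outbound SMTP:       ", outbound_smtp(rows))
```

On the sample it reports one unexpected listener, TCP 12345 (NetBus), and two outbound SMTP connections. In practice pipe in `netstat -ano` on Windows (or `ss -tulpn` on Linux) so that each finding comes with the process id that owns the socket, and treat the absence of findings as weak evidence only, since a kernel-level rootkit can hide sockets from netstat altogether.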
Detection Tools: Dedicated Trojan scanners such as Lockdown 2000 exist, and most antivirus tools are also able to detect Trojan infections.
Startup Files: A Trojan is effective only if it is started or loaded into memory each time the operating system boots, so there must be a reference to it in some startup location, such as the Startup folder, system files, batch files or the Windows Registry (for example the Run keys).
Countermeasures: Once a Trojan has been detected, the next step for the system administrator is to remove it.
A number of Trojan removal tools are available, but after the Trojan itself has been removed one should also remove every reference to it from the startup files, or it may be restored at the next boot. One should never accept or execute a file sent over email, chat, IRC etc. unless its origin has been verified.
5. Conclusion: Statistics show that the most common reaction to an email attack is to hit the DELETE key. However, ignoring the problem will not make it go away. Very few corporations actually spend money on protecting their intellectual property (IP), and one of the biggest problems of IP theft is that the attack can originate from inside the network as well as from outside. Similarly, there are numerous cases where input validation loopholes have cost businesses thousands of dollars in resources, labour and time to fix bugs that could easily have been fixed at the development stage. We have looked at various threats, how to detect them and the countermeasures one needs to follow to protect one's intellectual property; a little awareness goes a long way. This research can be extended in future to buffer overflow attacks, IP theft, DoS attacks and identity theft.