One of the concerns for the network project is ensuring secure e-mail and any do

Question

One of the concerns for the network project is ensuring secure e-mail and any documents sent through e-mail. Prepare a paper that explains how e-mail messages can be securely sent. The paper should include the features of secure e-mail and how secure e-mail works. Include a discussion of vulnerabilities involved in e-mail and how they can be countered. The paper should include the following:

The 4 main features of secure e-mail

Discussion of the 5-step process for handling secure e-mail with PGP and S/MIME

Discussion of the vulnerabilities of e-mail

Discussion of countermeasures that address the vulnerabilities

Be sure to document your references using APA format

Explanation / Answer

Secure eMail means that the sender can be assured that the message sent will be delivered to the intended recipient without interference, changes or disclosures to any third parties. It also means that the recipient can be certain that the sender named is indeed the person who sent it, that the content is the same content that was originally entered, that no one has viewed it in transit and that no one has added any surprise payloads.[1]

There are a few basic requirements for secure and private exchange of email: · CONFIDENTIALITY nobody other than the intended recipient can read the message; · INTEGRITY we know that a message hasn't been tampered with in transmission. · AUTHENTICATION we can be certain that the message comes from the person from whom it appears to come;[1]

There are various e-mail services working in various platforms. Most of the vulnerabilities are caused by lack of integrity between the email services and the underlying platforms.

Web based e-mail Services [2]

We are starting with web based e-mail services. Web browsers are the underlying applications for these e-mail services. Any bug or flaw in the web browser can result in vulnerabilities in the e-mail service provided.

Hotmail security vulnerabilities[2]

Microsoft has unveiled their new Passport service, which allows you to log in to multiple sites and do your work with one single login. However, they failed to realize that not all people allow all cookies everywhere to be put on their computer. It is possible by making a settings change in Netscape (and possibly IE) to transparently let a user log in as the last user that used Hotmail on that computer

For Example: In Netscape, set your cookie preference to the above. Log in to any Hotmail account. Choose "Sign Out". From the MSN page that appears after sign-out, choose the Hotmail link. You will be back in the Inbox. Possible Fixes: Set cookies to "Accept all cookies" Close your browser immediately after signing out.

The Frame Spoofing Vulnerability:[2]

This flaw has been found by SecureXpert Labs. The vulnerability enables the author of a nefarious Web site or e-mail message to "spoof" information presented by another Web site. This vulnerability can also be exploited through e-mail. For example, a user might receive an HTML email message appearing to be from a trusted source (since standard e-mail is easily forged) containing a message advertising a product or service. That e-mail could then cause a well-known and trusted Web site to open. The Web site could then be manipulated to confirm the attacker's message.

Netscape Preferences flaws[2]

Netscape preference flaws are concerned with the ‘prefs.js’ file. Malicious web site operators can read the ‘prefs.js ’ from the hard disk of visiting users through an obscure series of steps, or make ‘prefs.js ’useless through JavaScript code. Information contained in this file can include e-mail addresses, domain names and passwords. As the most sensitive information that can be located in the ‘prefs.js’ file is the e-mail password, you can protect against an attacker learning your password by making sure it is not automatically stored in Communicator.

Current Secure eMail Solutions can be broken down into three categories or a combination of them:[1]

  Service: eMail is sent and received through a secured site administered by the vendor. There is no need to install anything at the client site.

Hardware: An appliance or “Black Box” that is normally installed between the corporate mail server and the firewall to intercept, inspect and process incoming and outgoing eMails

Software: The software solution is similar to the hardware solution. Instead of using a “hardened” appliance, the software is loaded onto a corporate server.

The features offered are:

Authentication The ability to verify that the person opening the message is the person that was intended to receive it. This is normally accomplished through a password.

Message Integrity The ability to verify that the message is not changed by anyone during the transmission from point A to point B.

Non-Repudiation The ability to verify that the sender is who they claim to be and that it was their intention to send this message to the recipient.

Firewall Like the mental picture it brings to mind, a Firewall is a method of protecting the internal mail network from external attack.

Intrusion Detection (Ingress & Egress logging) The ability to detect and report unusual activity that may be indicative of an attack from the outside or one being initiated from internally against someone else. Anti-Virus This feature provides the ability to scan all incoming messages and attachments for viruses, worms, Trojan horses, etc.

Anti-Spam This feature provides the ability to stop incoming and outgoing Spam. SPAM is junk eMail sent in large volumes. It can be used as a form of attack to bring a server down based on it’s inability to handle the volume or it could be a marketing campaign where someone was able to get a corporate eMail list.

Confidentially - eMail Encryption EMail encryption is used to “encode your messages, which are then decoded by the recipient after delivery. Even if the message is viewed in transit by someone else, they will not be able to decipher it.”

The four main features of secure Email are:

The countermeasures for vulnerabilities in Email system are:

The steps to secure E-mail are:[3]

The steps process for handling secure E-mail with PGP and S/MIME are:[4]

References:

[1]: Secure eMail: Determining an Enterprise Strategy and Direction., SANS Institute InfoSec Reading Room.2002

[2]: Vulnerabilities of e-mail services. ,By Tugrul Yanik and Adnan Gutub. ECE 478/578 Computer and Network Security Spring 2000

[3]: An Introduction to Secure Email, by Addam Schroll IT Security & Privacy Analyst,PDF by PURDUE University

[4]: Pretty Good Privacy Downloading, Installing, Setting Up, and Using this Encryption Software by Bernard John Poole, MSIS, University of Pittsburgh at Johnstown, Johnstown, PA, USA

Related Questions

Navigate

• Browse (All)
• Browse O
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.