Security and Privacy


E-mail Security and Privacy

Department of Computer Science, Montclair State University
Course: CMPT 320 Internet/Intranet Security
Semester: Fall 2008
Student: Alex Chen
Instructor: Dr. Stefan Robila

1. Introduction

Today there are millions of people in the world who use e-mail, and many of them use free e-mail services offered on the Internet by several companies. Email is an integral part of our jobs in the workplace, but it also plays an important role in our everyday lives outside of work. Many of us rely on these web-based email services as a form of communication for financial transactions, job offers, and personal correspondence. Many of these webmail services ask you for some type of personal information when signing up for an account, both to prove who you are and to be used as verification should you ever forget your password. We think that our email is secure because we have to enter a password to access it. But how secure is our email really, and how secure is our account information? We will set out to find out just how well companies such as Google, Yahoo!, and Microsoft protect our account information. While we would all like to think that our information is being kept secure in this advanced technological society, it is really not as safe as we assume it is. We are increasingly using our email to communicate personal information and financial transactions, and hackers know that as well. They will stop at nothing to try to gain access to as many e-mail accounts as possible for personal gain. They are always changing their methods of attack, and some of the companies providing webmail services have not been able to implement security policies properly to counter these attacks.

2. How Webmail Works

Webmail is not too different from regular email. In fact, you could think of webmail as a special type of email. Unlike regular email, you do not access your account using a program on your computer such as Outlook or Thunderbird. Instead, you access your account from a website, which then gives you a web interface to your email. No email messages are stored physically on your computer, so you do not have access to them while you are offline. However, as with regular email, all of your messages are stored on a server owned by the email host. Whenever you compose a message from within the web interface, you are essentially communicating with that mail server. Your sent message goes from your computer to the outgoing mail server. The message then gets transmitted to another server that holds the recipient's email messages.

Figure 1: How e-mail gets sent and received [1]

The recipient is able to view the message once they log in to their email from a computer. They can then read the message and reply to it, if they so choose. Replying to an email message involves the same process as sending an email.

3. Accessing Webmail Accounts

In order for a person to get access to their web-based email, they must first log in to the email system. This is done by visiting the email host's webpage (e.g. mail.yahoo.com, hotmail.com, gmail.com) and entering your username and password. Most people who are technologically adept know that the standard HTTP protocol is not a safe way of transmitting login credentials such as usernames and passwords. Yet we are still faced with the dilemma of how to log in to our webmail securely [2]. Most companies who provide web-based email present their login page to you over HTTPS. This means that they are using Secure Sockets Layer (SSL) technology to encrypt your username and password before they are sent over the Internet to their server.

3.1. Securely Accessing Webmail

In order to securely log in to email on the Internet, your username and password must be encrypted before being sent to the server that verifies you can access the specified account. Both Yahoo! and Google redirect their login pages to ones that use SSL. It does not matter if you entered the URL using the HTTP protocol; the page redirects to HTTPS. This is at least the minimum that should be required of free webmail providers. Microsoft, however, does not quite understand this concept just yet. Its login page for webmail services is still served over plain HTTP with no encryption. The option to have your email address remembered on that computer is even checked by default, so a cookie with your email address is stored on the computer automatically unless you uncheck it. There is an option for you to log in to Microsoft email securely, but you must click and choose that option. Many e-mail users will just type the URL of the page and log in, not knowing whether or not it is secure.

There should be no reason why email login pages are still using the HTTP protocol, especially when there are increasing reports of hackers stealing e-mail account information and using it either to spam people or to gain access to someone's account at a financial institution. The fact that Microsoft's login page is not secure calls into question how well, and how seriously, Microsoft protects your information.

Figure 2: Microsoft E-mail Insecure Login

4. Gaining Access Without a Password

Because webmail is not an email system hosted in a corporate business environment, resetting a password is not as simple as making a phone call to your IT administrator. Most webmail services provide some way to reset your password in case you have forgotten it. However, others who wish to access your account can also use these tools to do so. Microsoft and Yahoo! ask you for your email address and then ask you a few questions before you can reset your password. The questions ask for your postal code and birth date, and Microsoft adds a security question that you chose when you signed up. If someone knows you well, or at least knows your location information, they can easily gain access to your account and reset your password. To make this more secure, Yahoo! and Microsoft should make the first option an email to the person's secondary email address with a link to reset their password. Google's Gmail is pretty secure in this respect because the first thing it does is send an email to your secondary e-mail address. If you do not have a secondary e-mail address, then you must go for 24 hours without any activity on your account before it presents you with the security question that you chose when you signed up for the account. This poses a significant obstacle to hackers or others who want to access your account with malicious intent.

5. Content Security

Many of us would like our email providers to provide a level of security where our messages are protected from outsiders and where we are protected from emails that contain malicious content.

5.1. Sending E-mail

We care about the security and protection of the usernames and passwords for our email accounts, but not many of us worry about the security of the content in our emails. We expect or assume that email just works and that only the person the message was addressed to will be able to read it. This is true if you encrypt your messages before sending them using an email client such as Outlook or Thunderbird. What security do webmail providers give us in terms of ensuring our email is secure? In reality, they do not offer anything more or less than what a desktop email client offers, which is not much. Most emails you send are sent over the Internet unencrypted. This means that anyone, or any computer, that your message travels through can intercept and read the contents of your email message. This is a wake-up call for many users because they do not often think about the inner workings of an email system; they just expect it to work and deliver the message to where it is supposed to go. While Yahoo! and Microsoft may have secure login pages for their users, they do not offer much in terms of security once the user is actually logged in. After users have logged in, they access their account and inbox features through the normal HTTP protocol without any security.

This poses many threats for the individual user because anyone using a packet sniffer can easily grab the information being sent over the network and read it. It poses one additional risk: if anyone is specifically targeting a user with a packet sniffer and that user does not encrypt outbound emails, then the attacker can gain a plethora of information without really trying.

Google's Gmail service, however, does not have the same problem that Microsoft and Yahoo! have. Gmail can be set to automatically ensure that a user's session (the period of time they are logged in) is transmitted over the Internet using SSL. This means that the entire connection between Google's mail server and the user's computer is encrypted. Every action taken, including deleting, composing, and sending, is encrypted before being sent back over the network to Google's servers. This makes their email system a little more secure. It prevents, or at least deters, attackers from sniffing any worthwhile information from your Internet packets. They can still intercept packets, but they cannot do anything with them unless they have the key to decrypt them. End users, however, should not take this as Google encrypting their email completely. They should understand that it is only encrypted until it gets to Google's servers. Once it leaves Google's servers to be delivered to the destination email provider, the contents of the email can once again be intercepted and read easily by anyone.

Figure 3: Gmail Session in HTTPS
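An audit of the login and session behaviour described in 3.1 and 5.1, as an added example that is not code from the paper or from any provider: it walks a captured sequence of request/response pairs and flags a login form served over HTTP, a password posted over HTTP, a logged-in session falling back to HTTP, and a cookie (such as a remembered address) set without the Secure flag. The two flows, hostnames and cookie names are constructed, not real captures.

```python
"""Audit a captured webmail login flow for plaintext exposure.

Added example, not code from the paper; the flows below are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Exchange:
    """One request/response pair from a captured webmail session."""
    url: str
    status: int
    set_cookies: list = field(default_factory=list)  # Set-Cookie values
    location: str = ""          # Location header of a redirect, if any
    login_form: bool = False    # response body carries the login form
    credentials: bool = False   # request body carried the password


def audit_flow(flow):
    """Return the findings a defender would raise against a login flow."""
    findings = []
    logged_in = False
    for ex in flow:
        parts = urlsplit(ex.url)
        plain = parts.scheme != "https"
        # An HTTP login URL is acceptable only if it redirects straight to
        # HTTPS; serving the form itself over HTTP invites a downgraded login.
        if plain and ex.status in (301, 302, 303, 307):
            if not ex.location.startswith("https://"):
                findings.append(f"redirect from {ex.url} does not reach HTTPS")
        elif plain and ex.login_form:
            findings.append(f"login form served over HTTP at {parts.hostname}")
        # The password itself must only ever be posted over HTTPS.
        if ex.credentials and plain:
            findings.append(f"credentials posted over HTTP to {parts.hostname}")
        # After login every request carries the session cookie, so a plain
        # HTTP page exposes both the cookie and the mailbox to a sniffer.
        if logged_in and plain and ex.status == 200:
            findings.append(f"authenticated session over HTTP: {ex.url}")
        logged_in = logged_in or ex.credentials
        # A cookie set without Secure is replayed on the next HTTP request.
        for cookie in ex.set_cookies:
            if "secure" not in cookie.lower():
                findings.append(f"cookie {cookie.split('=', 1)[0]} lacks Secure")
    return findings


# Constructed flows, not real captures. FLOW_A mirrors the behaviour the
# paper criticises; FLOW_B is the behaviour sections 3.1 and 5.1 ask for.
FLOW_A = [
    Exchange("http://mail.example-a.test/login", 200, login_form=True,
             set_cookies=["remembered_addr=user%40example-a.test; Path=/"]),
    Exchange("https://login.example-a.test/post", 302, credentials=True,
             location="http://mail.example-a.test/inbox",
             set_cookies=["session=abc123; Path=/"]),
    Exchange("http://mail.example-a.test/inbox", 200),
]
FLOW_B = [
    Exchange("http://mail.example-b.test/", 302,
             location="https://mail.example-b.test/login"),
    Exchange("https://mail.example-b.test/login", 200, login_form=True),
    Exchange("https://mail.example-b.test/post", 302, credentials=True,
             location="https://mail.example-b.test/inbox",
             set_cookies=["session=def456; Path=/; Secure; HttpOnly"]),
    Exchange("https://mail.example-b.test/inbox", 200),
]
```

Running `audit_flow(FLOW_A)` yields four findings (the HTTP login form, two cookies without Secure, and the inbox served over HTTP after login), while `audit_flow(FLOW_B)` returns an empty list.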

5.2. Encryption of Email

While many emails can be signed and encrypted in desktop email clients using methods such as S/MIME and PGP, encrypting webmail is a much more difficult process. Using certificates with S/MIME is sometimes considered unsuited to webmail [3]. PGP is now proprietary software; however, there is an open-source alternative available called GnuPG. Using an encryption tool like GnuPG works well when you have a desktop email client, because GnuPG is a command-line tool: you can encrypt the email on your computer before sending it. With webmail, however, you are composing a message in a web browser, so the message is not really on your computer, and this complicates encrypting the messages you send. Encryption of email even on desktop clients is not an easy task, much less encrypting webmail messages. It is a complex process, which deters many users from implementing it. However, with an online tutorial to walk them through it and a Firefox browser extension (FireGPG), users can begin to encrypt their web-based email messages in no time [4]. These tools are freely available and do not actually take very long to set up.

Figure 4: FireGPG (courtesy of Crunchgear.com [4])

5.3. Receiving Email

Users of free web-based email systems have come to expect built-in spam filters. Users now demand that these filters work right off the bat without their having to make any customizations. For the most part these spam filters do what they are supposed to do and send spam and phishing messages to the junk folder. There is the occasional slip-up, however, that gets past the filters and makes it into your inbox. What happens if a user accidentally clicks on one of these messages and there is malicious content hidden within the email? The good thing is that most web-based email providers now automatically block dynamic HTML content and graphics in emails when you first open them. These providers have a vested interest in protecting their users' computers from becoming infected, because it reduces the number of other users on their network who become infected. What about spoofed emails? Spoofed emails are messages that arrive in your inbox claiming to be sent from someone when in reality they are not. For example, an email can arrive in your inbox claiming that you sent it to yourself, when in reality it was sent by someone else. Assuming your account has not been compromised, this is a prime example of a spoofed email. Because of email attacks like this and phishing scams, Google, Yahoo!, and Microsoft have all implemented technologies in their email systems to verify a sender. Yahoo! and Google have implemented a technology called DKIM (DomainKeys Identified Mail) [5]. DKIM allows the sender or sending organization to vouch for the authenticity of their emails while they are being sent over the Internet. The reputation of the company then determines whether the message is trusted for delivery or not [5]. DKIM basically allows a sender to digitally sign their emails and verify that they are legitimate. For example, eBay currently has DKIM implemented and uses it on all of their outgoing emails. Because of this, when legitimate eBay emails are sent to Yahoo! accounts, they are actually delivered, whereas fake eBay emails are denied delivery and never make it to your account. We will see, however, that while this works most of the time, there are instances where it fails.

5.3.1. Example of DKIM Failure

Figure 5: Attempt to get past DKIM

The screenshot above is from the free webmail service Fastmail.fm. It allows you to add a From address that you want your emails to be sent from. This feature is available in all email clients; however, you must first verify that the address you are trying to use belongs to you. Fastmail, however, requires no such verification, and as such you can make an email look like it came from an email address that does not belong to you. With this, I wanted to test whether DKIM would catch the fact that the email was not really coming from the same account it was being addressed to.

Figure 6: Forged Email arrives in Inbox without problems

Figure 7: Header of preceding email

As you can see, the forged email that I sent arrived in the inbox without any problems. I have even included the header of the message to prove that I did not send that message to myself from within Yahoo! Mail. I can only assume that this happens because Yahoo!'s DKIM service is fooled into thinking this email actually came from yahoo.com. This does not only happen for Yahoo! Mail; it happens for Google's Gmail as well, because they both use DKIM technology. Hotmail does not use DKIM, but instead uses its own technology called Sender ID to verify the sender of an email message [6]. What will happen when we repeat this experiment, but send the message to a Hotmail address instead?
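Why a DKIM check alone can pass the forged message in 5.3.1 while Sender ID judges it differently, as an added example that is not part of the paper: DKIM attests to the domain in the signature's d= tag, not to the From: header, so a receiver that wants From: to be vouched for must also check that the two domains align (the check DMARC later standardised), whereas Sender ID derives a Purported Responsible Address from the headers and evaluates the sending host against that domain's policy. All domains, headers and the PLACEHOLDER signature values are constructed.

```python
"""Why a verified DKIM signature does not authenticate the From: header.

Added example, not code from the paper. DKIM (RFC 6376) vouches for the
domain in the signature's d= tag; whether that domain matches the From:
header is a separate "alignment" check that DKIM itself never makes.
Sender ID (RFC 4407) instead derives a Purported Responsible Address
(PRA) from the headers and checks the sending host against that
domain's policy. Messages are constructed; no DNS or crypto is done.
"""
import email
from email.utils import parseaddr

# Header precedence used to select the PRA (RFC 4407).
PRA_HEADERS = ("Resent-Sender", "Resent-From", "Sender", "From")


def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def dkim_signing_domain(msg):
    """Return the d= tag of the first DKIM-Signature header, or ''."""
    sig = msg.get("DKIM-Signature", "").replace("\r", "").replace("\n", "")
    for tag in sig.split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip().lower() == "d":
            return value.strip().lower()
    return ""


def pra_domain(msg):
    """Domain of the Purported Responsible Address, as Sender ID picks it."""
    for header in PRA_HEADERS:
        if msg.get(header):
            return domain_of(msg[header])
    return ""


def assess(raw, dkim_verified=True):
    """Classify a message; dkim_verified stands in for the signature check."""
    msg = email.message_from_string(raw)
    from_dom, d = domain_of(msg["From"]), dkim_signing_domain(msg)
    # Alignment: From: domain equals, or is a subdomain of, the d= domain.
    aligned = (from_dom == d or from_dom.endswith("." + d)) if d else False
    return {
        "from_domain": from_dom,
        "dkim_domain": d,
        "dkim_vouches_for_from": bool(dkim_verified and aligned),
        "pra_domain": pra_domain(msg),
    }


# Constructed messages. FORGED models the 5.3.1 experiment: submitted via a
# third party that signs with its own domain while From: is forged.
FORGED = """\
DKIM-Signature: v=1; a=rsa-sha256; d=thirdparty.test; s=sel1;
 h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER
From: victim@webmail.test
To: victim@webmail.test
Subject: spoof test

body
"""
LEGIT = FORGED.replace("d=thirdparty.test", "d=webmail.test")
```

For FORGED the signature domain is thirdparty.test while From: and the PRA are webmail.test, so `dkim_vouches_for_from` is False even though the signature itself would verify; a Sender ID receiver would check the submitting host against webmail.test's policy, not thirdparty.test's.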

Figure 8: Forged Email in Junk Mailbox

Figure 9: Header for preceding Email

As you can see, the email was immediately sent to the Junk folder of Hotmail, and the content was even blocked automatically: you could not see the message until you specifically allowed it. This is a great security measure implemented by Hotmail, and it helps protect its users from spoofed emails.

6. Conclusion

Email is used by many people today as one of their main forms of communication. Many of those users also like to be able to access their email from wherever they are without having to carry around their own computer. As such, it is imperative that web-based email providers offer their users plenty of security measures. They should protect their users from account hijacks and also protect the information that is in a user's account, email content included. While encryption of emails may take too many resources to be correctly implemented in a webmail system, the providers should at least offer an easily accessible tutorial for their users to follow should they want to implement encryption on their own. With the exception of Google, email providers still have a way to go in making sure that it is as difficult as possible for someone to hijack another user's email account. Email is a great resource, and it would be beneficial for many if these webmail providers offered more in terms of security and privacy for their users.

References

1. How E-mail Works. <http://communication.howstuffworks.com/email2.htm>
2. New Tool Automates Webmail Account Hijacks. <http://voices.washingtonpost.com/securityfix/2007/08/new_tool_automates_webmail_acc.html>
3. Obstacles to Deploying S/MIME. <http://en.wikipedia.org/wiki/s/mime#obstacles_to_deploying_s.2fmime_in_practice>
4. How to Protect your Webmail with GnuPG and FireGPG. <http://www.crunchgear.com/2008/09/22/help-key-how-to-protect-your-webmail-withgnupg-and-firegpg/>
5. DomainKeys Identified Mail. <http://www.dkim.org/>
6. Sender ID. <http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx>
7. Pfleeger, C. and Pfleeger, S., Security in Computing, 4th Edition.
8. Webmail Security: Best Practices for Data Protection. <http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1313468,00.html>