Email Security Vulnerabilities - Report Example

Email security Name: Number: Course: Lecturer: Date: Introduction With the electronic world that we have today, email communication remains one of the most essential tools that are used for communication. It forms the backbone of communication in many organizations. The use of email will grow from time to time. As the growth is seen to be exponential, its security is an important aspect that should be considered. The security implications of email storage, the policy implementation and enforcement and data recovery are the issues that are being considered today. In order to avoid failures, there is need to manage large data information in a well-organized and secure manner [Tan04]. Email security vulnerabilities There are many email vulnerabilities that have come up with the continued use of email in many organizations. These email communications security vulnerabilities include man-in-the-middle attack, ARP poisoning, RP flooding, wired and wireless attacks [Sch10]. ARP poisoning Address Resolution Protocol spoofing, also referred to as ARP flooding, or ARP poisoning/ARP poison routing is a mechanism that is employed when one wants to attack an Ethernet wireless or wired network. This technique may allow the attacker to undertake packet sniffing. In case of email, the attacker will sniff the packets that are being sent between the two communicating parties [Tan05]. In the normal operations of ARP, there will be broadcasting of host IP address and MAC addresses. When some host wants to send some information to a certain host, it will send a broadcast asking who has a certain IP address. The host with the respective IP address will reply to the request and will do so with the correct IP address and the MAC address. This communication happens with a lot of gullibility [Sal03]. This is because, ARP does not have authentication. The reply and the host which replies that it has the said IP address and MAC address will not be authenticated. In ARP communication, there is no authentication of the hosts. The host replying will be taken to be correct. ARP does not have a mechanism of correcting the information that it gets from the hosts which are communicating in the network [Sal03]. Since there is no authentication of the ARP requests and replies, the attacker will insert a wrong IP address to a computer cache. The ARP request will then be fed with the wrong IP address. This is called ARP poisoning, that is the ARP table has been poisoned with wrong information. The attacker manages to lie to the machines and to the people in the network [Rus11]. What these attacks do is that they will get what is taking place with the two parties. When the parties communicate, the attacker will get the packets and get the email password of either parties or even both parties. They can then use the passwords to undertake attacks [Pel05]. The ability to associate any IP address with any MAC address gives the attackers many forms of attacks. They are able to undertake many forms of attacks to the unsuspecting users and hosts in the network. With this ability, it is possible to have a lot of other attacks like man in the middle attacks, denial of service attacks, and MAC flooding [Ore07]. Man-in-the-middle attacks This is an attack which is common in local area networks. This attack is a form of active and aggressive eavesdropping where the attacker will create independent connections between the parties communicating so that the attacker will feign either parties communicating. In the end, the parties communicating will think that they are having a private communication and yet in the real sense, the communication is being controlled by eth attacker [Neu06]. A hacker can make use of ARP spoofing/poisoning to attack the communication between two communicating agents. A simple way in which this can be done is by the attacker sending ARP reply to a router. The router could be communicating with computer A. The router will send information regarding its IP address and the MAC address thinking that the requesting agent is computer A. after getting this information, the attacker will also send a ARP reply to machine A. Machine A will respond to the reply thinking that the machine is a router. It will then send information to the attacker. After getting this information, the MAC and IP address of the router and machine A, the attacker will then use a feature of the operating system that is called IP forwarding. This feature will enable the attacker to forward any information to the hosts in the network [Mat03]. MAC flooding MAC flooding is ARP cache poisoning technique that is targeted at switches. There is a difference between switches and hubs. Switches send network packets to particular host that was meant to get the information. Hubs just rebroadcast all the information and traffic they get. They do not have a mechanism which will enable them to check where the traffic is headed. There are some switches which go to hub mode when they become overloaded. Hackers will take advantage of this by ensuring that traffic is overloaded to the switch so that they get access to the traffic and therefore be able to packet sniff the network. This is possible when the switch is in the hub mode [Lin06]. Denial of service attack A hacker can maliciously associate an IP address which is very important to a MAC address which is false. An example is that a hacker can send an ARP reply by associating the IP address of the router to a false MAC address does not exist. What will happen is that the computers in the network will be thinking that they know the default gateway and will be sending packets to this false gateway. In other words they will be sending packets to the wrong “router”. The email which is purportedly sent in a network will then be sent to the wrong destination. The email details will therefore be disclosed to the wrong people. This is how denial of service attacks takes place [Lay07]. Tools that can be used to exploit email communications There are software tools that can be used to exploit email communications. They have been used to authenticate email; communications. This section will analyze these tools and how they are used to exploit email communications [Koh05]. Wireshark Wireshark Originally named Ethereal has been viewed as the most popular network analysis and assessment tool in the world. This software is used for analysis, troubleshooting and communication development of a network. It basically allows one to interactively assess the network traffic in a computer network. Wireshark packet analyzer is multiplatform software that uses a GTK+ widget tool for implementation of its interface and the pcap which consist of an application programming interface purposely for packet capturing. The tool can be used in any operating system platform including UNIX, Linux, Solaris and Microsoft Windows [Die09]. The software can be used to analyze network usage and traffic details at different times and levels from the connection time to transmission and termination time. Wireshark examines the traffic details including the bits that make up an individual packet. The pcap tool used by wireshark to capture packets provides individual packet data information such as source, destination, transmit time, protocol type and header data. It also has an inbuilt filtering and sorting tool that categorizes and organizes the analyzed information. This information is used in the assessment and audit of the network performance; it is also useful in the assessment of network security [Die09]. The results displayed by the wireshark interface include various outputs that are used for determining the network performance and security operations in the network. The tool will provide packet details which include the explanation of network level it belongs to, the transmission time, sender, recipient, among other details relating to an individual packet of data. This output is then used in the determination of the network performance [Dia02]. Wireshark can be used to exploit email communication in a network in that the traffic and their details are captured by the software. After this, the sender and receiver details shall have been captured. These details could contain the content of the email. With this information, the content of the email and their intention will be known to the attacker. This way, the communication between the two parties will have been intercepted and their privacy invaded [Dhi071]. Cain and Abel software This is software that is used to crack Windows operating systems passwords. There are many features that are associated with Cain. It can scan a wireless network and try to assess the network looking for passwords. There is also the attempt to decrypt database files like those of Ms Access, Fox Pro and dBase. There are many strategies that they use in an attempt to get the passwords that are found in the database and files. One strategy that this software can use is brute force attack. This is a strategy that tries accessing passwords by use of numerous attempts. This strategy will attempt to get the password by trying many attempts. It may take long to get the password but smaller and dictionary passwords are easy to crack. This is the reason as to why security professionals insist that complicated passwords should be used when looking for a password. Such software that is used to crack password only help to reduce the credibility and the safety of using email. There is the use of hashing which is a faster method as compared to brute-force attack. Hash codes are where a hash table is created so that passwords can be compared. It brings a good feature that is faster in speed. There are other features that come with Cain and Abel software like Web cracker and sniffing [Dhi07]. The software is made up of two parts: Cain and Abel. Cain is the part that we normally use. This is the part that is used by the hackers. It has the user interface. Abel is installed so that it can run on the background of the system. It can run while other tasks are being undertaken. This software can exploit email communications in that the password of the users can be retrieved using this software. The software can be used to get the passwords of the parties who are communicating. When this happens, the attackers can gain access to the email of both parties and, therefore, get the content of the mailboxes of either users, or the target user [Dhi071]. Linux Backtrack 5 R3 This is a distribution that is used by network security professionals. They are used to test for network penetration and testing. They are also used by hackers who might want to destroy the penetration applications and testers that are used by security professionals. They might want to destroy the penetration software [Dhi071]. BackTrack is a distribution of Linux that is meant for security that is used for testing penetration of applications on the network. The application is developed basing on Ubuntu Desktop. The latest version of this application has been coded Revolution. The latest release is that of BactTrack 5 R3. This system will boot into a console and not a graphic as it is normal with many applications. The graphic mode will be started manually by typing startx and pressing theenter key. This is the same thing when the system is being installed. The difference comes in that in installation, the system will boot to login mode. Because the system is developed using Ubuntu Desktop, the installation follows the same process with any application that is meant to be used in Ubuntu Desktop [Dhi05]. This software will exploit spoofing in that it will be used to know which packets are accessing the network. The details of the packets will be exposed and if an attacker was interested with these details, then he can get the content of the email. The communication will have been intercepted between the two communicating parties. Penetration detection and testing is a simple way of getting to know which email has entered a network. With the sniffing-like mechanism of the software tool, it is possible to get the features of the packet that has been intercepted and if the packets represented email, then the content of the email will be exposed to the supposed attacker [Bas08]. Mitigation strategies There are mitigation strategies that are used to eradicate the risks that are associated with email communications. For spoofing and ARP poisoning, one way on which this can be mitigated is by using IP addresses which are static. Also the network administrator should make use of ARP tables which are static. By exploiting CLI commands in UNIX and windows operating systems, the network administrator will know all the IP addresses of all the hosts that are found in the network. These commands include such commands like ipconfig/all in Windows and ifconfig in UNIX, the network administrator will get all the IP addresses and the MAC addresses of all hosts in the network [Bas08]. For the large networks, the network administrator will be required to have port security features that are available for the switch. Switches should be protected with this approach. One example of a port security feature is to have one MAC address to be associated with each of the physical ports of the switch. This will prevent the attackers from changing the MAC address of their machines. This way, switch security features will have been eradicated as the attackers will not have a chance to change the MAC addresses. The issue of spoofing will also be eradicated with this move. This is because it will be hard for attackers to change the MAC addresses of the computers which are being used [Bad07]. Another mitigation strategy is to have ARP monitoring tool installed in the network. It is important to have network administrators understand what ARP tool will do. With the use of this tool, attacks from ARP poisoning will be avoided. It will make it easier to safeguard the security and the operation of the switches because ARP reporting and replies will be protected [Ang07]. To prevent phishing and other email security vulnerabilities, organizations should install enterprise level security software in the network. It is advisable that this security software be able to check messages which are going out of the network and also those that are coming into the network. This will prevent messages from transmitting spam from networks that have been compromised [Ace05]. Also, users should be advised to change passwords frequently. This will prevent attackers from using brute force attack and, therefore, making it easier to guess passwords that are used by staff. Users should also be advised to use passwords that are strong. They should not use dictionary words or any combination of their names. Staff should also be trained about the internet security issues so that they are aware of what is going on. Most users are attacked because they are not aware of what is going on. They should be aware that their data and information is company assets and should be well guarded. They should be taught about the importance of having their passwords as their own and not sharing with anyone [And01]. References Tan04: , (Tan & Ruighaver 2004), Sch10: , (Schneier 2010), Tan05: , (Tan & Ruighaver 2005), Sal03: , (Salomon &Cassat 2003), Sal03: , (Salomon & Cassat 2003), Rus11: , (Russell & Gangemi 2011), Pel05: , (Peltier 2005), Ore07: , (Orebaugh, Ramirez & Beale 2007), Neu06: , (Neumann 2006), Mat03: , (Matt 2003), Lin06: , (Lindup 2006), Lay07: , (Layton 2007), Koh05: , (Koh et al. 2005), Die09: , (Dieter 2009), Dia02: , (Diayt 2002), Dhi071: , (Dhillon 2007), Dhi07: , (Dhillon & Mishra 2007), Dhi05: , (Dhillon 2005), Bas08: , (Baskerville 2008), Bad07: , (Badenhorst & Ellof 2007), Ang07: , (Angell 2007), Ace05: , (Aceituno 2005), And01: , (Anderson 2001), Read More