E-mail and Instant MessagingChapter 16Principles of Co.docx

E-mail and Instant Messaging
Chapter 16
Principles of Computer Security, Fifth Edition
Copyright © 2018 by McGraw-Hill Education. All rights
reserved.
Objectives
Describe security issues associated with e-mail.
Implement security practices for e-mail.
Detail the security issues of instant messaging protocols.
reserved.
2
Key Terms (1 of 2)
Botnet
DomainKeys Identified Mail (DKIM)
E-mail
E-mail hoax
Instant messaging (IM)
Mail delivery agent (MDA)

Mail relaying
Mail transfer agent (MTA)
Mail user agent (MUA)
Multipurpose Internet Mail Extensions (MIME)
Open relay
reserved.
Botnet – A term for a collection of software robots, or bots, that
runs autonomously and automatically and commonly invisibly
in the background. The term is most often associated with
malicious software, but it can also refer to the network of
computers using distributed computing software.
DomainKeys Identified Mail (DKIM) – An authentication
system for e-mail designed to detect spoofing of e-mail
addresses.
E-mail – Started with mailbox programs on early time-sharing
machines, allowing researchers to leave messages for others
using the same machine.
E-mail hoax – E-mails that travel from user to user because of
the compelling story contained in them.
Instant messaging (IM) – A text-based method of
communicating over the Internet.
Mail delivery agent (MDA) – The recipient’s mail server.
Mail relaying – Similar to dropping a letter off at a post office
instead of letting the postal carrier pick it up at your mailbox.
On the Internet, that consists of sending e-mail from a separate
IP address, making it more difficult for the mail to be traced
back to you.
Mail transfer agent (MTA) – The mail server
Mail user agent (MUA) – The application on the sender’s

machine.
Multipurpose Internet Mail Extensions (MIME) – A standard
that describes how to encode and attach non-textual elements in
an e-mail.
Open relay – A mail server that receives and forwards mail from
outside sources.
3
Key Terms (2 of 2)
Pretty Good Privacy (PGP)
Real-time Blackhole List (RBL)
Secure/Multipurpose Internet Mail Extensions (S/MIME)
Sender Policy Framework (SPF)
Simple Mail Transfer Protocol (SMTP)
Spam
Unsolicited commercial e-mail
reserved.
Pretty Good Privacy (PGP) – A popular encryption program that
has the ability to encrypt and digitally sign e-mail and files.
Real-time Blackhole List (RBL) – A system that uses DNS
information to detect and dump spam e-mails.
Secure/Multipurpose Internet Mail Extensions (S/MIME) – An
encrypted implementation of the MIME (Multipurpose Internet
Mail Extensions) protocol specification.
Sender ID Framework (SIDF) – Microsoft’s server-based
solution to spam.
Simple Mail Transfer Protocol (SMTP) – The standard Internet
protocol used to transfer e-mail between hosts.
Spam – E-mail that is not requested by the recipient and is
typically of a commercial nature. Also known as unsolicited

commercial e-mail (UCE).
Unsolicited commercial e-mail – E-mail that is not requested by
the recipient and is typically of a commercial nature.
4
How E-mail Works (1 of 4)
E-mail started with mailbox programs on early time-sharing
machines, allowing researchers to leave messages for others
using the same machine.
Internet e-mail depends on three primary protocols:
Simple Mail Transfer Protocol (SMTP) is a method by which
mail is sent to the server as well as from server to server.
POP3 is a method by which a client computer may connect to a
server and download new messages.
IMAP allows the client to retrieve messages from the server; it
typically works in greater synchronization than POP3.
reserved.
5
Secure versions of the common communication protocols exist
via the STARTTLS method.
STARTTLS is a means of using Transport Layer
Security (TLS) to secure a communication channel for text-
based communication protocols.
E-mail appears to be a client-to-client communication, between
sender and receiver.
In reality, a lot of steps are involved.

reserved.
6
Figure 16.1 How e-mail works
reserved.
In reality, a lot of steps are involved, as shown in Figure 16.1
and described here:
1. A user composes and sends an e-mail from the user’s client
machine.
2. The e-mail is sent to the client’s e-mail server. In an Internet
service provider (ISP) environment, this could be via the ISP. In
the case of web mail, it is the mail service (Gmail,
Hotmail/Live, etc.). In a corporate environment it is the
corporate mail server.
3. a. The receiving e-mail server scans the e-mail for viruses,
malware, and other threats.
3. b. The mail server uses DNS to obtain the recipient e-mail
server address via an MX record.
4. The mail server prepares the e-mail for transit across the
Internet to the recipient’s mail server.
5. The e-mail is routed across the Internet.
6. The receiving e-mail server scans the e-mail for viruses,

malware, and other threats.
7. The e-mail is passed to the recipient’s in-box, where it can be
read.
7
In technical terms, the application on the sender’s machine is
referred to as a mail user agent (MUA), and the mail server is a
mail transfer agent (MTA).
The recipient’s mail server is referred to as a mail delivery
agent (MDA).
These terms are used when discussing mail transfers to provide
accuracy in the conversation.
reserved.
For communication from the MUA to the MTA, SMTP (port 25)
is used, and communication from MTA to MTA is also SMTP.
The protocol used for communication from the MDA to the
MUA on the recipient machine is typically POP/IMAP.
8
E-mail Structure
E-mail is structured in two elements, a header and the body.
The entire message is sent via plain ASCII text, with
attachments included using Base64 encoding.
The e-mail header provides information for the handling of the
e-mail between MUAs, MTAs, and MDAs.
It is important to note that the format of the message and its
attachments are in plaintext.

reserved.
9
MIME
When a message has an attachment, the protocol used to deliver
the message is Multipurpose Internet Mail Extensions (MIME).
This protocol allows the exchange of different kinds of data
across text-based e-mail systems.
When MIME is used, it is marked in the header of the e-mail,
along with supporting elements to facilitate decoding.
reserved.
10
Security of E-mail (1 of 4)
The e-mail hoax has become a regular occurrence.
Internet-based urban legends are spread through e-mail, with
users forwarding them in seemingly endless loops around the
globe.
People still have not found a good way to block ubiquitous
spam e-mails.
E-mail security is ultimately the responsibility of users
themselves, because they are the ones who will actually be
sending and receiving the messages.

reserved.
E-mail can be used to move a variety of threats across the
network. From spam, to viruses, to advanced malware in spear-
phishing attacks, e-mail can act as a transmission medium.
Spam is the most common attack but is now just a nuisance; the
majority is now mostly cleaned up by mail server filters and
software.
11
Figure 16.2 A typical list of spam e-mails
reserved.
People still have not found a good way to block ubiquitous
spam e-mails (a sampling of which is shown in Figure 16.2),
despite the remarkable advance of every other technology.
12
Security administrators can give users the tools they need to
fight malware, spam, and hoaxes.
Secure/Multipurpose Internet Mail Extensions (S/MIME) and
Pretty Good Privacy (PGP) are two popular methods used for
encrypting e-mail.
Server-based and desktop-based virus protection can help

against malicious code, and spam filters attempt to block all
unsolicited commercial e-mail.
E-mail users need to be educated about security.
reserved.
13
Instant messaging (IM), while not part of the e-mail system, is
similar to e-mail in many respects, particularly in the sense that
it is commonly plaintext and can transmit files.
Unsolicited commercial e-mail (Spam)
Industry trade name for unsolicited emails.
Botnets are set up to spread spam
reserved.
14
Malicious Code (1 of 7)
Viruses and worms are popular programs because they make
themselves popular.
Because the e-mail protocol permits users to attach files to e-
mail messages, viruses can travel by e-mail from one local
network to another, anywhere on the Internet.

This changed the nature of virus programs, since they once were
localized but now could spread virtually everywhere.
E-mail gave the virus a global reach.
reserved.
Exam Tip: Viruses and worms both can carry malicious
payloads and cause damage. The difference is in how they are
transmitted: viruses require a file to infect, whereas worms can
exist independently of a file.
The advent of computer networks was a computer virus writer’s
dream, allowing viruses to attempt to infect every network share
to which the computer was attached. This extended the virus’s
reach from a set of machines that might share a floppy disk to
every machine on the network. Because the e-mail protocol
permits users to attach files to e-mail messages (see Figure
16.3), viruses can travel by e-mail from one local network to
another, anywhere on the Internet. This changed the nature of
virus programs, since they once were localized but now could
spread virtually everywhere. E-mail gave the virus a global
reach.
When active content was designed for the Web, in the form of
Java and ActiveX scripts, these scripts were interpreted and run
by the web browser. E-mail programs also would run these
scripts, and that’s when the trouble began. Some e-mail
programs, most notably Microsoft Outlook, use a preview pane,
which allows users to read e-mails without opening them in the
full screen (see Figure 16.4).
15

Figure 16.3 Viruses commonly spread through e-mail
attachments
reserved.
Because the e-mail protocol permits users to attach files to e-
mail messages (see Figure 16.3), viruses can travel by e-mail
from one local network to another, anywhere on the Internet.
16
When active content was designed for the Web, in the form of
Java and ActiveX scripts, these scripts were interpreted and run
by the web browser.
E-mail programs also would run these scripts, and that is when
the trouble began.
Some e-mail programs, most notably Microsoft Outlook, use a
preview pane, which allows users to read e-mails without
opening them in the full screen.
reserved.
17

Figure 16.4 The preview pane on the right can execute code
in e-mails without opening them.
reserved.
Some e-mail programs, most notably Microsoft Outlook, use a
preview pane, which allows users to read e-mails without
opening them in the full screen (see Figure 16.4).
Unfortunately, this preview still activates all the content in the
e-mail message, and because Outlook supports Visual Basic
scripting, it is vulnerable to e-mail worms. A user doesn’t need
to run the program or even open the e-mail to activate the
worm—simply previewing the e-mail in the preview pane can
launch the malicious content. This form of automatic execution
was the primary reason for the spread of the ILOVEYOU worm.
18
All malware is a security threat.
Antivirus systems are not a panacea.
Worm prevention relies on patch management.
Viruses are user-launched.
People using the e-mail system create the front line of defense
against viruses.
Users need to be educated about virus dangers.
Use localized antivirus scanning programs like AVG.

reserved.
All malware is a security threat, with the several different types
having different countermeasures. The antivirus systems that we
have used for years have progressed to try and stop all forms of
malicious software, but they are not a panacea. Worm
prevention also relies on patch management of the operating
system and applications. Viruses are user-launched, and since
one of the most common transfer methods for viruses is through
e-mail, the people using the e-mail system create the front line
of defense against viruses. In addition to antivirus scanning of
the user’s system, and possibly an e-mail virus filter, users need
to be educated about the dangers of viruses.
Although the great majority of users are now aware of viruses
and the damage they can cause, more education may be needed
to instruct them on the specific things that need to be addressed
when a virus is received via e-mail. These can vary from
organization to organization and from e-mail software to e-mail
software; however, some useful examples of good practices
involve examining all e-mails for a known source as well as a
known destination, especially if the e-mails have attachments.
Strange files or unexpected attachments should always be
checked with an antivirus program before execution. Users also
need to know that some viruses can be executed simply by
opening the e-mail or viewing it in the preview pane. Education
and proper administration is also useful in configuring the e-
mail software to be as virus resistant as possible—turning off
scripting support and the preview pane are good examples.
Many organizations outline specific user responsibilities for e-
mail, similar to network acceptable use policies. Some examples
include using e-mail resources responsibly, avoiding the
installation of untrusted programs, and using localized antivirus

scanning programs, such as AVG.
19
reserved.
Another protection is to carefully create virus scanning
procedures.
If possible, perform virus scans on every e-mail as it comes into
the company’s e-mail server.
Some users will also attempt to retrieve e-mail offsite from a
normal Internet service provider (ISP) account, which can
bypass the server-based virus protection,
Every machine should also be protected with a host-based virus
protection program that scans all files on a regular basis and
performs checks of files upon their execution.
reserved.
21
Hoax E-mails (1 of 2)
E-mail hoaxes are mostly a nuisance.
They waste time and use Internet bandwidth and server

processing time.
E-mail hoaxes are global urban legends, perpetually traveling
from one e-mail account to the next, and most have a common
theme of some story.
It is important to educate e-mail users.
They should be familiar with a hoax before they go online.
They should know how to search the Internet for hoax
information.
reserved.
Warning: Forwarding hoax e-mails and other jokes, funny
movies, and non-work-related e-mails at work can be a violation
of your company’s acceptable use policy and result in
disciplinary actions.
E-mail hoaxes are mostly a nuisance, but they do cost everyone,
not only in the time wasted by receiving and reading the e-
mails, but also in the Internet bandwidth and server processing
time they take up. E-mail hoaxes are global urban legends,
perpetually traveling from one e-mail account to the next, and
most have a common theme of some story you must tell ten
other people about right away for good luck or some virus that
will harm your friends unless you tell them
The most important thing to do in this case is educate e-mail
users: they should be familiar with a hoax or two before they go
online, and they should know how to search the Internet for
hoax information. Users need to apply the same common sense
on the Internet that they would in real life: If it sounds too
outlandish to be true, it probably is a fabrication. The goal of
education about hoaxes should be to change user behavior to

delete the hoax e-mail and not send it on immediately. Hoaxes
are similar to chain letters, but instead of promising a reward,
the story in the e-mail is typically what produces the action.
22
Hoax E-mails (2 of 2)
Figure 16.5 Snopes is an online reference for urban legends
common in hoax e-mails.
reserved.
Hoaxes have been circling the Internet for many years, and
many web sites are dedicated to debunking them, such as
Snopes.com (see Figure 16.5).
23
Spam Filter (1 of 6)
Spam refers to unsolicited commercial e-mail whose purpose is
the same as the junk mail you get in your physical mailbox—it
tries to persuade you to buy something.
The amount of spam being transmitted eventually spurred
federal authorities into action.
Controlling the Assault of Non-Solicited Pornography and
Marketing Act (CAN-SPAM) law
reserved.

The first spam e-mail was sent in 1978 by a DEC employee.
However, the first spam that really captured everyone’s
attention was in 1994, when two lawyers posted a commercial
message to every Usenet newsgroup. This was the origin of
using the Internet to send one message to as many recipients as
possible via an automated program. Commercial e-mail
programs have taken over, resulting in the variety of spam that
most users receive in their in-boxes every day.
24
Popular methods to fight spam
Blacklisting
Content filtering
Trusted servers
Delay-based filtering
PTR and reverse DNS checks
Callback verification
Statistical content filtering
Rule-based filtering
Egress filtering
Hybrid filtering
reserved.
The first spam e-mail was sent in 1978 by a DEC employee.
However, the first spam that really captured everyone’s
attention was in 1994, when two lawyers posted a commercial
message to every Usenet newsgroup. This was the origin of
using the Internet to send one message to as many recipients as
possible via an automated program. Commercial e-mail
programs have taken over, resulting in the variety of spam that

most users receive in their in-boxes every day.
25
Mail relaying is similar to dropping a letter off at a post office
IP address.
SMTP server software is typically configured to accept mail
only from specific hosts or domains.
All SMTP software can and should be configured to accept only
mail from known hosts, or to known mailboxes; this closes
down mail relaying and helps to reduce spam.
reserved.
Mail relaying is similar to dropping a letter off at a post office
IP address, making it more difficult for the mail to be traced
back to you. SMTP server software is typically configured to
accept mail only from specific hosts or domains. All SMTP
software can and should be configured to accept only mail from
known hosts, or to known mailboxes; this closes down mail
relaying and helps to reduce spam.
26
Greylisting
When an e-mail is received, it is bounced as a temporary
rejection.
SMTP servers that are compliant with RFC 5321 will wait a

configurable amount of time and attempt retransmission of the
message.
Spammers will not retry sending of any messages, so spam is
reduced.
reserved.
27
reserved.
Another technique is known as greylisting. When an e-mail is
received, it is bounced as a temporary rejection. SMTP servers
that are RFC 5321–compliant will wait a configurable amount
of time and attempt retransmission of the message. Obviously,
spammers will not retry sending of any messages, so spam is
reduced.
28
Spam URI Real-time Block Lists (SURBL) detect unwanted e-
mail based on invalid or malicious links within a message.
Using a SURBL filter is a valuable tool to protect users from

malware and phishing attacks.
Not all mail servers support SURBL, but this technology shows
promise in the fight against malware and phishing.
The Real-time Blackhole List (RBL) list of e-mail servers that
are known for allowing spam, or have open relays, and enable
bad e-mail behaviors
reserved.
29
Sender ID Framework
Microsoft offers another server-based solution to spam, called
the Sender ID Framework (SIDF).
SIDF attempts to authenticate messages by checking the
sender’s domain name against a list of IP addresses authorized
to send e-mail by the domain name listed.
This list is maintained in a text (TXT) record published by the
DNS, called a Sender Policy Framework (SPF) record.
reserved.
So when a mail server receives an e-mail, it will check the
sender’s domain name in the DNS; if the outbound server’s IP
matches, the message gets a “pass” rating by SIDF. This is
similar to the idea that routers should drop any outbound port
25 traffic that does not come from known e-mail servers on the

subnet managed by the router. However, the SIDF system
handles the authentication of the e-mail server when it is
received, not when it is sent. This system still allows wasted
bandwidth from the sender of the message to the receiver, and
since bandwidth is increasingly a metered service, this means
the cost of spam is still paid by the recipient. The SPF check
ensures that the sending MTA is allowed to send mail on behalf
of the sender’s domain name. When SPF is activated on your
server, the sending server’s MX record (the DNS Mail Exchange
record) is validated before message transmission takes place.
These methods can take care of up to 90 percent of the junk
mail clogging our networks, but they cannot stop it entirely.
Better control of port 25 traffic is required to slow the tide of
spam hitting our in-boxes. This would stop spammers using
remote open relays and, hopefully, prevent many users from
running unauthorized e-mail servers of their own. Because of
the low cost of generating spam, until serious action is taken, or
spam is somehow made unprofitable, it will remain with us.
30
DomainKeys Identified Mail (1 of 2)
DomainKeys Identified Mail (DKIM) is an e-mail validation
system employed to detect e-mail spoofing.
DKIM operates by providing a mechanism to allow receiving
MTAs to check that incoming mail is authorized and the e-mail
(including attachments) has not been modified during transport.
It does this through a digital signature included with the
message that can be validated by the recipient using the signer’s
public key published in the DNS.
reserved.

DomainKeys Identified Mail (DKIM) is an e-mail validation
system employed to detect e-mail spoofing. DKIM operates by
providing a mechanism to allow receiving MTAs to check that
incoming mail is authorized and that the e-mail (including
attachments) has not been modified during transport. It does
this through a digital signature included with the message that
can be validated by the recipient using the signer’s public key
published in the DNS. DKIM is the result of the merging of two
previous methods, DomainKeys and Identified Internet Mail.
DKIM is the basis for a series of IETF standards-track
specifications and is used by AOL, Gmail, and Yahoo mail. Any
mail from these organizations should carry a DKIM signature.
31
DomainKeys Identified Mail (2 of 2)
DKIM is the result of the merging of two previous methods,
DomainKeys and Identified Internet Mail.
DKIM is the basis for a series of IETF standards-track
specifications and is used by AOL, Gmail, and Yahoo mail.
Any mail from these organizations should carry a DKIM
signature.
Data Loss Prevention (DLP)
Scans outgoing traffic and mail
reserved.
32
Mail Encryption
E-mail suffers from a more important security—the lack of

confidentiality, or, as it is sometimes referred to, privacy.
E-mail has always been a plaintext protocol.
Any attacker at a choke point in the network could read all e-
mail passing through that network segment.
Some tools can be used to solve this problem by using
encryption on the e-mail’s content.
The first method is S/MIME and the second is PGP.
reserved.
When many people first got onto the Internet, they heard a
standard lecture about not sending anything through e-mail that
they wouldn’t want posted on a public bulletin board. Part of
the reason for this was that e-mail is sent with the clear text of
the message exposed to anyone who is sniffing the network.
Any attacker at a choke point in the network could read all e-
mail passing through that network segment.
33
S/MIME (1 of 5)
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a
secure implementation of the MIME protocol specification.
MIME was created to allow Internet e-mail to support new and
more creative features.
MIME handles audio files, images, applications, and multipart
e-mails.
MIME allows e-mail to handle multiple types of content in a
message, including file transfers.
S/MIME was developed by RSA Data Security and uses the
X.509 format for certificates.

reserved.
The original e-mail RFC specified only text e-mail, so any non-
text data had to be handled by a new specification—MIME.
MIME handles audio files, images, applications, and multipart
e-mails. MIME allows e-mail to handle multiple types of
content in a message, including file transfers. Every time you
send a file as an e-mail attachment, you are using MIME.
S/MIME takes this content and specifies a framework for
encrypting the message as a MIME attachment.
S/MIME was developed by RSA Data Security and uses the
X.509 format for certificates. The specification supports both
40-bit RC2 and 3DES for symmetric encryption. The protocol
can affect the message in one of two ways: the host mail
program can encode the message with S/MIME, or the server
can act as the processing agent, encrypting all messages
between servers.
The host-based operation starts when the user clicks Send; the
mail agent then encodes the message using the generated
symmetric key. Then the symmetric key is encoded with the
remote user’s public key for confidentiality or signed with the
local user’s private key for authentication/nonrepudiation. This
enables the remote user to decode the symmetric key and then
decrypt the actual content of the message. Of course, all of this
is handled by the …
Types of Attacks and Malicious Software
Chapter 15

reserved.
Objectives
Describe the various types of computer and network attacks,
including denial-of-service, spoofing, hijacking, and password
guessing.
Identify the different types of malicious software that exist,
including viruses, worms, Trojan horses, logic bombs, time
bombs, and rootkits.
Explain how social engineering can be used as a means to gain
access to computers and networks.
Describe the importance of auditing and what should be audited.
reserved.
2
Key Terms (1 of 3)
Auditing
Backdoor
Birthday attack
Botnet
Buffer overflow
Denial-of-service (DoS) attack
Distributed denial-of-service (DDoS) attack

DNS kiting
Drive-by download attack
Integer overflow
Logic bomb
reserved.
Auditing – Actions or processes used to verify the assigned
privileges and rights of a user, or any capabilities used to create
and maintain a record showing who accessed a particular system
and what actions they performed.
Backdoor – A hidden method used to gain access to a computer
system, network, or application. Often used by software
developers to ensure unrestricted access to the systems they
create. Synonymous with trapdoor.
Birthday attack – A form of attack in which the attack needs to
match not a specific item but just one of a set of items.
Botnet – A term for a collection of software robots, or bots, that
runs autonomously and automatically and commonly invisibly
in the background. The term is most often associated with
malicious software, but it can also refer to the network of
computers using distributed computing software.
Buffer overflow – A specific type of software coding error that
enables user input to overflow the allocated storage area and
corrupt a running program.
Denial-of-service (DoS) attack – An attack in which actions are
taken to deprive authorized individuals from accessing a
system, its resources, the data it stores or processes, or the
network to which it is connected.
Distributed denial-of-service (DDoS) attack – A special type of
DoS attack in which the attacker elicits the generally unwilling
support of other systems to launch a many-against-one attack.

DNS kiting – The use of a DNS record during the payment grace
period without paying.
Drive-by download attack – An attack on an innocent victim
machine where content is downloaded without the user’s
knowledge.
Integer overflow – An error condition caused by the mismatch
between a variable assigned storage size and the size of the
value being manipulated.
Logic bomb – A form of malicious code or software that is
triggered by a specific event or condition. See also time bomb.
3
Key Terms (2 of 3)
Malware
Man-in-the-middle attack
Null session
Pharming
Phishing
Ransomware
Replay attack
Rootkit
Sequence number
Smurf attack
Sniffing
Spear phishing
Spoofing
Spyware
reserved.
Malware – A class of software that is designed to cause harm.
Man-in-the-middle attack – Any attack that attempts to use a

network node as the intermediary between two other nodes.
Each of the endpoint nodes thinks it is talking directly to the
other, but each is actually talking to the intermediary.
Null session – The way in which Microsoft Windows represents
an unauthenticated connection.
Pharming – The use of a fake web site to socially engineer
someone out of credentials.
Phishing – The use of social engineering to trick a user into
responding to something such as an e-mail to instantiate a
malware-based attack.
Ransomware – Malware that encrypts sensitive files and offers
their return for a ransom.
Replay attack – An attack where data is replayed through a
system to reproduce a series of transactions.
Rootkit – A form of malware that modifies the OS in a system
to change the behavior of the system.
Sequence number – A number within a TCP packet to maintain
TCP connections and conversation integrity.
Smurf attack – A method of generating significant numbers of
packets for a DoS attack.
Sniffing – The use of a software or hardware device (sniffer) to
observe network traffic as it passes through a network on a
shared broadcast media.
Spear phishing – A form of targeted phishing where specific
information is included to convince the recipient that the
communication is genuine.
Spoofing – Making data appear to have originated from another
source so as to hide the true origin from the recipient.
Spyware – Malware designed to spy on a use, typically
recording information such as keystrokes for passwords.
4
Key Terms (3 of 3)
SYN flood
TCP/IP hijacking
Trojan

Typo squatting
Virus
Worm
Zombie
reserved.
SYN flood – A method of performing DoS by exhausting TCP
connection resources through partially opening connections and
letting them time-out.
TCP/IP hijacking – An attack where the attacker intercepts and
hijacks an established TCP connection.
Trojan – A form of malicious code that appears to provide one
service (and may indeed provide that service) but that also hides
another purpose. This hidden purpose often has a malicious
intent. This code may also be referred to as a Trojan horse.
Typo squatting – An attack form that involves capitalizing upon
common typo errors.
Virus – A form of malicious code or software that attaches itself
to other pieces of code in order to replicate. Viruses may
contain a payload, which is a portion of the code that is
designed to execute when a certain condition is met (such as on
a certain date). This payload is often malicious in nature.
Worm – An independent piece of malicious code or software
that self-replicates. Unlike a virus, it does not need to be
attached to another piece of code. A worm replicates by
breaking into another system and making a copy of itself on this
new system. A worm can contain a destructive payload but does
not have to.
Zombie – A machine that is at least partially under the control
of a botnet.
5

Avenues of Attack
A computer system is attacked for one of two general reasons:
It is specifically targeted by an attacker.
Political reason
Chosen based on attacker’s motivation
Not reliant on target system’s hardware and software
It is a target of opportunity.
Systems with hardware or software vulnerable to a specific
exploit
Difficult and take time and effort
reserved.
Generally, computer systems are attacked either as specific
targets or merely as targets of opportunity.
An attacker’s motivation in specifically targeting a system may
be political, monetary, or other.
In these instances the choice to attack does not rely on the exact
hardware and software being used in the targeted system, but
rather proceeds in spite of these details.
Target of opportunity attacks succeed when systems are found
which have not been updated with the most current security
patches and are therefore vulnerable to specific exploits.
6
Minimizing Possible Avenues of Attack
Steps to minimize possible attacks include:
Ensure all patches for the operating system and applications are
installed.
Limit the services that are running on the system.

Limit public disclosure of private information about your
organization and its computing resources.
reserved.
7
Malicious Code
Malicious code, or malware, refers to software that has been
designed for some nefarious purpose.
Patching of vulnerabilities is important, for it closes the point
of entry for most malware.
Types of malicious software include:
Viruses, Trojan horses, logic bombs, spyware, and worms
Malware can be fairly complex in its construction.
Multipartite, polymorphic, and metamorphic
reserved.
Malware can be fairly complex in its construction, with specific
features designed to assist malware in avoiding detection.
Modern malware can be multipart in construction, where several
pieces work together to achieve a desired effect.
When malware has multiple different objects that it specifically
attacks, it is called multipartite.
Many types of malware can include a changing encryption layer

to resist pattern-matching detection. These are called
polymorphic.
If the malware actually changes the code at time of infection,
this property is called metamorphic.
8
Viruses (1 of 4)
The best-known type of malicious code is the virus.
A virus is a piece of malicious code that replicates by attaching
itself to another piece of executable code.
When the other executable code is run, the virus also executes
and has the opportunity to infect other files and
perform any other nefarious actions it was designed to do.
The specific way that a virus infects other files, and the type of
files it infects, depends on the type of virus.
The first viruses created were of two types:
Boot sector viruses and program viruses
reserved.
9
Viruses (2 of 4)
A boot sector virus infects the boot sector portion of a floppy
disk or hard drive.
A program virus attaches itself to executable files so that it is
executed before the program executes.
Most program viruses also hide a nefarious purpose, such as
deleting the hard drive data.
A macro virus results from software that includes macro-
programming languages.

Best practice is to advise users never to open a document
attached to an e-mail if it seems at all suspicious.
reserved.
Boot Sector Virus – A boot sector virus infects the boot sector
portion of either a floppy disk or a hard drive (years ago, not all
computers had hard drives, and many booted from a floppy).
When a computer is first turned on, a small portion of the
operating system is initially loaded from hardware. This small
operating system then attempts to load the rest of the operating
system from a specific location (sector) on either the floppy or
the hard drive. A boot sector virus infects this portion of the
drive.
Program Virus – A program virus attaches itself to executable
files—typically files ending in .exe or .com on Windows-based
systems. The virus is attached in such a way that it is executed
before the program executes. Most program viruses also hide a
nefarious purpose, such as deleting the hard drive data, which is
triggered by a specific event, such as a date or after a certain
number of other files are infected. Like other types of viruses,
program viruses are often not detected until after they execute
their malicious payload. One method that has been used to
detect this sort of virus before it has an opportunity to damage a
system is to calculate checksums for commonly used programs
or utilities. Should the checksum for an executable ever change,
it is quite likely that it is due to a virus infection.
Macro Virus – In the late 1990s, another type of virus appeared
that now accounts for the majority of viruses. As systems and
operating systems became more powerful, the boot sector virus,

which once accounted for most reported infections, became less
common. Systems no longer commonly booted from floppies,
which were the main method for boot sector viruses to spread.
Instead, the proliferation of software that included macro-
programming languages resulted in a new breed of virus—the
macro virus.
This type of virus is so common today that it is considered a
security best practice to advise users never to open a document
attached to an e-mail if it seems at all suspicious. Many
organizations now routinely have their mail servers eliminate
any attachments containing Visual Basic macros.
10
Viruses (3 of 4)
To avoid virus infection:
Be cautious about executing programs or opening documents
sent to you.
Install and run an antivirus program and maintain an up-to-date
listing of virus signatures for the software.
Stay on top of the latest updates for known viruses.
Two advances in virus writing have made it more difficult for
antivirus software to detect viruses.
Stealth virus
Polymorphic virus
reserved.
Two advances in virus writing have made it more difficult for
antivirus software to detect viruses. These advances are the
introduction of stealth virus techniques and polymorphic
viruses.

A stealthy virus employs techniques to help evade being
detected by antivirus software that uses checksums or other
techniques.
Polymorphic viruses also attempt to evade detection, but they
do so by changing the virus itself (the virus “evolves”). Because
the virus changes, signatures for that virus may no longer be
valid, and the virus may escape detection by antivirus software.
11
Viruses (4 of 4)
Armored viruses resist being reverse-engineered.
Makes the process of determining information from reverse
engineering a viruses functionality more difficult.
Users are susceptible to virus hoaxes due to prior virus
outbreaks.
Word is spread about a new virus and the danger it poses.
A hoax may warn users to not read certain files or connect to
the Internet.
Hoaxes can actually be even more destructive than just wasting
time and bandwidth.
reserved.
When a new form of malware/virus is discovered, antivirus
companies and security researchers will decompile the program
in an attempt to reverse engineer its functionality. Much can be
determined from reverse engineering, such as where the
malware came from, how it works, how it communicates, how it
spreads, and so forth. Armoring malware can make the process
of determining this information much more difficult, if not

impossible. Some malware, such as Zeus, comes encrypted in
ways to prevent criminals from stealing the intellectual property
of the very malware that they use.
Viruses have caused so much damage to systems that many
Internet users become extremely cautious anytime they hear a
rumor of a new virus. Many users will not connect to the
Internet when they hear about a virus outbreak, just to be sure
their machines don’t get infected. This has given rise to virus
hoaxes, in which word is spread about a new virus and the
extreme danger it poses. It may warn users to not read certain
files or connect to the Internet.
Hoaxes can actually be even more destructive than just wasting
time and bandwidth. Some hoaxes warning of a dangerous virus
have included instructions to delete certain files if they’re
found on the user’s system. Unfortunately for those who follow
the advice, the files may actually be part of the operating
system, and deleting them could keep the system from booting
properly. This suggests another good piece of security advice:
make sure of the authenticity and accuracy of any virus report
before following somebody’s advice. Antivirus software
vendors are a good source of factual data for this sort of threat
as well.
12
Worms (1 of 2)
Worms are pieces of code that attempt to penetrate networks
and computer systems.
Once a penetration occurs, the worm will create a new copy of
itself on the penetrated system.
Reproduction of a worm thus does not rely on the attachment of
the virus to another piece of code or to a file, which is the

definition of a virus.
There is an important distinction:
Virus code has to attach itself to something else.
Worm code can “survive” on its own.
reserved.
It was once easy to distinguish between a worm and a virus.
Recently, with the introduction of new breeds of sophisticated
malicious code, the distinction has blurred.
Viruses were generally thought of as a system-based problem,
and worms were network-based. If the malicious code is sent
throughout a network, it may subsequently be called a worm.
13
Worms (2 of 2)
Protection against worms depends on the type of worm.
Avoid worms attached and propagated by e-mail.
Do not open files or run attachments unless you are absolutely
sure of their origin and integrity.
Secure systems and networks against penetration.
Install patches, eliminate unused and unnecessary services,
enforce good password security, and use firewalls and intrusion
detection systems.
Sophisticated attacks are almost impossible to avoid.
reserved.

How you protect your system against worms depends on the
type of worm.
Those attached and propagated through e-mail can be avoided
by following the same guidelines about not opening files and
not running attachments unless you are absolutely sure of their
origin and integrity.
Protecting against worms involves securing systems and
networks against penetration in the same way you would protect
your systems against human attackers: install patches, eliminate
unused and unnecessary services, enforce good password
security, and use firewalls and intrusion detection systems.
More sophisticated attacks, such as the Samy worm, are almost
impossible to avoid.
14
Polymorphic Malware
One of the primary means of avoiding detection by sensors is
the use of polymorphic code.
This is code that changes on a regular basis.
These changes or mutations are designed not to affect the
functionality of the code, but rather to mask any signature from
detection.
Polymorphic programs can change their coding after each use,
making each replicant different from a detection point of view.
reserved.
The detection of malware by antimalware programs is primarily

done through the use of a signature. Files are scanned for
sections of code in the executable that act as markers, unique
patterns of code that enable detection. Just as the human body
creates antigens that match marker proteins, antimalware
programs detect malware through unique markers present in the
code of the malware. Malware writers are aware of this
functionality and have adapted methods to defeat it.
15
Trojan Horses
A Trojan horse, or simply Trojan, is a piece of software that
appears to do one thing (and may, in fact, actually do that thing)
but hides some other functionality.
A Trojan is a standalone program that must be copied
and installed by the user.
To prevent the introduction of a Trojan:
Never to run software if you are unsure of its origin, security,
and integrity
Keep a virus-checking program running on the system
reserved.
A Trojan horse is software that appears to do one thing but
includes some hidden functionality.
Unlike a virus, which reproduces by attaching itself to other
files or programs, a Trojan is a standalone program that must be
copied and installed by the user—it must be “brought inside”
the system by an authorized user.
The challenge for the attacker is enticing the user to copy and
run the program. This generally means that the program must be
disguised as something that the user would want to run—a
special utility or game, for example.

Once it has been copied and is inside the system, the Trojan will
perform its hidden purpose, with the user often still unaware of
its true nature.
Prevention:
The single best method to prevent the introduction of a Trojan
to your system is never to run software if you are unsure of its
origin, security, and integrity.
A virus-checking program may also be useful in detecting and
preventing the installation of known Trojans. Another way to
prevent a Trojan Horse is to keep a virus-checking program
running on the system.
16
RAT (1 of 2)
Remote-access Trojans (RATs) are toolkits designed to provide
the capability of covert surveillance and/or the ability to gain
unauthorized access to a target system.
Mimic behaviors similar to keyloggers or packet sniffer
applications
Can employ malware to infect a system with code that can be
used to facilitate the exploitation of a target.
reserved.
17
RAT (2 of 2)
Present information to an attacker in a form to facilitate the
ability to gain unauthorized access to the target machine.
RATs are commonly employed by the more skilled threat actors
RATs enable attackers to have a way back into a system.

Key function of a RAT is to provide a periodic beacon out.
reserved.
18
Rootkits
A rootkit is a form of malware specifically designed to modify
the operation of the operating system in some fashion to
facilitate nonstandard functionality.
Can do virtually anything that the operating system does
Designed to avoid the security functions of the operating system
to avoid detection using subversion or evasion
Can load before the operating system loads, acting as a
virtualization layer
Acts as a form of malware and can exist in firmware and as
loadable library modules
reserved.
A rootkit is a form of malware that is specifically designed to
modify the operation of the operating system in some fashion to
facilitate nonstandard functionality.
Rootkits were originally designed to allow a program to take
greater control over operating system function when it fails or
becomes unresponsive.
They can do virtually anything that the operating system does.

Rootkits modify the operating system kernel and supporting
functions, changing the nature of the system’s
operation.
Rootkits are designed to avoid, either by subversion or evasion,
the security functions of the operating system to avoid
detection.
Rootkits act as a form of malware that can change thread
priorities to boost an application’s performance, perform
keylogging, act as a sniffer, hide other files from other
applications, or create backdoors in the authentication system.
The use of rootkit functionality to hide other processes and files
enables an attacker to use a portion of a computer without the
user or other applications knowing what is happening. This
hides exploit code from antivirus and antispyware programs,
acting as a cloak of invisibility.
Rootkits can load before the operating system loads, acting as a
virtualization layer, as in SubVirt and Blue Pill.
Rootkits can exist in firmware and these have been
demonstrated in both video cards and PCI expansion cards.
Rootkits can exist as loadable library modules, effectively
changing portions of the operating system outside the kernel.
Once a rootkit is detected, it needs to be removed and cleaned
up. Because of rootkits’ invasive nature, and the fact that many
aspects of rootkits are not easily detectable, most system
administrators don’t even attempt to clean up or remove a
rootkit. It is far easier to use a previously captured clean system
image and reimage the machine than to attempt to determine the
depth and breadth of the damage and fix individual files..
There are five main types of rootkits as listed below:
– Attacks firmware on a system
– Attacks at the virtual machine level
– Attacks the kernel of the OS
– Attacks libraries used on a system
– Attacks specific applications

19
Logic Bombs
Logic bombs are a type of malicious software that is
deliberately installed, generally by an authorized user.
A logic bomb is a piece of code that sits dormant for a period of
time until some event invokes its malicious payload.
Logic bombs are difficult to detect.
They demonstrate the need for a separation of duties and a
periodic review of all programs and services that are running on
a system.
They reinforce need for active backups.
reserved.
Logic bombs are difficult to detect because they are often
installed by authorized users and, in particular, by
administrators who are also often responsible for security. This
demonstrates the need for a separation of duties and a periodic
review of all programs and services that are running on a
system. It also illustrates the need to maintain an active backup
program so that if your organization loses critical files to this
sort of malicious code, it loses only transactions that occurred
since the most recent backup and no permanent loss of data
results.
20
Spyware
Spyware is software that “spies” on users, recording and
reporting on their activities.
Typically installed without user knowledge, spyware can do a

wide range of activities.
It can record keystrokes (commonly called keylogging) when
the user logs into specific web sites.
It can monitor how a user uses a specific piece of software
(monitor attempts to cheat at games).
Many states have passed legislation banning the unapproved
installation of software.
reserved.
Many uses of spyware seem innocuous at first, but the
unauthorized monitoring of a system can be abused very easily.
In other cases, the spyware is specifically designed to steal
information. Many states have passed legislation banning the
unapproved installation of software, but many cases of spyware
circumvent this issue through complex and confusing end-user
license agreements.
21
Adware
Software that is supported by advertising is called adware.
Adware comes in many different forms:
Legitimate adware
The user is aware of the advertising and agrees to the
arrangement in return for free use of the software.
Adware in the form of malware
It is characterized by software that presents unwanted ads.
reserved.

With legitimate adware, the user is aware of the advertising and
agrees to the arrangement in return for free use of the software.
This type of adware often offers an alternative, ad-free version
for a fee.
Adware can also refer to a form of malware, which is
characterized by software that presents unwanted ads. These ads
are sometimes an irritant, and at other times represent an actual
security threat. Frequently these ads are in the form of pop-up
browser windows, and in some cases they cascade upon any user
action.
22
Botnets
One form of malware that is seemingly benign to a user is a
botnet zombie.
Hackers create armies of machines by installing malware agents
on the machines, which then are called zombies.
These collections of machines are called botnets.
These zombies machines are used to conduct other attacks and
to spread spam and other malware.
Botnets have grown into networks of over a million nodes and
are responsible for tens of millions of spam messages daily.
reserved.
23
Backdoors and Trapdoors

Backdoors were originally (and sometimes still are) nothing
more than methods used by software developers to ensure that
they could gain access to an application even if something were
to happen in the future to prevent normal access methods.
The term backdoor is also, and more commonly, used to refer to
programs that attackers install after gaining unauthorized access
to a system to ensure that they can continue to have unrestricted
access to the system, even if their initial access method is
discovered and blocked.
reserved.
An example would be a hard-coded password that could be used
to gain access to the program in the event that administrators
forgot their own system password. The obvious problem with
this sort of backdoor (also sometimes referred to as a trapdoor)
is that, since it is hard-coded, it cannot be removed. Should an
attacker learn of the backdoor, all systems running that software
would be vulnerable to attack.
Backdoors can also be installed by authorized individuals
inadvertently, should they run software that contains a Trojan
horse (introduced earlier). A variation on the backdoor is the
rootkit, discussed in the previous section, which is established
not to gain root access but rather to ensure continued root
access.
24
Crypto-Malware
Crypto-malware is an early name given to malware that encrypts
files on a …

E-mail and Instant MessagingChapter 16Principles of Co.docx

E-mail and Instant MessagingChapter 16Principles of Co.docx

Recommended

Recommended

More Related Content

Similar to E-mail and Instant MessagingChapter 16Principles of Co.docx

Similar to E-mail and Instant MessagingChapter 16Principles of Co.docx (20)

More from brownliecarmella

More from brownliecarmella (20)

Recently uploaded

Recently uploaded (20)

E-mail and Instant MessagingChapter 16Principles of Co.docx