Against Mail Spoofing
Past, Current, and the Future
Broadband Security, Inc.
Kazunori ANDO
These slides were made for the “An-Shin-Kan café” seminar at JIPDEC (Dec 16, 2013).
The original version is in Japanese and was translated by the author.
Internet Magazine, July 2005: special feature article “Threats on the net and defence technology”
Internet Week 2003 Tutorial: “Current status of Mail systems”
Internet Week 99 Tutorial: “DNS & Mail”
I have traced and discussed the “spoofing” problem continuously!
“Anti-Spoofing = How to verify the sender”
Beginning of e-mail…
From:
To:
Cc:
Subject:
Hi, John
These characters are lune for me.
…
In ancient days, e-mails (text files) were delivered to receiving servers by FTP or UUCP.
Message Format
From:
To:
Cc:
Subject:
Hi, Bob
We can’t read them even if they
were displayed on here…
…
The message must carry information about its recipients. Later, the message format of e-mail
was standardized in RFC 822 (by Dave Crocker).
Sending Protocol
Hi, Bob
We can’t read them even if they
were displayed on here…
…
On the other hand, the sending protocol became a separate one of its own, and was
standardized in RFC 821 (by Jon Postel).
HELO sender.example.jp
Mail From:sender@example.jp
Rcpt To:rcpt@aams.jp
DATA
…
.
Double existence of sender/recipient information
HELO sender.example.jp
Mail From:sender@example.jp
Rcpt To:rcpt@aams.jp
DATA
…
.
From:
To:
Cc:
Subject:
Message-ID:
Dear ◯◯,
Thank you for your continued support.
…
From:
To:
Cc:
Subject:
Hi, Bob
We can’t read them even if they
were displayed on here…
…
The message body is delivered to the recipients as a text file, but the sending/receiving log
(the protocol exchange) cannot be checked by every receiver.
Difference between the two sets of delivery information…
HELO sender.example.jp
Mail From:sender@example.jp
Rcpt To:rcpt@aams.jp
DATA
…
.
From:
To:
Cc:
Subject:
Message-ID:
Dear ◯◯,
Thank you for your continued support.
…
From:
To:
Cc:
Subject:
Hi, Bob
We can’t read them even if they
were displayed on here…
…
As long as users write the delivery information in the message text and the MUA reads it
and uses it for the actual delivery, no difference arises between the two.
Mailing-list server
A difference arises in ordinary usage
HELO sender.example.jp
Mail From:sender@example.jp
Rcpt To:ml@aams.jp
DATA
…
.
From:
To:
Cc:
Subject:
Message-ID:
Dear ◯◯,
Thank you for your continued support.
…
From:
To:
Cc:
Subject:
Hi, Bob
We can’t read them even if they
were displayed on here…
…
If the author of the message differs from the sender that delivers it, these two sets of
delivery information may differ (for example, on mailing lists).
To deliver the message to the intended recipients, the recipient information in the
sending protocol cannot be spoofed. All the other information, however, can be spoofed.
HELO ml.aams.jp
Mail From:ml-owner@aams.jp
Rcpt To:ml-rcpt@example.net
DATA
…
.
From the receiver side…
Return-Path:
From:
To:
Cc:
Subject:
Hi, Bob
We can’t read them even if they
were displayed on here…
The only reliable information for confirming the sender is the sender’s IP address.
Everything else can be spoofed, except the recipients’ addresses in the protocol.
HELO sender.example.jp
Mail From:sender@example.jp
Rcpt To:rcpt@aams.jp
DATA
…
.
No protection from spoofing!
“E-mail is past technology” ?
Return-Path:
From:
To:
Cc:
Subject:
Hi, Bob
We can’t read them even if they
were displayed on here…
The sender’s IP address can be spoofed by route hijacking…
HELO sender.example.jp
Mail From:sender@example.jp
Rcpt To:rcpt@aams.jp
DATA
…
.
Spoofing on the origin of the routing information?
JANOG30 Meeting (July, 2012)
I also pointed out the need for anti-spoofing in routing in 2005, and
RPKI is now coming to cover verification of the origin of routing information…
Internet Magazine, July 2005: special feature article “Threats on the net and defence technology”
March 2013: DNS amplification attack against Spamhaus
The problem of reflection attacks using IP source address spoofing
is not fully covered yet…
BCP38!
uRPF!
Internet Magazine, July 2005: special feature article “Threats on the net and defence technology”
How have e-mail engineers worked against spoofing?
Sender Policy Framework (SPFbis)
Return-Path:
Authentication-Results: … spf=pass
From:
To:
Cc:
Subject:
Hi, Bob
We can’t read them even if they
were displayed on here…
SPF checks the consistency between the sender’s domain (or the sender’s FQDN given in
the HELO command) and the IP address of the sending server, using the SPF RR published
in DNS. The sender’s domain appears in the Return-Path header of the message.
HELO sender.example.jp
Mail From:sender@example.jp
Rcpt To:rcpt@aams.jp
DATA
…
.
Verified by SPF
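The check this slide describes, as an added example that is not the author's or any library's code: the connecting IP address is matched against the SPF policy of the Return-Path (MAIL FROM) domain. The records in FAKE_DNS are constructed fixtures, and the evaluator implements only the ip4, ip6, include and all terms (a, mx, ptr, exists and redirect= need live DNS and are treated as no-match here), which is enough to show how the pass/fail/softfail result in Authentication-Results comes about.

```python
import ipaddress
from typing import Dict, Optional

# Constructed DNS fixture (not real records): domain -> SPF TXT record.
FAKE_DNS: Dict[str, str] = {
    "example.jp": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix -> SPF result name (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain: str, dns: Dict[str, str] = FAKE_DNS) -> Optional[str]:
    """Return the SPF record for a domain, or None if it publishes none."""
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def evaluate_spf(domain: str, client_ip: str,
                 dns: Dict[str, str] = FAKE_DNS, depth: int = 0) -> str:
    """Evaluate the domain's SPF policy against the connecting IP address.

    Only ip4, ip6, include and all are implemented; other mechanisms
    (a, mx, ptr, exists) and redirect= need live DNS and never match here.
    """
    if depth > 10:                      # RFC 7208 bounds include recursion
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include: matches only when the referenced policy yields "pass"
            if evaluate_spf(arg, client_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" term


def spf_authentication_result(mail_from: str, client_ip: str,
                              dns: Dict[str, str] = FAKE_DNS) -> str:
    """Build the spf= clause of an Authentication-Results header.

    The domain under test is taken from the envelope sender (MAIL FROM,
    later visible to the recipient as Return-Path), as on the slide.
    """
    domain = mail_from.rsplit("@", 1)[-1]
    result = evaluate_spf(domain, client_ip, dns)
    return f"spf={result} smtp.mailfrom={domain}"


if __name__ == "__main__":
    print(spf_authentication_result("sender@example.jp", "192.0.2.10"))
    print(spf_authentication_result("sender@example.jp", "203.0.113.7"))
```

Note that an `include:` whose policy ends in `~all` contributes only when it yields pass; the softfail of the included record does not leak out, and the outer `-all` then decides.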
Sender Policy Framework (SPFbis)
Return-Path:
Authentication-Results: … spf=pass
From:
To:
Cc:
Subject:
Hi, Bob
We can’t read them even if they
were displayed on here…
In Japan, over 90% of e-mail traffic can be checked by SPF (June 2013).
Remaining problem: how to present the verification results to end users.
HELO sender.example.jp
Mail From:sender@example.jp
Rcpt To:rcpt@aams.jp
DATA
…
.
Verified by SPF
Return-Path:
Authentication-Results: … dkim=pass
From:
To:
Cc:
Subject:
Hi, Bob
We can’t read them even if they
were displayed on here…
The sending server signs with its secret (private) key, and the receiving server verifies the
signature with the public key published via DNS. The signature can cover headers and the
message body; however, only the “From:” header is required to be included.
HELO sender.example.jp
Mail From:sender@example.jp
Rcpt To:rcpt@aams.jp
DATA
…
.
STD 76: DomainKeys Identified Mail (DKIM)
Verified by
DKIM
Protected optionally
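Two of the verifier-side steps behind the dkim=pass on this slide can be shown without a key: body canonicalization with the bh= body-hash check (RFC 6376 section 3.4), and the rule that From: must be among the signed headers. This is an added example, not the author's code or any DKIM library; the message body and the DKIM-Signature value are constructed, and the b= value is a labelled placeholder because producing it needs the selector's private key, which this example deliberately does not have.

```python
import base64
import hashlib
import re
from typing import Dict, List


def canonicalize_body(body: str, mode: str = "relaxed") -> bytes:
    """Canonicalize a message body as in RFC 6376 section 3.4.

    simple:  only trailing empty lines are removed and a final CRLF ensured.
    relaxed: additionally, trailing whitespace on each line is dropped and
             runs of spaces/tabs inside a line collapse to a single space.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str, mode: str = "relaxed") -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into tag=value pairs, folding whitespace removed."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def signed_headers(tags: Dict[str, str]) -> List[str]:
    return [h.strip().lower() for h in tags.get("h", "").split(":") if h.strip()]


def from_is_signed(tags: Dict[str, str]) -> bool:
    """RFC 6376 requires From in h=; a signature that omits it must be rejected."""
    return "from" in signed_headers(tags)


def check_body_hash(tags: Dict[str, str], body: str) -> bool:
    """Verifier's first check: does bh= match the body as actually received?

    The body canonicalization mode is the second half of c= (default simple).
    """
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return tags.get("bh") == body_hash(body, body_mode)


# Constructed sample body (not from a real DKIM deployment).
SAMPLE_BODY = "Hi, Bob\nWe can't read them even if they\n were displayed on here...\n\n"


def sample_signature_header(body: str) -> str:
    """A folded DKIM-Signature value as a signer would emit it for `body`.

    b= is a placeholder: the real value is the RSA signature over the
    canonicalized headers, which requires the selector's private key.
    """
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.jp; s=sel2013;\r\n"
            "\th=from:to:subject:date;\r\n"
            "\tbh=" + body_hash(body, "relaxed") + ";\r\n"
            "\tb=PLACEHOLDER-needs-private-key")


if __name__ == "__main__":
    tags = parse_dkim_tags(sample_signature_header(SAMPLE_BODY))
    print("From signed:", from_is_signed(tags))
    print("bh matches:", check_body_hash(tags, SAMPLE_BODY))
    print("bh after tampering:", check_body_hash(tags, SAMPLE_BODY.replace("Bob", "Mallory")))
```

The relaxed mode is why a body that a mailing list or gateway re-wrapped with extra spaces or trailing blank lines still hashes the same, while any change to the words breaks bh= and therefore the signature.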
STD 76: DomainKeys Identified Mail (DKIM)
Return-Path:
Authentication-Results: … dkim=pass
From:
To:
Cc:
Subject:
Hi, Bob
We can’t read them even if they
were displayed on here…
About 40% of e-mail traffic can be verified by DKIM (June 2013, by MIC).
Remaining problem: how to present the verification results to end users.
HELO sender.example.jp
Mail From:sender@example.jp
Rcpt To:rcpt@aams.jp
DATA
…
.
Verified by
DKIM
Protected optionally
Using both DKIM and SPF
Return-Path:
Authentication-Results: … spf=pass,
dkim=pass, …
From:
To:
Cc:
Subject:
Hi, Bob
We can’t read them even if they
were displayed on here…
Sender information (Return-Path/From) becomes very hard to spoof!
HELO sender.example.jp
Mail From:sender@example.jp
Rcpt To:rcpt@aams.jp
DATA
…
.
Sender info is verified
Protected optionally
DMARC
Return-Path:
Authentication-Results: … spf=?,
dkim=?, dmarc=pass, …
From:
To:
Cc:
Subject:
Hi, Bob
We can’t read them even if they
were displayed on here…
DMARC uses the results of DKIM or SPF. If SPF passes and DKIM fails, DMARC checks the
consistency between the “From:” and “Return-Path:” headers.
Senders can declare the processing policy for e-mail whose DMARC result is “fail”.
HELO sender.example.jp
Mail From:sender@example.jp
Rcpt To:rcpt@aams.jp
DATA
…
.
Checked by consistency
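The consistency check on this slide, and the "double existence" of sender information on the earlier mailing-list slides, come down to the same comparison: the domain in the header From: against the domain that SPF (Return-Path) or DKIM (d=) actually authenticated. The evaluator below is an added example, not the author's code or any DMARC library. The _dmarc records are constructed fixtures, and organizational_domain() uses a last-two-labels simplification where real verifiers consult the Public Suffix List.

```python
from typing import Dict, List, Optional, Tuple

# Constructed DNS fixture (not real records): _dmarc.<domain> TXT records.
FAKE_DMARC_DNS: Dict[str, str] = {
    "_dmarc.example.jp": "v=DMARC1; p=reject; aspf=r; adkim=r; rua=mailto:dmarc-rua@example.jp",
    "_dmarc.aams.jp": "v=DMARC1; p=quarantine; aspf=s; adkim=s",
}


def organizational_domain(domain: str) -> str:
    """Simplification: the last two labels. Real verifiers use the Public
    Suffix List, so e.g. names under co.jp need more labels than this."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        name, _, value = part.partition("=")
        if name.strip():
            tags[name.strip().lower()] = value.strip()
    return tags


def lookup_dmarc(from_domain: str,
                 dns: Dict[str, str] = FAKE_DMARC_DNS) -> Optional[Dict[str, str]]:
    """Try _dmarc.<From domain>, then fall back to the organizational domain."""
    for d in (from_domain, organizational_domain(from_domain)):
        txt = dns.get("_dmarc." + d.lower())
        if txt and txt.upper().startswith("V=DMARC1"):
            return parse_dmarc_record(txt)
    return None


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed (r): same organizational domain. Strict (s): identical domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(from_header: str, spf_result: str, spf_domain: str,
                   dkim_results: List[Tuple[str, str]],
                   dns: Dict[str, str] = FAKE_DMARC_DNS) -> Tuple[str, str]:
    """Return (dmarc result, disposition requested by the sender's policy).

    spf_domain is the RFC5321.MailFrom (Return-Path) domain; dkim_results is
    a list of (result, d= domain) pairs, one per DKIM-Signature on the message.
    """
    from_domain = from_header.rsplit("@", 1)[-1].strip(">").lower()
    record = lookup_dmarc(from_domain, dns)
    if record is None:
        return ("none", "none")
    aspf = record.get("aspf", "r")
    adkim = record.get("adkim", "r")
    # An authentication result only counts when its identifier aligns with From:.
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_ok = any(r == "pass" and aligned(from_domain, d, adkim) for r, d in dkim_results)
    if spf_ok or dkim_ok:
        return ("pass", "none")
    return ("fail", record.get("p", "none"))


if __name__ == "__main__":
    # SPF passed for an unrelated domain: authenticated, but not aligned with From:.
    print(evaluate_dmarc("alice@example.jp", "pass", "attacker.example",
                         [("pass", "attacker.example")]))
```

This is exactly the case the earlier slides warned about: MAIL FROM can be anything the sending server chooses, so an SPF pass for an unrelated domain proves nothing about the visible From:, and DMARC therefore ignores it.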
Remaining problems around sender authentication
Visualization of the results
Domain reputation
JIPDEC is trying to visualize the DKIM result together with domain reputation (a white list).
S/MIME signing
From:
To:
Cc:
Subject:
Hi, Bob
We can’t read them even if they
were displayed on here…
From:
To:
Cc:
Subject:
Content-Type: multipart/signed
-- separator
Hi, Bob
We can’t read them even if they
were displayed on here…
-- separator
(signature encrypted with the sender’s secret key)
-- separator --
Attach the signature encrypted with the sender’s secret key…
S/MIME signing
From:
To:
Cc:
Subject:
Content-Type: multipart/signed
-- separator
Hi, Bob
We can’t read them even if they
were displayed on here…
-- separator
(signature encrypted with the sender’s secret key)
-- separator --
Decrypt the encrypted signature with the public key obtained from the CA/PKI, and verify the whole message.
End-to-end protection against alteration and spoofing.
Remaining problems around S/MIME
Secret key management
Deployment to web-mail environments
Oops! Only against sender spoofing?
We also hate server spoofing and sniffing!
In the current status of e-mail standardization,
we are ready to perform server authentication and path encryption
on the whole sending path, at least in the RFCs.
Really?
[Diagram: protocols used for inbound delivery with path encryption]
Components: MUA, browser, mailbox (Mbox), WebMail server (MBOX type), WebMail gateway with IMAP, MTA / MDA / MTA
Protocols: RFC 5321 (SMTP), RFC 2023, RFC 3501 (IMAP), RFC 1939 (POP3), RFC 3207 (SMTP STARTTLS), RFC 4616 (SASL PLAIN)
[Diagram: protocols used for outbound submission with path encryption]
Components: MUA, browser, mailbox (Mbox), WebMail server (MBOX type), WebMail gateway with IMAP, MTA / MSA / MTA
Protocols: RFC 6409 (Message Submission), RFC 5321 (SMTP), RFC 3501 (IMAP), RFC 3207 (SMTP STARTTLS), RFC 4616 (SASL PLAIN)
Sure. The key person is Paul Hoffman.
The RFCs that use TLS with the e-mail protocols are already Proposed Standards.
However, we often meet people caught in the dilemma below.
http://xkcd.com/927
Those were past tales.
The current status is…
Yahoo! Japan’s personal data breach (May 2013)
Adobe’s user data breach (Oct 2013)
“Weaken Password Authentication and Mail Services” (Oct 2012 / Email Security Conference)
Attack using lists of compromised accounts
• “List-type account cracking”
• “List-type illegal access”
• “Attack by listed passwords”
An attack that uses accounts/passwords breached somewhere else.
Illegal access to system accounts
More breached accounts/passwords, alteration of web content,
distribution of malware, progression to APT…
Illegal access to mail accounts
Delivery of massive spam, data breach from IMAP servers…
In other words, these are spoofing by account.
On the message text or on the messaging protocol, spoofing has become harder,
so attackers have changed their target to user authentication.
Impacts on the usual anti-spoofing technology
from lists of compromised accounts
• Illegal use of mail accounts
– Both SPF and DKIM are then used illegally as well
• Sender authentication is vulnerable to compromised accounts
– Bad reputation
• Your server is sending spam!
• Illegal use of system accounts
– Who protects your secret key?
• S/MIME is also vulnerable to compromised accounts
The side effects of massive spam sending are here.
What is the problem if your server is listed on SenderBase or an RBL?
Damages on sending servers
• “Red-marked” sending servers
– Other servers reject their mail…
• “Connection refused” or “User unknown” is returned
after a lookup of the RBL
– Many complaints come from users: “I can’t send e-mail”
• Man-hours to respond to the complaints
• Man-hours to get removed from RBLs
– Like whack-a-mole…
• Exhausted operators
– “Too many to manage them!” (voice at a BOF)
– “We are rushed off our feet” (voice on a mailing list)
Damages on mailbox servers
• Breach of stored e-mail (especially from IMAP)
– Secondary damages
• Breach of another service
• Breach of stored passwords
• Breach of massive numbers of e-mail addresses
• The stolen e-mail can be reused for targeted attacks
Against the downward spiral…
• If you leave the compromised accounts alone…
– Massive spam is sent day by day
– All your sending servers are marked “Red”
– The account is also blacklisted on other services
– Your service is almost terminated
• A mail service whose users can’t send e-mail…
– Your users will say “So, e-mail is finished!”
• So administrators will
– be forced to turn off all the compromised accounts (△)
• A phase of crisis management
– search for a technical solution (◎)
• Because you are an engineer!
BBSec Anti-Abuse Mail Service detects compromised accounts
and takes care of the customers silently through human support.
In the case of BBSec
• At the start of the service, we acted against DHA
– Fewer breaches of mail addresses from mail servers
• In July 2012, we started to detect compromised accounts
– We could move before the attack became active in Japan.
• With our customer ISPs, we established a fixed customer-care flow
– We support end users in changing their passwords to safer ones.
• “End user – Customer ISP – BBSec” work together.
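The slides say that compromised accounts are detected but not how; the heuristic below is an added, hypothetical example of the kind of check an operator can run over a submission server's authentication log, and it is not BBSec's method or code. The log lines are constructed, and the thresholds (more than two client IPs, or more than 200 recipients, within any one-hour window) are illustrative values an operator would tune to their own traffic. An account that trips either rule is a candidate for the customer-care flow described above, not an automatic shutdown.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed submission-server log (not real data): one line per
# authenticated SMTP submission with time, account, client IP, recipients.
SAMPLE_LOG = """\
2013-07-02T03:14:05Z auth=alice@example.jp ip=203.0.113.5 rcpts=1
2013-07-02T03:20:11Z auth=alice@example.jp ip=203.0.113.5 rcpts=2
2013-07-02T03:21:40Z auth=bob@example.jp ip=198.51.100.7 rcpts=1
2013-07-02T03:22:02Z auth=bob@example.jp ip=192.0.2.44 rcpts=120
2013-07-02T03:22:30Z auth=bob@example.jp ip=192.0.2.91 rcpts=150
2013-07-02T03:23:01Z auth=bob@example.jp ip=203.0.113.200 rcpts=140
2013-07-02T03:40:00Z auth=carol@example.jp ip=198.51.100.9 rcpts=95
2013-07-02T04:10:00Z auth=carol@example.jp ip=198.51.100.9 rcpts=90
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<acct>\S+) ip=(?P<ip>\S+) rcpts=(?P<rcpts>\d+)$")


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "acct": m["acct"], "ip": m["ip"], "rcpts": int(m["rcpts"])})
    return events


def find_suspicious_accounts(events: List[dict], window: timedelta = timedelta(hours=1),
                             max_ips: int = 2, max_rcpts: int = 200) -> Dict[str, List[str]]:
    """Flag accounts that, inside any sliding window, authenticate from more
    than max_ips distinct client addresses or address more than max_rcpts
    recipients. Returns {account: [reasons]} for the flagged accounts only."""
    by_acct: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_acct[ev["acct"]].append(ev)
    flagged: Dict[str, List[str]] = {}
    for acct, evs in by_acct.items():
        peak_ips = peak_rcpts = 0
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events fit inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            peak_ips = max(peak_ips, len({e["ip"] for e in in_window}))
            peak_rcpts = max(peak_rcpts, sum(e["rcpts"] for e in in_window))
        reasons = []
        if peak_ips > max_ips:
            reasons.append(f"{peak_ips} distinct client IPs within {window}")
        if peak_rcpts > max_rcpts:
            reasons.append(f"{peak_rcpts} recipients within {window}")
        if reasons:
            flagged[acct] = reasons
    return flagged


if __name__ == "__main__":
    for acct, why in find_suspicious_accounts(parse_log(SAMPLE_LOG)).items():
        print(acct, "->", "; ".join(why))
```

The two signals complement each other: a listed-password attack typically shows up first as logins from several unrelated networks, and only afterwards as recipient volume, so an operator who alerts on the IP spread can reach the user before the server lands on an RBL.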
Preparation against the threat
Discussion in M3AAWG
(Feb 2012 to June 2012)
M3AAWG
• Messaging, Malware & Mobile Anti-Abuse Working Group
– Industry group with 220 organizations
• All major messaging companies participate
– Google, Facebook, Twitter, Apple, Microsoft…
• Acts to standardize technology and produce BCPs
– For example, DMARC
– Similar to the W3C in web technology
• Three general meetings per year
– They hold round-table sessions in the morning to discuss…
» Compromised accounts
» Outbound filtering
and so on.
Preparation is important!
If you believe digital certificates protect you from spoofing…
CAs can issue certificates for any domain.
The problem of “digital certificates for spoofing”
New!
http://thehackernews.com/2013/12/fake-google-ssl-certificates-made-in.html
In the future, can we see some seeds?
Improved user authentication
More deployment of sender authentication
Against pervasive monitoring?
S/MIME? Path encryption (TLS)?
Certificate verification by DANE
ETSI Registered Electronic Mail
(e-mail with strong authentication, e.g. De-Mail)
BCP38/84 against UDP source address spoofing
RPKI for verifying the origin of routing information
Q & A time

More Related Content

Similar to Jipdec 20131216-english

B2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the InboxB2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the InboxB2BCamp
 
How to Trace an E-mail Part 1
How to Trace an E-mail Part 1How to Trace an E-mail Part 1
How to Trace an E-mail Part 1Lebowitzcomics
 
Technical Background Overview Ppt
Technical Background Overview PptTechnical Background Overview Ppt
Technical Background Overview PptAntonio Ieranò
 
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) ProtocolE-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) ProtocolVishal Kumar
 
Kamaelia Grey
Kamaelia GreyKamaelia Grey
Kamaelia Greykamaelian
 
A guide to email spoofing
A guide to email spoofingA guide to email spoofing
A guide to email spoofingMattChapman50
 
Os Saintandre
Os SaintandreOs Saintandre
Os Saintandreoscon2007
 
Secure Communications with Jabber
Secure Communications with JabberSecure Communications with Jabber
Secure Communications with Jabberstpeter
 
Information Systems Security3Information Systems Secur.docx
Information Systems Security3Information Systems Secur.docxInformation Systems Security3Information Systems Secur.docx
Information Systems Security3Information Systems Secur.docxjaggernaoma
 
The 1990s Called. They Want Their Code Back.
The 1990s Called. They Want Their Code Back.The 1990s Called. They Want Their Code Back.
The 1990s Called. They Want Their Code Back.Jonathan Oliver
 
XMPP For Cloud Computing
XMPP For Cloud ComputingXMPP For Cloud Computing
XMPP For Cloud ComputingBluendo
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkSecurityTube.Net
 
XMPP Intro 1101 - 2008
XMPP Intro 1101 - 2008XMPP Intro 1101 - 2008
XMPP Intro 1101 - 2008Steffen Larsen
 
Networking presentation
Networking presentationNetworking presentation
Networking presentationPushkar Mishra
 
La seguridad sí importa: Windows Live & IE9
La seguridad sí importa: Windows Live & IE9La seguridad sí importa: Windows Live & IE9
La seguridad sí importa: Windows Live & IE9Eventos Creativos
 

Similar to Jipdec 20131216-english (20)

EmailTracing.ppt
EmailTracing.pptEmailTracing.ppt
EmailTracing.ppt
 
B2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the InboxB2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the Inbox
 
How to Trace an E-mail Part 1
How to Trace an E-mail Part 1How to Trace an E-mail Part 1
How to Trace an E-mail Part 1
 
Technical Background Overview Ppt
Technical Background Overview PptTechnical Background Overview Ppt
Technical Background Overview Ppt
 
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) ProtocolE-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
E-Mail Security Protocol - 1 Privacy Enhanced Mail (PEM) Protocol
 
Kamaelia Grey
Kamaelia GreyKamaelia Grey
Kamaelia Grey
 
Find ip address
Find ip addressFind ip address
Find ip address
 
A guide to email spoofing
A guide to email spoofingA guide to email spoofing
A guide to email spoofing
 
Os Saintandre
Os SaintandreOs Saintandre
Os Saintandre
 
Secure Communications with Jabber
Secure Communications with JabberSecure Communications with Jabber
Secure Communications with Jabber
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
 
Information Systems Security3Information Systems Secur.docx
Information Systems Security3Information Systems Secur.docxInformation Systems Security3Information Systems Secur.docx
Information Systems Security3Information Systems Secur.docx
 
Mail server
Mail serverMail server
Mail server
 
Mail server
Mail serverMail server
Mail server
 
The 1990s Called. They Want Their Code Back.
The 1990s Called. They Want Their Code Back.The 1990s Called. They Want Their Code Back.
The 1990s Called. They Want Their Code Back.
 
XMPP For Cloud Computing
XMPP For Cloud ComputingXMPP For Cloud Computing
XMPP For Cloud Computing
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and Drink
 
XMPP Intro 1101 - 2008
XMPP Intro 1101 - 2008XMPP Intro 1101 - 2008
XMPP Intro 1101 - 2008
 
Networking presentation
Networking presentationNetworking presentation
Networking presentation
 
La seguridad sí importa: Windows Live & IE9
La seguridad sí importa: Windows Live & IE9La seguridad sí importa: Windows Live & IE9
La seguridad sí importa: Windows Live & IE9
 

Recently uploaded

Basic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumersBasic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumersPedroFerreira53928
 
PART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePedroFerreira53928
 
Advances in production technology of Grapes.pdf
Advances in production technology of Grapes.pdfAdvances in production technology of Grapes.pdf
Advances in production technology of Grapes.pdfDr. M. Kumaresan Hort.
 
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdfDanh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdfQucHHunhnh
 
Fish and Chips - have they had their chips
Fish and Chips - have they had their chipsFish and Chips - have they had their chips
Fish and Chips - have they had their chipsGeoBlogs
 
Benefits and Challenges of Using Open Educational Resources
Benefits and Challenges of Using Open Educational ResourcesBenefits and Challenges of Using Open Educational Resources
Benefits and Challenges of Using Open Educational Resourcesdimpy50
 
slides CapTechTalks Webinar May 2024 Alexander Perry.pptx
slides CapTechTalks Webinar May 2024 Alexander Perry.pptxslides CapTechTalks Webinar May 2024 Alexander Perry.pptx
slides CapTechTalks Webinar May 2024 Alexander Perry.pptxCapitolTechU
 
The Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve ThomasonThe Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve ThomasonSteve Thomason
 
The Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational ResourcesThe Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational Resourcesaileywriter
 
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...Nguyen Thanh Tu Collection
 
Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxJheel Barad
 
Forest and Wildlife Resources Class 10 Free Study Material PDF
Forest and Wildlife Resources Class 10 Free Study Material PDFForest and Wildlife Resources Class 10 Free Study Material PDF
Forest and Wildlife Resources Class 10 Free Study Material PDFVivekanand Anglo Vedic Academy
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaasiemaillard
 
Matatag-Curriculum and the 21st Century Skills Presentation.pptx
Matatag-Curriculum and the 21st Century Skills Presentation.pptxMatatag-Curriculum and the 21st Century Skills Presentation.pptx
Matatag-Curriculum and the 21st Century Skills Presentation.pptxJenilouCasareno
 
Salient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptxSalient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptxakshayaramakrishnan21
 
Additional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdfAdditional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdfjoachimlavalley1
 
[GDSC YCCE] Build with AI Online Presentation
[GDSC YCCE] Build with AI Online Presentation[GDSC YCCE] Build with AI Online Presentation
[GDSC YCCE] Build with AI Online PresentationGDSCYCCE
 
Basic_QTL_Marker-assisted_Selection_Sourabh.ppt
Basic_QTL_Marker-assisted_Selection_Sourabh.pptBasic_QTL_Marker-assisted_Selection_Sourabh.ppt
Basic_QTL_Marker-assisted_Selection_Sourabh.pptSourabh Kumar
 
Basic Civil Engg Notes_Chapter-6_Environment Pollution & Engineering
Basic Civil Engg Notes_Chapter-6_Environment Pollution & EngineeringBasic Civil Engg Notes_Chapter-6_Environment Pollution & Engineering
Basic Civil Engg Notes_Chapter-6_Environment Pollution & EngineeringDenish Jangid
 

Recently uploaded (20)

Basic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumersBasic phrases for greeting and assisting costumers
Basic phrases for greeting and assisting costumers
 
PART A. Introduction to Costumer Service
PART A. Introduction to Costumer ServicePART A. Introduction to Costumer Service
PART A. Introduction to Costumer Service
 
Advances in production technology of Grapes.pdf
Advances in production technology of Grapes.pdfAdvances in production technology of Grapes.pdf
Advances in production technology of Grapes.pdf
 
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdfDanh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
Danh sách HSG Bộ môn cấp trường - Cấp THPT.pdf
 
Fish and Chips - have they had their chips
Fish and Chips - have they had their chipsFish and Chips - have they had their chips
Fish and Chips - have they had their chips
 
Benefits and Challenges of Using Open Educational Resources
Benefits and Challenges of Using Open Educational ResourcesBenefits and Challenges of Using Open Educational Resources
Benefits and Challenges of Using Open Educational Resources
 
slides CapTechTalks Webinar May 2024 Alexander Perry.pptx
slides CapTechTalks Webinar May 2024 Alexander Perry.pptxslides CapTechTalks Webinar May 2024 Alexander Perry.pptx
slides CapTechTalks Webinar May 2024 Alexander Perry.pptx
 
The Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve ThomasonThe Art Pastor's Guide to Sabbath | Steve Thomason
The Art Pastor's Guide to Sabbath | Steve Thomason
 
NCERT Solutions Power Sharing Class 10 Notes pdf
NCERT Solutions Power Sharing Class 10 Notes pdfNCERT Solutions Power Sharing Class 10 Notes pdf
NCERT Solutions Power Sharing Class 10 Notes pdf
 
The Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational ResourcesThe Benefits and Challenges of Open Educational Resources
The Benefits and Challenges of Open Educational Resources
 
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
50 ĐỀ LUYỆN THI IOE LỚP 9 - NĂM HỌC 2022-2023 (CÓ LINK HÌNH, FILE AUDIO VÀ ĐÁ...
 
Instructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptxInstructions for Submissions thorugh G- Classroom.pptx
Instructions for Submissions thorugh G- Classroom.pptx
 
Forest and Wildlife Resources Class 10 Free Study Material PDF
Forest and Wildlife Resources Class 10 Free Study Material PDFForest and Wildlife Resources Class 10 Free Study Material PDF
Forest and Wildlife Resources Class 10 Free Study Material PDF
 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
 
Matatag-Curriculum and the 21st Century Skills Presentation.pptx
Matatag-Curriculum and the 21st Century Skills Presentation.pptxMatatag-Curriculum and the 21st Century Skills Presentation.pptx
Matatag-Curriculum and the 21st Century Skills Presentation.pptx
 
Salient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptxSalient features of Environment protection Act 1986.pptx
Salient features of Environment protection Act 1986.pptx
 
Additional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdfAdditional Benefits for Employee Website.pdf
Additional Benefits for Employee Website.pdf
 
[GDSC YCCE] Build with AI Online Presentation
[GDSC YCCE] Build with AI Online Presentation[GDSC YCCE] Build with AI Online Presentation
[GDSC YCCE] Build with AI Online Presentation
 
Basic_QTL_Marker-assisted_Selection_Sourabh.ppt
Basic_QTL_Marker-assisted_Selection_Sourabh.pptBasic_QTL_Marker-assisted_Selection_Sourabh.ppt
Basic_QTL_Marker-assisted_Selection_Sourabh.ppt
 
Basic Civil Engg Notes_Chapter-6_Environment Pollution & Engineering
Basic Civil Engg Notes_Chapter-6_Environment Pollution & EngineeringBasic Civil Engg Notes_Chapter-6_Environment Pollution & Engineering
Basic Civil Engg Notes_Chapter-6_Environment Pollution & Engineering
 

Jipdec 20131216-english

  • 1. Against Mail Spoofing Past, Current, and the Future Broadband Security, Inc. Kazunori ANDO These slides are made for “An-Shin-Kan café” seminar at JIPDEC (Dec,16 2013) Original version is in Japanese and translated by author.
  • 2. Internet Magazine July,2005…special feature article “Threats on the net and defence technology” Internet Week 2003 Tutorial “Current status of Mail systems” Internet Week 99 Tutorial “DNS&Mail” I’ve traced and mentioned about “Spoofing” problem continuously!
  • 3. “Anti-Spoofing = How to verify the sender”
  • 4. Beginning of e-mail… From: To: Cc: Subject: Hi, John These characters are lune for me. … In ancient days, e-mails(text files) were delivered to receiving servers by FTP or UUCP.
  • 5. Message Format From: To: Cc: Subject: Hi, Bob We can’t read them even if they were displayed on here… … It must have information about recipients. Later the message format of e-mail is standardized in RFC822 (by Dave Crocker)
  • 6. Sending Protocol Hi, Bob We can’t read them even if they were displayed on here… … On the other hand, the sending protocol become original one, and standardized in RFC821 (by Jon Postel) HELO sender.example.jp Mail From:sender@example.jp Rcpt To:rcpt@aams.jp DATA … .
  • 7. Double existence of Sender/Rcpts info HELO sender.example.jp Mail From:sender@example.jp Rcpt To:rcpt@aams.jp DATA … . From: To: Cc: Subject: Message-ID: ◯◯様 平素よりお世話になっております … From: To: Cc: Subject: Hi, Bob We can’t read them even if they were displayed on here… … Message body is delivered to the recipients as a text file, but sending/receiving log can’t be checked by all the receivers.
  • 8. Difference between two delivery informations… HELO sender.example.jp Mail From:sender@example.jp Rcpt To:rcpt@aams.jp DATA … . From: To: Cc: Subject: Message-ID: ◯◯様 平素よりお世話になっております … From: To: Cc: Subject: Hi, Bob We can’t read them even if they were displayed on here… … Within the situation “Users describe the deliver information in the text, and MUA read and use them for actual delivery”, no difference occurs between these two.
  • 9. maillist server Difference occurs in usual usage HELO sender.example.jp Mail From:sender@example.jp Rcpt To:ml@aams.jp DATA … . From: To: Cc: Subject: Message-ID: ◯◯様 平素よりお世話になっております … From: To: Cc: Subject: Hi, Bob We can’t read them even if they were displayed on here… … If the author of the message is different to the sender which deliver the message, these two deliver information may be different. (for example: mail lists). In order to deliver the message to target recipients the recipients information in the sending protocol can’t be spoofed. However, the other information can be spoofed. HELO ml.aams.jp Mail From:ml-owner@aams.jp Rcpt To:ml-rcpt@example.net DATA … .
  • 10. From the receiver side… Return-Path: From: To: Cc: Subject: Hi, Bob We can’t read them even if they were displayed on here… The reliable information to confirm the sender is only sender’s IP address. The other information can be spoofed except receivers’ address on the protocol. HELO sender.example.jp Mail From:sender@example.jp Rcpt To:rcpt@aams.jp DATA … . No protection from spoofing!
  • 11. “E-mail is past technology” ? Return-Path: From: To: Cc: Subject: Hi, Bob We can’t read them even if they were displayed on here… The sender’s IP address can be spoofed by route hijacking… HELO sender.example.jp Mail From:sender@example.jp Rcpt To:rcpt@aams.jp DATA … .
  • 12. Spoofing on the origin of the routing information?
  • 13. JANOG30 Meeting (July, 2012) I also pointed out the needs of anti- spoofing on the routing in 2005, and RPKI go covering to verify the origin of routing information… Internet Magazine July,2005…special feature article “Threats on the net and defence technology”
  • 14. March,2013 DNSamp / Spamhaus The problem of reflection attack using IP src address spoofing is not fully covered yet… BCP38 ! uRPF ! Internet Magazine July,2005…special feature article “Threats on the net and defence technology”
  • 15. How did e-mail engineers effort against spoofing ?
  • 16. Sender Policy Framework(SPFbis) Return-Path: Authentication-Results: … spf=pass From: To: Cc: Subject: Hi, Bob We can’t read them even if they were displayed on here… SPF check the consistency between the sender’s domain (or sender’s FQDN following HELO command) and the IP address of sending server using SPF RR on DNS. The sender’s domain appears in Return-Path header in the message. HELO sender.example.jp Mail From:sender@example.jp Rcpt To:rcpt@aams.jp DATA … . Verified by SPF
  • 17. Sender Policy Framework(SPFbis) Return-Path: Authentication-Results: … spf=pass From: To: Cc: Subject: Hi, Bob We can’t read them even if they were displayed on here… In Japan, over 90% of e-mail traffic can be checked by SPF (June,2013). Remaining problem: How to appeal the results of verifying to end users. HELO sender.example.jp Mail From:sender@example.jp Rcpt To:rcpt@aams.jp DATA … . Verified by SPF
  • 18. STD76: DomainKeys Identified Mail (DKIM)
    Sign with the secret key on the sending server; verify the signature with the public key fetched via DNS on the receiving server. The signature can cover headers and the message body, but only the “From:” header must be included in it.
    [Figure: SMTP envelope (HELO sender.example.jp / Mail From:sender@example.jp / Rcpt To:rcpt@aams.jp / DATA … .); message headers Return-Path:, Authentication-Results: … dkim=pass, From: (marked “Verified by DKIM”), To:, Cc:, Subject:, body (marked “Protected optionally”)]
  • 19. STD76: DomainKeys Identified Mail (DKIM)
    About 40% of e-mail traffic can be verified by DKIM (June 2013, by MIC).
    Remaining problem: how to present the verification results to end users.
    [Figure: same envelope and message as slide 18, marked “Verified by DKIM” / “Protected optionally”]
  • 20. Using both DKIM and SPF
    Sender information (Return-Path/From) becomes very hard to spoof!
    [Figure: same envelope; message headers Return-Path:, Authentication-Results: … spf=pass, dkim=pass, …, From: (marked “Sender info is verified”), To:, Cc:, Subject:, body (marked “Protected optionally”)]
  • 21. DMARC
    DMARC uses the results of DKIM or SPF. If SPF passes and DKIM fails, DMARC checks the consistency between the “From:” and “Return-Path:” headers. Senders can declare the processing policy for e-mail whose DMARC result is “fail”.
    [Figure: same envelope; message headers Return-Path:, Authentication-Results: … spf=?, dkim=?, dmarc=pass, …, From:, To:, Cc:, Subject: (marked “Checked by consistency”)]
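The DMARC logic of slide 21 and the “only From: must be signed” rule of slide 18, as an added example (not code from the slides): identifier alignment between the From: domain and the SPF identity (Return-Path) or the DKIM d= domain, driven by a constructed _dmarc record with adkim/aspf and p= tags. SPF and DKIM results are passed in as already computed (signature verification itself is not modelled); the messages, the record and the two-label approximation of the organizational domain are assumptions for the demo.

```python
import email
import email.utils
from email import policy as email_policy

# Constructed _dmarc TXT record for the From: domain (example data, not real DNS).
FAKE_DMARC = {"example.jp": "v=DMARC1; p=reject; adkim=s; aspf=r"}

# Constructed DKIM-Signature values (bh=/b= are placeholders, not real signatures).
SIG_FROM_SIGNED = "v=1; a=rsa-sha256; d=example.jp; s=sel; h=from:to:subject; bh=X; b=X"
SIG_SUBDOMAIN = "v=1; a=rsa-sha256; d=mail.example.jp; s=sel; h=from:to; bh=X; b=X"
SIG_NO_FROM = "v=1; a=rsa-sha256; d=example.jp; s=sel; h=to:subject; bh=X; b=X"


def build_message(return_path, dkim_sig=None):
    """Construct a minimal test message (example data). The From: domain is always
    example.jp; Return-Path and DKIM-Signature vary per scenario."""
    headers = [f"Return-Path: <{return_path}>"]
    if dkim_sig:
        headers.append(f"DKIM-Signature: {dkim_sig}")
    headers += ["From: Sender <sender@example.jp>", "To: rcpt@aams.jp", "Subject: Hi, Bob"]
    return "\n".join(headers) + "\n\nHi, Bob\n"


def parse_tags(text):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC records and DKIM-Signature."""
    tags = {}
    for part in text.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption for this
    demo; real verifiers consult the Public Suffix List)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(domain, from_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if not domain:
        return False
    if mode == "s":
        return domain.lower() == from_domain.lower()
    return org_domain(domain) == org_domain(from_domain)


def addr_domain(header_value):
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def dkim_signing_domain(msg):
    """d= of the DKIM-Signature, but only if From: is among the signed headers (h=):
    RFC 6376 requires From: to be signed, so a signature without it yields no identity."""
    sig = msg["DKIM-Signature"]
    if not sig:
        return ""
    tags = parse_tags(str(sig))
    signed = {h.strip().lower() for h in tags.get("h", "").split(":")}
    return tags.get("d", "").lower() if "from" in signed else ""


def evaluate_dmarc(raw_message, spf_result, dkim_result, dns=FAKE_DMARC):
    """Combine already-computed SPF/DKIM results with alignment against the From: domain."""
    msg = email.message_from_string(raw_message, policy=email_policy.default)
    from_domain = addr_domain(msg["From"])
    spf_domain = addr_domain(msg["Return-Path"])   # SPF identity = MAIL FROM / Return-Path
    dkim_domain = dkim_signing_domain(msg)
    record = dns.get(from_domain) or dns.get(org_domain(from_domain))
    if record is None:
        return {"result": "none", "disposition": "none", "from": from_domain}
    tags = parse_tags(record)                      # DMARC default alignment mode is relaxed
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    result = "pass" if (spf_ok or dkim_ok) else "fail"
    return {"result": result,
            "disposition": "none" if result == "pass" else tags.get("p", "none"),
            "from": from_domain, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}
```

The spoofing case on the slide is the second scenario below: a sender whose own Return-Path domain passes SPF but whose From: says example.jp gets `dmarc=fail` and the published `p=reject` disposition, because the two identities do not align.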
  • 22. Remaining problems around Sender Authentication: visualization of the results; domain reputation.
  • 23. JIPDEC is trying to visualize the DKIM result with domain reputation (white list).
  • 24. S/MIME signing
    Attach the signature encrypted with the sender’s secret key…
    [Figure: original message (From:, To:, Cc:, Subject:, body “Hi, Bob …”) beside the signed message: From:, To:, Cc:, Subject:, Content-Type: multipart/signed, “-- separator”, body, “-- separator”, (signature encrypted with sender’s secret key), “-- separator --”]
  • 25. S/MIME signing
    Decrypt the encrypted signature with the public key from the CA/PKI, and verify the whole message. End-to-end anti-alteration and anti-spoofing.
    [Figure: the signed message of slide 24 (Content-Type: multipart/signed, separators, body, signature)]
  • 26. Remaining problems around S/MIME: secret key management; deployment to web-mail environments.
  • 27. Oops! Only against sender spoofing? We also hate server spoofing and sniffing!
  • 28. In the current status of e-mail standardization, we are ready to perform server authentication and path encryption on the whole sending path, at least in the RFCs.
  • 30. Protocols used for inbound delivery with path encryption
    [Diagram: MUA / Browser ↔ WebMail server (MBOX type, or WebMail gateway with IMAP) ↔ Mbox ↔ MDA ↔ MTA ↔ MTA. Protocols labelled: RFC5321 (SMTP), RFC2023, RFC3501 (IMAP), RFC1939 (POP3), RFC3207 (STARTTLS), RFC4616 (SASL PLAIN)]
  • 31. Protocols used for outbound submission with path encryption
    [Diagram: MUA / Browser ↔ WebMail server (MBOX type, or WebMail gateway with IMAP) ↔ Mbox ↔ MSA ↔ MTA ↔ MTA. Protocols labelled: RFC6409 (Submission), RFC5321 (SMTP), RFC3501 (IMAP), RFC3207 (STARTTLS), RFC4616 (SASL PLAIN)]
  • 32. Sure. The key person is Paul Hoffman.
  • 33. RFCs using TLS around e-mail protocols are already in Proposed Standard. However, we often encounter some people in a dilemma as below. http://xkcd.com/927
  • 34. These are past tales.
  • 36. Yahoo! Japan’s personal data breach (May 2013); Adobe’s user data breach (Oct 2013)
  • 37. “Weakened Password Authentication and Mail Services” (Oct 2012 / Email Security Conference)
  • 38. Attacks using lists of compromised accounts
    • “Listed type of account cracking” / “Listed type of illegal access” / “Attack by listed passwords”
    Attacks using accounts/passwords breached somewhere else.
    • Illegal access to system accounts: more breached accounts/passwords, alteration of web content, distribution of malware, progression to APT…
    • Illegal access to mail accounts: delivering massive spam, data breach from IMAP servers…
  • 39. In other words, these are Spoofing by Account.
  • 40. Spoofing on the message text or on the messaging protocol has become harder, so attackers have changed their target to user authentication.
  • 41. Impact of lists of compromised accounts on the usual anti-spoofing technology
    • Illegal use of mail accounts
      – Both SPF and DKIM also pass for the illegal mail
    • Sender authentication is vulnerable to compromised accounts
      – Bad reputation
        • Your server is sending spam!
    • Illegal use of system accounts
      – Who protects your secret key?
      • S/MIME is also vulnerable to compromised accounts
  • 42. The side effects of massive spam sending are as follows.
  • 43. What is the problem if your server is listed on SenderBase or RBL?
  • 44. Damages on sending servers
    • “Red-marked” sending servers
      – Other servers reject its mail…
        • “Connection refused” or “User unknown” is returned after an RBL lookup
      – Many complaints come from users: “I can’t send e-mail”
        • Man-hours to respond to complaints
        • Man-hours to get removed from RBLs
      – Like whack-a-mole…
    • Exhausted operators
      – “Too many to manage!” (voice at a BOF)
      – “We are rushed off our feet” (voice on a mailing list)
  • 45. Damages on mailbox servers
    • Breach of stored e-mail (especially from IMAP)
      – Secondary damages
        • Breach of another service
        • Breach of stored passwords
        • Breach of massive numbers of e-mail addresses
        • E-mail can be reused for targeted attacks
  • 46. Against the downward spiral…
    • If you leave the compromised accounts…
      – Massive spam is sent day by day
      – All your sending servers are marked “Red”
      – The account is also blacklisted on other services
      – Your service is almost terminated
    • A mail service whose users can’t send e-mail…
      – Your users will say “So, e-mail is finished!”
    • So, administrators will
      – be forced to switch off all the compromised accounts (△)
        • A phase of crisis management
      – search for a technical solution (◎)
        • Because you are an engineer!
  • 47. BBSec Anti-Abuse Mail Service detects compromised accounts and cares for the customers silently with human support.
  • 48. In the case of BBSec
    • At the start of the service, we acted against DHA (directory harvest attacks)
      – Fewer breaches of mail addresses from mail servers
    • In July 2012, we started to detect compromised accounts
      – We could move before the attack became active in Japan.
    • With our customer ISPs, we made a fixed flow of customer care
      – We support end users in changing their passwords to safer ones.
    • “End user – Customer ISP – BBSec” are co-working.
  • 49. The preparation against the threat: discussion in M3AAWG (Feb. 2012 to June 2012)
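Slides 46 to 48 describe detecting compromised accounts on the sending side before the server is red-marked, but not how. As an added example (not BBSec’s detection logic, which the slides do not describe), here is one simple heuristic a mail operator can run over submission (MSA) logs: per authenticated account, flag a sliding window in which the recipient count or the number of distinct client IPs exceeds a budget. The log format, the thresholds and the window size are assumptions; the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed MSA log lines: timestamp, authenticated account, client IP, recipient count.
# Example data, not real logs. bob's pattern (many recipients from several IPs within
# seconds) is the shape a listed-password attack tends to leave.
SAMPLE_LOG = """\
2013-12-16T09:00:01 sasl_user=alice@example.jp client=192.0.2.10 nrcpt=1
2013-12-16T09:05:12 sasl_user=alice@example.jp client=192.0.2.10 nrcpt=2
2013-12-16T09:06:40 sasl_user=bob@example.jp client=198.51.100.7 nrcpt=40
2013-12-16T09:06:41 sasl_user=bob@example.jp client=198.51.100.8 nrcpt=45
2013-12-16T09:06:43 sasl_user=bob@example.jp client=203.0.113.3 nrcpt=50
2013-12-16T09:06:44 sasl_user=bob@example.jp client=203.0.113.4 nrcpt=50
2013-12-16T10:30:00 sasl_user=carol@example.jp client=192.0.2.20 nrcpt=60
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, account, client IP, recipients)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["sasl_user"], kv["client"], int(kv["nrcpt"])


def detect_compromised(log_text, window=timedelta(minutes=10), max_rcpts=100, max_clients=3):
    """Return {account: [reasons]} for accounts whose submissions in any `window`
    exceed max_rcpts recipients or come from more than max_clients distinct IPs.
    Thresholds are assumptions; tune them to the normal behaviour of the user base."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, client, nrcpt = parse_line(line)
            events[user].append((ts, client, nrcpt))

    flagged = {}
    for user, evs in events.items():
        evs.sort()
        worst_rcpts, worst_clients, start = 0, 0, 0
        for end in range(len(evs)):                 # sliding window over sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            worst_rcpts = max(worst_rcpts, sum(e[2] for e in win))
            worst_clients = max(worst_clients, len({e[1] for e in win}))
        reasons = []
        if worst_rcpts > max_rcpts:
            reasons.append(f"{worst_rcpts} recipients within {window}")
        if worst_clients > max_clients:
            reasons.append(f"{worst_clients} client IPs within {window}")
        if reasons:
            flagged[user] = reasons
    return flagged
```

A hit is a signal for the customer-care flow the slides describe (contact the user, reset the password), not an automatic lockout; the thresholds should be set from the account population’s own baseline so that legitimate bulk senders are whitelisted rather than flagged.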
  • 51. M3AAWG
    • Messaging, Malware & Mobile Anti-Abuse Working Group
      – Industry group with 220 organizations
    • All major messaging companies participate
      – Google, Facebook, Twitter, Apple, Microsoft…
    • Acts to standardize technology and make BCPs
      – For example, DMARC
      – Similar to W3C in Web technology
    • Three general meetings a year
      – Round Table sessions in the morning to discuss…
        » Compromised accounts
        » Outbound filtering, and so on.
  • 53. If you believe digital certificates protect you from spoofing…
  • 54. CAs can issue certificates for any domain. The problem of “Digital Certificates for Spoofing” (New!) http://thehackernews.com/2013/12/fake-google-ssl-certificates-made-in.html
  • 55. In the future, can we see some seeds?
  • 56.
    • Improved user authentication
    • More deployment of sender authentication
    • For pervasive monitoring? S/MIME? Path encryption (TLS)?
    • Certificate verification by DANE
    • ETSI Registered Electronic Mail (e-mail with strong authentication, e.g. DE mail)
    • BCP38/84 against UDP source address spoofing
    • RPKI for verifying the origin of routing information
  • 57. Q & A time