Network Defense by Richard Power and Rik Farrow

Gripped by the five fingers of e-mail doom?

E-mail is fast, convenient and economical. It has changed the way we do business even more than the fax or the cell phone. According to a recent Zona Research (Mountain View, CA) report, it is more important to business users than either personal productivity applications or Web access. However, e-mail systems are vulnerable to a wide variety of threats from both inside and outside the enterprise. Unless you understand the scope of these threats and take appropriate measures against them, you're risking exposure to a broad spectrum of woes ranging from significant downtime to serious financial losses. Consider the five fingers of e-mail doom: spying, spoofing, denial of service, macro virus proliferation and exposure to civil or criminal liability. You need to understand each of these threats so that you can be ready to break their hold before they take you and your organization's network down.

Spying and spoofing

E-mail isn't simply used to schedule meetings or indulge in office gossip. E-mail is also used to cultivate outside business contacts, brainstorm new ad campaigns, thrash out next year's sales projections and even discuss new product designs. In other words, e-mail is a cornucopia of intelligence for hackers and industrial spies. There is good reason to be concerned. An operation targeting your organization's e-mail system might begin with the compromise of some poorly administered node other than the mail server itself but residing on the same subnet. Once the attacker is in, it would be easy to plant sniffers or keystroke monitors and eventually gain control of the mail server itself. Once the intruder has gotten hold of that server, he or she could reap all sorts of intelligence and wreak all sorts of havoc.
Of course, if the attacker has staked out some turf on one of the major Internet Service Providers, he could just sit out there, cloaked in invisibility, with sniffers filtered to collect only e-mail addressed to your server, without ever penetrating your perimeter. If you don't think your company is at risk from such denizens of the digital netherworld, you are in the minority. According to the results of the Computer Security Institute's 1997 Computer Crime and Security Survey, conducted in collaboration with the FBI Computer Crime Squad, over 50% of respondents reported US-owned corporate competitors to be likely sources for a wide range of attacks, including theft of proprietary information, and well over 70% reported hackers to be a likely source in such attacks.

But it isn't only the confidentiality of your e-mail that is at risk. The integrity of your users' e-mail messages is also easily compromised through e-mail spoofing (i.e., forgery). Slemo Warigon, internal auditor for the University of California (Santa Barbara), explains: "E-mail is particularly easy to forge or spoof; therefore, e-mail messages generally cannot be trusted without secure enhancements such as e-mail encryption and digital signatures. E-mail exchange on the Internet takes place using a simple protocol consisting of ASCII-character commands. A clandestine user (e.g., masquerader) could easily input these commands manually by using telnet to connect directly to a system's Simple Mail Transfer Protocol (SMTP) [RP: telnet, even though it is hard to type or spell. RIK] port. The receiving host trusts that the sending host is who it says it is. Hence the origin of the e-mail can be forged easily by entering a sender address that is different from the actual or true address. One does not necessarily have to use improperly obtained passwords or access privileges in order to forge e-mail.
Any user, without privileges, can forge e-mail by simply masquerading as the 'trusted client' of a particular e-mail system (i.e., the masquerader would change his host's IP address to match that of the trusted client)."

[RP: The parenthetical phrase makes no sense. sendmail does include the notion of a trusted user, and trusted users can send email as any other user (sendmail will not complain). Simply changing your IP address will not work--you can't set up the necessary TCP connection to talk to the mail server that way. Usually, you telnet to SMTP, say HELO whoever, where whoever is the name to masquerade as. Even that is not critical, as the real spoofery happens when you say rcvd from: add-spoof-here. RIK]

Looking for solutions

An IS professional from a Fortune 50 company recently called the CSI Hotline to ask for some help. Her R&D people were e-mailing each other sensitive design documents from remote locations. "I've threatened them, I've cajoled them, but they're going to continue doing it. It is too fast and too convenient. They won't stop." She was rightfully concerned about the spying and spoofing of employees' e-mail. She knew that encryption and digital signatures could deal with these two threats. She wanted to know if there was any third-party crypto technology to address the issues of e-mail confidentiality and integrity. There are options available, including Entrust (www.entrust.com), Worldtalk (www.worldtalk.com) and good old PGP (www.pgp.com). Each has its pros and cons. Which one would be right for you? Only you can answer that, but perhaps we can help you phrase the right questions.

What would the ideal e-mail encryption package be like? According to Bruce Schneier, author of Applied Cryptography (Wiley & Sons), the ideal product would be both "unobtrusive to the user and ubiquitous to the world." How unobtrusive? "It would function from inside the e-mail application--for example, the user wouldn't have to exit cc:Mail to encrypt or decrypt."
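The forgery that Warigon's quote and Rik's note describe above, as an added example that is not part of the original article and is not the code of sendmail or any other MTA: a toy SMTP server plus a client that sends exactly the HELO, MAIL FROM, RCPT TO and DATA lines a person would type into telnet. The server, the hostnames and the addresses are invented for this example (Python 3.8 or later, standard library only). It shows the two facts a practitioner should take from the passage: the receiving host accepts any HELO and any MAIL FROM it is given, and the only header the sender does not control is the Received: line the server stamps itself, which carries the connecting peer's real address. The toy also refuses to deliver for domains it does not serve, the check that keeps a mail server from being used as a blind for other people's bulk mail, which comes up again below under denial of service.

```python
"""Forged SMTP envelope against a toy MTA (added example; not sendmail's or
any other MTA's code).  The toy server believes whatever HELO and MAIL FROM
it is told, stamps the peer's real address into a Received: header, and
refuses to relay for domains it does not serve.  Names are made up."""
import socket
import threading

LOCAL_DOMAINS = {"example.com"}   # domains the toy MTA accepts mail for


def _readline(f):
    """One CRLF-terminated SMTP line from a socket file; None at EOF."""
    raw = f.readline()
    return raw.decode("ascii", "replace").rstrip("\r\n") if raw else None


def toy_mta(listener, record):
    """Serve one SMTP session; fill `record` with whatever got accepted."""
    conn, peer = listener.accept()
    helo, mail_from, rcpts = "", "", []
    with conn, conn.makefile("rb") as f:
        conn.sendall(b"220 mail.example.com ESMTP toy\r\n")
        while (line := _readline(f)) is not None:
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                helo = line[5:].strip()                      # taken on faith
                conn.sendall(b"250 mail.example.com\r\n")
            elif verb == "MAIL":
                mail_from = line.partition(":")[2].strip()   # taken on faith
                conn.sendall(b"250 OK\r\n")
            elif verb == "RCPT":
                rcpt = line.partition(":")[2].strip()
                if rcpt.strip("<>").rpartition("@")[2] in LOCAL_DOMAINS:
                    rcpts.append(rcpt)
                    conn.sendall(b"250 OK\r\n")
                else:                                        # anti-relay check
                    conn.sendall(b"550 Relaying denied\r\n")
            elif verb == "DATA":
                conn.sendall(b"354 End data with <CR><LF>.<CR><LF>\r\n")
                body = []
                while (text := _readline(f)) not in (None, "."):
                    body.append(text[1:] if text.startswith("..") else text)
                # The one fact the sender cannot dictate: the real peer address.
                stamp = "Received: from %s ([%s]) by mail.example.com" % (helo, peer[0])
                record.update(helo=helo, mail_from=mail_from, rcpts=rcpts,
                              peer=peer[0], message="\r\n".join([stamp] + body))
                conn.sendall(b"250 OK queued\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"500 Unrecognized command\r\n")

def smtp_session(host, port, helo, mail_from, rcpt_to, headers_and_body):
    """Type what a person would type into telnet; return the (command, reply)
    transcript, stopping at the first 4xx/5xx so the refused step is visible."""
    transcript = []
    with socket.create_connection((host, port)) as s, s.makefile("rb") as f:
        transcript.append(("<connect>", _readline(f) or ""))
        for cmd in ("HELO " + helo, "MAIL FROM:<%s>" % mail_from,
                    "RCPT TO:<%s>" % rcpt_to, "DATA", headers_and_body + "\r\n."):
            s.sendall((cmd + "\r\n").encode("ascii"))
            reply = _readline(f) or ""
            transcript.append((cmd, reply))
            if reply[:1] not in ("2", "3"):
                break
        s.sendall(b"QUIT\r\n")
        transcript.append(("QUIT", _readline(f) or ""))
    return transcript

def _run_against_toy_mta(**session):
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    record = {}
    server = threading.Thread(target=toy_mta, args=(listener, record))
    server.start()
    transcript = smtp_session("127.0.0.1", listener.getsockname()[1], **session)
    server.join()
    listener.close()
    return transcript, record

def forge_to_local_user():
    """Forged envelope and From: to a local user: accepted, but Received: tells."""
    return _run_against_toy_mta(
        helo="ceo-laptop.example.com", mail_from="ceo@example.com",   # both lies
        rcpt_to="payroll@example.com",
        headers_and_body="From: The CEO <ceo@example.com>\r\nTo: payroll@example.com\r\n"
                         "Subject: urgent wire\r\n\r\nPlease wire the attached invoice today.")

def relay_attempt():
    """Same trick aimed at an outside domain: refused at RCPT TO."""
    return _run_against_toy_mta(
        helo="somewhere.example.net", mail_from="nobody@example.org",
        rcpt_to="victim@example.net", headers_and_body="Subject: buy now\r\n\r\n...")

if __name__ == "__main__":
    print(forge_to_local_user()[1]["message"])
    print(relay_attempt()[0])
```

Run it and compare the forged From: line with the Received: line the server put above it: when a user says "I never sent that", the Received: trail (and the sending host's own logs), not the envelope or the From: header, is what you go back to. A real MTA also records the reverse DNS of the peer and usually a message ID; the toy records only the IP, which is enough to show that the claimed HELO name and the connecting host need not agree.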
Why ubiquitous? "In a world where everyone encrypted, encryption wouldn't arouse suspicion or excite curiosity. But in a world where most messages are unencrypted, unfortunately, the encrypted one may draw a lot of unwanted attention." The ideal package would have to interface seamlessly with all major e-mail applications--for example, a cc:Mail user could easily trade encrypted messages with a Eudora user. Schneier also suggests that the ideal package should allow you to set the default to encryption and provide an option for turning it off, rather than the other way around.

Of course, the ideal package would have to offer strong crypto. But you don't have to become an expert in the arcane lore of cryptographic algorithms to evaluate such things. "Just steer away from proprietary algorithms," Schneier explains. "Instead, choose a package that provides a menu of publicly vetted algorithms. That way, you'll know that some smart minds have been whacking on it for awhile." If the algorithm hasn't been broken, and the best published attack against it still requires far more computing power than any plausible adversary can bring to bear, it may serve your purpose.

Some other issues to ponder

If you decide that one or another of the available e-mail security products meets the criteria outlined by Schneier, here are a few more important issues to ponder. Where are the crypto keys held? Are they held on a server? At the workstation? On diskettes? In your users' heads? If they are held on a server, how vulnerable to attack is that server? Is it a UNIX box? There are countless attacks that will compromise a UNIX-based server. Is it an NT box? The number of attacks that will compromise an NT-based server has grown alarmingly.

[RP: Most email crypto systems hold an encrypted version of the user's private key on the user's system. Public keys may also be held locally, also encrypted (PGP), or may come from a certification authority (CA), in which case the security of that platform is somewhat of an issue.
But only somewhat. Public key crypto systems, which are what Entrust and PGP use, ensure the correctness of keys by checking the key received from the CA for a digital signature for that CA. So, while true that the CA might be compromised, hopefully someone has paid a LOT of attention to this machine (it is certainly the case today). Given this, I wonder if you need to discuss the security of the key server? The real issue is that encryption is NOT ubiquitous, so not everybody has keys registered anywhere (remember that the US postal service wants to do this, and that the Canadian gov't is creating a key service for Canadians, so it is happening). Do you trust your government not to permit your key to be replaced with a masquerading person's key? RIK]

What is the physical security status of the server? Is it adequately protected from disgruntled or dishonest employees? After all, they remain your greatest threat. It is pointless to spend a lot of time and money deploying e-mail encryption technology if the keys that unlock the crypto are not secured properly. Don't make the mistake of becoming overly fixated on the confidentiality of the e-mail message once it passes beyond your perimeter, because increasingly your perimeter doesn't exist--whether you have a firewall or not. Another question to ask is whether, if the crypto keys are lost or corrupted, they are recoverable. And, in a related vein, does the security you gain from end-to-end encryption outweigh the security you gain from having the ability to monitor users' e-mail?

Undeniable problem

Denial of service attacks are an undeniable problem throughout cyberspace. There are plenty of CERT advisories and front-page news stories to underscore the threat. In one such incident, US President Clinton, a TIME Magazine senior editor and thirty-five other prominent individuals were the targets of an e-mail bomb attack.
The victims' e-mail boxes soon overflowed with incoming messages from mailing lists to which they had been subscribed without their knowledge or consent. In another case, a Monmouth University student, angry at losing his computer privileges, was arrested on federal charges for "e-mail bombing" the school's system with 24,000 e-mail messages. There is also no lack of nasty little tools to make such attacks easy to mount. One posting to the Firewalls mailing list, earlier this year, contained numerous addresses at which various types of e-mail bombing scripts could be obtained. Automating such an attack isn't difficult. You simply collect a list of list servers--systems people have set up to automatically relay any mail sent to them to everyone on the list--and run a batch file (DOS) or a shell script (UNIX, and easier) to subscribe your target to every list server you want. The resulting problem is not easily dealt with.

[RP: Some list servers, like BoS, guard against this problem by requiring the subscriber to respond before they are added to the list. Others check the email address used when registering (although there are problems with this). Still, not all list servers are equally dumb. RIK]

Firewalls are useless against this style of attack: the flood arrives as ordinary SMTP traffic from legitimate list servers, and at the perimeter 'mail bombing' is indistinguishable from other mail. The subscribee will need to unsubscribe from each list server. If all the lists use the same list serving software (such as Majordomo), the subscribee could also use a script to unsubscribe.

[RP: You left out the notion of spam, unsolicited "junk" email, which takes time to deal with, and wastes bandwidth. Also, many spammers rely on other organizations' mail servers for delivery. For example, you connect to a mail server, spoof some user as the sender, and provide a long list of recipients (usually very long). Then the server begins to deliver this email for the spammer--denying service to legitimate users of the mail server.
In fact, this is how most spam is delivered, using another system as a blind to hide the email identity of the spammer (so he/she doesn't get spammed in return). Here are a couple of paragraphs going into another article I wrote, with some interesting URLs:

The spammers cost us all money, because they abuse our servers, we pay to receive our e-mail, and they are wasting our bandwidth by forcing us to receive messages we did not request or want. John Quarterman, in a Matrix article (http://www.mids.org/mn/704/spam.html) calculates that just recognizing and deleting spam could conservatively cost about $85US million per year (that's assuming it takes five seconds to recognize and delete five or so messages a workday). The Web gives us a way to find all the marketing ads we could ever want. As Quarterman says, spam is theft. Spammers have finally attracted the attention of Congress. A couple of bills were introduced, one in the Senate (by Frank Murkowski of Alaska), and one in the House (by Chris Smith of New Jersey). Paul Vixie has been sticking his neck out by distributing a list of the source IP addresses used by spammers so they can be blocked by filters at ISPs or by rule sets or filters used with sendmail (there might be something related to this at the next LISA). You can visit http://spam.abuse.net/spam/ and learn more about what you can do to stop spam. You can also visit the sendmail.org site, in particular www.sendmail.org/antispam.html, to learn about ways of filtering spam using sendmail 8.8. RIK]

Two very different threats

The first three fingers of e-mail doom--spying, spoofing and denial of service--strike straight to the heart of information protection, i.e., they target the confidentiality, integrity and availability of your e-mail system itself. The remaining two fingers pose subtler but even more pervasive threats. Both involve dangers arising from the content of your organization's own e-mail traffic rather than attacks on it from the outside.
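Going back to the subscription bombing above: the countermeasure Rik mentions, a list server that adds nobody until the address itself answers, is what follows, as an added example that is not the code of BoS, Majordomo or any other list server. The key, list names and addresses are made up for the example. A subscribe request only mails the candidate address a challenge carrying an HMAC over (list, address, expiry) under a server-side key; whoever reads that mailbox echoes it back. An attacker who subscribes a victim to a hundred lists produces a hundred challenge messages in the victim's mailbox but no subscriptions, a confirmation forged without the key is rejected, and a challenge replayed after its expiry is rejected too.

```python
"""Confirmed opt-in for a list server (added example; not the code of BoS,
Majordomo or any other list server).  'subscribe' adds nobody; it mails the
candidate address a challenge whose MAC only the server can produce, and only
the echoed challenge adds a member.  Key, lists and addresses are made up."""
import hashlib
import hmac
import time


class ListServer:
    def __init__(self, key, ttl=24 * 3600, clock=time.time):
        self._key = key          # secret; in production random and per server
        self._ttl = ttl          # seconds a challenge stays valid
        self._clock = clock      # injectable so expiry can be demonstrated
        self.members = {}        # list name -> set of confirmed addresses
        self.outbox = []         # (to, subject, body) the server would send

    def _mac(self, list_name, addr, expires):
        msg = "%s\x00%s\x00%d" % (list_name, addr.lower(), expires)
        return hmac.new(self._key, msg.encode("utf-8"), hashlib.sha256).hexdigest()

    def request_subscribe(self, list_name, addr):
        """'subscribe <list>' from anyone, on anyone's behalf.  The challenge
        goes to `addr` only; nothing is added to `members` yet."""
        expires = int(self._clock()) + self._ttl
        challenge = "CONFIRM %s %s %d %s" % (list_name, addr, expires,
                                             self._mac(list_name, addr, expires))
        self.outbox.append((addr, "Confirm subscription to %s" % list_name, challenge))

    def confirm(self, line):
        """The echoed CONFIRM line.  True only for a valid, unexpired MAC;
        the MAC comparison is constant-time."""
        try:
            word, list_name, addr, expires, mac = line.split()
            expires = int(expires)
        except ValueError:
            return False
        if word != "CONFIRM" or expires < self._clock():
            return False
        if not hmac.compare_digest(mac, self._mac(list_name, addr, expires)):
            return False
        self.members.setdefault(list_name, set()).add(addr.lower())
        return True


def demo(now=1_000_000):
    """Attacker mass-subscribes a victim and tries to forge a confirmation;
    the victim confirms one list; a challenge past its ttl is refused."""
    clock = [now]
    server = ListServer(key=b"example-only-key-not-for-production", ttl=3600,
                        clock=lambda: clock[0])
    for lst in ("firewalls", "bugtraq", "linux-kernel"):
        server.request_subscribe(lst, "victim@example.com")
    pending = dict(server.members)                  # still {}: nobody added
    forged = server.confirm("CONFIRM firewalls victim@example.com %d %s"
                            % (now + 3600, "0" * 64))   # no key -> False
    real = server.confirm(server.outbox[0][2])      # victim echoes it -> True
    clock[0] = now + 3601                           # past the ttl
    stale = server.confirm(server.outbox[1][2])     # -> False
    return {"pending": pending, "forged": forged, "real": real,
            "stale": stale, "members": server.members}
```

Two design points worth noting. The server keeps no per-request state: the challenge carries everything needed to verify it, so an attacker cannot exhaust a pending-request table either. And because the address is part of the MAC input, a challenge confirmed for one address cannot be rewritten to subscribe another.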
First, there is the sure-fire threat of your organization's e-mail traffic serving as a delivery system for macro viruses and other forms of malicious code. Second, there is the ever-present danger of an employee's abuse of e-mail privileges exploding into a costly and embarrassing legal action.

Painful attachments

In regard to the proliferation of macro viruses, there is little good news. Once upon a time, there was a six to eight month grace period between when a virus was discovered and when it began to pose a serious problem in the wild. That grace period is gone. Why? New macro viruses are being found at a rate of about 7 per day, and they are spreading much farther much faster because of e-mail and the Internet--consequently, the typical anti-virus scanner is two to three months behind the curve. There are already hundreds of different types of macro virus. Many of them have been found in the wild; many more have been isolated in labs. Their effects range from the annoying to the destructive. And they are costing organizations a great deal of money. In the 1997 CSI/FBI survey, 74% of respondents reported virus incidents within the last 12 months, and 51% reported dollar losses due to these virus incidents. Only 30% were able to quantify the damage; the total financial losses reported by the 160 organizations that could were almost $15 million. The overwhelming number of these incidents were macro virus infestations, and this digital plague was spread predominantly via e-mail.

But macro viruses are not the only pests infiltrating your networks via e-mail attachments from the Internet--Trojan horses disguised as useful shareware or updates to popular software utilities have begun to surface. And don't forget that these attachments can also be used to smuggle contraband (e.g., X-rated images and pirated software). Programs such as MIMEsweeper from Integralis (www.integralis.com) may help with these diverse content-based threats.
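Content filtering of the kind such a product does, as an added example written for this article rather than MIMEsweeper's or any product's code: it walks a MIME message and holds the parts a macro-virus policy would quarantine. The sample messages are constructed here. Two points it is built to show: the decision rests on what the attachment is, not only on what the sender labelled it (an Office 97 compound file is recognised by its OLE2 signature even when sent as application/octet-stream under a harmless name), and an encrypted message cannot be scanned at all, which is the trade-off between encryption and content control that runs through the whole article.

```python
"""Attachment policy for a content-scanning mail relay (added example; not
MIMEsweeper's or any product's code).  Holds Office documents and templates
(by declared type, by extension, or by the OLE2 signature regardless of the
label) and executables; reports multipart/encrypted as unscannable.  The
messages below are constructed for the example."""
import email
from email import policy
from email.message import EmailMessage

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Word/Excel 97 container
OFFICE_TYPES = {"application/msword", "application/vnd.ms-excel",
                "application/vnd.ms-powerpoint"}
OFFICE_EXTS = {".doc", ".dot", ".xls", ".xla", ".ppt", ".pot"}
EXEC_EXTS = {".exe", ".com", ".bat", ".scr", ".pif", ".vbs"}


def classify_part(part):
    """Reason to hold this leaf part, or None if it may pass."""
    ctype = part.get_content_type()
    name = (part.get_filename() or "").lower()
    ext = name[name.rfind("."):] if "." in name else ""
    data = part.get_payload(decode=True) or b""
    if ctype in OFFICE_TYPES or ext in OFFICE_EXTS:
        return "office document, possible macro carrier: %s" % (name or ctype)
    if data.startswith(OLE2_MAGIC):                 # judge the content, not the label
        return "OLE2 container declared as %s: %s" % (ctype, name or "(unnamed)")
    if ext in EXEC_EXTS or data.startswith(b"MZ"):
        return "executable: %s" % (name or ctype)
    return None


def scan_message(raw):
    """Return ('deliver' | 'hold' | 'unscannable', [reasons]) for raw RFC 822 bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() == "multipart/encrypted":
        return "unscannable", ["multipart/encrypted: body is ciphertext, the "
                               "scanner sees nothing; policy must decide blind"]
    reasons = []
    for part in msg.walk():
        if not part.is_multipart():
            reason = classify_part(part)
            if reason:
                reasons.append(reason)
    return ("hold" if reasons else "deliver"), reasons


def _with_attachment(filename, ctype, payload):
    """Constructed sample: a short note with one attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "bob@example.com", "Q3 plan"
    msg.set_content("See attached.")
    if isinstance(payload, bytes):
        maintype, subtype = ctype.split("/")
        msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    else:
        msg.add_attachment(payload, subtype=ctype.split("/")[1], filename=filename)
    return msg.as_bytes()


# A PGP/MIME message built by hand; the ciphertext is a placeholder.
PGP_MIME = (b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: Q3 plan\r\n"
            b"Content-Type: multipart/encrypted; protocol=\"application/pgp-encrypted\";"
            b" boundary=\"=b=\"\r\n\r\n--=b=\r\nContent-Type: application/pgp-encrypted\r\n"
            b"\r\nVersion: 1\r\n--=b=\r\nContent-Type: application/octet-stream\r\n\r\n"
            b"-----BEGIN PGP MESSAGE-----\r\n(ciphertext)\r\n-----END PGP MESSAGE-----\r\n"
            b"--=b=--\r\n")

SAMPLES = {
    "office_doc": _with_attachment("q3plan.doc", "application/msword", OLE2_MAGIC + b"\0" * 24),
    "mislabelled_ole": _with_attachment("notes.dat", "application/octet-stream",
                                        OLE2_MAGIC + b"\0" * 24),
    "plain_text": _with_attachment("readme.txt", "text/plain", "just text, no macros"),
    "pgp_encrypted": PGP_MIME,
}


def verdicts():
    """Run every sample through the policy; sample name -> verdict."""
    return {name: scan_message(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, scan_message(raw))
```

This is a policy gate, not a virus scanner: it cannot tell a clean Word file from an infected one, only that a macro-capable container is passing through, which is the decision a relay has to make two to three months before the scanner signatures catch up. The "unscannable" verdict is the place where an organisation writes down what it chose: deliver encrypted mail unscanned, or hold it and rely on a desktop scanner after decryption.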
MIMEsweeper is an e-mail router that will scan for macro viruses as well as for inappropriate content (unless you're using encryption, in which case it cannot see the content at all).

[RP: A past Alert mentioned software written by Padgett Peterson for detecting macros; someone mentioned scanprot.dot in the NT security list; also making normal.dot readonly (which will only work for NTFS on NT). RIK]

Forewarned is forearmed

There are numerous stories of employee e-mail escapades and management miscalculations that have ended up in civil or even criminal court oozing acrimony, and resulting in costly settlements, stiff penalties and tarnished public images. Just take a look at the sordid affair of Oracle CEO Larry Ellison and former Oracle employee Adelyn Lee. Lee sued and won $100,000 in a wrongful termination suit. Her civil case was based on an e-mail message. She was later prosecuted and convicted of forging the e-mail by breaking into Oracle's computer system and using her boss's password. In their criminal case against Lee, the prosecutors used Lee's own e-mail messages soliciting gifts such as a sports car and a Rolex watch from Ellison.

[RP: Some comments. If all employees used encryption, and there is no key escrow, this problem goes away. Interesting. Also, I saw an article in a recent Wall Street Journal where a company is suing Andersen Consulting because they did not finish a project within the time/budget specified, and using email as evidence (they quoted a message saying that an AC consultant should have been taking junior college courses, not working--a message from an AC person to another). I didn't see the date, but likely Thursday of this week, front page of an inside section (this was lying on a chair in the Cincinnati airport).
RIK]

Clearly, everyone involved could have benefited from a few common sense precautions--a strong, enforceable corporate policy stating that e-mail is only to be used for business purposes; an ongoing security awareness program to educate users about the consequences of inappropriate use of corporate e-mail resources; and a warning banner at logon to remind users that all network activity is subject to monitoring. Such steps would create a mature corporate culture in which employees (however high or low) would be disinclined to act out their romantic entanglements via e-mail. Users educated about what information security really is would also be less likely to undertake forgery or other unauthorized access--for fear of leaving digital fingerprints.

Summary

Information security is really all about scale of risk. You have to decide what your organization has to lose, how likely such losses are, what it would cost to defend against them and then start making tough choices. You may not think it is worth your while to encrypt your e-mail traffic, and even if you do think it is worth the expense, you may not be able to sell management on it. If you do decide to encrypt, you may well heighten the risk from other types of security breaches--for example, being unable to detect insider betrayal of company secrets because you can no longer monitor the traffic. You're going to have to make tough decisions based on hard analysis. In many organizations, information security boils down to a lone system administrator with a well-programmed alpha pager. Hopefully, the diverse threats outlined here will help you get some much needed attention to the mail server chugging away over in the corner.