Thursday, September 20, 2007

Email Hacking... How it works, Tools, How to prevent

Multiple different mail servers are used in today’s enterprises. Each different mail server has its own set of known vulnerabilities, giving resourceful hackers ample opportunity to search for weaknesses. Once these weaknesses are identified, a single hacker can take down an entire rack of mail servers in the blink of an eye.

So... How do they work?

IMAP & POP vulnerabilities
Attackers have found a number of issues in both IMAP and POP servers that can be exploited. Dictionary attacks, for example, can expose sensitive e-mail stored on an IMAP or POP server; countless tools are available for performing them, and the graphical nature of many of these tools makes it simple for even a novice to use them. Weak passwords are a common vulnerability in these protocols: many organizations lack adequate controls for password strength, so end users choose passwords that can easily be broken. Lastly, defects or bugs in various IMAP and POP services can leave them susceptible to other types of exploits, such as buffer overflows.
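The defender's counterpart to the dictionary attacks described above is to watch the mail server's login log for bursts of failures from one address. The following Python script is an added example, not code from the original post: it parses Dovecot-style login lines (the log format and every sample entry are constructed here for illustration) and flags any remote address that accumulates several failed logins within a short window, listing the distinct usernames it tried, since one source cycling through many accounts is the signature of a dictionary attack. The window and failure threshold are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Dovecot-style login log lines (sample data, not from a real server).
SAMPLE_LOG = """\
Sep 20 10:00:01 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.2
Sep 20 10:00:03 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.2
Sep 20 10:00:05 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.2
Sep 20 10:00:07 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.2
Sep 20 10:00:09 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.2
Sep 20 10:00:11 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.2
Sep 20 10:00:13 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.2
Sep 20 10:02:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.2
Sep 20 10:02:30 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.0.0.5, lip=10.0.0.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: (?P<svc>imap|pop3)-login: "
    r"(?P<event>Login|Disconnected \(auth failed[^)]*\)): user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[\d.]+)"
)


def parse_login_lines(log_text):
    """Yield (timestamp, service, failed, user, remote_ip) for each recognised line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; only the differences between them matter here
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        yield ts, m["svc"], m["event"] != "Login", m["user"], m["rip"]


def detect_bruteforce(log_text, window=timedelta(seconds=60), max_failures=5):
    """Flag remote IPs with at least max_failures failed logins inside any `window`.

    Returns {remote_ip: {"failures": total failures, "users": distinct usernames tried}}.
    The thresholds are assumptions; tune them to the site's normal failure rate.
    """
    failures = defaultdict(list)  # remote_ip -> [(timestamp, user), ...]
    for ts, _svc, failed, user, rip in parse_login_lines(log_text):
        if failed:
            failures[rip].append((ts, user))

    alerts = {}
    for rip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until events[start..end] fit inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= max_failures:
                alerts[rip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                }
                break
    return alerts


if __name__ == "__main__":
    for rip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{rip}: {info['failures']} failures, tried {', '.join(info['users'])}")
```

The one internal client that fails once and then logs in is not reported, while the external address that tries four accounts in ten seconds is; the list of usernames is what distinguishes a user who forgot a password from a dictionary run against the server.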

Denial-of-Service (DoS) attacks

  • Ping of death – Sends an invalid fragment which starts before the end of the packet but extends past the end of the packet.
  • Syn flood – Sends TCP SYN packets (which start connections) very rapidly, leaving the attacked machine waiting to complete a huge number of connections, causing it to run out of resources and start dropping legitimate connections.
  • Loop – Sends a forged SYN packet with identical source/destination address/port so that the system goes into an infinite loop trying to complete the TCP connection.
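Each of the three attacks above leaves a fingerprint that can be checked in the packets themselves: a loop packet has an identical source and destination endpoint, a ping-of-death fragment overlaps an earlier fragment and pushes the reassembled datagram past the IPv4 maximum of 65535 bytes, and a SYN flood is an abnormal number of SYNs from one source. The Python code below is an added example, not from the original post; it operates on constructed packet summaries (plain dicts standing in for decoded IP/TCP/ICMP headers, with the field names and the SYN threshold chosen here as assumptions) and shows the checks a gateway or intrusion detection system would apply.

```python
from collections import Counter, defaultdict

MAX_IP_LEN = 65535  # largest IPv4 datagram the total-length field can describe

# Constructed packet summaries: plain dicts standing in for decoded headers.
# frag_off is the fragment offset in bytes, length the fragment's payload length.
SAMPLE_PACKETS = [
    # forged SYN whose source and destination endpoint are identical (the "loop" case)
    {"src": "10.0.0.2", "dst": "10.0.0.2", "proto": "tcp", "sport": 25, "dport": 25, "flags": "S"},
    # ordinary SYN from an internal client
    {"src": "10.0.0.5", "dst": "10.0.0.2", "proto": "tcp", "sport": 51000, "dport": 143, "flags": "S"},
    # first ICMP fragment of datagram id 4660: bytes 0..1479
    {"src": "198.51.100.7", "dst": "10.0.0.2", "proto": "icmp", "ip_id": 4660, "frag_off": 0, "length": 1480},
    # second fragment starts inside the first and runs past the 65535-byte limit
    {"src": "198.51.100.7", "dst": "10.0.0.2", "proto": "icmp", "ip_id": 4660, "frag_off": 1000, "length": 64600},
]
# a burst of SYNs from one source, as a SYN flood would produce
SAMPLE_PACKETS += [
    {"src": "192.0.2.44", "dst": "10.0.0.2", "proto": "tcp", "sport": 40000 + i, "dport": 25, "flags": "S"}
    for i in range(60)
]


def is_loop_packet(pkt):
    """A TCP packet addressed from an endpoint to itself can only be forged."""
    return pkt["proto"] == "tcp" and pkt["src"] == pkt["dst"] and pkt["sport"] == pkt["dport"]


def check_fragment(frag_state, pkt):
    """Track fragments per (src, dst, ip_id); report overflow and overlap with earlier pieces."""
    findings = []
    if "frag_off" not in pkt:
        return findings
    key = (pkt["src"], pkt["dst"], pkt["ip_id"])
    start, end = pkt["frag_off"], pkt["frag_off"] + pkt["length"]
    if end > MAX_IP_LEN:
        findings.append("oversized-fragment")
    if any(start < e and end > s for s, e in frag_state[key]):
        findings.append("overlapping-fragment")
    frag_state[key].append((start, end))
    return findings


def analyse(packets, syn_threshold=50):
    """Return per-packet anomalies (by index) and sources whose SYN count reaches the threshold."""
    frag_state = defaultdict(list)
    per_packet = {}
    syns = Counter()
    for i, pkt in enumerate(packets):
        findings = []
        if is_loop_packet(pkt):
            findings.append("loop-same-endpoint")
        findings += check_fragment(frag_state, pkt)
        if pkt["proto"] == "tcp" and pkt.get("flags") == "S":
            syns[pkt["src"]] += 1
        if findings:
            per_packet[i] = findings
    return {
        "per_packet": per_packet,
        "syn_flood": {src: n for src, n in syns.items() if n >= syn_threshold},
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_PACKETS)
    for idx, findings in result["per_packet"].items():
        print(f"packet {idx}: {', '.join(findings)}")
    for src, n in result["syn_flood"].items():
        print(f"SYN flood suspect {src}: {n} SYNs")
```

The first two checks are stateless or nearly so and belong at the perimeter, where the packet can be dropped before reassembly; the SYN count needs a time window in practice, which is left out here so the threshold logic stays visible.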

System configuration holes

Weaknesses in enterprise system configuration can be classified as follows:
  • Default configurations – Most systems are shipped to customers with default, easy-to-use configurations. Unfortunately, “easy-to-use” can mean “easy-to-break-into” as well. Almost any UNIX or WinNT machine shipped can be exploited rather easily.
  • Empty/default root passwords – A surprising number of machines are configured with empty or default root/administrator passwords. One of the first things an intruder will do on a network is to scan all machines for empty passwords.
  • Hole creation – Virtually all programs can be configured to run in a non-secure mode which can leave unnecessary holes on the system. Additionally, sometimes administrators will inadvertently open a hole on a machine. Most administration guides will suggest that administrators turn off everything that doesn’t absolutely need to run on a machine in order to avoid accidental holes. Unfortunately this is easier said than done, since many administrators aren’t familiar with disabling many common services.
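Two of the configuration holes above, empty root passwords and services left running that nobody needs, can be caught with a routine audit rather than discovered by an intruder's scan. The Python script below is an added example (not from the original post) that checks a constructed /etc/shadow-style password file for accounts with an empty password field and compares a constructed listener inventory, of the kind `ss -ltn` or `netstat -ltn` reports, against an allowlist of the ports a mail gateway actually needs. The sample entries, the placeholder hash and the allowlist are assumptions for illustration.

```python
# Constructed /etc/shadow-style entries (sample data; the $6$ value is a placeholder, not a real hash).
SAMPLE_SHADOW = """\
root::19000:0:99999:7:::
mailadmin:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
guest::19000:0:99999:7:::
backup:!:19000:0:99999:7:::
"""

# Constructed listener inventory: (port, process) pairs as a listing tool would report them.
SAMPLE_LISTENERS = [
    (22, "sshd"), (25, "postfix"), (143, "dovecot"), (993, "dovecot"),
    (23, "telnetd"), (79, "fingerd"), (111, "rpcbind"),
]

# Assumed allowlist for a mail gateway: SSH, SMTP, IMAP/IMAPS, POP3/POP3S.
MAIL_GATEWAY_PORTS = {22, 25, 143, 993, 110, 995}


def audit_shadow(shadow_text):
    """Classify accounts by the password field: empty (no password needed to log in),
    locked ('*' or a '!' prefix), or hashed."""
    report = {"empty": [], "locked": [], "hashed": []}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue  # blank or malformed line, not a shadow entry
        name, pw = fields[0], fields[1]
        if pw == "":
            report["empty"].append(name)
        elif pw == "*" or pw.startswith("!"):
            report["locked"].append(name)
        else:
            report["hashed"].append(name)
    return report


def audit_listeners(listeners, allowed_ports=MAIL_GATEWAY_PORTS):
    """Return listeners on ports outside the allowlist: candidates for being switched off."""
    return [(port, proc) for port, proc in listeners if port not in allowed_ports]


def audit(shadow_text, listeners, allowed_ports=MAIL_GATEWAY_PORTS):
    """Combine both checks into one findings dict."""
    shadow = audit_shadow(shadow_text)
    return {
        "empty_passwords": shadow["empty"],
        "locked_accounts": shadow["locked"],
        "unexpected_listeners": audit_listeners(listeners, allowed_ports),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_SHADOW, SAMPLE_LISTENERS)
    for user in findings["empty_passwords"]:
        print(f"EMPTY PASSWORD: {user}")
    for port, proc in findings["unexpected_listeners"]:
        print(f"UNEXPECTED LISTENER: {proc} on port {port}")
```

Locked accounts are reported separately because they are the correct state for system accounts such as daemon; only the empty field is a hole. Running this on a schedule and diffing the output is what turns the guidance "turn off everything that doesn't need to run" into something an administrator can actually verify.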

Exploiting software issues
Software bugs can be exploited in the server daemons, the client applications, the operating system, and the network stack. Software bugs can be classified in the following manner:
  • Buffer overflows – Almost all the security holes you read about in the press are due to this problem. A typical example is a programmer who will set aside a specific number of characters to hold a login username. Hackers will look for these types of vulnerabilities, often sending longer strings than specified, including code that will be executed by the server. Hackers find these bugs in several ways. First, the source code for a lot of services is available on the net. Hackers routinely look through this code searching for programs that have buffer limitations. Hackers will also examine every place the program accepts input and try to overflow it with random data. If the program crashes, there is a good chance that carefully constructed input will allow the hacker to break into the system.
  • Unexpected combinations – programs usually are constructed using many layers of code, including the underlying operating system as the bottom-most layer. Intruders can often send input that is meaningless to one layer, but meaningful to another when constructed properly.
  • Unhandled input – Most programs are written to handle valid input. Most programmers do not consider what happens when somebody enters input that doesn’t match the specification.

Self-propagation: the new mission of attacks
Hackers are becoming increasingly sophisticated and are no longer content with simply gaining access to networks to cause mischief and disrupt service. Whereas hackers first spread viruses through individual networks simply because they could, we are now seeing more and more attacks that use Trojans to spread a virus to as many computers as possible, with the intent of taking control of these machines for nefarious purposes.
  • Trojans - Trojans enter the victim’s computer undetected, usually disguised as a legitimate e-mail attachment. Once the Trojan is opened by the unsuspecting recipient, the attacker is granted unrestricted access to the data stored on the computer. Trojans can either be hidden programs running on a computer, or hidden within a legitimate program, meaning a program that the user trusts will have functions they are not aware of.
  • Spreading viruses via Trojans - Hybrid attacks that combine the use of Trojans and traditional viruses have become increasingly popular. An example of this is the notorious Nimda virus, which used multiple methods to spread itself and managed to get past anti-virus software by using a behavior not typically associated with viruses. Nimda exploited a flaw in the MIME header and managed to infect 8.3 million computers worldwide.
The increased sophistication of attacks is evidenced by viruses containing their own SMTP engines (MyDoom, Bagle.G, NetSky). By using its own SMTP engine, a virus can avoid the use of MAPI, which allows it to isolate itself from any e-mail client configuration issues and integrated virus scanner(s) that may be present.


The hacker’s toolkit
  • Crack/NTcrack/L0pht Crack - Crack network passwords using dictionaries or brute force. These packages also contain utilities for dumping passwords out of databases and sniffing them off the wire.
  • Exploit packs - A set of one or more programs that know how to exploit holes on systems (usually designed to be used once the targeted user is logged on).
  • NAT - Based on the SAMBA code, NAT is useful for discovering NetBIOS/SMB information from Windows and SAMBA servers.
  • Netcat - Characterized as a TCP/IP “Swiss Army Knife,” netcat allows intruders to script protocol interactions, especially text-based protocols.
  • Ping Sweepers - For pinging large numbers of machines to determine which ones are active.
  • Remote Security Auditors - Programs such as SATAN that look for a number of well known holes in machines all across the network.
  • Scanners - Programs like SATAN, ISS or CyberCop Scanner that probe the system for vulnerabilities. These tools check for a huge number of vulnerabilities and are generally automated, giving the hacker the highest return for minimal effort.
  • Sniffing utilities - For watching raw network traffic, such as Gobbler, tcpdump, or even a Network Associates Sniffer© Network Analyzer.
  • TCP and UDP port scanners - For scanning/strobing/probing which TCP ports are available. TCP port scanners can also run in a number of stealth modes to evade loggers.
  • War dialers - Look for dial-in ports by dialing multiple phone numbers.
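Several of the tools listed above (ping sweepers, port scanners, remote security auditors) generate traffic that the perimeter firewall's drop log records even when a scanner's stealth mode leaves nothing in application logs, because the firewall sees the probe before any service answers it. The Python script below is an added example, not from the original post: it reads constructed iptables-style DROP lines (the format and every entry are invented here for illustration) and flags a source that hits many distinct ports on one host (a port scan) or touches many distinct hosts (a sweep). Both thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed iptables-style DROP log lines (sample data, not from a real gateway):
# 25 probes from one source against successive ports of one host, 30 ICMP echo
# requests from a second source across successive hosts, and one stray drop.
SAMPLE_FW_LOG = "\n".join(
    [f"Sep 20 10:05:{i:02d} gw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=10.0.0.2 "
     f"PROTO=TCP SPT={50000 + i} DPT={20 + i} SYN" for i in range(25)]
    + [f"Sep 20 10:06:{i:02d} gw kernel: DROP IN=eth0 SRC=198.51.100.3 DST=10.0.0.{i + 1} "
       f"PROTO=ICMP TYPE=8" for i in range(30)]
    + ["Sep 20 10:07:00 gw kernel: DROP IN=eth0 SRC=10.0.0.9 DST=10.0.0.2 PROTO=TCP SPT=40123 DPT=23 SYN"]
)

FW_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=\w+(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def detect_scans(log_text, port_threshold=20, host_threshold=20):
    """Per source address, report 'port-scan' when it probes at least port_threshold
    distinct ports on one host and 'host-sweep' when it touches at least host_threshold
    distinct hosts. Returns {src: {kind: count}} for flagged sources only."""
    ports = defaultdict(set)  # (src, dst) -> distinct destination ports seen
    hosts = defaultdict(set)  # src -> distinct destination hosts seen
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if not m:
            continue
        hosts[m["src"]].add(m["dst"])
        if m["dpt"]:  # ICMP drops carry no port
            ports[(m["src"], m["dst"])].add(int(m["dpt"]))

    alerts = defaultdict(dict)
    for (src, _dst), seen_ports in ports.items():
        if len(seen_ports) >= port_threshold:
            alerts[src]["port-scan"] = len(seen_ports)
    for src, seen_hosts in hosts.items():
        if len(seen_hosts) >= host_threshold:
            alerts[src]["host-sweep"] = len(seen_hosts)
    return dict(alerts)


if __name__ == "__main__":
    for src, kinds in detect_scans(SAMPLE_FW_LOG).items():
        print(src, kinds)
```

Counting distinct ports and hosts rather than raw packets keeps a legitimate client that retries one blocked port from tripping the detector, which is the usual source of false positives in this kind of rule.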

Protect your enterprise
As businesses place increasing reliance on e-mail systems, they must address the growing security concerns from both e-mail borne attacks and attacks against vulnerable e-mail systems. When enterprise e-mail systems are left exposed by insecure devices, hackers can enter the organization and compromise the company’s corporate backbone, rendering investments in information technology security useless. The implications from a security breach can impact the company’s reputation, intellectual property and ability to comply with government regulations. The only way for organizations to fortify their e-mail systems is to use a comprehensive e-mail security gateway to lock down the e-mail systems. This approach includes:
  1. Locking down the e-mail system at the perimeter – Perimeter control for the e-mail systems starts with deploying an e-mail gateway. The e-mail gateway should be purpose-built with a hardened operating system, and intrusion detection capabilities to prevent the gateway from being compromised.
  2. Securing access from outside systems – The e-mail security gateway must be responsible for handling traffic from all external systems, and must ensure that traffic passed through is legitimate. By securing access from outside, applications like Web mail are prevented from being used to gain access to internal systems.
  3. Real-time monitoring of e-mail traffic – Real-time monitoring of e-mail traffic is critical to preventing hackers from utilizing e-mail to gain access to internal systems. Detection of attacks and exploits in e-mail, such as malformed MIME, requires continuous monitoring of all e-mail.
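Step 3 calls for detecting malformed MIME as mail passes the gateway, and the Nimda example earlier in this post exploited a flaw in MIME header handling. The Python code below is an added example, not from the original post, showing two checks of that kind built on the standard library's email parser: a Content-Type header the parser reports as defective, and an attachment whose declared major type (audio, image, text, video) does not fit an executable filename. The two raw messages are constructed for illustration, the attachment body is a placeholder (base64 of the word "hello"), and the extension and type lists are assumptions.

```python
import os
from email import policy
from email.parser import BytesParser

# Constructed message: declared as audio, but the attachment filename is an executable.
SAMPLE_MISMATCH = b"""\
From: sender@example.net
To: user@example.com
Subject: readme
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd1"

--bnd1
Content-Type: text/plain; charset=us-ascii

please see attached
--bnd1
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="readme.exe"

aGVsbG8=
--bnd1--
"""

# Constructed message whose Content-Type header has no subtype at all.
SAMPLE_BAD_HEADER = b"""\
From: sender@example.net
To: user@example.com
Subject: notes
MIME-Version: 1.0
Content-Type: audio
Content-Disposition: attachment; filename="notes.txt"

hello
"""

# Assumed lists: extensions treated as executable, and major types that should never carry one.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
PASSIVE_MAINTYPES = {"audio", "image", "text", "video"}


def inspect_message(raw_bytes):
    """Return a list of findings for one raw message (empty when nothing looks suspicious)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ct = part.get("Content-Type")
        # policy.default attaches header parse defects to the header object itself;
        # the string test is a belt-and-braces check for a missing "type/subtype"
        if ct is not None and (ct.defects or "/" not in str(ct).split(";")[0]):
            findings.append("malformed-content-type")
        filename = (part.get_filename() or "").lower()
        ext = os.path.splitext(filename)[1]
        if ext in EXECUTABLE_EXTS:
            if part.get_content_maintype() in PASSIVE_MAINTYPES:
                findings.append(f"type-mismatch:{part.get_content_type()}:{filename}")
            findings.append(f"executable-attachment:{filename}")
    return findings


if __name__ == "__main__":
    for label, raw in (("mismatch", SAMPLE_MISMATCH), ("bad-header", SAMPLE_BAD_HEADER)):
        print(label, inspect_message(raw) or ["clean"])
```

A gateway would quarantine on either finding; the point of the type/filename comparison is that a client which trusts the declared type to decide how to handle the part can be steered by a header that disagrees with the attachment's name.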
An e-mail security gateway should provide the following benefits:

Simplify administrator work
Rather than having multiple appliances from different vendors provide piecemeal protection for different areas of your e-mail network, the e-mail security solution that protects your enterprise should be capable of protecting the entire e-mail system on its own. Comprehensive security must be purpose-built into the e-mail security appliance, not added as an afterthought.

Easy integration
Integrating an intrusion detection/prevention system can be complicated, depending on your requirements. However, these systems must not complicate a network, and they should not require the administrator to spend additional time managing them.

Easy configuration
Many intrusion detection systems are difficult to navigate and configure. A purpose-built e-mail security system containing intrusion detection and prevention should be easy to configure and manage, with settings based on established best practices based on your particular type of business.

2 comments:

Anonymous said...

It's good to read this, but I am not able to get what I was expecting.

Anonymous said...

huh?