What E-Mail Hackers Know That You Don’t

March 15, 2006

E-mail systems such as Microsoft Exchange, Lotus Notes and GroupWise were constructed with a single purpose in mind: accept and send the maximum amount of mail and route that mail as efficiently as possible. Without question this has succeeded: e-mail is the most commonly utilised business communication tool on the planet and its use is projected to rise. In fact, the current volume of e-mail sent worldwide is now more than 50 billion messages per day, with that number expected to double by 2008.

E-mail’s continually burgeoning popularity makes it an increasingly attractive target for individuals seeking to do harm, either for their own misguided personal satisfaction, or more likely, for financial gain. The first e-mail hackers found simple vulnerabilities in the operating systems and protocol stacks of e-mail systems and exploited these known weaknesses.

Now, however, hackers and virus writers have become specialists, constantly developing new and innovative methods of overcoming the improvements made in today’s security systems. The game of cat-and-mouse is unlikely to end any time soon, if ever. With every improvement in defensive techniques, hackers and virus writers modify their tactics in an attempt to circumvent these defences and wreak havoc on corporate networks.

Vulnerabilities of e-mail systems

Along with the many conveniences and efficiencies that e-mail use brings to an organisation, there are some inherent risks and vulnerabilities that can be exploited by multiple forms of malicious attack: denial-of-service attacks, phishing, spam, Trojans, viruses, worms and zombie attacks.

How Hackers Attack

Today’s enterprises run a variety of mail servers, chosen for performance, price, name recognition or any of a number of other reasons; servers such as Lotus Notes and Microsoft Exchange dominate the corporate e-mail landscape.

Each different mail server has its own set of known vulnerabilities, giving resourceful hackers ample opportunity to search for weaknesses. Once these weaknesses are identified a single hacker can take down an entire rack of mail servers in the blink of an eye.

Self-propagation: The New Mission of Attacks

Hackers are becoming increasingly sophisticated and are no longer content with simply gaining access to networks to cause mischief and disrupt service. Whereas hackers first spread viruses through individual networks simply because they could, we now are seeing more and more attacks that involve the use of Trojans designed to spread a virus to as many computers as possible, with the intent of taking control of these machines for nefarious purposes.

Trojans enter the victim’s computer undetected, usually disguised as a legitimate e-mail attachment. Once the unsuspecting recipient opens the Trojan, the attacker is granted unrestricted access to the data stored on the computer. A Trojan can either be a hidden program running on the computer or be hidden within a legitimate program, meaning that a program the user trusts has functions the user is not aware of. The following list outlines some of the most popular types of Trojans used by hackers:

Remote Access – Designed to give the hacker access to the victim’s machine. Traditionally, Trojans would listen for a connection on a port that had to be reachable by the hacker. Now Trojans call out to the hacker instead, giving the hacker access to machines that sit behind a firewall. Some Trojans take their commands over IRC, meaning the hacker never makes a direct connection to the victim’s machine.

Data Sending – Sends information back to the hacker. Tactics include key logging, searching for password files and other private information.

Destructive – Destroys or deletes files.

Denial-of-Service – Gives a remote hacker the power to launch Distributed Denial-of-Service (DDoS) attacks using multiple ‘zombie’ computers.

Proxy – Designed to turn the victim’s computer into a proxy server available to the hacker, used for anonymous Telnet, ICQ, IRC and the like, or to make purchases with stolen credit cards. It gives the hacker complete anonymity, as the trail leads back to the infected computer.
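The Remote Access and Proxy entries above share one observable trait from the defender's side: the infected workstation initiates connections outward, to an IRC server or to some port a desktop has no business reaching, and usually does so repeatedly. The script below is an added example, not code from the original article, that runs that check over firewall connection logs. The log line format, the internal address ranges, the allowed-port list and the beacon threshold are all constructed assumptions for the example; a real deployment would take them from the firewall in use.

```python
"""Flag workstation-initiated outbound connections that look like a Trojan
calling out to its operator (reverse connection or IRC command channel).
Added example; the log format below is a constructed, hypothetical one."""
import ipaddress
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <ALLOW|DENY> <src>:<sport> -> <dst>:<dport> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Assumed internal address space for the example network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Ports a workstation is normally expected to reach directly; anything else deserves a look.
EXPECTED_OUTBOUND = {25, 53, 80, 443}
IRC_PORTS = {6667, 6697}
BEACON_THRESHOLD = 3  # repeated connections to one external endpoint from one host


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(lines):
    """Return sorted unique findings as (src, dst, dport, reason) tuples."""
    findings = set()
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue  # unparseable or blocked; only allowed traffic matters here
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue  # only internal -> external connections are of interest
        counts[(rec["src"], rec["dst"], rec["dport"])] += 1
        if rec["dport"] in IRC_PORTS:
            findings.add((rec["src"], rec["dst"], rec["dport"], "outbound IRC from workstation"))
        elif rec["dport"] not in EXPECTED_OUTBOUND:
            findings.add((rec["src"], rec["dst"], rec["dport"], "outbound to unexpected port"))
    for (src, dst, dport), n in counts.items():
        if n >= BEACON_THRESHOLD:
            findings.add((src, dst, dport, f"repeated outbound connections ({n}), possible call-out"))
    return sorted(findings)


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    "2006-03-15T09:00:01 ALLOW 10.1.2.3:51000 -> 203.0.113.10:443 TCP",   # ordinary web
    "2006-03-15T09:00:05 ALLOW 10.1.2.3:51001 -> 203.0.113.10:443 TCP",
    "2006-03-15T09:01:00 ALLOW 10.1.2.7:51200 -> 198.51.100.5:6667 TCP",  # IRC, repeated
    "2006-03-15T09:01:10 ALLOW 10.1.2.7:51201 -> 198.51.100.5:6667 TCP",
    "2006-03-15T09:01:20 ALLOW 10.1.2.7:51202 -> 198.51.100.5:6667 TCP",
    "2006-03-15T09:02:00 ALLOW 10.1.2.9:51300 -> 198.51.100.9:4444 TCP",  # odd port
    "2006-03-15T09:02:30 DENY 10.1.2.9:51301 -> 198.51.100.9:4444 TCP",   # blocked, ignored
    "2006-03-15T09:03:00 ALLOW 192.168.5.5:51400 -> 10.1.2.3:445 TCP",    # internal, ignored
    "garbage line",
]

if __name__ == "__main__":
    for src, dst, dport, reason in analyze(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport}  {reason}")
```

On the constructed log this reports three findings: the IRC connections from 10.1.2.7, the same host's repeated call-outs to one endpoint, and the single allowed connection from 10.1.2.9 to port 4444. The web traffic, the denied attempt and the internal-to-internal session produce nothing.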

Hybrid attacks that combine the use of Trojans and traditional viruses have become increasingly popular. An example is the notorious Nimda virus, which used multiple methods to spread itself and got past anti-virus software by using behaviour not typically associated with viruses. Nimda exploited a flaw in MIME header handling and infected 8.3 million computers worldwide in a matter of days.

Protect your enterprise

As businesses place increasing reliance on e-mail systems, they must address the growing security concerns from both e-mail borne attacks and attacks against vulnerable e-mail systems. When enterprise e-mail systems are left exposed by insecure devices, hackers can enter the organisation and compromise the company’s corporate backbone, rendering investments in information technology security useless. The implications of a security breach can affect the company’s reputation, intellectual property and ability to comply with government regulations.

The only way for organisations to fortify their e-mail systems is to use a comprehensive e-mail security gateway to lock down the e-mail systems. This approach includes:

Locking down the e-mail system at the perimeter – Perimeter control for e-mail systems starts with deploying an e-mail gateway. The e-mail gateway should be purpose-built with a hardened operating system and intrusion detection capabilities to prevent the gateway from being compromised.

Securing access from outside systems – The e-mail security gateway must be responsible for handling traffic from all external systems and must ensure that traffic passed through is legitimate. By securing access from outside, applications like Webmail are prevented from being used to gain access to internal systems.

Real-time monitoring of e-mail traffic – Real-time monitoring of e-mail traffic is critical to preventing hackers from utilising e-mail to gain access to internal systems. Detection of attacks and exploits in e-mail, such as malformed MIME, requires continuous monitoring of all e-mail.
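The monitoring step above, and the Nimda discussion earlier, both come down to the gateway looking inside each message's MIME structure before delivery. The script below is an added example, not code from the original article or from any gateway product, of what such an inspection checks: structural defects the parser records (missing boundaries), attachments whose declared Content-Type disagrees with an executable filename (the audio/x-wav-with-an-.exe combination that Nimda-era messages used), and executables marked for inline display. The three sample messages, the extension list and the set of "honest" executable Content-Types are constructed assumptions for the example.

```python
"""Inspect a raw MIME message the way a gateway's real-time monitor would,
flagging malformed structure and attachments whose declared type disagrees
with the attachment's name.  Added example with constructed messages."""
import email
from email import policy

# Attachment name extensions that a Windows desktop will execute directly (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Content-Types under which an executable attachment is at least honestly labelled.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload",
                    "application/x-msdos-program"}


def inspect_message(raw: bytes):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        # The stdlib parser records structural problems (missing boundaries, bad
        # headers) in .defects instead of raising; a gateway should treat them as a signal.
        for defect in part.defects:
            findings.append(f"MIME defect: {type(defect).__name__}")
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue
        ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        ctype = part.get_content_type()
        disposition = part.get_content_disposition()  # "inline", "attachment" or None
        if ext in EXECUTABLE_EXTS:
            findings.append(f"executable attachment: {filename}")
            if ctype not in EXECUTABLE_TYPES:
                findings.append(f"Content-Type/filename mismatch: {ctype} vs {filename}")
            if disposition == "inline":
                findings.append(f"executable attachment marked inline: {filename}")
    return findings


# Constructed message: an executable labelled as a sound file and marked inline.
NIMDA_STYLE = b"""From: sender@example.com
To: user@example.com
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Please see attached.
--BOUNDARY
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="readme.exe"

TVqQAAMAAAAEAAAA
--BOUNDARY--
"""

# Constructed benign message: a PDF attachment with consistent headers.
BENIGN = b"""From: sender@example.com
To: user@example.com
Subject: hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B2"

--B2
Content-Type: text/plain

Hi.
--B2
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--B2--
"""

# Same hostile message with the closing boundary removed: a structural defect.
TRUNCATED = NIMDA_STYLE.replace(b"--BOUNDARY--\n", b"")

if __name__ == "__main__":
    for name, raw in (("nimda-style", NIMDA_STYLE), ("benign", BENIGN), ("truncated", TRUNCATED)):
        print(name, inspect_message(raw) or "clean")
```

The hostile sample produces three findings (executable attachment, type/name mismatch, inline disposition); the benign sample produces none; the truncated sample adds a "MIME defect" finding for the missing closing boundary on top of the other three. The structural check matters on its own: a message that parses differently in the gateway than in the client is exactly how malformed-MIME exploits slip through.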
