SlideShare una empresa de Scribd logo

Mobile Email Security

Rahul Sihag
Rahul Sihag
Tecnología
1 de 28
Descargar para leer sin conexión
Team-9 Anirudh Gaur (B.Tech) Rahul Sihag (B.Tech) Bharatram Natarajan (M.Tech) Sanjay Bankapur (M.Tech)
Introduction  SoftCorp is an emerging software development company and aims at leadership position in the upcoming mobile computing market by developing cutting edge products that address the entire range of handheld user needs.  SoftCorp product development team had worked on office applications such as text processors, image editors, and even a small spreadsheet application.  Team was quite clear that to develop a good email client for the PDAs/Mobile devices by which  Addressing the world that SoftCorp is arrived into the PDA software market, and  By development of this product would also help them to get more familiar with the handheld programming environment.  After brainstorming, the team listed all the required features and they found the product called “EazeeMail” by their competitor KurApps. Team has decided to use this product as a benchmark for developing of Mobile Email Client (MEC).  SoftCorp team found that EazeeMail didn‟t support multimedia based email such as support for audio clips, pictures etc. They decided that they will try to provide support for the multimedia emails.
Topics to cover  Identify and specify various security requirements by using use/abuse case diagram.  For the identified security requirements indentify potential vulnerabilities and threats for this system.  Identify the security loop holes from the given fragmented codes.  Identify at-least 4 design patterns that can be used to enhance the security for this product.  By taking any 1 use cases related to email functionality, will perform thread modelling and generate threat tree for the same.  Does SoftCorp requires redesigning of the product to ensure all security?
Security Requirements Assets: •Data like Email content, User login credentials, User account information, Configuration file, Email client code. •Email Server. •Handheld devices.
 The need for prevention of virus, malicious software which if present in the handheld devices will result in the confidentiality, integrity, privacy violation.  The need for securing the connection between the client and the email server in order to maintain data confidentiality, integrity, privacy.  The need for preventing spam mails in order not to overload the server and handheld devices.  The need for preventing phishing in email in order to protect the customer details and maintaining their trust, privacy.  The need for protecting the mobile email client code for maintaining integrity constraint and confidentiality constraint, privacy.  The need for protecting the configuration file from being accessed by anyone except the mobile email client for maintaining confidentiality, integrity.
Security Threats & Vulnerabilities  Virus - Responsible for destructive payloads, destroying data and bringing down entire mail systems. E.g.: Internet Worms, Mass mailer viruses tend to stay longer even if antivirus products have included protection against them in their products leading to loss of money, resources ,effort to recover from such incidents, loss of productivity, corrupt or lost data, loss of user confidence.  Phishing (Identify Theft) – It targets the customers of financial institutions and high- profile online retailers by luring them to spoofed websites and give their credentials. This leads to personal information revelation to other people thereby violating the confidentiality of the data.  Spam – It bring down system availability and also can carry viruses, malicious code and fraudulent solicitations for private information. It overloads network and server resources.  Adversary who are eavesdropping on the channel between the client and the email server, capturing the data and modifying the data according to his need and resending again.
Solutions to Threats  Use of anti-virus software which will remove virus, malware program and un-trusted program, anti spam solution like blacklist the list of spam users rather than deleting the mails every time the mail comes, enabling the email spam filter and anti phishing solutions like Caller ID by Microsoft, Sender Policy Framework by Meng Wong, Domain Keys by Yahoo etc.  Use of secure protocol like SSL(Secure Socket Layer).  The wrapping of client code, configuration file with anti-virus software, anti-spam solution, anti-phishing solution which will act as the firewall for the client code.
Security Code Issue & Correction Fragment 1 void f(char *src1, char* src2) Threat of changing both src1 and src2 in this function { char dest[DEST_SIZE]; // check to make sure first string fits if (strlen(src1) > sizeof(dest)) return; strcpy(dest, src1); // copy as much of the second string as will fit strncat(dest, src2, sizeof(dest)); strncpy() and strncat() functions are a source of buffer ... overflow vulnerabilities. } void f(const char *src1, const char* src2) { char dest[DEST_SIZE]; // check to make sure first string fits if (strlen(src1) > sizeof(dest)) return; strncpy_s and strcat_s functions are strcpy_s(dest, src1); secure for buffer vulnerabilities. // copy as much of the second string as will fit strncat_s(dest, src2, sizeof(dest)); ... }
Fragment 2: void *ConcatBytes(void *buf1, size_t len1, char *buf2, size_t len2) { void *buf = malloc(len1 + len2); if (buf == NULL) return; // allocation failed Threat of changing both buf1 and buf2in this function memcpy(buf, buf1, len1); memcpy(buf + len1, buf2, len2); ... Void pointers can store any data type & hence data type } mismatch will occur with memcpy. void *ConcatBytes(const void *buf1, size_t len1, const char *buf2, size_t len2) { void *buf = malloc(len1 + len2); if (buf == NULL) return; // allocation failed memcpy_s(buf, len1, buf1, len1); memcpy_s(buf + len1, len2 buf2, len2); ... }
Fragment 3: #define MAX_BUFF (64) BYTE bBuff[MAX_BUFF]; DWORD cbBuff = 0; Functions return value is not verified … to check status of request // Determine how much data // to read RegQueryValueEx ( hKey, NULL, NULL, NULL,&cbBuff ); ... // Read ALL the data!!! Not verifying if cbBuff is greater RegQueryValueEx ( hKey, NULL, NULL, bBuff, &cbBuff ); than MAX_BUFF … #define MAX_BUFF (64) BYTE bBuff[MAX_BUFF]; DWORD cbBuff = 0; … // Determine how much data // to read If(RegQueryValueEx ( hKey, NULL, NULL, NULL,&cbBuff ) > 0) { ... If(cbBuff>MAX_BUFF) bBuff=new BYTE[cbBuff]; // Read ALL the data!!! RegQueryValueEx ( hKey, NULL, NULL, bBuff, &cbBuff ); } …
Fragment 4: … SqlConnection sql = new SqlConnection( @”data source = localhost;” + “userid = sa;password = password;” ); String sql = “select * from client where name = „” + name + “‟”; … Both UserId and Password values should Threat of SQL Injection not be hard coded in the code. Values should be read from the configuration file. … String id=getUserId(); String pass=getPasswd(); SqlConnection sql = new SqlConnection( @”data source = localhost;” + “userid = ” +id+ “;password=” + pass+ “;” ); String sql = “select * from client where name = „” + name + “‟”; If(checkSyntax(sql) < 0) return; …
Secure Design Patterns Thin client: process centrally, present locally  Sensitive data stays centralised in hardened bunkers, with remote devices allowed views of it via thin-client terminal applications.  network access is required, thin client doesn't support offline use.  The advantage of thin client is that data never leaves the server - it is only rendered on the endpoint. For additional security, IT can restrict host copy-and-paste operations, limit data transfers, and require strong or two-factor authentication using SecureID or other tokens.
Thin device: replicated data, with device-kill for insurance  Point-purpose devices like smartphones, for example, can keep only limited amounts of sensitive information on them. The information they keep is replicated, with master copies stored in data-centres.  Because of their size, storage capacity, and comparatively modest processing power, application is limited to e- mail rather than general data processing.  Using native management tools or third-party mobile device platforms like Sybase, smartphone security policies that can typically be imposed include backup and enforced encryption.
Protected process: local information processing in a secure "bubble"  It allows data to be processed locally.  Sensitive information sits inside a compartmentalised processing environment that is separated from the user's local operating system environment - whose security and backup properties are controlled by IT.  The protected process pattern has many advantages: local execution, offline operation, central management, and a high degree of granular security control, including remote wipe.
Protected data: documents protect themselves regardless of location  Technologies like enterprise rights management enshrine access rules into documents directly.  These rules, which rely on cryptography to enforce, apply no matter where the document rests - a key advantage.  Of all the patterns in the Zero Trust data security strategy, protected data is the most fine-grained and effective because it focuses on the information, not its containers.
Suggestion SoftCorp should not go for complete redesign, since complete code is already done. Hence below strategy can be used for security review of the product:-  Threat Modelling  Test Planning  Test Execution  Security Bug Fixing Applicable Tests:  Authentication Testing  Input Validation Testing  Session Management Testing  Encryption Testing  Application Testing
Benefits of Threat Modelling These are some benefits of threat modelling:-  Complex design level security bugs can be easily identified if we incorporate the threat modelling.  More over multi-step security bugs (several small failures combining to form a disaster) are best found using threat modelling.  it also will also help us to understand our application better, since we would spend time analysing the makeup of the application in a relatively structured manner.  It yields useful documents which the testing team could use to test against.
Threat Modelling Process: 1. Identify Security Objectives 2. Create an Application Overview 3. Application Decomposition 4. Identify Threats 5. Mitigation Measures
Use Case: Sending an e-mail Security Objectives: Confidentiality (No Eavesdropping) – Any third person having access to my network should not be able to read my mail. Privacy - Information may be used to tell in which city you are located or even to find out what your address is in some cases. No Spam and Unwanted Email Integrity (No Tampering) - No data should be modified during the transmission of an email. Non-repudiation
Application Overview Users - Senders with authenticated account at email provider Technologies - Network : Wireless network Protocol : SMTP (Simple Mail Transport Protocol) Description - 1. Compose an email 2. Press the send button
Application Decomposition
Threats (1) Disclosure of Information: Most of emails are transmitted in the clear (not encrypted) text. By means of some available tools, persons other than the designated recipients can sniff the packets and can read the email contents. Email messages are stored on SMTP servers in plain, unencrypted text. Backups of the data on these servers may be made at any time and administrators can read any of the data on these machines. (2) Modification of messages: Email contents can be modified during transport or storage.
(3) Repudiation: Because normal email messages can be forged, there is no way for you to prove that someone sent you a particular message. This means that even if someone DID send you a message, they can successfully deny it. (4) Identity Theft: If someone can obtain the username and password that you use to access your email servers, they can read your email and send false email messages as you.
Threat Tree Figure: Attack Tree for Information Disclosure
Mitigation Encrypting an EMAIL message Encrypt the message before sending. Use encryption algorithms like authenticated Diffi- Hellman key exchange or RSA Algorithm. This solves the problem of eavesdropping and Disclosure of Information
Encrypting the TRANSMISSION or RECEIPT of an email (SMTP/POP/IMAP over SSL/TLS) While connecting to mail server (whether sending or receiving), email credentials (username and password) are encrypted, protecting them from being intercepted by malicious users as they traverse the internet from email client to mail server.
Security with Escrow Encryption Escrow encryption uses a trusted “encryption middleman” to provide the same security offered by asymmetric key encryption, but with universal compatibility. The sender ands receiver connects to the middleman’s web mail portal on a secure SSL connection. There will be no information disclosure in communication channel and no identity theft as both sender and receiver are on secure SSL connection. There will be no repudiation as the middleman validates the sender. The middleman encrypts the message and stores it on his server. Therefore no one can modify the message because it never leaves the middleman’s server and it will be secure even in backups.
Mobile Email Security

Recomendados

Python dictionaries
Python dictionariesPython dictionaries
Python dictionariesKrishna Nanda
 
Proposing an Encryption Algorithm based on DES
Proposing an Encryption Algorithm based on DESProposing an Encryption Algorithm based on DES
Proposing an Encryption Algorithm based on DESInternational Journal of Science and Research (IJSR)
 
Implementation of rainbow tables to crack md5 codes
Implementation of rainbow tables to crack md5 codesImplementation of rainbow tables to crack md5 codes
Implementation of rainbow tables to crack md5 codesKhadidja BOUKREDIMI
 
Faisal aslam
Faisal aslamFaisal aslam
Faisal aslamNadeem Gujjar
 
EFFICIENT CONDITIONAL PROXY REENCRYPTION WITH CHOSEN CIPHER TEXT SECURITY
EFFICIENT CONDITIONAL PROXY REENCRYPTION WITH CHOSEN CIPHER TEXT SECURITYEFFICIENT CONDITIONAL PROXY REENCRYPTION WITH CHOSEN CIPHER TEXT SECURITY
EFFICIENT CONDITIONAL PROXY REENCRYPTION WITH CHOSEN CIPHER TEXT SECURITYIJNSA Journal
 
COLLECTIVE SIGNATURE PROTOCOLS FOR SIGNING GROUPS BASED ON PROBLEM OF FINDING...
COLLECTIVE SIGNATURE PROTOCOLS FOR SIGNING GROUPS BASED ON PROBLEM OF FINDING...COLLECTIVE SIGNATURE PROTOCOLS FOR SIGNING GROUPS BASED ON PROBLEM OF FINDING...
COLLECTIVE SIGNATURE PROTOCOLS FOR SIGNING GROUPS BASED ON PROBLEM OF FINDING...IJNSA Journal
 
ClassesandObjects
ClassesandObjectsClassesandObjects
ClassesandObjectsYourVirtual Class
 
IRJET- Encrypted Negative Password using RSA Algorithm
IRJET- Encrypted Negative Password using RSA AlgorithmIRJET- Encrypted Negative Password using RSA Algorithm
IRJET- Encrypted Negative Password using RSA AlgorithmIRJET Journal
 

Recomendados

Python dictionaries
Python dictionariesPython dictionaries
Python dictionariesKrishna Nanda
 
Proposing an Encryption Algorithm based on DES
Proposing an Encryption Algorithm based on DESProposing an Encryption Algorithm based on DES
Proposing an Encryption Algorithm based on DESInternational Journal of Science and Research (IJSR)
 
Implementation of rainbow tables to crack md5 codes
Implementation of rainbow tables to crack md5 codesImplementation of rainbow tables to crack md5 codes
Implementation of rainbow tables to crack md5 codesKhadidja BOUKREDIMI
 
Faisal aslam
Faisal aslamFaisal aslam
Faisal aslamNadeem Gujjar
 
EFFICIENT CONDITIONAL PROXY REENCRYPTION WITH CHOSEN CIPHER TEXT SECURITY
EFFICIENT CONDITIONAL PROXY REENCRYPTION WITH CHOSEN CIPHER TEXT SECURITYEFFICIENT CONDITIONAL PROXY REENCRYPTION WITH CHOSEN CIPHER TEXT SECURITY
EFFICIENT CONDITIONAL PROXY REENCRYPTION WITH CHOSEN CIPHER TEXT SECURITYIJNSA Journal
 
COLLECTIVE SIGNATURE PROTOCOLS FOR SIGNING GROUPS BASED ON PROBLEM OF FINDING...
COLLECTIVE SIGNATURE PROTOCOLS FOR SIGNING GROUPS BASED ON PROBLEM OF FINDING...COLLECTIVE SIGNATURE PROTOCOLS FOR SIGNING GROUPS BASED ON PROBLEM OF FINDING...
COLLECTIVE SIGNATURE PROTOCOLS FOR SIGNING GROUPS BASED ON PROBLEM OF FINDING...IJNSA Journal
 
ClassesandObjects
ClassesandObjectsClassesandObjects
ClassesandObjectsYourVirtual Class
 
IRJET- Encrypted Negative Password using RSA Algorithm
IRJET- Encrypted Negative Password using RSA AlgorithmIRJET- Encrypted Negative Password using RSA Algorithm
IRJET- Encrypted Negative Password using RSA AlgorithmIRJET Journal
 
Patterns for key-value stores
Patterns for key-value storesPatterns for key-value stores
Patterns for key-value storesOle-Martin Mørk
 
Datak526
Datak526Datak526
Datak526prabhuvin
 
Hash crypto
Hash cryptoHash crypto
Hash cryptoHarry Potter
 
Project report
Project reportProject report
Project reportmeenalpandey
 
Basic explanation to md5 implementation in C
Basic explanation to md5 implementation in CBasic explanation to md5 implementation in C
Basic explanation to md5 implementation in CSourav Punoriyar
 
Ch34508510
Ch34508510Ch34508510
Ch34508510IJERA Editor
 
Survey of Hybrid Encryption Algorithm for Mobile Communication
Survey of Hybrid Encryption Algorithm for Mobile CommunicationSurvey of Hybrid Encryption Algorithm for Mobile Communication
Survey of Hybrid Encryption Algorithm for Mobile Communicationijsrd.com
 
PERFORMANCE ANALYSIS OF PARALLEL IMPLEMENTATION OF ADVANCED ENCRYPTION STANDA...
PERFORMANCE ANALYSIS OF PARALLEL IMPLEMENTATION OF ADVANCED ENCRYPTION STANDA...PERFORMANCE ANALYSIS OF PARALLEL IMPLEMENTATION OF ADVANCED ENCRYPTION STANDA...
PERFORMANCE ANALYSIS OF PARALLEL IMPLEMENTATION OF ADVANCED ENCRYPTION STANDA...ijistjournal
 
Mj2521372142
Mj2521372142Mj2521372142
Mj2521372142IJERA Editor
 
A technical writing on cryptographic hash function md5
A technical writing on cryptographic hash function md5A technical writing on cryptographic hash function md5
A technical writing on cryptographic hash function md5Khulna University, Khulna, Bangladesh
 
Nhibernate Part 1
Nhibernate Part 1Nhibernate Part 1
Nhibernate Part 1guest075fec
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)theijes
 
Message Authentication using Message Digests and the MD5 Algorithm
Message Authentication using Message Digests and the MD5 AlgorithmMessage Authentication using Message Digests and the MD5 Algorithm
Message Authentication using Message Digests and the MD5 AlgorithmAjay Karri
 
Achieving data privacy through secrecy views and null based virtual upadates
Achieving data privacy through secrecy views and null based virtual upadatesAchieving data privacy through secrecy views and null based virtual upadates
Achieving data privacy through secrecy views and null based virtual upadatesMuthu Samy
 
DARE Algorithm: A New Security Protocol by Integration of Different Cryptogra...
DARE Algorithm: A New Security Protocol by Integration of Different Cryptogra...DARE Algorithm: A New Security Protocol by Integration of Different Cryptogra...
DARE Algorithm: A New Security Protocol by Integration of Different Cryptogra...IJECEIAES
 
Aina_final
Aina_finalAina_final
Aina_finalChandramowliswaran NARAYANASWAMY
 
Email security
Email securityEmail security
Email securityAhmed EL-KOSAIRY
 
Email Security Threats: IT Manager's Eyes Only
Email Security Threats: IT Manager's Eyes Only Email Security Threats: IT Manager's Eyes Only
Email Security Threats: IT Manager's Eyes Only Topsec Technology
 
Lecture 8 mail security
Lecture 8 mail securityLecture 8 mail security
Lecture 8 mail securityrajakhurram
 
Why is email security important?
Why is email security important?Why is email security important?
Why is email security important?NeoCertified
 
Email security - Netwroking
Email security - Netwroking Email security - Netwroking
Email security - Netwroking Salman Memon
 
Email security
Email securityEmail security
Email securityIndrajit Sreemany
 

Más contenido relacionado

La actualidad más candente

Patterns for key-value stores
Patterns for key-value storesPatterns for key-value stores
Patterns for key-value storesOle-Martin Mørk
 
Basic explanation to md5 implementation in C
Basic explanation to md5 implementation in CBasic explanation to md5 implementation in C
Basic explanation to md5 implementation in CSourav Punoriyar
 
Survey of Hybrid Encryption Algorithm for Mobile Communication
Survey of Hybrid Encryption Algorithm for Mobile CommunicationSurvey of Hybrid Encryption Algorithm for Mobile Communication
Survey of Hybrid Encryption Algorithm for Mobile Communicationijsrd.com
 
PERFORMANCE ANALYSIS OF PARALLEL IMPLEMENTATION OF ADVANCED ENCRYPTION STANDA...
PERFORMANCE ANALYSIS OF PARALLEL IMPLEMENTATION OF ADVANCED ENCRYPTION STANDA...PERFORMANCE ANALYSIS OF PARALLEL IMPLEMENTATION OF ADVANCED ENCRYPTION STANDA...
PERFORMANCE ANALYSIS OF PARALLEL IMPLEMENTATION OF ADVANCED ENCRYPTION STANDA...ijistjournal
 
Nhibernate Part 1
Nhibernate Part 1Nhibernate Part 1
Nhibernate Part 1guest075fec
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)theijes
 
Message Authentication using Message Digests and the MD5 Algorithm
Message Authentication using Message Digests and the MD5 AlgorithmMessage Authentication using Message Digests and the MD5 Algorithm
Message Authentication using Message Digests and the MD5 AlgorithmAjay Karri
 
Achieving data privacy through secrecy views and null based virtual upadates
Achieving data privacy through secrecy views and null based virtual upadatesAchieving data privacy through secrecy views and null based virtual upadates
Achieving data privacy through secrecy views and null based virtual upadatesMuthu Samy
 
DARE Algorithm: A New Security Protocol by Integration of Different Cryptogra...
DARE Algorithm: A New Security Protocol by Integration of Different Cryptogra...DARE Algorithm: A New Security Protocol by Integration of Different Cryptogra...
DARE Algorithm: A New Security Protocol by Integration of Different Cryptogra...IJECEIAES
 

La actualidad más candente (16)

Patterns for key-value stores
Patterns for key-value storesPatterns for key-value stores
Patterns for key-value stores
 
Datak526
Datak526Datak526
Datak526
 
Hash crypto
Hash cryptoHash crypto
Hash crypto
 
Project report
Project reportProject report
Project report
 
Basic explanation to md5 implementation in C
Basic explanation to md5 implementation in CBasic explanation to md5 implementation in C
Basic explanation to md5 implementation in C
 
Ch34508510
Ch34508510Ch34508510
Ch34508510
 
Survey of Hybrid Encryption Algorithm for Mobile Communication
Survey of Hybrid Encryption Algorithm for Mobile CommunicationSurvey of Hybrid Encryption Algorithm for Mobile Communication
Survey of Hybrid Encryption Algorithm for Mobile Communication
 
PERFORMANCE ANALYSIS OF PARALLEL IMPLEMENTATION OF ADVANCED ENCRYPTION STANDA...
PERFORMANCE ANALYSIS OF PARALLEL IMPLEMENTATION OF ADVANCED ENCRYPTION STANDA...PERFORMANCE ANALYSIS OF PARALLEL IMPLEMENTATION OF ADVANCED ENCRYPTION STANDA...
PERFORMANCE ANALYSIS OF PARALLEL IMPLEMENTATION OF ADVANCED ENCRYPTION STANDA...
 
Mj2521372142
Mj2521372142Mj2521372142
Mj2521372142
 
A technical writing on cryptographic hash function md5
A technical writing on cryptographic hash function md5A technical writing on cryptographic hash function md5
A technical writing on cryptographic hash function md5
 
Nhibernate Part 1
Nhibernate Part 1Nhibernate Part 1
Nhibernate Part 1
 
The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)The International Journal of Engineering and Science (The IJES)
The International Journal of Engineering and Science (The IJES)
 
Message Authentication using Message Digests and the MD5 Algorithm
Message Authentication using Message Digests and the MD5 AlgorithmMessage Authentication using Message Digests and the MD5 Algorithm
Message Authentication using Message Digests and the MD5 Algorithm
 
Achieving data privacy through secrecy views and null based virtual upadates
Achieving data privacy through secrecy views and null based virtual upadatesAchieving data privacy through secrecy views and null based virtual upadates
Achieving data privacy through secrecy views and null based virtual upadates
 
DARE Algorithm: A New Security Protocol by Integration of Different Cryptogra...
DARE Algorithm: A New Security Protocol by Integration of Different Cryptogra...DARE Algorithm: A New Security Protocol by Integration of Different Cryptogra...
DARE Algorithm: A New Security Protocol by Integration of Different Cryptogra...
 
Aina_final
Aina_finalAina_final
Aina_final
 

Destacado

Email Security Threats: IT Manager's Eyes Only
Email Security Threats: IT Manager's Eyes Only Email Security Threats: IT Manager's Eyes Only
Email Security Threats: IT Manager's Eyes Only Topsec Technology
 
Lecture 8 mail security
Lecture 8 mail securityLecture 8 mail security
Lecture 8 mail securityrajakhurram
 
Why is email security important?
Why is email security important?Why is email security important?
Why is email security important?NeoCertified
 
Email security - Netwroking
Email security - Netwroking Email security - Netwroking
Email security - Netwroking Salman Memon
 
Email Security Presentation
Email Security PresentationEmail Security Presentation
Email Security PresentationYosef Gamble
 
E-mail Security in Network Security NS5
E-mail Security in Network Security NS5E-mail Security in Network Security NS5
E-mail Security in Network Security NS5koolkampus
 
Email Security and Awareness
Email Security and AwarenessEmail Security and Awareness
Email Security and AwarenessSanjiv Arora
 
Cyber security government ppt By Vishwadeep Badgujar
Cyber security government ppt By Vishwadeep BadgujarCyber security government ppt By Vishwadeep Badgujar
Cyber security government ppt By Vishwadeep BadgujarVishwadeep Badgujar
 
S/MIME & E-mail Security (Network Security)
S/MIME & E-mail Security (Network Security)S/MIME & E-mail Security (Network Security)
S/MIME & E-mail Security (Network Security)Prafull Johri
 
All about email
All about emailAll about email
All about emailestefana4
 
Computer Hacking - An Introduction
Computer Hacking - An IntroductionComputer Hacking - An Introduction
Computer Hacking - An IntroductionJayaseelan Vejayon
 
Email - Electronic Mail
Email - Electronic MailEmail - Electronic Mail
Email - Electronic MailPeter R. Egli
 
IS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecurityIS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecuritySarthak Patel
 
TYPES OF HACKING
TYPES OF HACKINGTYPES OF HACKING
TYPES OF HACKINGSHERALI445
 

Destacado (20)

Email security
Email securityEmail security
Email security
 
Email Security Threats: IT Manager's Eyes Only
Email Security Threats: IT Manager's Eyes Only Email Security Threats: IT Manager's Eyes Only
Email Security Threats: IT Manager's Eyes Only
 
Lecture 8 mail security
Lecture 8 mail securityLecture 8 mail security
Lecture 8 mail security
 
Why is email security important?
Why is email security important?Why is email security important?
Why is email security important?
 
Email security - Netwroking
Email security - Netwroking Email security - Netwroking
Email security - Netwroking
 
Email security
Email securityEmail security
Email security
 
Email Security Presentation
Email Security PresentationEmail Security Presentation
Email Security Presentation
 
Email Security Overview
Email Security OverviewEmail Security Overview
Email Security Overview
 
E-mail Security in Network Security NS5
E-mail Security in Network Security NS5E-mail Security in Network Security NS5
E-mail Security in Network Security NS5
 
Email Security and Awareness
Email Security and AwarenessEmail Security and Awareness
Email Security and Awareness
 
Cyber security government ppt By Vishwadeep Badgujar
Cyber security government ppt By Vishwadeep BadgujarCyber security government ppt By Vishwadeep Badgujar
Cyber security government ppt By Vishwadeep Badgujar
 
S/MIME & E-mail Security (Network Security)
S/MIME & E-mail Security (Network Security)S/MIME & E-mail Security (Network Security)
S/MIME & E-mail Security (Network Security)
 
All about email
All about emailAll about email
All about email
 
Computer Hacking - An Introduction
Computer Hacking - An IntroductionComputer Hacking - An Introduction
Computer Hacking - An Introduction
 
Email - Electronic Mail
Email - Electronic MailEmail - Electronic Mail
Email - Electronic Mail
 
Hacking
HackingHacking
Hacking
 
Email
EmailEmail
Email
 
ETHICAL HACKING PPT
ETHICAL HACKING PPTETHICAL HACKING PPT
ETHICAL HACKING PPT
 
IS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecurityIS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email Security
 
TYPES OF HACKING
TYPES OF HACKINGTYPES OF HACKING
TYPES OF HACKING
 

Similar a Mobile Email Security

Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityPratap Dangeti
 
Open source Tools and Frameworks for M2M - Sierra Wireless Developer Days
Open source Tools and Frameworks for M2M - Sierra Wireless Developer DaysOpen source Tools and Frameworks for M2M - Sierra Wireless Developer Days
Open source Tools and Frameworks for M2M - Sierra Wireless Developer DaysBenjamin Cabé
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsAleksandr Yampolskiy
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
IRJET- Anchoring of Cloud Information under Key Presentation
IRJET- Anchoring of Cloud Information under Key PresentationIRJET- Anchoring of Cloud Information under Key Presentation
IRJET- Anchoring of Cloud Information under Key PresentationIRJET Journal
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Toorcon - Purple Haze: The Spear Phishing Experience
Toorcon - Purple Haze: The Spear Phishing ExperienceToorcon - Purple Haze: The Spear Phishing Experience
Toorcon - Purple Haze: The Spear Phishing ExperienceJesse Nebling
 
Web application security
Web application securityWeb application security
Web application securityRavi Raj
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowWilliam Lee
 
The TCP/IP stack in the FreeBSD kernel COSCUP 2014
The TCP/IP stack in the FreeBSD kernel COSCUP 2014The TCP/IP stack in the FreeBSD kernel COSCUP 2014
The TCP/IP stack in the FreeBSD kernel COSCUP 2014Kevin Lo
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelDivye Kapoor
 
C,c++ interview q&a
C,c++ interview q&aC,c++ interview q&a
C,c++ interview q&aKumaran K
 
IRJET- A Work Paper on Email Server using 3DES
IRJET- A Work Paper on Email Server using 3DESIRJET- A Work Paper on Email Server using 3DES
IRJET- A Work Paper on Email Server using 3DESIRJET Journal
 
Secure Checkpointing Approach for Mobile Environment
Secure Checkpointing Approach for Mobile EnvironmentSecure Checkpointing Approach for Mobile Environment
Secure Checkpointing Approach for Mobile Environmentidescitation
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Paula Januszkiewicz
 
maxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingmaxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingMax Kleiner
 
IRJET - Hash Functions and its Security for Snags
IRJET - Hash Functions and its Security for SnagsIRJET - Hash Functions and its Security for Snags
IRJET - Hash Functions and its Security for SnagsIRJET Journal
 

Similar a Mobile Email Security (20)

Final report
Final reportFinal report
Final report
 
Application of Machine Learning in Cybersecurity
Application of Machine Learning in CybersecurityApplication of Machine Learning in Cybersecurity
Application of Machine Learning in Cybersecurity
 
Open source Tools and Frameworks for M2M - Sierra Wireless Developer Days
Open source Tools and Frameworks for M2M - Sierra Wireless Developer DaysOpen source Tools and Frameworks for M2M - Sierra Wireless Developer Days
Open source Tools and Frameworks for M2M - Sierra Wireless Developer Days
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
IRJET- Anchoring of Cloud Information under Key Presentation
IRJET- Anchoring of Cloud Information under Key PresentationIRJET- Anchoring of Cloud Information under Key Presentation
IRJET- Anchoring of Cloud Information under Key Presentation
 
Application Security
Application SecurityApplication Security
Application Security
 
Toorcon - Purple Haze: The Spear Phishing Experience
Toorcon - Purple Haze: The Spear Phishing ExperienceToorcon - Purple Haze: The Spear Phishing Experience
Toorcon - Purple Haze: The Spear Phishing Experience
 
Web application security
Web application securityWeb application security
Web application security
 
CGI.ppt
CGI.pptCGI.ppt
CGI.ppt
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call Flow
 
The TCP/IP stack in the FreeBSD kernel COSCUP 2014
The TCP/IP stack in the FreeBSD kernel COSCUP 2014The TCP/IP stack in the FreeBSD kernel COSCUP 2014
The TCP/IP stack in the FreeBSD kernel COSCUP 2014
 
The TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux KernelThe TCP/IP Stack in the Linux Kernel
The TCP/IP Stack in the Linux Kernel
 
C,c++ interview q&a
C,c++ interview q&aC,c++ interview q&a
C,c++ interview q&a
 
IRJET- A Work Paper on Email Server using 3DES
IRJET- A Work Paper on Email Server using 3DESIRJET- A Work Paper on Email Server using 3DES
IRJET- A Work Paper on Email Server using 3DES
 
Secure Checkpointing Approach for Mobile Environment
Secure Checkpointing Approach for Mobile EnvironmentSecure Checkpointing Approach for Mobile Environment
Secure Checkpointing Approach for Mobile Environment
 
Embedded C - Lecture 2
Embedded C - Lecture 2Embedded C - Lecture 2
Embedded C - Lecture 2
 
Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018Gartner Security & Risk Management Summit 2018
Gartner Security & Risk Management Summit 2018
 
maxbox starter72 multilanguage coding
maxbox starter72 multilanguage codingmaxbox starter72 multilanguage coding
maxbox starter72 multilanguage coding
 
IRJET - Hash Functions and its Security for Snags
IRJET - Hash Functions and its Security for SnagsIRJET - Hash Functions and its Security for Snags
IRJET - Hash Functions and its Security for Snags
 

Último

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 

Último (20)

unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 

Mobile Email Security

  • 1. Team-9 Anirudh Gaur (B.Tech) Rahul Sihag (B.Tech) Bharatram Natarajan (M.Tech) Sanjay Bankapur (M.Tech)
  • 2. Introduction  SoftCorp is an emerging software development company and aims at leadership position in the upcoming mobile computing market by developing cutting edge products that address the entire range of handheld user needs.  SoftCorp product development team had worked on office applications such as text processors, image editors, and even a small spreadsheet application.  Team was quite clear that to develop a good email client for the PDAs/Mobile devices by which  Addressing the world that SoftCorp is arrived into the PDA software market, and  By development of this product would also help them to get more familiar with the handheld programming environment.  After brainstorming, the team listed all the required features and they found the product called “EazeeMail” by their competitor KurApps. Team has decided to use this product as a benchmark for developing of Mobile Email Client (MEC).  SoftCorp team found that EazeeMail didn‟t support multimedia based email such as support for audio clips, pictures etc. They decided that they will try to provide support for the multimedia emails.
  • 3. Topics to cover  Identify and specify various security requirements by using use/abuse case diagram.  For the identified security requirements indentify potential vulnerabilities and threats for this system.  Identify the security loop holes from the given fragmented codes.  Identify at-least 4 design patterns that can be used to enhance the security for this product.  By taking any 1 use cases related to email functionality, will perform thread modelling and generate threat tree for the same.  Does SoftCorp requires redesigning of the product to ensure all security?
  • 4. Security Requirements Assets: •Data like Email content, User login credentials, User account information, Configuration file, Email client code. •Email Server. •Handheld devices.
  • 5.  The need for prevention of virus, malicious software which if present in the handheld devices will result in the confidentiality, integrity, privacy violation.  The need for securing the connection between the client and the email server in order to maintain data confidentiality, integrity, privacy.  The need for preventing spam mails in order not to overload the server and handheld devices.  The need for preventing phishing in email in order to protect the customer details and maintaining their trust, privacy.  The need for protecting the mobile email client code for maintaining integrity constraint and confidentiality constraint, privacy.  The need for protecting the configuration file from being accessed by anyone except the mobile email client for maintaining confidentiality, integrity.
  • 6. Security Threats & Vulnerabilities  Virus - Responsible for destructive payloads, destroying data and bringing down entire mail systems. E.g.: Internet Worms, Mass mailer viruses tend to stay longer even if antivirus products have included protection against them in their products leading to loss of money, resources ,effort to recover from such incidents, loss of productivity, corrupt or lost data, loss of user confidence.  Phishing (Identify Theft) – It targets the customers of financial institutions and high- profile online retailers by luring them to spoofed websites and give their credentials. This leads to personal information revelation to other people thereby violating the confidentiality of the data.  Spam – It bring down system availability and also can carry viruses, malicious code and fraudulent solicitations for private information. It overloads network and server resources.  Adversary who are eavesdropping on the channel between the client and the email server, capturing the data and modifying the data according to his need and resending again.
  • 7. Solutions to Threats  Use of anti-virus software which will remove virus, malware program and un-trusted program, anti spam solution like blacklist the list of spam users rather than deleting the mails every time the mail comes, enabling the email spam filter and anti phishing solutions like Caller ID by Microsoft, Sender Policy Framework by Meng Wong, Domain Keys by Yahoo etc.  Use of secure protocol like SSL(Secure Socket Layer).  The wrapping of client code, configuration file with anti-virus software, anti-spam solution, anti-phishing solution which will act as the firewall for the client code.
  • 8. Security Code Issue & Correction Fragment 1 void f(char *src1, char* src2) Threat of changing both src1 and src2 in this function { char dest[DEST_SIZE]; // check to make sure first string fits if (strlen(src1) > sizeof(dest)) return; strcpy(dest, src1); // copy as much of the second string as will fit strncat(dest, src2, sizeof(dest)); strncpy() and strncat() functions are a source of buffer ... overflow vulnerabilities. } void f(const char *src1, const char* src2) { char dest[DEST_SIZE]; // check to make sure first string fits if (strlen(src1) > sizeof(dest)) return; strncpy_s and strcat_s functions are strcpy_s(dest, src1); secure for buffer vulnerabilities. // copy as much of the second string as will fit strncat_s(dest, src2, sizeof(dest)); ... }
  • 9. Fragment 2: void *ConcatBytes(void *buf1, size_t len1, char *buf2, size_t len2) { void *buf = malloc(len1 + len2); if (buf == NULL) return; // allocation failed Threat of changing both buf1 and buf2in this function memcpy(buf, buf1, len1); memcpy(buf + len1, buf2, len2); ... Void pointers can store any data type & hence data type } mismatch will occur with memcpy. void *ConcatBytes(const void *buf1, size_t len1, const char *buf2, size_t len2) { void *buf = malloc(len1 + len2); if (buf == NULL) return; // allocation failed memcpy_s(buf, len1, buf1, len1); memcpy_s(buf + len1, len2 buf2, len2); ... }
  • 10. Fragment 3: #define MAX_BUFF (64) BYTE bBuff[MAX_BUFF]; DWORD cbBuff = 0; Functions return value is not verified … to check status of request // Determine how much data // to read RegQueryValueEx ( hKey, NULL, NULL, NULL,&cbBuff ); ... // Read ALL the data!!! Not verifying if cbBuff is greater RegQueryValueEx ( hKey, NULL, NULL, bBuff, &cbBuff ); than MAX_BUFF … #define MAX_BUFF (64) BYTE bBuff[MAX_BUFF]; DWORD cbBuff = 0; … // Determine how much data // to read If(RegQueryValueEx ( hKey, NULL, NULL, NULL,&cbBuff ) > 0) { ... If(cbBuff>MAX_BUFF) bBuff=new BYTE[cbBuff]; // Read ALL the data!!! RegQueryValueEx ( hKey, NULL, NULL, bBuff, &cbBuff ); } …
  • 11. Fragment 4: … SqlConnection sql = new SqlConnection( @”data source = localhost;” + “userid = sa;password = password;” ); String sql = “select * from client where name = „” + name + “‟”; … Both UserId and Password values should Threat of SQL Injection not be hard coded in the code. Values should be read from the configuration file. … String id=getUserId(); String pass=getPasswd(); SqlConnection sql = new SqlConnection( @”data source = localhost;” + “userid = ” +id+ “;password=” + pass+ “;” ); String sql = “select * from client where name = „” + name + “‟”; If(checkSyntax(sql) < 0) return; …
  • 12. Secure Design Patterns Thin client: process centrally, present locally  Sensitive data stays centralised in hardened bunkers, with remote devices allowed views of it via thin-client terminal applications.  network access is required, thin client doesn't support offline use.  The advantage of thin client is that data never leaves the server - it is only rendered on the endpoint. For additional security, IT can restrict host copy-and-paste operations, limit data transfers, and require strong or two-factor authentication using SecureID or other tokens.
  • 13. Thin device: replicated data, with device-kill for insurance  Point-purpose devices like smartphones, for example, can keep only limited amounts of sensitive information on them. The information they keep is replicated, with master copies stored in data-centres.  Because of their size, storage capacity, and comparatively modest processing power, application is limited to e- mail rather than general data processing.  Using native management tools or third-party mobile device platforms like Sybase, smartphone security policies that can typically be imposed include backup and enforced encryption.
  • 14. Protected process: local information processing in a secure "bubble"  It allows data to be processed locally.  Sensitive information sits inside a compartmentalised processing environment that is separated from the user's local operating system environment - whose security and backup properties are controlled by IT.  The protected process pattern has many advantages: local execution, offline operation, central management, and a high degree of granular security control, including remote wipe.
  • 15. Protected data: documents protect themselves regardless of location  Technologies like enterprise rights management enshrine access rules into documents directly.  These rules, which rely on cryptography to enforce, apply no matter where the document rests - a key advantage.  Of all the patterns in the Zero Trust data security strategy, protected data is the most fine-grained and effective because it focuses on the information, not its containers.
  • 16. Suggestion SoftCorp should not go for complete redesign, since complete code is already done. Hence below strategy can be used for security review of the product:-  Threat Modelling  Test Planning  Test Execution  Security Bug Fixing Applicable Tests:  Authentication Testing  Input Validation Testing  Session Management Testing  Encryption Testing  Application Testing
  • 17. Benefits of Threat Modelling These are some benefits of threat modelling:-  Complex design level security bugs can be easily identified if we incorporate the threat modelling.  More over multi-step security bugs (several small failures combining to form a disaster) are best found using threat modelling.  it also will also help us to understand our application better, since we would spend time analysing the makeup of the application in a relatively structured manner.  It yields useful documents which the testing team could use to test against.
  • 18. Threat Modelling Process: 1. Identify Security Objectives 2. Create an Application Overview 3. Application Decomposition 4. Identify Threats 5. Mitigation Measures
  • 19. Use Case: Sending an e-mail Security Objectives: Confidentiality (No Eavesdropping) – Any third person having access to my network should not be able to read my mail. Privacy - Information may be used to tell in which city you are located or even to find out what your address is in some cases. No Spam and Unwanted Email Integrity (No Tampering) - No data should be modified during the transmission of an email. Non-repudiation
  • 20. Application Overview Users - Senders with authenticated account at email provider Technologies - Network : Wireless network Protocol : SMTP (Simple Mail Transport Protocol) Description - 1. Compose an email 2. Press the send button
  • 22. Threats (1) Disclosure of Information: Most of emails are transmitted in the clear (not encrypted) text. By means of some available tools, persons other than the designated recipients can sniff the packets and can read the email contents. Email messages are stored on SMTP servers in plain, unencrypted text. Backups of the data on these servers may be made at any time and administrators can read any of the data on these machines. (2) Modification of messages: Email contents can be modified during transport or storage.
  • 23. (3) Repudiation: Because normal email messages can be forged, there is no way for you to prove that someone sent you a particular message. This means that even if someone DID send you a message, they can successfully deny it. (4) Identity Theft: If someone can obtain the username and password that you use to access your email servers, they can read your email and send false email messages as you.
  • 24. Threat Tree Figure: Attack Tree for Information Disclosure
  • 25. Mitigation Encrypting an EMAIL message Encrypt the message before sending. Use encryption algorithms like authenticated Diffi- Hellman key exchange or RSA Algorithm. This solves the problem of eavesdropping and Disclosure of Information
  • 26. Encrypting the TRANSMISSION or RECEIPT of an email (SMTP/POP/IMAP over SSL/TLS) While connecting to mail server (whether sending or receiving), email credentials (username and password) are encrypted, protecting them from being intercepted by malicious users as they traverse the internet from email client to mail server.
  • 27. Security with Escrow Encryption Escrow encryption uses a trusted “encryption middleman” to provide the same security offered by asymmetric key encryption, but with universal compatibility. The sender ands receiver connects to the middleman’s web mail portal on a secure SSL connection. There will be no information disclosure in communication channel and no identity theft as both sender and receiver are on secure SSL connection. There will be no repudiation as the middleman validates the sender. The middleman encrypts the message and stores it on his server. Therefore no one can modify the message because it never leaves the middleman’s server and it will be secure even in backups.