Monday, November 12, 2007

POP3 and (password) security... (Part 2)

After writing "POP3 and (password) security", I received a few e-mails asking me about the potential consequences of someone knowing (learning) your e-mail password.

Well, it depends on the (e-mail) system. The most obvious consequence is that someone other than you can now read your e-mail. Every one of us has to decide whether that is bad, and how bad.

<funny mode = "on">
Personally I wish someone would guess my password and read my e-mail in hopes of this person responding to some of them instead of me... ;-) ...
</funny>

The next thing we have to ask ourselves is: where else do we use this same username and password? At a time when single sign-on systems are more and more popular, one password is used to access your e-mail and other (corporate) systems that might be holding sensitive data.

Last but not least, and a too often underestimated consequence: some e-mail systems are configured (some of them by default) to allow relaying of any e-mail if the client successfully authenticates.

What is e-mail relaying?
In general, e-mail servers will only accept inbound e-mail messages where the "Mail to:" ("rcpt to:") field matches a domain name that the e-mail server is "responsible" for. In my case this would be anything ending with "@krneki.net". E-mail messages with a destination address other than "@krneki.net" should get rejected.

Knowing a username and password would allow anyone to authenticate against the e-mail server (SMTP service) and submit messages destined to any other domain, such as "@gmail.com", making the server accept them and relay them on to other e-mail servers.

This is bad for a few reasons:
  • It will consume all available resources (e.g. hard disk space)
  • It is very likely that your public IP address will end up on a spam list (black list), preventing delivery of your legitimate e-mail messages to your partners and customers

Such attacks against e-mail servers are not uncommon and are popular enough to get mentioned on Wikipedia!
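
As an added example (not from the original post), here is a small Python check for the relay abuse described above: it reads submission-log lines for authenticated accounts and flags any account relaying to an unusual number of outside recipients or domains. The log format, the account names and the thresholds are constructed for this example; krneki.net is the local domain from the post.

```python
import re
from collections import defaultdict

# Domain this server is responsible for (taken from the post).
LOCAL_DOMAIN = "krneki.net"

# Constructed sample submission log, one line per accepted recipient. The
# format is invented for this example and is not any real server's log format.
SAMPLE_LOG = """\
11:02:01 auth=bob from=bob@krneki.net rcpt=ana@krneki.net
11:02:09 auth=bob from=bob@krneki.net rcpt=partner@example.com
11:05:13 auth=alice from=alice@krneki.net rcpt=x1@gmail.com
11:05:13 auth=alice from=alice@krneki.net rcpt=x2@hotmail.com
11:05:14 auth=alice from=alice@krneki.net rcpt=x3@yahoo.com
11:05:14 auth=alice from=alice@krneki.net rcpt=x4@aol.com
11:05:15 auth=alice from=alice@krneki.net rcpt=x5@example.org
11:05:15 auth=alice from=alice@krneki.net rcpt=x6@example.net
"""

LINE_RE = re.compile(r"auth=(\S+) from=\S+ rcpt=[^@\s]+@(\S+)")

def relay_stats(log_text, local_domain=LOCAL_DOMAIN):
    """Per authenticated account: how many recipients were outside
    local_domain (i.e. relayed) and which external domains were hit."""
    stats = defaultdict(lambda: {"external": 0, "domains": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a recipient record
        user, rcpt_domain = m.group(1), m.group(2).lower()
        if rcpt_domain == local_domain:
            continue  # local delivery: the server is responsible for this domain
        stats[user]["external"] += 1
        stats[user]["domains"].add(rcpt_domain)
    return dict(stats)

def suspicious_relayers(log_text, max_external=5, max_domains=3):
    """Accounts relaying more messages, or to more distinct outside domains,
    than the thresholds allow. The thresholds are assumptions; tune them to
    what is normal for your own users."""
    return sorted(user for user, s in relay_stats(log_text).items()
                  if s["external"] > max_external or len(s["domains"]) > max_domains)

if __name__ == "__main__":
    for user, s in relay_stats(SAMPLE_LOG).items():
        print(user, s["external"], sorted(s["domains"]))
    print("suspicious:", suspicious_relayers(SAMPLE_LOG))  # suspicious: ['alice']
```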

Wednesday, November 7, 2007

KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e) in fw.sys

I received these dump files from our customer. Unfortunately there seems to be something wrong with the dump file itself, and I had a bit of trouble getting the necessary information out of it.

Computer in trouble:
Windows Server 2003 Kernel Version 3790 (Service Pack 2) MP (2 procs) Free x86 compatible
Product: Server, suite: TerminalServer SingleUserTS
Built by: 3790.srv03_sp2_rtm.070216-1710
Kernel base = 0x80800000 PsLoadedModuleList = 0x808af9c8
Debug session time: Wed Oct 31 11:46:37.968 2007 (GMT+1)
System Uptime: 0 days 0:01:33.781


Error reported by the computer:
KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)

!analyze -v returns the following information:
STACK_COMMAND: .bugcheck ; kb
FOLLOWUP_IP:
fw+288aeb
f66b6aeb 0c8b            or      al,0x8b
FAULTING_SOURCE_CODE:
FOLLOWUP_NAME: MachineOwner
SYMBOL_NAME: fw+288aeb
MODULE_NAME: fw
IMAGE_NAME: fw.sys <-- It looks like the fw.sys driver is causing the problems
DEBUG_FLR_IMAGE_TIMESTAMP: 45214c7f
FAILURE_BUCKET_ID: 0x8E_fw+288aeb
BUCKET_ID: 0x8E_fw+288aeb
Followup: MachineOwner


STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
808a3600 80839b02 00000000 0000000e 00000000 intelppm+0x2ca2
808a3604 00000000 0000000e 00000000 00000000 nt!KiIdleLoop+0xa

Let's take a look at the registers:
0: kd> r
eax=6029c494 ebx=ffdffee0 ecx=ffdffee0 edx=00000041 esi=ffdffec0 edi=867edd70
eip=f75d9ca2 esp=808a35e4 ebp=808a3600 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000206
intelppm+0x2ca2:
f75d9ca2 01895104fbf4 add [ecx+0xf4fb0451],ecx ds:0023:f4db0331=????????

I am not sure if this is an actual dump file problem or something else. The analysis states that fw.sys caused the problem, but in STACK_TEXT and in the registers we can spot intelppm+0x2ca2 (the intelppm.sys driver). intelppm.sys is Microsoft's processor device driver... :-). OK, let's say I am willing to give WinDBG the benefit of the doubt... :-)

Let's get some more information about fw.sys:
0: kd> lm v m fw*
start end module name
f642e000 f69ceb20 fw (no symbols)
Loaded symbol image file: fw.sys
Image path: fw.sys
Image name: fw.sys
Timestamp: Mon Oct 02 19:29:35 2006 (45214C7F) <-- Could be a bit old...
CheckSum: 005ACF67
ImageSize: 005A0B20
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

And for intelppm.sys:
0: kd> lm v m intel*
start end module name
f75d7000 f75e6000 intelppm T (no symbols)
Loaded symbol image file: intelppm.sys
Image path: intelppm.sys
Image name: intelppm.sys
Timestamp: unavailable (FFFFFFFE) <-- Hmmm... ?
CheckSum: missing <-- Hmmm, this shouldn't be missing
ImageSize: 0000F000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
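
Added example, not from the original post: a few lines of Python that cross-check the !analyze verdict (fw+288aeb) against the module ranges from the lm output above, so you can see which listed driver a given address (eip, or a return address on the stack) actually lies in. The lm lines and addresses are the ones from the dump; the helper functions and their names are mine.

```python
import re

# Matches the "start end module ..." lines printed by WinDBG's lm command.
LM_LINE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)", re.IGNORECASE)

# The two module lines from the lm output in the post.
LM_OUTPUT = """\
f642e000 f69ceb20 fw (no symbols)
f75d7000 f75e6000 intelppm T (no symbols)
"""

def parse_lm(text):
    """Map module name -> (start, end) from lm-style lines."""
    modules = {}
    for line in text.splitlines():
        m = LM_LINE.match(line.strip())
        if m:
            modules[m.group(3)] = (int(m.group(1), 16), int(m.group(2), 16))
    return modules

def module_for(addr, modules):
    """Return 'module+0xoffset' for the range containing addr, or None when the
    address is in no listed module (e.g. the nt kernel, absent from LM_OUTPUT)."""
    for name, (start, end) in modules.items():
        if start <= addr < end:
            return f"{name}+0x{addr - start:x}"
    return None

def resolve_symbol(sym, modules):
    """Turn a 'fw+288aeb' style symbol from !analyze back into an address."""
    name, _, off = sym.partition("+")
    start, end = modules[name]
    addr = start + int(off, 16)
    if not start <= addr < end:
        raise ValueError(f"{sym} lies outside the module image")
    return addr

MODULES = parse_lm(LM_OUTPUT)
EIP = 0xF75D9CA2      # eip from the 'r' output above
FRAME0 = 0x80839B02   # return address in the first STACK_TEXT frame

if __name__ == "__main__":
    print("eip is in", module_for(EIP, MODULES))                        # intelppm+0x2ca2
    print("fw+288aeb is", hex(resolve_symbol("fw+288aeb", MODULES)))   # 0xf66b6aeb
    print("frame return is in", module_for(FRAME0, MODULES))           # None (nt, not listed)
```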

The fw.sys driver belongs to the Check Point firewall.

I checked for any updates on Check Point's website and knowledge base, where they do list a few problems/solutions related to fw.sys and blue screens. Unfortunately Check Point seemed to have some connectivity problems between their front-end and back-end servers and I was not able to see any of the solutions... At this point I turned the case over to our in-house Check Point experts... :-)

Monday, November 5, 2007

POP3 and (password) security

This is one of the most common "security misunderstandings", and I see it very often.

Whenever I am setting up e-mail servers and enabling web access, there is always a long and hard discussion on security. At this point customers are usually worried about the protection of their servers and of the usernames and passwords that will be sent over the internet. The obvious solution is SSL, or even better TLS, which ensures that usernames, passwords and e-mail content are transferred between the client computer and the e-mail server in a secure (encrypted) way.

After this is done, I often get the strangest request possible: enable and open POP3 and/or IMAP access to the server... and with this one simple sentence all the security planning and considerations are gone.

What I can't really understand is why almost everyone thinks about security, SSL and encryption when it comes to web access, yet no one associates the same security risks with the POP3, IMAP and SMTP protocols and the transfer of passwords over them.


Username and password are often sent in clear text (picture above)

POP3 is not some magical protocol that encrypts anything by itself. Yes, it is possible to set POP3 up in a secure way (POP3S, IMAPS), but it requires a bit more work compared to HTTPS and web access.

With web access you don't have to configure the clients, while with POP3 and IMAP you have to set the clients up to use the secure protocols so that usernames and passwords are sent in encrypted form. There is also an option that will protect (encrypt) the content of the e-mail while it is being downloaded from the server.

Content is also often transferred without protection... (picture above)

None of this is done by default, and most ISPs work in this manner! Even in closed (corporate) environments it can be challenging to configure a couple of hundred, if not thousands, of clients. Most environments will have a hard time switching from insecure to secure protocols (e.g. POP3 to POP3S) because of the extra configuration of the clients, possible downtime or even application incompatibilities. This is why it is extremely important to set up services and networks in a secure way in the first place.
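
An added example, not part of the original post: a Python audit of a captured plaintext POP3 session on port 110 that reports what an eavesdropper sees (the username, whether a password went over the wire) and whether the client ignored a server-offered STLS upgrade. Both sessions are constructed; STLS (TLS started on port 110 after a CAPA check) is not mentioned in the post and is my addition.

```python
# "C" lines are sent by the client, "S" lines by the server; both sessions are
# constructed for this example and are not real captures.
SESSION_CLEAR = [
    ("S", "+OK POP3 server ready"),
    ("C", "CAPA"),
    ("S", "+OK"),
    ("S", "STLS"),
    ("S", "USER"),
    ("S", "."),
    ("C", "USER alice"),
    ("S", "+OK"),
    ("C", "PASS s3cret"),
    ("S", "+OK Logged in."),
]

# Same client, but it upgrades to TLS first; the login then happens inside TLS.
SESSION_STLS = SESSION_CLEAR[:6] + [
    ("C", "STLS"),
    ("S", "+OK Begin TLS negotiation"),
    ("C", "USER alice"),   # ciphertext on the wire from here on; unreadable
    ("C", "PASS s3cret"),
]

def audit_pop3_session(session):
    """Report what an eavesdropper on port 110 learns from this session."""
    f = {"user": None, "password_exposed": False,
         "stls_offered": False, "stls_ignored": False}
    in_capa = stls_pending = False
    for who, line in session:
        verb, _, arg = line.partition(" ")
        if who == "C":
            verb = verb.upper()
            in_capa = verb == "CAPA"        # server's capability list follows
            stls_pending = verb == "STLS"   # server's +OK would start TLS
            if verb == "USER":
                f["user"] = arg
            elif verb == "PASS":
                f["password_exposed"] = True
            continue
        if in_capa:
            if line == ".":
                in_capa = False
            elif line.upper() == "STLS":
                f["stls_offered"] = True
        elif stls_pending and line.startswith("+OK"):
            break   # TLS handshake follows; nothing after this is readable
    f["stls_ignored"] = f["stls_offered"] and f["password_exposed"]
    return f
```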

There is another situation to consider, and it is an important one for roaming users. If you move from your network to a network where you are a guest, you might only be allowed access to some basic protocols such as HTTP, HTTPS, SMTP and POP3, but not POP3S. POP3 by default runs on TCP port 110 while POP3S by default runs on TCP port 995, which might not be open on a guest network, preventing roaming users from accessing their e-mail. This is a more common problem than one might expect.