1 00:00:02,050 --> 00:00:04,179 Email, now, is one of the most important
2 00:00:04,180 --> 00:00:06,100 online services that we use.
3 00:00:06,330 --> 00:00:07,120 For most people
4 00:00:07,200 --> 00:00:09,859 it can be a single point of security failure,
5 00:00:09,860 --> 00:00:12,690 because many of our accounts are linked to it.
6 00:00:13,450 --> 00:00:15,930 If you have an email compromise,
7 00:00:16,370 --> 00:00:19,600 your associated accounts are also compromised.
8 00:00:20,090 --> 00:00:22,129 Private information will be compromised,
9 00:00:22,130 --> 00:00:26,009 including your name, address, contacts,
10 00:00:26,010 --> 00:00:27,919 friends and anything else
11 00:00:27,920 --> 00:00:31,360 that’s associated or stored within your email.
12 00:00:32,060 --> 00:00:33,739 It’s obvious to most people
13 00:00:33,740 --> 00:00:35,880 why email security is important,
14 00:00:36,200 --> 00:00:41,549 but email unfortunately is fundamentally broken,
15 00:00:41,550 --> 00:00:43,400 as far as security is concerned,
16 00:00:43,750 --> 00:00:45,550 and it cannot be fixed.
17 00:00:45,950 --> 00:00:49,939 All we can do is keep putting sticky plasters on it.
18 00:00:49,940 --> 00:00:53,880 Plasters which, unless everyone else adopts,
19 00:00:53,920 --> 00:00:55,400 which is pretty much the same as
20 00:00:55,560 --> 00:00:57,230 changing email completely,
21 00:00:57,500 --> 00:00:58,879 we’re just not going to fix
22 00:00:58,880 --> 00:01:01,530 these security problems that are inherent in email.
23 00:01:01,820 --> 00:01:05,550 Email is from a time when security wasn't thought of.
24 00:01:05,760 --> 00:01:08,510 But we continue to use email
25 00:01:08,560 --> 00:01:10,720 because it is ubiquitous,
26 00:01:10,780 --> 00:01:13,020 everybody has an email address now.
27 00:01:13,480 --> 00:01:14,999 If everyone suddenly switched
28 00:01:15,000 --> 00:01:18,240 to a secure messaging alternative tomorrow,
29 00:01:18,460 --> 00:01:19,740 the problem would be solved.
30 00:01:20,090 --> 00:01:22,110 But because that’s not going to happen,
31 00:01:22,300 --> 00:01:23,849 we are stuck with a broken
32 00:01:23,850 --> 00:01:26,010 messaging system called email.
33 00:01:26,670 --> 00:01:29,210 This means you will need to convince others
34 00:01:29,450 --> 00:01:31,340 to adopt encryption technology
35 00:01:31,680 --> 00:01:34,120 if you want to communicate with them privately.
36 00:01:34,430 --> 00:01:35,630 You can't do it on your own.
37 00:01:36,460 --> 00:01:37,400 Let's take it from the beginning.
38 00:01:37,401 --> 00:01:40,399 So there are two ways to access email.
39 00:01:40,400 --> 00:01:43,130 First, you’ve got your web browser
40 00:01:43,320 --> 00:01:47,290 using functionality like HTML5 and JavaScript.
41 00:01:47,470 --> 00:01:50,429 And probably most people now think of that as email,
42 00:01:50,430 --> 00:01:52,379 that is the most common way
43 00:01:52,380 --> 00:01:54,219 that people tend to access email,
44 00:01:54,220 --> 00:01:56,750 you know, via Gmail or Yahoo Mail.
45 00:01:57,690 --> 00:02:00,919 But the second way that is used is an email client,
46 00:02:00,920 --> 00:02:05,850 which is something like Thunderbird, or Claws, or Outlook,
47 00:02:05,900 --> 00:02:07,850 which people might commonly use at work.
48 00:02:08,170 --> 00:02:10,030 You have Mac Mail,
49 00:02:10,490 --> 00:02:11,799 or you have the mail apps
50 00:02:11,800 --> 00:02:14,640 that you get on your cell and mobile phones.
51 00:02:14,870 --> 00:02:16,320 Those are all email clients.
52 00:02:16,920 --> 00:02:18,539 And most email providers will allow you
53 00:02:18,540 --> 00:02:21,700 to use both methods, the webmail access
54 00:02:21,980 --> 00:02:23,090 and the email client.
55 00:02:23,780 --> 00:02:28,960 With webmail, you access via HTTPS, port 443,
56 00:02:29,380 --> 00:02:32,290 which is running SSL and TLS encryption,
57 00:02:32,570 --> 00:02:33,810 or at least you should be,
58 00:02:34,210 --> 00:02:36,370 that is the standard solution for most people.
59 00:02:36,610 --> 00:02:38,599 If you’re not, then it’s extremely insecure,
60 00:02:38,600 --> 00:02:42,190 but really, almost all webmail will be encrypted
61 00:02:42,550 --> 00:02:46,870 using HTTPS, port 443, SSL/TLS.
62 00:02:47,330 --> 00:02:49,599 You authenticate that server,
63 00:02:49,600 --> 00:02:50,960 that the server is genuine,
64 00:02:51,160 --> 00:02:54,840 via a certificate as is normal with HTTPS,
65 00:02:55,200 --> 00:02:58,620 and the client is authenticated usually with a password.
66 00:02:59,070 --> 00:02:59,820 And if you can,
67 00:02:59,821 --> 00:03:01,710 you should change your authentication method
68 00:03:02,030 --> 00:03:03,900 to be Two Factor Authentication,
69 00:03:04,220 --> 00:03:05,999 as this mitigates password attacks
70 00:03:06,000 --> 00:03:08,260 as we’ve discussed in the Password section.
71 00:03:08,940 --> 00:03:10,189 You should find an email provider
72 00:03:10,190 --> 00:03:12,330 that offers Two Factor Authentication.
73 00:03:13,540 --> 00:03:14,720 If you only use webmail,
74 00:03:15,170 --> 00:03:17,930 then emails are only stored on the server.
75 00:03:19,000 --> 00:03:20,990 And then we have the email client.
76 00:03:21,100 --> 00:03:24,640 With an email client, there are a number of protocols
77 00:03:25,130 --> 00:03:28,640 and port options for both sending and receiving email.
78 00:03:29,080 --> 00:03:31,770 So the options when it comes to receiving mail
79 00:03:32,120 --> 00:03:36,210 are: you have IMAP port 143, which is unencrypted,
80 00:03:36,550 --> 00:03:41,260 you have POP port 110, which is unencrypted;
81 00:03:41,620 --> 00:03:43,100 you don't want to use these.
82 00:03:43,440 --> 00:03:46,390 If you care anything about your email security,
83 00:03:46,920 --> 00:03:50,399 receiving emails, then you don't want to use these,
84 00:03:50,400 --> 00:03:53,499 and most providers now either don't provide them,
85 00:03:53,500 --> 00:03:55,690 or provide encrypted alternatives.
86 00:03:56,400 --> 00:03:59,720 And those alternatives are IMAP port 993,
87 00:04:00,080 --> 00:04:02,520 which is running SSL/TLS encryption
88 00:04:02,890 --> 00:04:07,120 with certificate-based server-side authentication,
89 00:04:07,610 --> 00:04:08,880 like with a website,
90 00:04:09,160 --> 00:04:12,750 and you have POP3 on port 995,
91 00:04:13,370 --> 00:04:16,280 running the same SSL/TLS encryption
92 00:04:16,730 --> 00:04:20,300 with, again, certificate-based server-side authentication.
93 00:04:20,940 --> 00:04:21,880 And those are the two that
94 00:04:21,881 --> 00:04:24,320 you want to go after for receiving email:
95 00:04:24,690 --> 00:04:29,560 IMAP port 993 and POP3 port 995.
96 00:04:29,960 --> 00:04:31,619 Now, some email providers
97 00:04:31,620 --> 00:04:33,940 may put those on different ports,
98 00:04:34,020 --> 00:04:36,810 but those are the de facto port numbers.
99 00:04:37,300 --> 00:04:38,989 But what is important is that
100 00:04:38,990 --> 00:04:42,220 they are both running SSL and TLS.
101 00:04:42,890 --> 00:04:43,710 Now, when it comes to the difference
102 00:04:43,711 --> 00:04:45,160 between IMAP and POP,
103 00:04:45,640 --> 00:04:49,050 of the two, IMAP is the popular option
104 00:04:49,290 --> 00:04:50,599 when you need to check your emails
105 00:04:50,600 --> 00:04:53,789 from multiple devices, such as a laptop,
106 00:04:53,790 --> 00:04:55,230 phone, tablet and so on,
107 00:04:55,680 --> 00:04:58,230 because the emails are synced using IMAP
108 00:04:58,650 --> 00:05:00,890 with the server and all devices.
109 00:05:01,590 --> 00:05:03,880 All devices retain copies
110 00:05:04,380 --> 00:05:06,400 with the server having the master copy.
111 00:05:06,790 --> 00:05:08,370 This is the most convenient
112 00:05:08,670 --> 00:05:11,280 and what most people will be used to using.
113 00:05:11,620 --> 00:05:15,219 POP3, alternatively, downloads emails
114 00:05:15,220 --> 00:05:18,210 from the server to a single email client,
115 00:05:18,500 --> 00:05:20,800 then deletes the emails from the server.
116 00:05:21,190 --> 00:05:22,699 Because your messages get downloaded
117 00:05:22,700 --> 00:05:24,149 to a single email client,
118 00:05:24,150 --> 00:05:25,630 and then deleted from the server,
119 00:05:25,970 --> 00:05:28,390 it can appear that the mail is missing,
120 00:05:28,730 --> 00:05:30,840 or has disappeared from your inbox,
121 00:05:31,030 --> 00:05:32,239 if you try to check your mail
122 00:05:32,240 --> 00:05:34,590 from a different email client or webmail.
123 00:05:35,120 --> 00:05:36,910 But you may want this for security though,
124 00:05:37,210 --> 00:05:39,610 to have no emails stored on the server.
125 00:05:40,310 --> 00:05:42,570 If you’re worried about people accessing the server,
126 00:05:42,940 --> 00:05:43,940 use POP3.
127 00:05:44,410 --> 00:05:46,490 If you’re worried about people accessing your laptop,
128 00:05:46,780 --> 00:05:48,800 store on the server and the client with IMAP.
129 00:05:49,830 --> 00:05:50,750 Then we have the protocols
130 00:05:50,751 --> 00:05:53,440 for sending emails with an email client.
131 00:05:53,950 --> 00:05:57,410 We have SMTP port 25,
132 00:05:57,870 --> 00:06:01,900 which is the original unencrypted port to use;
133 00:06:02,090 --> 00:06:04,649 you don't want to use this if you care about
134 00:06:04,650 --> 00:06:07,600 your emails and sending your emails and privacy.
135 00:06:08,480 --> 00:06:11,610 Then you have something called STARTTLS,
136 00:06:11,690 --> 00:06:14,560 which is usually on port 587.
137 00:06:14,910 --> 00:06:17,930 And that is for using SSL/TLS encryption.
138 00:06:18,490 --> 00:06:22,079 And then you have SMTP port 465,
139 00:06:22,080 --> 00:06:24,830 which again is SSL/TLS encrypted.
140 00:06:25,330 --> 00:06:27,470 You want to use, when it’s possible,
141 00:06:27,940 --> 00:06:32,450 SMTP port 465 with the SSL/TLS.
142 00:06:32,820 --> 00:06:37,290 STARTTLS on 587 is more susceptible
143 00:06:37,480 --> 00:06:39,180 to man-in-the-middle attacks.
144 00:06:39,520 --> 00:06:45,140 So go with the SMTP port 465, SSL/TLS option.
145 00:06:46,160 --> 00:06:48,610 For both email clients and webmail,
146 00:06:48,960 --> 00:06:52,300 the SSL/TLS will use a cipher suite, obviously.
147 00:06:52,900 --> 00:06:54,170 You want this to be a good one.
148 00:06:54,570 --> 00:06:58,140 Ideally, using Elliptic Curve Diffie-Hellman,
149 00:06:58,360 --> 00:07:00,490 so the session keys are ephemeral,
150 00:07:00,780 --> 00:07:03,090 so that if the private key is compromised,
151 00:07:03,320 --> 00:07:05,970 only small amounts of data are compromised.
152 00:07:06,200 --> 00:07:08,140 The section on Encryption covers this.
153 00:07:08,360 --> 00:07:11,720 If you remember, back to when we looked at Cipher Suites,
154 00:07:11,850 --> 00:07:15,820 we used a tool called SSL Labs, which is here.
155 00:07:16,410 --> 00:07:20,869 This doesn't scan SMTP or IMAP SSL
156 00:07:20,870 --> 00:07:23,890 mail ports unfortunately, but you can use it
157 00:07:24,190 --> 00:07:26,830 for checking port 443 for webmail.
158 00:07:27,280 --> 00:07:30,500 So for example here, I could check “ghostmail”,
159 00:07:32,540 --> 00:07:35,620 and see how their SSL/TLS stacks up.
160 00:07:36,340 --> 00:07:37,890 And here we go, A+.
161 00:07:44,580 --> 00:07:48,279 Now see, elliptic curve, RSA_WITH_AES,
162 00:07:48,280 --> 00:07:50,561 so yeah, they seem to be doing all the right things there.
163 00:07:50,660 --> 00:07:55,010 And, if you want to examine the other ports like 465, 587,
164 00:07:55,360 --> 00:07:57,570 you’ve got a few options for how you can do that.
165 00:07:58,520 --> 00:08:02,160 One with Kali is you have sslscan,
166 00:08:03,450 --> 00:08:04,519 and if you press Return here,
167 00:08:04,520 --> 00:08:07,880 that's just going to simply do port 443.
168 00:08:08,370 --> 00:08:10,249 But if you want to do a special port,
169 00:08:10,250 --> 00:08:11,660 you would do 465,
170 00:08:12,260 --> 00:08:16,720 so then you could look at the SMTP over TLS/SSL.
171 00:08:17,240 --> 00:08:18,440 Just press Return here.
172 00:08:18,620 --> 00:08:19,500 And look at that;
173 00:08:19,570 --> 00:08:22,540 because ghostmail only has a webmail interface,
174 00:08:22,780 --> 00:08:25,859 but if they did have port 465 open,
175 00:08:25,860 --> 00:08:26,860 you could check that out.
176 00:08:27,570 --> 00:08:28,919 So here we see what we saw
177 00:08:28,920 --> 00:08:31,880 with SSL Labs, the same Cipher Suites.
178 00:08:32,410 --> 00:08:33,929 Another way of checking out the mail servers
179 00:08:33,930 --> 00:08:38,560 which I like is these guys here.
180 00:08:38,770 --> 00:08:44,010 So if we put in an email address
181 00:08:44,080 --> 00:08:47,580 of someone that you know, and we click Try,
182 00:08:48,340 --> 00:08:50,219 or if you put in even a dummy email address,
183 00:08:50,220 --> 00:08:53,379 if you put test@ghostmail, or gmail,
184 00:08:53,380 --> 00:08:56,030 or what have you, click Try,
185 00:08:56,620 --> 00:08:59,370 it communicates with the mail servers.
186 00:09:00,720 --> 00:09:01,310 It finds out
187 00:09:01,311 --> 00:09:03,039 who the mail server is for that domain,
188 00:09:03,040 --> 00:09:06,769 because it isn't always ghostmail.com, or that domain.
189 00:09:06,770 --> 00:09:07,830 So we can see here,
190 00:09:08,450 --> 00:09:11,419 we have the mail server there, that is taken
191 00:09:11,420 --> 00:09:14,079 from what’s called the MX record for that domain,
192 00:09:14,080 --> 00:09:16,620 MX is the mail record, or mail exchange record.
193 00:09:17,560 --> 00:09:18,560 And what we can see here
194 00:09:18,880 --> 00:09:20,950 is the communication with the mail server,
195 00:09:21,250 --> 00:09:23,950 you can see there, this is using STARTTLS,
196 00:09:25,700 --> 00:09:28,420 and there we can see the Cipher Suite that it uses.
197 00:09:28,890 --> 00:09:31,960 And what you’re actually seeing here is text,
198 00:09:32,000 --> 00:09:34,350 ASCII communication with that port.
199 00:09:34,820 --> 00:09:37,010 So these commands are actually being put
200 00:09:37,210 --> 00:09:39,680 into the packet stream for that port.
201 00:09:40,210 --> 00:09:42,120 But I can show you an example of that.
202 00:09:44,000 --> 00:09:46,605 So let's check out maybe Gmail.
203 00:09:47,028 --> 00:09:49,039 So first of all, we need to figure out
204 00:09:49,040 --> 00:09:51,249 what the mail server address is,
205 00:09:51,250 --> 00:09:53,142 so we need to use something called “NSLOOKUP”.
206 00:09:54,217 --> 00:09:56,125 This is doing a DNS lookup
207 00:09:56,365 --> 00:09:58,662 to check the mail exchange record,
208 00:09:59,097 --> 00:09:59,897 which will give us
209 00:09:59,965 --> 00:10:04,182 the IP address of the mail server for gmail.com.
210 00:10:07,211 --> 00:10:08,299 And there we go,
211 00:10:08,300 --> 00:10:09,599 and we can see actually they’ve got
212 00:10:09,600 --> 00:10:11,817 quite a few, which is no surprise.
213 00:10:12,057 --> 00:10:15,389 So to issue text-based SMTP commands,
214 00:10:15,390 --> 00:10:17,977 we need to use some sort of tool that allows us to do that;
215 00:10:17,978 --> 00:10:20,519 we can use Telnet, we can use Netcat.
216 00:10:20,520 --> 00:10:23,954 Netcat is a tool that enables you to read and write
217 00:10:24,171 --> 00:10:27,405 to network connections using TCP and UDP.
218 00:10:27,897 --> 00:10:28,897 So if I go –
219 00:10:40,100 --> 00:10:40,640 So as you can see,
220 00:10:40,641 --> 00:10:43,577 I can just issue standard text commands.
221 00:10:45,234 --> 00:10:46,502 But that is what this is doing,
222 00:10:46,503 --> 00:10:54,950 so I must try that command.
223 00:10:58,445 --> 00:11:04,428 25. Paste. There we go.
224 00:11:04,971 --> 00:11:06,571 So we see we get the same response.
225 00:11:06,689 --> 00:11:07,794 It’s given us some options,
226 00:11:07,795 --> 00:11:08,849 therefore what we want to do.
227 00:11:08,850 --> 00:11:12,260 So STARTTLS, etc.
228 00:11:13,930 --> 00:11:15,130 So, let’s escape out of there.
229 00:11:19,300 --> 00:11:19,930 But yeah, essentially
230 00:11:19,931 --> 00:11:21,660 if we issue the same commands here,
231 00:11:22,820 --> 00:11:24,670 we are going to get the same sort of response.
232 00:11:25,890 --> 00:11:27,819 Now, moving on to Authentication.
233 00:11:27,820 --> 00:11:29,550 For Authentication, as I’ve said,
234 00:11:29,730 --> 00:11:32,790 certificates are used to verify the server
235 00:11:32,980 --> 00:11:34,290 is who it claims to be.
236 00:11:34,990 --> 00:11:38,570 The email client will use its own certificate repository
237 00:11:38,660 --> 00:11:40,230 or that of the operating system,
238 00:11:40,560 --> 00:11:42,009 just the same as a browser does,
239 00:11:42,010 --> 00:11:44,869 to validate that the server is who the server is.
240 00:11:44,870 --> 00:11:46,790 So that’s the same as HTTPS,
241 00:11:47,270 --> 00:11:50,170 browsing, server authentication, you know, it’s the same thing.
242 00:11:50,320 --> 00:11:51,240 And we can, of course,
243 00:11:51,241 --> 00:11:53,450 look at the certificates that are on there,
244 00:11:54,040 --> 00:11:55,999 and this is a useful site to do that.
245 00:11:56,000 --> 00:11:58,540 So if we click on “More Detail” here,
246 00:12:00,190 --> 00:12:01,310 let's have a look down.
247 00:12:02,900 --> 00:12:03,370 And there we go,
248 00:12:03,371 --> 00:12:05,171 we can see the first certificate in the chain.
249 00:12:06,383 --> 00:12:07,408 There’s the public key.
250 00:12:11,633 --> 00:12:13,166 And the certificate itself,
251 00:12:14,000 --> 00:12:16,233 and then the second certificate in the chain,
252 00:12:16,666 --> 00:12:18,232 we can see all the way down as to
253 00:12:18,233 --> 00:12:20,290 where the root certificate is.
254 00:12:21,750 --> 00:12:23,679 Client-side authentication.
255 00:12:23,680 --> 00:12:26,490 So depending on the mail client,
256 00:12:26,810 --> 00:12:29,599 you will have different options for authentication,
257 00:12:29,600 --> 00:12:31,170 so those include things like
258 00:12:31,660 --> 00:12:33,429 transmitting the password unencrypted,
259 00:12:33,430 --> 00:12:35,270 which was what was originally done.
260 00:12:35,740 --> 00:12:37,809 And then you’ve got transmitting the password encrypted,
261 00:12:37,810 --> 00:12:39,920 because you’re using SSL or TLS.
262 00:12:40,490 --> 00:12:44,330 You can do things like Kerberos or GSSAPI,
263 00:12:44,760 --> 00:12:46,679 which is something generally used
264 00:12:46,680 --> 00:12:48,560 for enterprise solutions.
265 00:12:49,100 --> 00:12:50,420 You’ve got NTLM,
266 00:12:50,540 --> 00:12:52,529 which is a Microsoft solution
267 00:12:52,530 --> 00:12:55,137 if you’re connecting to Exchange servers.
268 00:12:55,714 --> 00:12:58,102 You could use TLS/SSL
269 00:12:58,360 --> 00:13:00,257 or some type of certificate
270 00:13:00,368 --> 00:13:02,200 for your client authentication.
271 00:13:02,728 --> 00:13:04,552 There’s something called OAuth2
272 00:13:04,896 --> 00:13:07,048 that you can use; but generally,
273 00:13:07,368 --> 00:13:08,583 you want to try and use
274 00:13:08,584 --> 00:13:10,494 some form of strong authentication
275 00:13:10,850 --> 00:13:13,610 or two-factor authentication if you can,
276 00:13:13,780 --> 00:13:16,920 and we covered two-factor authentication in its own section.
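The SMTP exchange the transcript walks through (find the MX host with nslookup, talk to the server with netcat, read the EHLO reply that lists STARTTLS) and the speaker's warning that STARTTLS on 587 is the more exposed option, as an added example placed after the transcript. It is not part of the course material or the speaker's words. The EHLO replies, the host name mx.example.test and the address 203.0.113.7 are constructed placeholders, and parse_ehlo, tls_decision and probe_submission_server are names chosen here. The live probe uses only Python's standard smtplib and ssl modules and runs only when a host is given on the command line, so the file works offline. It goes one step beyond what the transcript shows: besides reading the banner, it makes the decision a client has to make, which is to stop when STARTTLS is missing rather than fall back to plaintext, and it treats port 465 as the case where there is no banner to strip.

```python
"""Added example (not from the course transcript): the EHLO/STARTTLS step of
the SMTP dialogue shown with nslookup and netcat, plus the client-side policy
check that defeats a stripped-STARTTLS downgrade on port 587."""
import re
import smtplib
import ssl
import sys

# Constructed EHLO reply, shaped like a public mail server's; the host name and
# address are placeholders, not captured output.
EHLO_REPLY_WITH_STARTTLS = (
    "250-mx.example.test at your service, [203.0.113.7]\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 SMTPUTF8\r\n"
)
# The same reply as a man-in-the-middle on the path can rewrite it: delete the
# STARTTLS line and a client willing to fall back will carry on in plaintext.
EHLO_REPLY_STRIPPED = EHLO_REPLY_WITH_STARTTLS.replace("250-STARTTLS\r\n", "")

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ehlo(reply: str) -> dict:
    """Parse a (multi-line) SMTP reply into code, greeting and extensions.

    RFC 5321 4.2.1: continuation lines are 'NNN-', the final line is 'NNN '.
    """
    parsed = []
    for line in reply.splitlines():
        m = REPLY_LINE.match(line)
        if not m:
            raise ValueError(f"malformed reply line: {line!r}")
        parsed.append((int(m.group(1)), m.group(2), m.group(3)))
    if not parsed:
        raise ValueError("empty reply")
    code = parsed[0][0]
    for i, (c, sep, _) in enumerate(parsed):
        expected = " " if i == len(parsed) - 1 else "-"
        if c != code or sep != expected:
            raise ValueError(f"bad reply structure on line {i + 1}")
    extensions = {}
    for _, _, text in parsed[1:]:
        parts = text.split()
        if parts:
            extensions[parts[0].upper()] = parts[1:]
    return {"code": code, "greeting": parsed[0][2], "extensions": extensions}


def tls_decision(ehlo_reply: str, port: int, require_tls: bool = True) -> str:
    """What a submission client should do after EHLO on the given port.

    465: TLS is set up before any SMTP text, so there is no banner to strip.
    587/25: TLS starts only if STARTTLS is advertised and requested; with
    require_tls=False a stripped banner silently downgrades to plaintext.
    """
    if port == 465:
        return "implicit-tls"
    info = parse_ehlo(ehlo_reply)
    if info["code"] != 250:
        return "abort"
    if "STARTTLS" in info["extensions"]:
        return "starttls"
    return "abort" if require_tls else "plaintext"


def probe_submission_server(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Live check (needs network; the offline demo never calls it): connect,
    insist on TLS with chain and host-name verification, report the cipher."""
    ctx = ssl.create_default_context()
    if port == 465:
        smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
        smtp.ehlo()
    else:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            smtp.quit()
            raise RuntimeError(f"{host}:{port} did not offer STARTTLS; not sending in the clear")
        smtp.starttls(context=ctx)
        smtp.ehlo()  # the first extension list arrived in plaintext; refresh it
    name, version, bits = smtp.sock.cipher()
    smtp.quit()
    # TLS 1.3 key exchange is always (EC)DHE; for 1.2 the suite name says so.
    return {"cipher": name, "version": version, "bits": bits,
            "forward_secrecy": version == "TLSv1.3" or "DHE" in name}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python ehlo_check.py smtp.example.test 587
        print(probe_submission_server(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 587))
    else:
        print("honest banner, port 587 ->", tls_decision(EHLO_REPLY_WITH_STARTTLS, 587))
        print("stripped banner, port 587 ->", tls_decision(EHLO_REPLY_STRIPPED, 587))
        print("stripped banner, fallback allowed ->", tls_decision(EHLO_REPLY_STRIPPED, 587, False))
        print("any banner, port 465 ->", tls_decision(EHLO_REPLY_STRIPPED, 465))
```

Run with no arguments for the offline walk-through; give it a host and port to check a real submission server. The live probe uses ssl.create_default_context(), which verifies the certificate chain and host name the way the transcript describes a mail client doing, and the forward_secrecy field is true exactly when the session used an ephemeral (EC)DHE key exchange, the property the speaker asks for when looking at cipher suites.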