SHRI VAISHNAV VIDYAPEETH VISHWAVIDYALAYA

Shri Vaishnav Institute of Information Technology

Department of Computer Science and Engineering

Session:- 2023
3rd Year 5th Semester
Subject: Cyber and Network Security
Course Code:BTCS503N
Enrollment no.:21100BTCSE09838

Submitted To: SubmittedBy:

Dr. Rupali Bhartiya Harsh Patel
CS-B -3rd Year

Ishan Tare 21100BTCSE09850

 2

OBJECTIVES:
The student should be made to:

1. Learn to implement the encryption algorithms

2. Learn to secure the computer system from cyber attacks.
3. Learn to secure the social networking attacks on websites, and social media networks.
4. Learn to use network security tools

OUTCOMES:

At the end of the course, the student should be able to:

1. Implement the cipher techniques

2. Develop the various security algorithms
3. Use different open source tools for network security and analysis
4. Perform data analytics on social media datasets to secure system from cyber-attacks.

LIST OF HARDWARE REQUIREMENTS & SOFTWARE REQUIREMENTS

SOFTWARE REQUIREMENTS

C++

Python

Java or equivalent compiler

KF Sensor or Equivalent

Snort

HARDWARE REQUIREMENTS

Standalone desktops (or) Server supporting 30 terminals or more

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 3

INDEX

Experiment EXPERIMENT NAME Page No.

No.
1. Password strength checker 5

2. Implement the following SUBSTITUTION & 7

TRANSPOSITION TECHNIQUES concepts:
a) Caesar Cipher
b) Playfair Cipher
c) Hill Cipher
d) Vigenere Cipher
e) Rail fence – row & Column Transformation
3. Comparison of the security features of at least three 5
web browsers.
4. Social media data analytics for website. 18

5. Write features of any social media data analytics tool 24

available free online. (Likealyzer, Facebook or any
other tool)
6. Analysis of the Security Vulnerabilities of E- 29
commerce services.
7. Finding out the vulnerable data on Social Networking 32
sites.
8. Steps to ensure Security of any one web browser 36
(Mozilla Firefox/Google Chrome).
9. Write the attacks on social network sites. 40

10. Analysis the security vulnerabilities of E-Mail 43

Application.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 4

Experiment: 01
PASSWORD STREGTH CHECKER

Aim: To check the Password strength.

Password strength is a measure of the effectiveness of a password against guessing or brute- force
attacks. In its usual form, it estimates how many trials an attacker who does not have direct access
to the password would need, on average, to guess it correctly. The strength of a password is a
function of length, complexity, and unpredictability.[1]
Using strong passwords lowers overall risk of a security breach, but strong passwords do not
replace the need for other effective security controls.[2] The effectiveness of a password of a given
strength is strongly determined by the design and implementation of the factors
(knowledge, ownership, inherence). The first factor is the main focus in this article.
The rate at which an attacker can submit guessed passwords to the system is a key factor in
determining system security. Some systems impose a time-out of several seconds after a small
number (e.g. three) of failed password entry attempts. In the absence of other vulnerabilities, such
systems can be effectively secured with relatively simple passwords. However, the system must
store information about the user's passwords in some form and if that information is stolen, say by
breaching system security, the user's passwords can be at risk.

IMPLEMENTATION:

1. public class Main

2. {
3. public static void main(String[] args) {
4. System.out.println(checkPassStrength("Hel@lo12"));
5. }
6. public static String checkPassStrength(String passwd){
7. int n = passwd.length();
8. boolean hasLower = false, hasUpper = false, hasDigit = false, specialChar = false;
9. for(int i = 0; i < passwd.length(); i++){
10. if (Character.isLowerCase(passwd.charAt(i)))
11. hasLower = true;
12. else if (Character.isUpperCase(passwd.charAt(i)))
13. hasUpper = true;
14. else if (Character.isDigit(passwd.charAt(i)))
15. hasDigit = true;
16. else
17. specialChar = true;
18. }

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 5

19. if (hasDigit && hasLower && hasUpper && specialChar && (n >= 8))
20. return "Strong";
21. else if ((hasLower || hasUpper || specialChar) && (n >= 6))
22. return "Moderate";
23. else
24. return "Weak";
25. }
26. }
Output:
 "Hel@lo12"

 "Hello"

ASSIGNMENT:

Refer questions at the end of the manual.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 6

Experiment: 02
ENCRYPTION TECHNIQUE IMPLEMENTATION

Aim: Encryption technique implementation and simulation.

Theory:
Ciphertext is encrypted text transformed from plaintext using an encryption algorithm. Ciphertext
can't be read until it has been converted into plaintext (decrypted) with a key. The decryption
cipher is an algorithm that transforms the ciphertext back into plaintext.

Ciphertext is the result of encryption performed on plaintext using an algorithm, called a cipher.
Ciphertext is also known as encrypted or encoded information because it contains a form of the
original plaintext that is unreadable by a human or computer without the proper cipher to decrypt
it. This process prevents the loss of sensitive information via hacking. Decryption, the inverse of
encryption, is the process of turning ciphertext into readable plaintext.

The Caesar Cipher technique is one of the earliest and simplest method of encryption technique.
It‘s simply a type of substitution cipher, i.e., each letter of a given text is replaced by a letter some
fixed number of positions down the alphabet. For example, with a shift of 1, A would be replaced by
B, B would become C, and so on. The method is apparently named after Julius Caesar, who
apparently used it to communicate with his officials.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 7

Program:
1. public class Main
2. {
3. public static void main(String[] args) {
4. System.out.println(encrypt("NiKhIl"));
5. }
6. public static String encrypt(String str){
7. String result = "";
8. char temp;
9. for(int i = 0; i < str.length(); i++){
10. temp = (char)(str.charAt(i) + 2);
11. if(temp > 122)
12. temp = (char)(temp % 123 + 97);
13. else if(temp > 90 && temp < 93)
14. temp = (char)(temp % 91 + 65);
15. result += temp;
16. }
17. return result;
18. }
19. }

Output:

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 8

IMPLEMENTATION OF PLAYFAIR CIPHER

AIM:To write a program to implement the Playfair Substitution technique.

DESCRIPTION:

The Playfair cipher starts with creating a key table. The key table is a 5×5 grid of letters that will
act as the key for encrypting your plaintext. Each of the 25 letters must be unique and one letter of
the alphabet is omitted from the table (as there are 25 spots and 26 letters in the alphabet).

To encrypt a message, one would break the message into digrams (groups of 2 letters) such that,
for example, "HelloWorld" becomes "HE LL OW OR LD", and map them out on the key table.
The two letters of the diagram are considered as the opposite corners of a rectangle in the key table.
Note the relative position of the corners of this rectangle. Then apply the following 4 rules, in
order, to each pair of letters in the plaintext:

1. If both letters are the same (or only one letter is left), add an "X" after the first letter

2. If the letters appear on the same row of your table, replace them with the letters to their
immediate right respectively

3. If the letters appear on the same column of your table, replace them with the letters
immediately below respectively

4. If the letters are not on the same row or column, replace them with the letters on the same row
respectively but at the other pair of corners of the rectangle defined by the original pair.

ALGORITHM:

STEP-1: Read the plain text from the user.

STEP-2: Read the keyword from the user.

STEP-3: Arrange the keyword without duplicates in a 5*5 matrix in the row order and

fill the remaining cells with missed out letters in alphabetical order. Note that

‗i‘ and ‗j‘ takes the same cell.

STEP-4: Group the plain text in pairs and match the corresponding corner letters by

forming a rectangular grid.

STEP-5: Display the obtained cipher text.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 9

RESULT: The Playfair cipher substitution technique had been implemented successfully.

IMPLEMENTATION OF HILL CIPHER

AIM: To write a program to implement the hill cipher substitution techniques.

DESCRIPTION:

Each letter is represented by a number = 1... Z = 25, is used, but this is not an essential feature of
the cipher. To encrypt a message, each block of n letters is multiplied by an invertible decrypt the
message, each block is multiplied by the inverse of the matrix used for encryption. The matrix
used for encryption is the cipher randomly from the set of invertible

ALGORITHM:

STEP-1: Read the plain text and key from the user.

STEP-2: Split the plain text into groups of

STEP-3: Arrange the keyword in a 3*3 matrix.

STEP-4: Multiply the two matrices to obtain the cipher text of length three.

STEP-5: Combine all these groups to get the complete cipher text.

IMPLEMENTATION OF HILL CIPHER

AIM: To write a program to implement the hill cipher substitution techniques.

Each letter is represented by a number modulo 26. Often the simple scheme A = 0, B is used, but
this is not an essential feature of the cipher. To encrypt a message, implied by an invertible n × n
matrix, against modulus sage, each block is multiplied by the inverse of the matrix used for matrix
used for encryption is the cipher key, and it should be chosen the set of invertible n × n matrices
(modulo 26). Read the plain text and key from the user. Split the plain text into groups of length
three. Arrange the keyword in a 3*3 matrix. Multiply the two matrices to obtain the cipher text of
length three. Combine all these groups to get the complete cipher text.

unsigned int a[3][3]={{6,24,1},{13,16,10},{20,17,15}};

unsigned int b[3][3]={{8,5,10},{21,8,21},{21,12,8}};

unsigned int c[20],d[20];

printf("Enter plain text\n ");

for(i=0;i<strlen(msg);i++)

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 10

IMPLEMENTATION OF VIGENERE CIPHER

AIM: To implement the Vigenere Cipher.

DESCRIPTION:

To encrypt, a table of alphabets can be used, termed a or Vigenère table. It consists of the alphabet
written out 26 times in different rows, each alphabet shifted cyclically to the left compared to the
previous 26 possible Caesar ciphers. At different points in the encryption process, the cipher uses
a different alphabet from one of the rows. The alphabet used at each point depends on a repeating
keyword.

Each row starts with a key letter. The remainder of the row holds the letters A to Z. Although there
are 26 key rows shown, you will only use as many keys as there are unique letters in the key string,
here just 5 keys, {L, E, M, O, N}. For successive letters of the message, we are going to take
successive letters of the key string, and encipher each message letter using its corresponding key
row. Choose the next letter of the key, go along that row to find the column heading that matches
the message character; the letter at the [key-row, msg-col] is the enciphered letter.

ALGORITHM:

STEP-1: Arrange the alphabets in row and column of a 26*26 matrix.

STEP-2: Circulate the alphabets in each row to position left such that the first letter is attached to
last.

STEP-3: Repeat this process for all 26 rows and construct the final key matrix.

STEP-4: The keyword and the plain text is read from the user.

STEP-5: The characters in the keyword are repeated sequentially so as to match with that of the
plain text.

STEP-6: Pick the first letter of the plain text and that of the keyword as the row indices and
column indices respectively.

STEP-7: The junction character where these two meet forms the cipher character.

STEP-8: Repeat the above steps to generate the entire cipher text.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 11

IMPLEMENTATION OF RAIL FENCE – ROW & COLUMN TRANSFORMATION

TECHNIQUE

AIM: To write a program to implement the rail fence transposition technique.

DESCRIPTION:

In the rail fence cipher, the plain text is written downwards and diagonally on

successive "rails" of an imaginary fence, then moving up when we reach the bottom rail.

When we reach the top rail, the message is written downwards again until the whole plaintext

is written out. The message is then read off in rows.

ALGORITHM:

STEP-1: Read the Plain text.

STEP-2: Arrange the plain text in row columnar matrix format.

STEP-3: Now read the keyword depending on the number of columns of the plain text.

STEP-4: Arrange the characters of the keyword in sorted order and the corresponding

columns of the plain text.

STEP-5: Read the characters row wise or column wise in the former order to get the

cipher text.

RESULT:

The rail fence algorithm had been executed successfully.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 12

Experiment: 03
COMPARISON OF SECURITY FEATURES OF WEB BROWSERS

Aim: To Compare the security features of at least three web browsers.

Introduction:
It is becoming increasingly popular for attackers to compromise computers through vulnerable
web browsers. An insecure web browser can lead to spyware being installed on your computer
without your knowledge, attackers taking control of your computer, stealing your information, or
even using your computer to attack other computers.

Your computer faces different threats whenever you browse the Web, including viruses, malware,
and spyware. The good news is your web browser has a lot of built-in security features to help
protect your computer.

The newest versions of Internet Explorer, Firefox, and other browsers all protect against phishing
and malware attacks, and most also let you browse anonymously, though they implement these
features in very different ways.

Comparison of Security features of Google Chrome, Mozilla Firefox, Microsoft

Internet Explorer, Opera, and Apple Safari:

Features Chrome Firefox IE Opera Safari

Version tested 1.0.154.36 3.12 beta 8 beta 2 9.63 3.2.1
2 (525.27.1)
Pros Fast and Battle Best enterprise Impressive Good pop-
clean; best tested by deployment security up blocking;
browser attackers; and control; top granularity; good anti-
security best security good anti- phishing
model; cipher granularity; DoS filter; good
strong Web support; security zones; protection; local
site isolation excellent excellent add- many unique password
add-on on manager features; protection
support; strict EV
enforcement

security
zones

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 13

Cons Lack of Lack of Most attacked DEP and Lack of

security per site browser; high ASLR not security
granularity; JavaScript number of enabled; ECC granularity;
cannot blocking known ciphers not poor cipher
disable without vulnerabilities; supported; support; no
JavaScript; add-on; vulnerable to not security
poor doesn't exploitation of thoroughly zones;
password highlight third-party tested by absence of
protection; true ActiveX attackers enterprise
previous domain controls feaures
exploits name
simple to
accomplish
TLS available Y Y Y Y Y
and offered
first
SSL 3.0 Y Y Y Y Y
SSL 2.0 Y Y Y Y Y
SSL 1.0 N N N N N
enabled by
default
AES Y Y Y Y N
ECC Y Y Y N N
InfoCard N N Y N N
supported by
default
Extended Y Y Y Y Y
Validation
certificates
Enforce FIPS N Y Y N N
cipher use
Server TLS/SSL Y Y Y Y N
certificate
revocation
information
checked by
default
OCSP support N Y Y Y Y
enabled

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 14

Multiple N Y Y N N
security
zones/domains
Security N Y Y Y Y
controls by
Web site
exceptions
Control N N Y Y N
security and
functionality
on a per site
basis
Automatically Y Y Y Y Y
store and recall
passwords
Stong local N Y Y Y Y
password
protection
Java support Y Y Y Y Y
MIME content Y Y, limited Y Y Y
type sniffing
DEP enabled Y Y Y N N
by default
Vista ASLR Y Y Y N Y
enabled by
default
Vista Integrity Low/Med. Medium Low/Med. Medium Medium
level
Built-in N N Y N N
ActiveX
support
Built-in script Y Y Y Y Y
support
Ability to N Y Y Y Y
globally
disable
JavaScript
Ability to N N Y N N
disable
JavaScript on a

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 15

per site or
security zone
basis
Plug-in Y Y Y Y Y
support
Plug-in N Y Y N N
management
Control access Y Y Y Y Y
data across
domains
Control Y Y Y Y Y
displaying
content across
mixed zones
by default
Control Y Y Y Y Y
browser access
to clipboard
Automated Y Y Y Y Y
updates
Moniker Y Y Y Y N
handling to
prevent
automatic
application
launching
Cross-site Y Y Y Y Y
script filtering
Supports Y, digest Y, digest Y, all Y Y
Windows
authentication
Block reported N Y Y Y N
malicious sites
Highlights true Y N Y N N
domain name
Anti-phishing Y Y Y Y Y
filter
Privacy Y Y Y Y Y
features

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 16

Pop-up Y Y Y Y Y
blocking
Private session Y Y Y N Y
browsing
One click Y Y Y Y Y
history erase
One click Y N Y N N
default settings
reset
Ad blocking N N N Y N
(outside of
pop-ups)
Parental N N Y N N
controls

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 17

Experiment: 04
SOCIAL MEDIA DATA ANALYTICS

Aim: Social media data analytics for any website.

Theory:
Social media can benefit businesses by enabling marketers to spot trends in consumer behavior
that are relevant to a business's industry and can influence the success of marketing efforts.

Social media analytics is the ability to gather and find meaning in data gathered from social
channels to support business decisions — and measure the performance of actions based on those
decisions through social media.

Social media analytics is broader than metrics such as likes, follows, retweets, previews, clicks,
and impressions gathered from individual channels. It also differs from reporting offered by
services that support marketing campaigns such as LinkedIn or Google Analytics.

Social media analytics uses specifically designed software platforms that work similarly to web
search tools. Data about keywords or topics is retrieved through search queries or web ‗crawlers‘
that span channels. Fragments of text are returned, loaded into a database, categorized and
analyzed to derive meaningful insights.

Steps for tracking social media analytics:

Social media can benefit businesses by enabling marketers to spot trends in consumer behavior
that are relevant to a business's industry and can influence the success of marketing efforts.

Step 1: Access Social Media Analytics

We use Facebook as an example of how to view the data that each social media platform offers.
Facebook Insights is a detailed program that helps you learn about your audience‘s behavior. It's
simple to understand and includes interactive visual graphics – making it easy to use, even for
beginners.

To navigate to the Insights panel, start at your business‘s Facebook page and choose ―Insights‖
from the white menu at the top of the page.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 18

You‘ll be presented with a number of choices, including:

 Actions on Page
 Page Views
 Page Likes
 Reach
 Post Engagements
 Page Followers

Step 2: Discover Information About Your Followers

Choose ―Page Followers‖ to see information about your Facebook followers.

The graphs are interactive, and you can scroll over them to view specific information or click on
them to pull more details.

To view information about how many followers you have, look at the first graph, ―Total
Followers.‖ Scrolling over it shows your total page followers on any specific date.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 19

The next graph is called ―Net Followers.‖ It calculates the number of page likes minus the number
of unlikes to show overall audience growth.

Scroll over the graph to discover when people liked or unliked your pages. This is useful when
you‘re ready to measure the success of your shared content. You can look at the date you published
a post and find out if you added followers – or lost them – on that day.

The third graph shows where your new followers were when they liked your page.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 20

In the left-hand column of your Insights dashboard, there's a menu for viewing different data.

Click on the Posts menu option to find information about when your audience is online.

Have you ever wondered when are the best times to post on social media? Here‘s the data that
gives you the answers.

By scrolling through the graph, called When Your Audience is Online, you can find the days and
times your fans socialize on Facebook.

The graph above is a small sampling of the data that‘s quickly available through the Facebook
Insights manager.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 21

Step 3: Set Goals to Know What Social Media Metrics to Measure

It‘s fascinating to watch your audiences unfold in such detail on different social media analytics
programs. But before you get carried away, decide which numbers are important for achieving
your goals. What data will you track and measure to improve results?

A recent study of 344 social media marketers revealed that the most important metrics for tracking
the success of social media are engagement (36%) and conversion rates (35%).

The metrics you track and follow will depend on the goals you set in your social media strategy.
Be sure they‘re ―S.M.A.R.T.‖ goals:

 Specific
 Measurable
 Attainable
 Realistic
 Time-bound
For example, if your purpose is to improve brand awareness, you might set a goal of 500 likes or
100 shares. To reach that goal, you‘ll track metrics such as likes, shares, net followers, and
engagement.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 22

Step 4: Use Tools to Help Analyze and Measure Your Social Data

There are software programs and apps that allow you to manage all your social media accounts in
one place to improve the effectiveness and results of your social media efforts.

For example, Sprout Social and Hootsuite are two apps that allow you to schedule posts ahead of
time and track results across a number of social media platforms.

Sprout Social

Sprout Social is a user-friendly platform that streamlines social media management for Facebook,
Instagram and other social media channels. In addition to providing detailed analytics data, Sprout
Social includes social listening tools for tracking brand mentions, consumer sentiment and
competitor activity. It also reveals how fan growth correlates with content performance and
includes historical engagement data that helps administrators optimize post- scheduling times.

Google Analytics is another option for tracking social media results. You can learn more about
using Google for social media data from Monster Insights guide on how to analyze social media
traffic using Google Analytics.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 23

Experiment: 05
STUDY OF SOCIAL MEDIA DATA ANALYSER

Aim: Write features of any social media data analytics tool available free online. (Likealyzer,
Facebook or any other tool)

Introduction:
Sprout Social is a user-friendly platform that streamlines social media management for Facebook,
Instagram and other social media channels. In addition to providing detailed analytics data, Sprout
Social includes social listening tools for tracking brand mentions, consumer sentiment and
competitor activity. It also reveals how fan growth correlates with content performance and
includes historical engagement data that helps administrators optimize post- scheduling times.

Features of Sprout Social:

1. Create posts tailored to each social platform

Scheduling to Facebook, Instagram and Twitter all at once saves time, but you may want to
change the content to fit the platform. On Instagram, you may want to add your hashtags, but
on Facebook and Twitter, you may want to include links to your website.
You don‘t need to repeatedly copy and paste content to create customized posts for each network.
This Sprout feature provides a more streamlined solution: Schedule + Duplicate.

You can create your post for Instagram with hashtags, then click Schedule + Duplicate to see the
post automatically reopen in your Compose window with any text and attachments. From there,
select your Facebook Page, edit the post as you‘d like and send it out! This will also allow you to
quickly schedule the same message across multiple Twitter profiles.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 24

2. Preview your Instagram grid on mobile

When publishing to Instagram, you can preview your grid by using Sprout‘s mobile app. This
Sprout feature allows you to envision how all of your posts will look together once published.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 25

3. Receive notifications for failed messages and repost

While we hope that post failures do not happen often, we also know that temporary server errors
or formatting issues may cause a post to be rejected by the native networks. To make sure that you
do not lose any of your carefully curated content, enable failed message push notifications in the
Sprout mobile app.

4. Schedule directly from your browser with Sprout’s extensions

When working from Google Chrome and Firefox, you can install Sprout‘s extension to share a
link any time you come across interesting content.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 26

5. Automatically target your Optimal Send Times in Compose

Identifying the best times to post for your target niche or social network isn‘t always a simple task,
and it can take up a lot of your planning time if you don‘t have any help in optimizing your
schedule.

Sprout‘s ViralPost is here to make scheduling much easier by highlighting Optimal Send Times
(available in Professional and Advanced Plans) right within the Compose window.

6. Moderate ad comments in the Smart Inbox

Many social media marketers are creating ad content to engage their audiences. Once you‘ve
created your ads, you can also respond to incoming comments on these posts for Facebook and
Instagram.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 27

You can connect your Facebook Ad Account in Sprout (which does not count as additional
profiles) to begin interacting with your ad comments alongside your organic content.

7. Delete or hide comments from the Inbox

While scrolling through your Smart Inbox, you may find a spam comment on your Facebook Page.
You can delete or hide this right from your Inbox with this Sprout feature, which was recently
released for Instagram as well!

8. Tag messages to track message performance by type

Message Tagging is a Sprout feature on Sprout‘s Professional and Advanced Plans. With Tagging,
you can customize your outgoing and incoming message tracking to best fit your social media
goals.

For example, you can track how many negative comments compared with positive comments you
received on a particular post. You can also track how many incoming comments a campaign
generates.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 28

Experiment: 06
Security Vulnerability Analysis
Aim: To analyse the Security Vulnerabilities of E-commerce services.
Theory:
In the eCommerce industry, security vulnerability stands for the weak points of the system that
can be easily attacked by scammers or prone to various fraudulent activities for getting money,
products, and personal information from clients‘ bases for the purpose of profit.

Security risks have always existed for e-commerce businesses as attackers attempt to exploit
vulnerabilities to gain access to customers‘ personal and financial data. E-commerce is such a hot
target for hackers that online retailers saw a 50% jump in cybercrime in 2020. Leaving security
vulnerabilities in e-commerce unaddressed can cause significant damage to a company and its
customers, erode customer trust, harm the bottom line, and even potentially put an organization in
legal insecurity.

Common Security Vulnerabilities in E-commerce:

 Financial Frauds or Payment Frauds: This type is one of the most typical for
eCommerce and dates back to the very first attempts of the businesses going online. Often,
scammers used to make unauthorized transactions and immediately wipe out the trails. Or
else, they can use the fake emails, accounts, and names, and even IP addresses to look like
the real customer.
After they have requested a refund with, for instance, a fake screenshot, most eCommerce
platforms basically give them money for nothing, especially if they‘re not aware of this
financial trick.

 SQL Injection: SQL injection is a web security vulnerability that allows an attacker to
interfere with the queries that an application makes to its database. It generally allows an
attacker to view data that they are not normally able to retrieve. This might include data
belonging to other users, or any other data that the application itself is able to access. In
many cases, an attacker can modify or delete this data, causing persistent changes to the
application's content or behaviour.
The results from an SQL injection attack on a vulnerable site may range from a detailed
error message, which discloses the back-end technology being used, or allowing the
attacker to access restricted areas of the site because he manipulated the query to an always-
true Boolean value, or it may even allow the execution of operating system commands.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 29

 Bot Attack: Some criminals also attack eCommerce sites with bots, that basically act like
real users and can hardly be detected by the security system. This is why bot attack is
considered to be one of the common security vulnerabilities you should always keep in
mind.
However, bots are not just fake users that can boost your traffic to slow down the site‘s
speed. Instead, they can also steal the personal information of your customers, record their
log-in credentials and bank information, manipulate the products‘ prices and randomly
block them, thus making your eCommerce platform less secure and user- friendly.

 Price Manipulation: This is a vulnerability that is almost completely unique to online

shopping carts and payment gateways. In the most common occurrence of this
vulnerability, the total payable price of the purchased goods is stored in a hidden HTML
field of a dynamically generated web page. An attacker can use a web application proxy
such as Achilles to simply modify the amount that is payable, when this information flows
from the user's browser to the web server.
This information is eventually sent to the payment gateway with whom the online merchant
has partnered. If the number of transactions is very high, the price manipulation may go
completely unnoticed. Repeated attacks of this nature could destroy the number of users
to the website

 Weak Authentication and Authorization: Authentication mechanisms that do not

prohibit multiple failed logins can be attacked using tools such as Brutus. Similarly, if the
web site uses HTTP Basic Authentication or does not pass session IDs over SSL (Secure
Sockets Layer), an attacker can sniff the traffic to discover user's authentication and/or
authorization credentials.
Since HTTP is a stateless protocol, web applications commonly maintain state using
session IDs or transaction IDs stored in a cookie on the user‘s system. Thus, session ID is
the only way that the web application can determine the online identity of the user.
If the session ID is stolen (say through XSS), or it can be predicted, then an attacker can
take over a genuine user‘s online identity. Hence, we need to take care of the session id by
providing the necessary algorithms.

 Cross-site scripting: The Cross-site Scripting (XSS) attack are targeted against the end
user and leverages two factors:
1. The lack of input and output validation being done by the web application
2. The trust placed by the end-user in a URL that carries the vulnerable web site‘s
name.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 30

The XSS attack requires a web form that takes in user input, processes it, and prints out the
results on a web page, which also contains the user‘s original input. It is most commonly
found in ‗search‘ features, where the search logic will print out the results along with a
line such as ‗Results for user_supplied_input‘.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 31

Experiment: 07
Aim: Finding out the vulnerable data on Social Networking sites.

Theory:
With fast-growing technology, online social networks (OSNs) have exploded in popularity over
the past few years. The pivotal reason behind this phenomenon happens to be the ability of OSNs
to provide a platform for users to connect with their family, friends, and colleagues.

Social media offers an outlet for people to connect, share life experiences, pictures and video. But
too much sharing—or a lack of attention to impostors—can lead to a compromise of business and
personal accounts. There are numerous security and privacy issues related to the user‘s shared
information especially when a user uploads personal content such as photos, videos, and audios.
The attacker can maliciously use shared information for illegitimate purposes. The risks are even
higher if children are targeted.

Vulnerable data on Social Networking sites:

What information are you sharing when you use social networks?

The kinds of information that you may be sharing on a social network includes:

 Your profile. Most social networks allow users to create detailed online profiles and
connect with other users in some way. This may involve users sharing information with
other users, such as one‘s gender, age, familial information, interests, educational
background and employment.
 Your status. Most social networks also allow users to post status updates in order to
communicate with other users quickly. Though there may be privacy settings to restrict
access to status updates, these networks are frequently designed to broadcast information
quickly and publicly.
 Your location. Many social networks are designed to broadcast your real-time location,
either as public information or as an update viewable to authorized contacts. This might
allow users to ―check in‖ to a local event or business, or share one‘s location with contacts
within their network.
 Shared content. Many social networks encourage users to share content, such as music,
photographs, videos and links to other webpages.

All of this sharing reveals information about you, including contextual information you may not
even be aware of. By sharing this information online, you may be providing enough information
to allow advertisers to track you or hackers to take advantage of your online identity. Therefore,

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 32

it is important to be aware of the information that you are providing and to be conscious of the
choices you can make to protect your privacy.

How may your social networking information be used and shared?

Publicly available information: Every social network allows you to post some information that
is completely publicly accessible. This can be anything from your username to individual posts, to
your entire account. These kind of ―public‖ posts are not blocked behind any kind of access
restriction. Anyone, including strangers, can view whatever is posted as ―public.‖ However, there
may be other data that you share publicly without realizing it, and there are less obvious ways that
your information may be treated as public without your permission, including:

 Certain information may be publicly visible by default. In some situations, a user may be
able to change the privacy settings to make the information ―private‖ -- so that only
approved users can view it. Other information must remain public; the user does not have
an option to restrict access to it (frequently such information includes your account name).
 A social network can change its privacy policy at any time without a user‘s permission.
Content that was posted with restrictive privacy settings may become visible when a
privacy policy is altered.
 Approved contacts (people on your ―Friends list‖ or people that ―follow‖ you) may copy
and repost information – including photos or personal information – without a user‘s
permission, potentially bypassing privacy settings.
 Third-party applications that have been granted access may be able to view information
that a user or a user‘s contacts post privately.
 Social networks themselves do not necessarily guarantee the security of the information
that has been uploaded to a profile, even when those posts are set to be private. While
security flaws and breaches are usually quickly fixed, there is potential for taking advantage
of leaked information.

Advertising: Your own publicly posted content isn‘t the only way that you can be tracked, and
advertisers are very interested in the information that can be gathered by tracking your online
activity. This may include:

 Tracking which websites, a user has viewed

 Storing information associated with specific websites (such as items in a shopping cart)
 Analysing aggregated data for marketing purposes

Behavioural advertising is the term used to describe the practice of tailoring advertisements to
an individual‘s personal interests. Social networks that provide their services without user fees
make a profit by selling advertising. This is often done through behavioural advertising, also
known as targeting. This practice is appealing to marketers because targeted advertisements are

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 33

more likely to result in a purchase by a viewer than comparable non-targeted advertisements. They
are valuable to social networks as they can be sold at a higher price than regular ads.

Third-party applications are programs that interact with a social network without actually being
part of that social network. These applications take many forms but some typical and popular forms
include games that you may play with contacts, online polls or quizzes, or third- party interfaces
with the social network. To make these applications useful, social networks may allow developers
automatic access to public information of users, and may even access some private information,
when a user grants the application permission. You may inadvertently grant an application access
to your profile without realizing the extent of the permissions being granted. Some facts to keep
in mind when considering using third-party applications:

 They may not be covered by the social network‘s privacy policy. Most social networks
do not take responsibility for the third-party applications that interact with their sites
 They may not be guaranteed to be secure.
 They may gain access to more information than is necessary to perform their functions.
 They may contain malware designed to attack the user‘s device.
 Third-party developers may report users‘ actions back to the social networking platform.
 A social network may have agreements with certain websites and applications that allow
them access to public information of all users of the social network.

Privacy policies: Most people skip over the privacy policy when joining a social network.
However, users can learn a lot of useful information by reviewing a privacy policy before signing
up for service. A social network‘s privacy policy will explain how the social network will collect
and use information about people who visit the site. When reviewing a privacy policy, remember:

 Privacy policies can change – sometimes dramatically-- after a user creates an account.
 Terms of service may have information just as important as the privacy policy, so always
review those as well.
 The privacy policy only covers the social network. It does not, for example, cover third-
party applications that interact with the website.

Privacy tips for using social networks:

There are many ways that information on social networks can be used for purposes other than what
the user intended. Any time you choose to engage with social networking sites, you are taking
certain risks. However, these practical tips may help you minimize the risks of social networks.

When registering an account:

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 34

 Use a strong password different from the passwords you use to access other sites.
Ideally, use a password manager to generate and store your passwords.
 If you are asked to provide security questions, use information that others would not know
about you, or, even better, don't use accurate information at all. If you are using a password
manager, record the false questions and answers and refer to your password manager if you
need to recover your account.
 Consider creating a new email address to use only with our social media profile(s).
 Provide the minimum amount of personal information necessary, or that you feel
comfortable providing.
 Review the privacy policy and terms of service.
 During the registration process, social networks often solicit you to provide an email
account password so that they can access your address book. If you consider using this
feature, make sure to read all terms so that you understand what will be done with this
information.

General privacy tips for using social networks

 Become familiar with the privacy settings available on any social network you use, and
review your privacy settings frequently. On Facebook, for example, you may want to make
sure that your default privacy setting is "Friends Only". Alternatively, use the "Custom"
setting and configure the setting to achieve maximum privacy.
 Be careful sharing your birthday, age, or place of birth. This information could be useful
to identity thieves and to data mining companies. If you do consider posting your birthday,
age or place of birth, restrict who has access to this information using the site‘s privacy
settings.
 Try to stay aware of changes to a social network‘s terms of service and privacy policy.
Consider subscribing to an RSS feed for (or following) Tosback, a project of the
Electronic Frontier Foundation, to track changes in website policies (which covers some,
but not all social networks).
 Use caution when using third-party applications. For the highest level of safety and privacy,
avoid them completely. If you consider using one, review the privacy policy and terms of
service for the application.
 If you receive a connection request from a stranger, the safest thing to do is to reject the
request. If you decide to accept the request, use privacy settings to limit what information
is viewable to the stranger and be cautious of posting personal information to your account,
such as your current location as well as personally identifiable information.
 Take additional precautions if you are the victim of stalking, harassment or domestic
violence.
 Consider pruning your "friends" list on a regular basis. It's easy to forget who you've
connected to over time, and therefore who you are sharing information with.
 Log off from social networking sites when you no longer need to be connected.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 35

Experiment: 08
SECURITY CONFIGURATION OF WEB BROWSER

Aim: To ensure Security of any one web browser (Mozilla Firefox/Google Chrome).

Theory:
As Chrome's popularity has grown over the past decade, third-party associations in the form of
extensions, apps, and software have also increased. These integrations can help you be more
productive, but they can also put you and your data at risk.

Luckily, Chrome is one of the most secure browsers available. It comes with many built-in features
to ensure your online safety, but you might not be familiar with all of them. To help protect your
browser, here are eight tips to make the browser more secure.

Steps to Secure your Google Chrome browser

1. Limit synced items: We use Google Chrome across all our devices, and so, to keep us updated
we often sync all our devices so that all the information (logins and passwords, bookmarks, etc.)
is available to us at all times. However, this continuous sending of data can put your security at
risk, so limit the synchronization.

To do this, click the three dots on the upper right side of Chrome and then Settings > Advanced
> Sync and other Google Services.

As you see in the above image, Synchronize everything is set by default. We recommend
deactivating the options you use less frequently.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 36

2. Shifting to Chrome's Enhanced Protection

Safe browsing, a security service by Google to protect users from malicious websites, offers two
types of protection; Standard and Enhanced. Unless you've changed it previously, your browser is
set to Standard protection by default. Standard protection warns you about unsafe websites before
you visit them and helps you avoid potentially harmful files and extensions.

Enhanced protection offers much more, however. It's a must-have security setting with features
such as warning users to change passwords if exposed during a breach, improving the security on
other Google apps you use, and predicting harmful events before they happen.

Here is how you can shift your browser's protection from Standard to Enhanced to improve your
security:

1. Navigate to Chrome's Settings by tapping the three vertical dots in the top-right corner.
2. Click on Privacy and Security in the left sidebar and navigate to Security.
3. Enable Enhanced protection under Safe Browsing.

3. Encrypt synchronized data: In the same menu, i.e. Settings > Advanced > Sync and other
Google Services, there is another options to encrypt your synchronized data. Select the option
Encrypt synced data with your own sync passphrase. Next, choose a password that you can
remember (different from your Google account password).

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 37

This will add an extra layer of security by asking for the password every time Google Chrome
wants to synchronize your data.

4. Using Chrome's Safety Check: Chrome has a built-in tool that allows you to test how secure
your browser is. This tool helps you identify any data breaches, available browser updates,
malicious extensions, the strength of your saved passwords, and the type of protection you are
using in your browser.
To run a security check, follow these steps:
1. Navigate to Chrome's Settings.
2. Under Safety check, tap on Check Now.

Chrome will alert you about your weak security areas in a few seconds. Regularly running safety
checks will ensure your safety.

5. Change your Password settings: Under Settings > Advance > Passwords ensure that Offer
to save passwords and Auto Sign-in are both unchecked. Even though this would mean you will
have to remember your passwords, and will need to sign in every time you go to a particular
website.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 38

6. Change the System settings within Google Chrome: For the very concerned for online
privacy, I would highly recommend unchecking Continue Running Background Apps When
Google Chrome Is Closed. This will close all apps when you exit Chrome and prevent
notifications (such as Gmail, Facebook, etc.) from having access to your desktop. You would
find this setting under Settings > Advanced > System.

7. Turn off Google Activity Control: Google Chrome not only saves your browsing data, but so
does Google itself every time you're logged in to your Google account. This option, activated by
default, can be easily deactivated. To do this, access the option Activity controls of your account
from this link, and deactivate the switch.

8. Setup 2-Step Verification: To enable 2-step verification, sign in to your Google account from
the usual web page. On the left-hand side, click on Security, then under Signing in to Google,
click on 2-Step Verification. If you be disabled by default. Enable it and set it up by clicking on
the Get Started button.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 39

Experiment: 09
STUDY OF SOCIAL NETWORKING ATTACKS

Aim: Write the attacks on social network sites.

Introduction:
With fast-growing technology, online social networks (OSNs) have exploded in popularity over
the past few years. The pivotal reason behind this phenomenon happens to be the ability of OSNs
to provide a platform for users to connect with their family, friends, and colleagues.

Social media offers an outlet for people to connect, share life experiences, pictures and video. But
too much sharing—or a lack of attention to impostors—can lead to a compromise of business and
personal accounts. There are numerous security and privacy issues related to the user‘s shared
information especially when a user uploads personal content such as photos, videos, and audios.
The attacker can maliciously use shared information for illegitimate purposes. The risks are even
higher if children are targeted.

Common attacks on social network sites:

1. Fake Profile: Cybercriminals are getting more ingenious with their tactics! By using a fake
social media profile, they are capable of copying a legitimate profile and perform small- and large-
scale attacks. Fake profiles can be used to mimic real public figure profiles to distribute mass-
malware or phishing campaigns to their followers or contacts. Through fake profiles, cyber
attackers can also copy the real social media profiles of key individuals within a target company
or business.

2. Identity theft: In this sort of assault, the assailant utilizes someone else‘s identity like social
security number, mobile, number, and address, without their permission to commit attackers. With
the help of these details, the attacker can easily gain access to a victim's friend list and demand
confidential information from them using different social engineering techniques. Since the
attacker impersonates a legitimate user, he can utilize that profile in any conceivable way which
could seriously affect authentic clients.

3. Spam attack: Spam is the term used for unsolicited bulk electronic messages. Although email
is the conventional way to spread spam, social networking platform is more successful in spreading
spam. The communication details of legitimate users can easily be obtained from company
websites, blogs, and newsgroup. It is not difficult to convince the targeted client to read spam
messages and trust it to be protected. Most of the spams are commercial advertisements but they
can also be used to collect sensitive information from users or may contain viruses, malware or
scams.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 40

4. Phishing: Phishing is the most common type of social engineering attack. At a high level, most
phishing scams aim to accomplish three things:

 Obtain personal information such as names, addresses, and Social Security Numbers;
 Use shortened or misleading links that redirect users to suspicious websites that host
phishing landing pages; and
 Leverage fear and a sense of urgency to manipulate the user into responding quickly.

An invader can impersonate an authentic user and may use his/her identity to send fake messages
to other users via a social networking platform which contains malicious URL. That URL might
readdress a consumer to the phony website where it asks for personal information

5. Social engineering. An attacker might call employees to trick them into sending private data,
proving credentials or wiring the attacker money. In a complex attack, the attacker can pretend to
be a high-level executive to trick the targeted user into transferring money to the attacker‘s account.

6. Brand impersonation. Using brand employee names, the attacker can trick customers into
thinking requests are from the legitimate brand. This could be used to trick users into divulging
personal information or account credentials.

7. Malicious Links and Content: Instead of posting malicious content directly to a social media
platform, cybercriminals usually use malicious links to lure a victim into clicking through to a data
that is hosted on third-party sites. Like brand impersonation, an attacker could create domains and
websites that claim to be the legitimate business and trick users into downloading malware or
providing credentials.

8. Pretexting: Here an attacker obtains information through a series of cleverly crafted lies. The
scam is often initiated by a perpetrator pretending to need sensitive information from a victim so
as to perform a critical task.

The attacker usually starts by establishing trust with their victim by impersonating co-workers,
police, bank and tax officials, or other persons who have right-to-know authority. The pretexter
asks questions that are ostensibly required to confirm the victim‘s identity, through which they
gather important personal data.

9. Reconnaissance:

More social media users nowadays are open to sharing a lot of personal details about themselves,
making them easy targets of a reconnaissance attack. Cyber-attackers or threat actors can collate
and analyse users‘ profiles, relationships, behaviours, hobbies, and more, then use that information
to craft enticing messages and other lures. A reconnaissance attack can be performed

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 41

passively on social media and is difficult to detect. Users wouldn‘t know that threat actors are
already using their information to authenticate or access other services or accounts, such as online
banking.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 42

Experiment: 10
SECURITY ANALYSIS OF EMAIL

Aim: To analyse the security vulnerabilities of E-Mail Application.

Learning Objectives
1. Understand the security issues and vulnerability in Email system.
2. Identify the threats in Email Communication
3. Point out the limitations exists in currently used protocols.

Introduction:
Today's email security threats are multiplying at an unprecedented rate. Many organizations are
also vulnerable to spear-phishing, whale phishing, ransomware, and other malware attacks. As a
result, large and small businesses must devise strategies to protect against emerging email security
threats. More than 91% of cyber-attacks are now launched via email, and email remains the
weakest point in the security chain.

Due to the rising demand for online communication, email remains a top security issue or even a
weakness in 2021. When it comes to email protection, traditional measures such as the most up-
to-date antivirus software will never be able to prevent cyber-attacks, especially advanced social
engineering attacks. What are the top email security risks?

Attacks on E-Mail Application:

1. Spoofing: E-mail spoofing happens when a cybercriminal sends an e-mail to a user
masquerading as someone the user knows. E-mail spoofing to the original sender is easy to
accomplish and extremely difficult to trace. For example, the scammer can spoof the email of
someone in your organization to obtain vital information. They may even ask for money from your
employees. Due diligence is the best way of thwarting spoofing attacks. However, businesses
should also acquire software that improves their email security.

2. Phishing: Phishing is another type of attack cybercriminals use to steal user data. Such data
often includes credit card numbers and login credentials. It occurs when the attacker masquerades
as a trusted entity and dupes the victim into opening an email.

3. Malware: Increasingly, attackers are taking advantage of e-mail to deliver a variety of attacks
to organizations through the use of malware, or ―malicious software,‖ that include viruses, worms,
Trojan horses, and spyware. These attacks, if successful, may give the malicious entity

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 43

control over workstations and servers, which can then be exploited to change privileges, gain
access to sensitive information, monitor users‘ activities, and perform other malicious actions.

4. Domain Squatting: The act of registering, selling, or using a domain name with the intent of
profiting from someone else's trademark is known as domain squatting. As a result, domain
squatting and targeted spear phishing attacks will affect both businesses and their customers.

5. Client-Side Attacks: The number of attack vectors available to internet users is growing every
day. A single link containing malicious content may be enough to infect a device. The protection
of the e-mail service components must be improved, and necessary anti-phishing solutions, such
as employee training or email threat simulating, must be implemented to combat threats.

6. Ransomware: Ransomware is a vicious malware that attacks your entire computer system. and
blocks you from accessing your data until you pay the ransom demanded by the attacker. One way
in which cyber attackers launch this malware is through emails. Ransomware has led to businesses
losing billions of dollars over the years.

7. Configuration Errors: This is a pervasive security problem. A poorly configured e-mail

service may lead to a big issue by enabling e-mail to be delivered without authentication.

For example, a cybercriminal without authentication access to your e-mail service may send a random e-
mail to one of your employees. A cybercriminal who embodies the CEO may be more likely to succeed.

8. File Format Exploits: File format vulnerabilities are quickly becoming one of the most serious
information security risks that face many businesses. Attackers who take advantage of these flaws
build carefully designed malicious files that trigger program flaws (such as buffer overflows).
These vulnerabilities are particularly dangerous because they often affect several platforms.

9. Browser Exploit Kit: Emails with internet browser vulnerabilities can lead to data leakage,
identity theft, and access issues in your accounts. Sometimes a link in your browser kit may contain
an abused code that cybercriminals can use to exploit your email. To avoid this threat, you should
ensure that your email service and the security components have fool proof protective measures.

10. Business Email Compromise (BEC) and Spear-Phishing Attacks: Another important point
is that a cyber attacker who bypasses all security protocols attacks a device by exploiting the end
user's unawareness since most people are unable to recognize a sophisticated phishing email.
Phishing assessments, exams, questionnaires, and games can be used to educate users about how
to recognize threats on a regular basis.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 44

Security Issues and vulnerability in Email System

Threats in Email Communication
Eavesdropping: E-mail messages pass through networks which are part of big picture i.e. Internet
with a lot of people on it. So it is very easy for someone to track or capture your message and read
it.
Identity Theft: Means someone pretend to be you on the network. It may be possible if not proper
security protocols are followed that someone may steal or capture your username/password and
used to read your email messages. Further also send email messages from your account without
your knowledge.
Message Modification: Anyone who captures your message can also alter your message contents
if it is not encrypted. Further anyone having administrative rights on any of SMTP server your
message visit can not only read your message but can also modifies it.
False Messages: Sender‘s name can easily be fabricated so it is very easy to send message that
pretends to be send by someone else.
Unprotected Backups: Messages generally stored in plain Text on SMTP server and also backups
can be created. Even if you delete the message they can be residing on the severs/backup-servers
for years. So anyone who accesses these servers can also access or read your message.
Repudiation: As it is known that email messages can easily be forged so anyone sending you some
message can later on deny regarding sending of message and it is very difficult to prove it. This
has implications corresponding to emails use as contracts in business communications.
Email spoofing: Sometime email that pretends to be received from an authentic source but in actual
it is send from somewhere else.
Email Spamming: Spam or junk mail refers to sending of email to no. of persons for any
advertisement purpose or for some malicious intent. To send spam often lists are created by
searching data from Internet, or by stealing mailing list from the internet.
Email bombing: E-mail ―bombing‖ is refers to sending identical mail repeatedly by abusers to a
particular address/user.
Sending threats: Threatening mails are sending to users which disturb their state of mind or to
provoke them to take some wrong step. Sometimes false statements are also forwarded to third
parties or users to injure the reputation of some particular person. It is called as Defamation, a

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 45

communication is not considered defamatory unless it is forwarded to someone other than the
target.
Email frauds: Email Fraud is the intentional deception made for some personal or monetary gain.
Emails used as tools to spread malicious software: Emails are also used as tools to spread viruses,
worms and other malicious software. They are attached to your emails as attachment, when you
click on them they attack your computer or browser.
Phishing: It is also most common attack through email. It is originally defined as an attack to steal
your confidential information like passwords, ATM pin and other bank credentials. It works as
some email coming to you that pretends to be from some trusted source you know like your bank.
These emails entice you to click on some link present in email or to open some attachment or
respond to some message and that click directed to you their site in actual but it appears like your
trusted website of bank and ask to fill some confidential information like passwords which is
actually stolen from you and use for any malicious intent later on.

Limitations exist in currently used protocols

Any Network service like email system must provide following five services for security reasons:

Message Confidentiality: It promotes privacy that is the message transfer between sender and
receiver is secure and no one can read or track the message while transferring.

Message Integrity: It says that the same message/data should arrive at receiver end as it can be
sent by sender. No alteration intentionally or accidentally takes place during transfer.

Message Authentication: It ensures that message can be received from the sender only or from
the trusted source. In this receiver must be sure about the identity of sender.

Message Non-repudiation: It ensures that anytime sender should not be able to deny sending of
message which originally sends by him/her.

Entity Authentication: It ensures identification of user; the user must be verified before accessing
the resources and services. This is done by asking login-id and password.

SMTP: SMTP does not encrypt messages. So, the communication between SMTP servers is in
plain text so eavesdropping takes place. If you are login to SMTP server using your username and
password that is also pass in plain text so again anyone stole your information during transfer.
Messages sent through SMTP also contains information about sending computer and

Shri Vaishnav Vidyapeeth Vishwavidyalaya,

 46

software used which when capture can be used for malicious intent. So, SMTP lacks privacy
concern.

POP and IMAP: POP and IMAP are pull protocols, Request is sent to mail server to access the
mailbox and for that login using username and password is required. These details are not
encrypted before sending unless SSL is used. So, our confidential information is at stake.

Shri Vaishnav Vidyapeeth Vishwavidyalaya,