EmailDiscussions.com  

Old 16 Mar 2019, 09:00 PM   #1
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,723
IMAP security

Apparently, hackers have been successfully penetrating networks by attacking IMAP vulnerabilities. https://www.bleepingcomputer.com/new...-imap-attacks/

Old 17 Mar 2019, 03:56 AM   #2
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
After examining the actual Proofpoint paper, there weren’t any conventional vulnerabilities in IMAP. Instead, email clients don’t normally use multifactor authentication. So if a target account uses the same password on multiple accounts, there is no additional authentication from a device available to prevent an attack. The article said that the initial source of the password was a phishing attack. The attackers then could use those credentials with IMAP (or other) email access to an account used by the phished individual.

This attack method is why Fastmail now tries to get you to use device-dependent passwords for email client access to their system. Each device has a unique long password, and you can’t use your master webmail password for an IMAP email account.

The key thing that everyone needs to realize is that you MUST use a completely different long password for every account. Any re-use of passwords lets a phishing attack get into all of your accounts.

Bill
Old 17 Mar 2019, 04:59 AM   #3
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,723
My reading of the Proofpoint article is a little different. A large number of attacks utilize hacked passwords from one of the many enormous dumps that then use a password spraying technique to try numerous combinations on email accounts that utilize IMAP, and therefore are not protected with 2-factor authentication. In other words, you can log in to an IMAP-enabled account with just a username and password. Is that not correct? I think of the many G Suite accounts that have 2FA enabled, but then you must generate an "app password" to allow your preferred email app on your phone to be able to access your account. An attacker could bypass 2FA if they could somehow find the app password, though in G Suite's case it is randomly generated so I don't know how those would be obtained in a password dump. However, many email services allow you to turn on 2FA without generating unique passwords for use via IMAP.

Last edited by TenFour : 17 Mar 2019 at 05:04 AM.
Old 17 Mar 2019, 06:38 AM   #4
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
I don’t disagree with the comments you made, but here is my opinion on this.
  • A conventional brute-force attack on an IMAP account might be attempted by trying to use one username repeatedly with many different passwords, hoping that one will be correct. But the email system can just block all attempts to log in to that particular account from that particular IP address for some timeout interval.
  • So the attacker might use a bot net to run this attack. Again, rate limiting by the email server can prevent a quick high rate attack on a specific username.
  • The attacker might then take a completely different approach. They might use phishing over a huge population of users to determine some commonly used passwords and usernames. They then spray these out to a wide range of email servers from a bot net. Since the targets are spread so widely, the IMAP servers don’t see an organized attack. They see a low rate of random bad connection attempts from various IPs. The reason this works is that (as mentioned in the paper) they use techniques such as phishing so they know they are using some usernames and passwords which are actually in use.
  • Let’s think about how 2FA works. The password consists of two parts: The fixed password entered by the user and the pseudorandom password generated by the authentication system. There is a shared cryptographic key which is shared between the server and the user device during setup, and the system can be vulnerable during that initial setup process.
  • A 2FA system is just as (slightly) vulnerable to a brute-force attack as a non-2FA system if the password length and complexity are the same. The real difference is that with a 2FA system you are forced to use a moderately long pseudorandom password rather than “pass” or some other simple string of characters.
  • With an email client using IMAP (or other conventional access technique) the user typically isn’t aided in generating a long password. They don’t understand the value of a pseudorandom password generator and password safe to keep those unique passwords. So they use the same short password for each of their services - as short and simple as the system will allow. This means that once the attacker discovers one of their passwords, they can spray it around and see if it finds a matching account. If the attacker does this enough times for enough account names with enough passwords they know are in use, they will eventually spray enough around so that a few match. In fact, many people will use the same password as someone else, so the attacker can use just the most popular passwords and spray them around by trying to log in to thousands of different IMAP accounts at various services.
  • So this is a different statistical technique for attacks. They don’t try to guess your username or password - they use real usernames and passwords accumulated over a long time using phishing (or other sources), then spray them around until they eventually find an account where they match.
  • The solution is easy. Use a unique and very long pseudorandom password (as long as your client and the email system allows) and save it in a password manager if you worry about needing to reinstall the email client. You then must be VERY careful to be sure that the password manager is secure. And you must not re-use that password anywhere else - this is the key to personal security. If your account password at one particular service is compromised, this breach won’t affect any other service you use - as long as you keep your main email account (and mobile devices) secure, since this is where services send you password reset instructions.
  • For example, Fastmail application passwords are automatically generated by Fastmail, and they are 16 characters long with 32 possible values for each character. This is 80 bits of entropy, and is considered unbreakable. As long as the email client is a modern one which allows the stored password to be encrypted, there is no practical way for someone to get your IMAP password. If you use a secure connection to the server (forced by Fastmail) with modern browser and operating system security, a man-in-the-middle can’t intercept and use your password.
Bill
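Bill's distinction above (a per-IP rate limit stops one account being hammered from one address, but not a low-rate spray of known-good passwords across many accounts and many addresses) can be checked against the server's own login log. The following is an added example, not code from the thread or from any mail server: it parses constructed Dovecot-style imap-login failure lines (the line format, the sample data and the thresholds are all assumptions) and separates the two patterns by aggregating across source addresses rather than per address.

```python
import re
from collections import defaultdict

# Constructed sample excerpt in a Dovecot-like imap-login format (not real log data).
# 203.0.113.10 hits one account repeatedly; 198.51.100.x each fail once against a
# different account; the last line is a successful login and should be ignored.
SAMPLE_LOG = """\
Mar 17 06:00:01 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=203.0.113.10
Mar 17 06:00:03 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=203.0.113.10
Mar 17 06:00:05 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=203.0.113.10
Mar 17 06:00:07 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=203.0.113.10
Mar 17 06:00:09 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, rip=203.0.113.10
Mar 17 06:10:11 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<bob>, rip=198.51.100.7
Mar 17 06:12:30 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<carol>, rip=198.51.100.8
Mar 17 06:15:44 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<dave>, rip=198.51.100.9
Mar 17 06:18:02 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<erin>, rip=198.51.100.10
Mar 17 06:21:19 mx dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<frank>, rip=198.51.100.11
Mar 17 06:25:55 mx dovecot: imap-login: Login: user=<grace>, rip=192.0.2.5
"""

# Only failed authentications carry a signal; successful "Login:" lines do not match.
FAIL_RE = re.compile(r"imap-login: Disconnected \(auth failed[^)]*\): user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[\d.]+)")

def parse_failures(text):
    """Return a list of (username, source_ip) for each failed IMAP login line."""
    return [(m["user"], m["ip"]) for m in map(FAIL_RE.search, text.splitlines()) if m]

def classify(failures, brute_min=5, max_per_ip=2, spray_min_accounts=5):
    """Split failures into per-IP brute force and distributed password spraying.

    brute force: one address, one account, at least brute_min failures (a per-IP
                 rate limit catches this on its own).
    spray:       every address stays at or under max_per_ip failures (below any
                 per-IP limit), yet spray_min_accounts distinct accounts fail.
    A production detector would evaluate this per time window; the sample is one window.
    """
    users_by_ip = defaultdict(list)
    for user, ip in failures:
        users_by_ip[ip].append(user)
    brute = {ip: users[0] for ip, users in users_by_ip.items()
             if len(users) >= brute_min and len(set(users)) == 1}
    low_rate_ips = {ip for ip, users in users_by_ip.items() if len(users) <= max_per_ip}
    sprayed = {user for user, ip in failures if ip in low_rate_ips}
    spray = sprayed if len(sprayed) >= spray_min_accounts else set()
    return brute, spray

def analyze(text):
    return classify(parse_failures(text))

if __name__ == "__main__":
    brute, spray = analyze(SAMPLE_LOG)
    print("brute force per IP:", brute)
    print("accounts hit by low-rate spray:", sorted(spray))
```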
Old 17 Mar 2019, 06:54 AM   #5
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,723
Bill, I agree with what you wrote, and I would add that based on my experience I suspect there are large numbers of O 365 and G Suite accounts that do not enforce 2FA in the first place, and probably have IMAP enabled by default to allow users to easily hook up their smartphone apps or else the IT department will spend all day every day helping users set up their phones. I have found it is very hard to get people to take ordinary precautions with their work email accounts, and most people use horrible passwords and the minimal security allowed. I know personally an office that requires everyone to use the same passwords for most important systems, and they are not good passwords. Maybe we should require teaching a bit of IT security in schools--it is a basic skill required to live in the world today.
Old 17 Mar 2019, 06:56 AM   #6
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
Quote:
Originally Posted by TenFour
... I know personally an office that requires everyone to use the same passwords for most important systems, and they are not good passwords...
OUCH! That’s the worst advice I have ever heard!

Bill
Old 17 Mar 2019, 07:02 AM   #7
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,723
Quote:
OUCH! That’s the worst advice I have ever heard!
The head person is not technical and would be continually flummoxed if random, complex passwords were used, and refused to be bothered to use a password manager. Plus, they wanted to be able to log on to anyone's PC and all their systems when the people are not there. Look at the list of popular passwords--we are IT illiterate as a society.
All times are GMT +9. The time now is 03:40 AM.
Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy