EmailDiscussions.com  

Go Back   EmailDiscussions.com > Discussions about Email Services > The Technical Zone...
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

The Technical Zone... The Geeky forum... Use this forum to discuss technical aspects of email, from authentication protocols to encryption.

Reply
 
Thread Tools
Old 16 Mar 2019, 09:00 PM   #1
TenFour
Cornerstone of the Community
 
Join Date: Feb 2017
Posts: 523
IMAP security

Apparently, hackers have been successfully penetrating networks by attacking IMAP vulnerabilities. https://www.bleepingcomputer.com/new...-imap-attacks/
TenFour is offline   Reply With Quote

Old 17 Mar 2019, 03:56 AM   #2
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,497
After examining the actual Proofpoint paper, thereíwerenít any conventional vulnerabilities in IMAP. Instead, email clients donít normally use multifactor authentication. So if a target account uses the same password on multiple accounts, there is no additional authentication from a device available to prevent an attack. The article said that the initial source of the password was a phishing attack. The attackers then could use those credentials with IMAP (or other) email access to an account used by the phished individual.

This attack method is why Fastmail now tried to get you to use device-dependent passwords for email client access to their system. Each device has a unique long password, and your canít use your master webmail password for an IMAP email account.

The key think that everyone needs to realize is that you MUST use a completely different long password for every account. Any re-use of passwords lets a phishing attack get into all of your accounts.

Bill
n5bb is offline   Reply With Quote
Old 17 Mar 2019, 04:59 AM   #3
TenFour
Cornerstone of the Community
 
Join Date: Feb 2017
Posts: 523
My reading of the Proofpoint article is a little different. A large number of attacks utilize hacked passwords from one of the many enormous dumps that then use a password spraying technique to try numerous combinations on email accounts that utilize IMAP, and therefore are not protected with 2-factor authentication. In other words, you can login to an IMAP-enabled account with just a username and password. Is that not correct? I think of the many G Suite accounts that have 2FA enabled, but then you must generate an "app password" to allow your preferred email app on your phone to be able to access your account. An attacker could bypass 2FA if they could somehow find the app password, though in G Suite's case it is randomly generated so I don't know how those would be obtained in a password dump. However, many email services allow you to turn on 2FA without generating unique passwords for use via IMAP.

Last edited by TenFour : 17 Mar 2019 at 05:04 AM.
TenFour is offline   Reply With Quote
Old 17 Mar 2019, 06:38 AM   #4
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,497
I donít disagree with the comments you made, but here is my opinion on this.
  • A conventional brute-force attack on an IMAP account might be attempted by trying to use one username repeatedly with many different passwords, hoping that one will be correct. But the email system can just block all attempts to log in to that particular account from that particular IP address for some timeout interval.
  • So the attacker might use a bot net to run this attack. Again, rate limiting by the email server can prevent a quick high rate attack on a specific username.
  • The attacker might then take a completely different approach. They might use phishing over a huge population of users to determine some commonly used passwords and usernames. They then spray these out to a wide range of email servers from a bot net. Since the targets are spread so widely, the IMAP servers donít see an organized attack. They see a low rate of random bad connection attempts from various IPís. The reason this works is that (as mentioned in the paper) they use techniques such as phishing so they know they are using some usernames and passwords which are actually in use.
  • Letís think about how 2FA works. The password consists of two parts: The fixed password entered by the user and the pseudorandom password generated by the authentication system. There is a shared cyptographic key which is shared between the server and the user device during setup, and the system can be vulnerable during that initial setup process.
  • A 2FA system is just as (slightly) vulnerable to a brute-force attack as a non-2FA system if the password length and complexity are the same. The real difference is that with a 2FA system you are forced to use a moderately long pseudorandom password rather than ďpassĒ or some other simple string of characters.
  • With an email client using IMAP (or other conventional access technique) the user typically isnít aided in generating a long password. They donít understand the value of a pseudorandom password generator and password safe to keep those unique passwords. So they use the same short password for each of their services - as short and simple as the system will allow. This means that once the attacker discovers one of their passwords, they can spray it around and see if it finds a matching account. If the attacker does this enough times for enough account names with enough passwords they know are in use, they will eventually spray enough around so that a few match. In fact, many people will use the same password as someone else, so the attacker can use just the most popular passwords and spray them around by trying to log in to thousands of different IMAP accounts at various services.
  • So this is a different statistical technique for attacks. They donít try to guess your username or password - they use real usernames and passwords accumulated over a long time using phishing (or other sources), then spray them around until they eventually find an account where they match.
  • The solution is easy. Use a unique and very long pseudorandom password (as long as your client and the email system allows) and save it in a password manager if you worrry about needing to reinstall the email client. You then must be VERY careful to be sure that the password manager is secure. And you must not re-use that password anywhere else - this is the key to personal security. If your account password at one particular service is compromised, this breach wonít affect any other service you use - as long as you keep your main email account (and mobile devices) secure, since this is where services send you password reset instructions.
  • For example, Fastmail application passwords are automatically generated by Fastmail, and they are 16 characters long with 32 possible values for each character. This is 80 bits of entropy, and is considered unbreakable. As long as the email client is a modern one which allows the stored password to be encrypted, there is no practical way for someone to get your IMAP password. If you use a secure connection to the server (forced by Fastmail) with modern browser and operating system security, a man-in-the-middle canít intercept and use your password.
Bill
n5bb is offline   Reply With Quote
Old 17 Mar 2019, 06:54 AM   #5
TenFour
Cornerstone of the Community
 
Join Date: Feb 2017
Posts: 523
Bill, I agree with what you wrote, and I would add that based on my experience I suspect there are large numbers of O 365 and G Suite accounts that do not enforce 2FA in the first place, and probably have IMAP enabled by default to allow users to easily hook up their smartphone apps or else the IT department will spend all day every day helping users set up their phones. I have found it is very hard to get people to take ordinary precautions with their work email accounts, and most people use horrible passwords and the minimal security allowed. I know personally an office that requires everyone to use the same passwords for most important systems, and they are not good passwords. Maybe we should require teaching a bit of IT security in schools--it is a basic skill required to live in the world today.
TenFour is offline   Reply With Quote
Old 17 Mar 2019, 06:56 AM   #6
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,497
Quote:
Originally Posted by TenFour View Post
... I know personally an office that requires everyone to use the same passwords for most important systems, and they are not good passwords...
OUCH! Thatís the worst advice I have every heard!

Bill
n5bb is offline   Reply With Quote
Old 17 Mar 2019, 07:02 AM   #7
TenFour
Cornerstone of the Community
 
Join Date: Feb 2017
Posts: 523
Quote:
OUCH! Thatís the worst advice I have every heard!
The head person is not technical and would be continually flummoxed if random, complex passwords were used, and refused to be bothered to use a password manager. Plus, wanted to be able to log on to anyone's PC and all their systems when the people are not there. Look at the list of popular passwords--we are IT illiterate as a society.
TenFour is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 09:21 PM.

 

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy