The Technical Zone... The Geeky forum... Use this forum to discuss technical aspects of email, from authentication protocols to encryption.
16 Mar 2019, 09:00 PM | #1
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,722
IMAP security
Apparently, hackers have been successfully penetrating networks by attacking IMAP vulnerabilities. https://www.bleepingcomputer.com/new...-imap-attacks/
17 Mar 2019, 03:56 AM | #2
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
After examining the actual Proofpoint paper, there weren’t any conventional vulnerabilities in IMAP. Instead, email clients don’t normally use multifactor authentication. So if a target account uses the same password on multiple accounts, there is no additional authentication from a device available to prevent an attack. The article said that the initial source of the password was a phishing attack. The attackers then could use those credentials with IMAP (or other) email access to an account used by the phished individual.
This attack method is why Fastmail now tries to get you to use device-dependent passwords for email client access to their system. Each device has a unique long password, and you can’t use your master webmail password for an IMAP email account. The key thing that everyone needs to realize is that you MUST use a completely different long password for every account. Any re-use of passwords lets a phishing attack get into all of your accounts. Bill
17 Mar 2019, 04:59 AM | #3
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,722
My reading of the Proofpoint article is a little different. A large number of attacks utilize hacked passwords from one of the many enormous dumps that then use a password spraying technique to try numerous combinations on email accounts that utilize IMAP, and therefore are not protected with 2-factor authentication. In other words, you can login to an IMAP-enabled account with just a username and password. Is that not correct? I think of the many G Suite accounts that have 2FA enabled, but then you must generate an "app password" to allow your preferred email app on your phone to be able to access your account. An attacker could bypass 2FA if they could somehow find the app password, though in G Suite's case it is randomly generated so I don't know how those would be obtained in a password dump. However, many email services allow you to turn on 2FA without generating unique passwords for use via IMAP.
Last edited by TenFour : 17 Mar 2019 at 05:04 AM.
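Detection logic for the IMAP password-spraying pattern discussed above, as an added example that is not from this thread or any of its posters. It assumes Dovecot-style "auth failed" log lines (the sample lines are constructed) and illustrative thresholds; a spray shows up as one source failing against many accounts with only one or two attempts each, which is a different shape from brute force against a single account.

```python
import re
from collections import defaultdict

# Matches a Dovecot-style IMAP login failure and pulls out the username and source IP.
AUTH_FAIL = re.compile(r"auth failed.*?user=<(?P<user>[^>]*)>.*?rip=(?P<ip>[0-9.]+)")


def failed_logins(log_text):
    """Yield (source_ip, username) for every failed IMAP login in the log."""
    for line in log_text.splitlines():
        m = AUTH_FAIL.search(line)
        if m:
            yield m.group("ip"), m.group("user")


def detect_spraying(log_text, min_users=5, max_attempts_per_user=2.0):
    """Return {ip: (distinct_users, failures)} for sources whose failures are
    spread across many accounts with few attempts per account (a spray)."""
    users = defaultdict(set)
    failures = defaultdict(int)
    for ip, user in failed_logins(log_text):
        users[ip].add(user)
        failures[ip] += 1
    flagged = {}
    for ip, seen in users.items():
        if len(seen) >= min_users and failures[ip] / len(seen) <= max_attempts_per_user:
            flagged[ip] = (len(seen), failures[ip])
    return flagged


def _fail(user, ip, sec):
    """Build one constructed Dovecot-style failure line (sample data, not a real log)."""
    return (f"Mar 17 04:10:{sec:02d} mx dovecot: imap-login: Disconnected "
            f"(auth failed, 1 attempts in 2 secs): user=<{user}>, method=PLAIN, rip={ip}")


# Constructed sample log: one success, a spray from 203.0.113.9 (six accounts, one try
# each), a single-account brute force from 198.51.100.7, and one ordinary typo.
SAMPLE_LOG = "\n".join(
    ["Mar 17 04:10:00 mx dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=10.0.0.5"]
    + [_fail(u, "203.0.113.9", i) for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + [_fail("alice", "198.51.100.7", 10 + i) for i in range(8)]
    + [_fail("bob", "10.0.0.5", 30)]
)

if __name__ == "__main__":
    for ip, (n_users, n_fail) in detect_spraying(SAMPLE_LOG).items():
        print(f"possible password spray from {ip}: {n_fail} failures across {n_users} accounts")
```

Only the multi-account source is reported; the brute-force source fails the distinct-user threshold and would need a separate per-account lockout or rate rule.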
17 Mar 2019, 06:38 AM | #4
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
I don’t disagree with the comments you made, but here is my opinion on this.
17 Mar 2019, 06:54 AM | #5
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,722
Bill, I agree with what you wrote, and I would add that based on my experience I suspect there are large numbers of O 365 and G Suite accounts that do not enforce 2FA in the first place, and probably have IMAP enabled by default to allow users to easily hook up their smartphone apps or else the IT department will spend all day every day helping users set up their phones. I have found it is very hard to get people to take ordinary precautions with their work email accounts, and most people use horrible passwords and the minimal security allowed. I know personally an office that requires everyone to use the same passwords for most important systems, and they are not good passwords. Maybe we should require teaching a bit of IT security in schools--it is a basic skill required to live in the world today.
17 Mar 2019, 06:56 AM | #6
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
17 Mar 2019, 07:02 AM | #7
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,722