将电子邮件作为密码重置点的攻击和漏洞分析

2018 Fourth International Conference on Mobile and Secure Services (MobiSecServ) Pub Date : 2018-02-01 DOI:10.1109/MOBISECSERV.2018.8311443

Caleb Routh, Brandon DeCrescenzo, Swapnoneel Roy

{"title":"将电子邮件作为密码重置点的攻击和漏洞分析","authors":"Caleb Routh, Brandon DeCrescenzo, Swapnoneel Roy","doi":"10.1109/MOBISECSERV.2018.8311443","DOIUrl":null,"url":null,"abstract":"In this work, we perform security analysis of using an e-mail as a self-service password reset point, and exploit some of the vulnerabilities of e-mail servers' forgotten password reset paths. We perform and illustrate three different attacks on a personal Email account, using a variety of tools such as: public knowledge attainable through social media or public records to answer security questions and execute a social engineering attack, hardware available to the public to perform a man in the middle attack, and free software to perform a brute-force attack on the login of the email account. Our results expose some of the inherent vulnerabilities in using emails as password reset points. The findings are extremely relevant to the security of mobile devices since users' trend has leaned towards usage of mobile devices over desktops for Internet access.","PeriodicalId":281294,"journal":{"name":"2018 Fourth International Conference on Mobile and Secure Services (MobiSecServ)","volume":"24 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-02-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"4","resultStr":"{\"title\":\"Attacks and vulnerability analysis of e-mail as a password reset point\",\"authors\":\"Caleb Routh, Brandon DeCrescenzo, Swapnoneel Roy\",\"doi\":\"10.1109/MOBISECSERV.2018.8311443\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In this work, we perform security analysis of using an e-mail as a self-service password reset point, and exploit some of the vulnerabilities of e-mail servers' forgotten password reset paths. We perform and illustrate three different attacks on a personal Email account, using a variety of tools such as: public knowledge attainable through social media or public records to answer security questions and execute a social engineering attack, hardware available to the public to perform a man in the middle attack, and free software to perform a brute-force attack on the login of the email account. Our results expose some of the inherent vulnerabilities in using emails as password reset points. The findings are extremely relevant to the security of mobile devices since users' trend has leaned towards usage of mobile devices over desktops for Internet access.\",\"PeriodicalId\":281294,\"journal\":{\"name\":\"2018 Fourth International Conference on Mobile and Secure Services (MobiSecServ)\",\"volume\":\"24 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2018-02-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"4\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2018 Fourth International Conference on Mobile and Secure Services (MobiSecServ)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/MOBISECSERV.2018.8311443\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 Fourth International Conference on Mobile and Secure Services (MobiSecServ)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/MOBISECSERV.2018.8311443","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 4

摘要

在这项工作中，我们对使用电子邮件作为自助密码重置点进行了安全性分析，并利用了电子邮件服务器忘记密码重置路径的一些漏洞。我们对个人电子邮件帐户执行并说明了三种不同的攻击，使用各种工具，例如:通过社交媒体或公共记录可获得的公共知识来回答安全问题并执行社会工程攻击，公众可用的硬件来执行中间人攻击，以及免费软件来执行暴力攻击登录的电子邮件帐户。我们的研究结果揭示了使用电子邮件作为密码重置点的一些固有漏洞。这些发现与移动设备的安全性密切相关，因为用户倾向于使用移动设备而不是桌面设备进行互联网访问。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Attacks and vulnerability analysis of e-mail as a password reset point

In this work, we perform security analysis of using an e-mail as a self-service password reset point, and exploit some of the vulnerabilities of e-mail servers' forgotten password reset paths. We perform and illustrate three different attacks on a personal Email account, using a variety of tools such as: public knowledge attainable through social media or public records to answer security questions and execute a social engineering attack, hardware available to the public to perform a man in the middle attack, and free software to perform a brute-force attack on the login of the email account. Our results expose some of the inherent vulnerabilities in using emails as password reset points. The findings are extremely relevant to the security of mobile devices since users' trend has leaned towards usage of mobile devices over desktops for Internet access.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2018 Fourth International Conference on Mobile and Secure Services (MobiSecServ)

自引率

0.00%

发文量